From fd7797c6e7c88d1267e8eeb51f34700b54bf5c62 Mon Sep 17 00:00:00 2001
From: soraefir
Date: Wed, 6 May 2026 01:05:32 +0200
Subject: [PATCH] Wip Migrate podman
---
 modules/server/containers/default.nix | 14 ++++++--
 modules/server/containers/defs/authentik.nix | 25 +++++---------
 modules/server/database/default.nix | 35 ++++++++++++++++++++
 modules/shared/syscfg/default.nix | 4 ++-
 systems/sandbox/cfg.nix | 7 +++-
 5 files changed, 65 insertions(+), 20 deletions(-)
 create mode 100644 modules/server/database/default.nix
diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix
index 0fa2c39..2060e42 100644
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -4,8 +4,7 @@ let
 enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
 containerSetsList = lib.mapAttrsToList
 (name: containerCfg: import (./defs + "/${name}.nix") {
- inherit config pkgs lib ;
- inherit (containerCfg) port special_param;
+ inherit config pkgs lib containerCfg;
 }
 ) enabledConfigs;
 mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
@@ -16,5 +15,16 @@ in
 backend = "podman";
 containers = mergedContainers;
 };
+
+ systemd.services.init-podman-network = {
+ description = "Create Podman network with subnet";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.Type = "oneshot";
+ script = ''
+ ${pkgs.podman}/bin/podman network inspect podnet || \
+ ${pkgs.podman}/bin/podman network create --subnet=10.88.0.0/16 podnet
+ '';
+ };
 };
 }
\ No newline at end of file
diff --git a/modules/server/containers/defs/authentik.nix b/modules/server/containers/defs/authentik.nix
index 1e85664..50ebeb5 100644
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, containerCfg, pkgs, lib, ... }:
 let serverCfg = config.syscfg.server;
 in {
 systemd.tmfiles.rules = [
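Review bot: The network created by `init-podman-network` is named `podnet`, but authentik.nix joins `--network=portnet`, so that container will fail to start against a network that does not exist; settle on one name, ideally a single `let` binding both files read so the two cannot drift again. Nothing orders the generated `podman-*.service` units after this oneshot, so on a cold boot a container pinned with `--ip` can race the `podman network create`; add `after`/`requires` on those units (or `before` on this one) and `serviceConfig.RemainAfterExit = true` so dependents can rely on it having run. Note also that 10.88.0.0/16 is the subnet podman's default `podman` network uses, so this network overlaps with it unless the default is disabled or re-addressed.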
@@ -6,17 +6,6 @@ in {
 "d ${serverCfg.dataPath}/authentik/template 0755 root root -"
 ];
 containers = {
- auth_postgresql = {
- image = "postgres:14-alpine";
- hostname = "auth_postgresql";
- volumes = [ ];
- environment = {
- POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
- POSTGRES_USER = "authentik";
- POSTGRES_DB = "authentik";
- };
- };
-
 auth_redis = {
 image = "redis:alpine";
 hostname = "auth_redis";
@@ -52,11 +41,15 @@ in {
 "traefik.http.routers.sso.entrypoints" = "web-secure";
 "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
 "traefik.http.routers.sso.tls" = "true";
- "traefik.http.services.sso.loadbalancer.server.port" = "9000";
+ "traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
 };
 cmd = [ "server" ];
+ extraOptions = [
+ "--network=portnet"
+ "--ip=${containerCfg.ip}"
+ ];
 ports = [
- "9999:9000"
+ "9999:${toString containerCfg.port}"
 ];
 };
 
@@ -71,8 +64,8 @@ in {
 environment = {
 "AUTHENTIK_REDIS__HOST" = "auth_redis";
 "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
- "AUTHENTIK_POSTGRESQL__USER" = "authentik";
- "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
+ "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
+ "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
 "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
 "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
 };
diff --git a/modules/server/database/default.nix b/modules/server/database/default.nix
new file mode 100644
index 0000000..c25f444
--- /dev/null
+++ b/modules/server/database/default.nix
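Review bot: `"AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql"` (context in the `@@ -71` hunk) still names the container the first hunk deletes, so once the database moves to the host's PostgreSQL the server has nothing to connect to; it needs the host's address on the container network, and that server must accept TCP connections from it, which this patch does not configure. The password is likewise not carried over: the new database module sets `authentik_user`'s password from `sops.secrets.authentik_pass`, while the container keeps the literal `"AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD"` — unless an environment file substitutes it (not visible here), the two will not match. Moving only this container onto `portnet` with `--ip` also breaks resolution of `"AUTHENTIK_REDIS__HOST" = "auth_redis"` unless `auth_redis` joins the same network, which the hunk does not show.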
@@ -0,0 +1,35 @@
+
+{ config, lib, pkgs, ... }:
+let
+ listNames = config.syscfg.server.db;
+
+ containerNames = lib.mapAttrsToList
+ (name: cfg: name)
+ (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+
+ allApps = lib.unique (listNames ++ containerNames);
+
+in {
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = map (name: "${name}_db") allApps;
+ ensureUsers = map (name: { name = "${name}_user"; }) allApps;
+ backup = {
+ enable = true;
+ location = "/var/lib/postgresql/backups";
+ startAt = "-- 04:00:00"; # Runs every day at 4 AM
+ backupAll = true; # Backs up all databases and roles
+ };
+ };
+
+ systemd.services.postgresql.postStart = lib.mkAfter ''
+ ${lib.concatMapStringsSep "\n" (name: ''
+ $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
+
+ if [ -f "${config.sops.secrets."${name}_pass".path}" ]; then
+ PASS=$(cat "${config.sops.secrets."${name}_pass".path}")
+ $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
+ fi
+ '') allApps}
+ '';
+}
\ No newline at end of file
diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix
index 598aa81..2defb8f 100644
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -105,7 +105,9 @@ let
 containers = mkOption {
 type = types.attrsOf (types.submodule {
 options = {
- enable = mkOption {type = types.bool;default = false;};
+ enable = mkOption { type = types.bool;default = false; };
+ db = mkOption { type = types.bool;default = false; };
+ ip = mkOption { type = types.str; };
 port = mkOption { type = types.port; };
 extraParam = mkOption { type = types.str; default = ""; };
 };
diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix
index 12e6d2a..0cf75e3 100644
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
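Review bot: The secret is spliced into the SQL text in `$PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"`, so a password containing `'` breaks (or alters) the statement, and because the statement is a psql argument the plaintext is briefly visible in the process list to any local user. Letting psql read the file itself via `\set` on a quoted heredoc and binding it as `:'pw'` removes both problems; the rewrite below keeps the `-f` guard and the `OWNER TO` line, and the heredoc terminator must sit at the inner string's minimum indentation so Nix strips it to column 0. Two things the module leaves open: `services.postgresql` only listens on localhost unless `enableTCPIP` is set and `authentication` gets a `scram-sha-256` rule for the container addresses, so the containers this patch points at the host database cannot reach it yet; and I do not believe `services.postgresql.backup` is a NixOS option — the backup module is `services.postgresqlBackup`, which evaluation will confirm. The sops secret file must also be readable by the `postgres` user that runs `postStart`, which depends on its `owner`/`mode` settings outside this patch.
```nix
      # … unchanged: ALTER DATABASE … OWNER TO … line …
      if [ -f "${config.sops.secrets."${name}_pass".path}" ]; then
        # psql reads the secret itself and binds it as a quoted literal (:'pw'):
        # no shell interpolation into SQL, and the password never appears in argv.
        $PSQL -tA <<'EOF'
      \set pw `cat "${config.sops.secrets."${name}_pass".path}"`
      ALTER USER ${name}_user WITH PASSWORD :'pw';
      EOF
      fi
```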
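Review bot: `ip = mkOption { type = types.str; };` has neither a default nor a `description`, yet the only consumer passes it straight to `--ip` and the network it must belong to is hardcoded as 10.88.0.0/16 in modules/server/containers/default.nix; at minimum document that constraint, e.g. `description = "Static address for the container on the shared podman network; must lie inside its subnet.";`, and consider `types.nullOr types.str` with `default = null` so a container without a fixed address can omit it. The `type = types.bool;default = false;` spacing on `enable` and `db` also differs from the `port` and `extraParam` lines right below.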
@@ -31,7 +31,12 @@ containers = { #cloud = {enable = true;}; - authentik = {enable = true;}; + authentik = { + enable = true; + db = true; + ip = "10.88.0.125"; + port = 9000 ; + }; }; }; };