WIP: portainer service and host

2025-01-06 15:39:09 +01:00 · 2025-01-06 15:39:09 +01:00 · 350fe15576
commit 350fe15576
parent 2673c763d5
11 changed files with 182 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -93,6 +93,7 @@
                "metrics"
                "nextcloud"
                "vaultwarden"
+                "portainer"
              ];
            };

@ -131,6 +132,15 @@
              ];
            };

+            portainer.deployment = {
+              targetHost = "192.168.1.156";
+              tags = [
+                "lxc"
+                "node"
+                "portainer"
+              ];
+            };
+
            deadbeef.deployment = {
              allowLocalDeployment = true;
              targetHost = null;
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -143,4 +143,15 @@ in
    # specialArgs = { };
  };

+  portainer = nixpkgs.lib.nixosSystem {
+    pkgs = pkgs "x86_64-linux";
+    modules = [
+      myModule
+      proxmoxModule
+      ./portainer
+      agenix.nixosModules.default
+    ];
+    # specialArgs = { };
+  };
+
 }
--- a/hosts/plex/default.nix
+++ b/hosts/plex/default.nix
@ -32,7 +32,6 @@
  };

  networking = {
-    # firewall.allowedTCPPorts = [ 80 ];
    nameservers = [ "192.168.1.2" ];
  };

--- a/hosts/portainer/default.nix
+++ b/hosts/portainer/default.nix
@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  portainerDataDir = "/var/lib/portainer"; # Define the directory for persistent data
+in
+{
+
+  age.secrets.watchtowerSecrets.file = ../../secrets/watchtower-secrets.age;
+
+  my = {
+    utils.commons.enable = true;
+    virtualisation = {
+      proxmox.enable = true;
+      portainer = {
+        enable = true;
+        enableWatchtower = true;
+        environmentSecrets = config.age.secrets.watchtowerSecrets.path;
+      };
+    };
+  };
+
+  time.timeZone = "Europe/Rome";
+
+  # Extra packages
+  environment.systemPackages = with pkgs; [ ];
+
+  services = {
+    openssh.enable = true;
+  };
+
+  networking = {
+    nameservers = [ "192.168.1.2" ];
+  };
+
+  system.stateVersion = "24.11";
+}
--- a/modules/monitoring/prometheus.nix
+++ b/modules/monitoring/prometheus.nix
@ -41,6 +41,8 @@ in
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {

+      age.secrets.searx-prometheus-secret.file = ../../secrets/searx-prometheus-secret.age;
+
      services.prometheus = {
        enable = true;
        scrapeConfigs = [
--- a/modules/virtualisation/default.nix
+++ b/modules/virtualisation/default.nix
@ -6,5 +6,6 @@
    ./lxc-guest.nix
    ./podman.nix
    ./podman-pod.nix
+    ./portainer.nix
  ];
 }
--- a/modules/virtualisation/docker.nix
+++ b/modules/virtualisation/docker.nix
@ -22,7 +22,7 @@ in
        };
      };

-      oci-containers.backend = "podman";
+      oci-containers.backend = "docker";

    };
  };
--- a/modules/virtualisation/portainer.nix
+++ b/modules/virtualisation/portainer.nix
@ -0,0 +1,103 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.virtualisation.portainer;
+in
+{
+  options.my.virtualisation.portainer = {
+    enable = lib.mkEnableOption "Run Portainer";
+
+    version = lib.mkOption {
+      type = lib.types.str;
+      default = "latest";
+      description = ''
+        Portainer version to use, default is latest
+      '';
+    };
+
+    portainerDataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/portainer";
+      description = ''
+        Where Portainer will save its data
+      '';
+    };
+
+    enableWatchtower = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Enable Watchtower to automatically update Portainer
+      '';
+    };
+
+    environmentSecrets = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = ''
+        Secrets for container in a environment file
+      '';
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    my.virtualisation.docker.enable = true;
+
+    virtualisation.oci-containers = {
+      backend = "docker"; # Use Docker as the backend
+
+      containers = {
+        portainer = {
+          image = "portainer/portainer-ce:latest";
+          ports = [ "9000:9000" ];
+          volumes = [
+            "/var/run/docker.sock:/var/run/docker.sock"
+            "${cfg.portainerDataDir}:/data" # Add persistent volume for Portainer data
+          ];
+          environmentFiles = [ cfg.environmentSecrets ];
+          labels = {
+            "com.centurylinklabs.watchtower.enable" = "true";
+          };
+          autoStart = true;
+        };
+
+        watchtower = lib.mkIf cfg.enableWatchtower {
+          image = "containrrr/watchtower";
+          volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+          autoStart = true;
+          environmentFiles = [ cfg.environmentSecrets ];
+          environment = {
+            "TZ" = "Europe/Rome";
+            "WATCHTOWER_CLEANUP" = "true";
+            "WATCHTOWER_SCHEDULE" = "0 0 4 * * *"; # Run every day at 4am
+            "WATCHTOWER_LABEL_ENABLE" = "true"; # Only update labeled containers
+            "WATCHTOWER_NOTIFICATIONS" = "shoutrrr"; # Use shoutrrr for notifications
+          };
+        };
+
+      };
+    };
+
+    # Ensure the directory exists and has the correct permissions
+    systemd.tmpfiles.settings = {
+      "10-portainerDataDir" = {
+        ${cfg.portainerDataDir} = {
+          d = {
+            group = "root";
+            mode = "0755";
+            user = "root";
+          };
+        };
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ 9000 ];
+
+  };
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -18,6 +18,7 @@ let
      machines.search
      machines.metrics
    ];
+    watchtower-secrets = [ machines.portainer ];
  };
 in
 builtins.listToAttrs (
--- a/secrets/watchtower-secrets.age
+++ b/secrets/watchtower-secrets.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 UCdOEA ZQx4PyHXTBgT/LQny9jPjgRTQyUOAeA2T9SNOaPszhs
+DgovswGjIsM+W3zoFYMCe/rXou0+NhyFG3vEwu53034
+-> ssh-ed25519 Si3UKw 3JXc63vpXWE6SitcXZt0JMG1gyNyd3qylsll8s7r0F0
+EynhPtlkR9T2RnyqPy1aEEapMz2bk2Zc6RrexvHJC+I
+-> ssh-ed25519 3UG3uw JjmL+xTZJDMFTbt3F1nbcf4mvjBbSnaek2OjxSBPGzA
+dY9txlNjV2TS/MzBaSlFYj5QJNeEX5aKjT0APollOAA
+-> ssh-ed25519 JEhtoQ qG6sJ97Zpt2J6gZnIa+VW5u5EEqMPNFBbjI8+DhsYAI
+xcPjp38cNW+qgSueZKqzbkQfkt/Z59i/j0bEmNfwEoc
+--- IRCC6zMDqQq9VeYTdATtPTy7C0s8LrqrNllT9w2t4eg
+×7™®P²[ƒ‚ÌÓD¨³ºö.˜èËg<ÕË—<C38B>ûo“3¨'¡ö5><3E>“ÌE™7ó´´¡à˜9sø²¬5
ÌEàæ‹;^†èf0Yüi¾…SKš.È(ÿ1«¾<C2AB>û¡ØÐï«ÃÐs¼þ[à:½‘Ôï6S€>CøŸŸÓA“ëÕ·`z&:¤·+y	8àÛê*…T,Ÿ5Jõs<C3B5>Ý½^I²œâß§ÊTUq¹[
+øn1¤µ7ù@ŸÐyš6uN 4Bó;têýMèõ
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@ -14,6 +14,7 @@ rec {
    vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOW9uYQpPMiKvI/KFRvd/5f9J8a0zLaQxstWRI8VNObV";
    search = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhRxaMK+swWcbd6dyBvPw74EtB5mghjgBzmIhXy9cRt"; # TODO: Update this key
    plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINp9itRJGSSVWLxwrcudyGUNOOKl+qqtf+IzLHrhffyt";
+    portainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgg4SKMCw2/21l1crY7trFnrCmNSrkYPl3vEDnJ8aQn";
  };

  # Machines able to provision other machines