From 350fe155760cfd35a37ba8c2e32f9f38f1bab19a Mon Sep 17 00:00:00 2001 From: pazpi Date: Mon, 6 Jan 2025 15:39:09 +0100 Subject: [PATCH] WIP: portainer service and host --- flake.nix | 10 +++ hosts/default.nix | 11 +++ hosts/plex/default.nix | 1 - hosts/portainer/default.nix | 40 +++++++++++ modules/monitoring/prometheus.nix | 2 + modules/virtualisation/default.nix | 1 + modules/virtualisation/docker.nix | 2 +- modules/virtualisation/portainer.nix | 103 +++++++++++++++++++++++++++ secrets.nix | 1 + secrets/watchtower-secrets.age | 12 ++++ ssh-keys.nix | 1 + 11 files changed, 182 insertions(+), 2 deletions(-) create mode 100644 hosts/portainer/default.nix create mode 100644 modules/virtualisation/portainer.nix create mode 100644 secrets/watchtower-secrets.age diff --git a/flake.nix b/flake.nix index 31f5cc5..84711e5 100644 --- a/flake.nix +++ b/flake.nix @@ -93,6 +93,7 @@ "metrics" "nextcloud" "vaultwarden" + "portainer" ]; }; @@ -131,6 +132,15 @@ ]; }; + portainer.deployment = { + targetHost = "192.168.1.156"; + tags = [ + "lxc" + "node" + "portainer" + ]; + }; + deadbeef.deployment = { allowLocalDeployment = true; targetHost = null; diff --git a/hosts/default.nix b/hosts/default.nix index c088d36..ff19a67 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -143,4 +143,15 @@ in # specialArgs = { }; }; + portainer = nixpkgs.lib.nixosSystem { + pkgs = pkgs "x86_64-linux"; + modules = [ + myModule + proxmoxModule + ./portainer + agenix.nixosModules.default + ]; + # specialArgs = { }; + }; + } diff --git a/hosts/plex/default.nix b/hosts/plex/default.nix index f3e8cae..337ea60 100644 --- a/hosts/plex/default.nix +++ b/hosts/plex/default.nix @@ -32,7 +32,6 @@ }; networking = { - # firewall.allowedTCPPorts = [ 80 ]; nameservers = [ "192.168.1.2" ]; }; diff --git a/hosts/portainer/default.nix b/hosts/portainer/default.nix new file mode 100644 index 0000000..11ecc67 --- /dev/null +++ b/hosts/portainer/default.nix 
@@ -0,0 +1,40 @@ +{ + config, + pkgs, + lib, + ... +}: +let + portainerDataDir = "/var/lib/portainer"; # Define the directory for persistent data +in +{ + + age.secrets.watchtowerSecrets.file = ../../secrets/watchtower-secrets.age; + + my = { + utils.commons.enable = true; + virtualisation = { + proxmox.enable = true; + portainer = { + enable = true; + enableWatchtower = true; + environmentSecrets = config.age.secrets.watchtowerSecrets.path; + }; + }; + }; + + time.timeZone = "Europe/Rome"; + + # Extra packages + environment.systemPackages = with pkgs; [ ]; + + services = { + openssh.enable = true; + }; + + networking = { + nameservers = [ "192.168.1.2" ]; + }; + + system.stateVersion = "24.11"; +} diff --git a/modules/monitoring/prometheus.nix b/modules/monitoring/prometheus.nix index b813d12..d870ba1 100644 --- a/modules/monitoring/prometheus.nix +++ b/modules/monitoring/prometheus.nix @@ -41,6 +41,8 @@ in config = lib.mkMerge [ (lib.mkIf cfg.enable { + age.secrets.searx-prometheus-secret.file = ../../secrets/searx-prometheus-secret.age; + services.prometheus = { enable = true; scrapeConfigs = [ diff --git a/modules/virtualisation/default.nix b/modules/virtualisation/default.nix index f03c000..e05e629 100644 --- a/modules/virtualisation/default.nix +++ b/modules/virtualisation/default.nix @@ -6,5 +6,6 @@ ./lxc-guest.nix ./podman.nix ./podman-pod.nix + ./portainer.nix ]; } diff --git a/modules/virtualisation/docker.nix b/modules/virtualisation/docker.nix index 3d9227b..af59486 100644 --- a/modules/virtualisation/docker.nix +++ b/modules/virtualisation/docker.nix @@ -22,7 +22,7 @@ in }; }; - oci-containers.backend = "podman"; + oci-containers.backend = "docker"; }; }; diff --git a/modules/virtualisation/portainer.nix b/modules/virtualisation/portainer.nix new file mode 100644 index 0000000..ee6eb2a --- /dev/null +++ b/modules/virtualisation/portainer.nix 
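Review bot: `portainerDataDir` in the `let` block of hosts/portainer/default.nix is bound but never referenced; the path that actually takes effect is the `portainerDataDir` option default declared in modules/virtualisation/portainer.nix, so either drop the binding or wire it through with `portainer.portainerDataDir = portainerDataDir;` next to `enableWatchtower = true;`. `environment.systemPackages = with pkgs; [ ];` is a no-op as well and can be removed until something is actually needed. Since the host hands `config.age.secrets.watchtowerSecrets.path` to the module, a short comment such as `# env file shared by the portainer and watchtower containers (see modules/virtualisation/portainer.nix)` on the `environmentSecrets` line would tell the reader why one secret feeds two services.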
@@ -0,0 +1,103 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.my.virtualisation.portainer; +in +{ + options.my.virtualisation.portainer = { + enable = lib.mkEnableOption "Run Portainer"; + + version = lib.mkOption { + type = lib.types.str; + default = "latest"; + description = '' + Portainer version to use, default is latest + ''; + }; + + portainerDataDir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/portainer"; + description = '' + Where Portainer will save its data + ''; + }; + + enableWatchtower = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Enable Watchtower to automatically update Portainer + ''; + }; + + environmentSecrets = lib.mkOption { + type = lib.types.str; + default = ""; + description = '' + Secrets for container in a environment file + ''; + }; + + }; + + config = lib.mkIf cfg.enable { + + my.virtualisation.docker.enable = true; + + virtualisation.oci-containers = { + backend = "docker"; # Use Docker as the backend + + containers = { + portainer = { + image = "portainer/portainer-ce:latest"; + ports = [ "9000:9000" ]; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + "${cfg.portainerDataDir}:/data" # Add persistent volume for Portainer data + ]; + environmentFiles = [ cfg.environmentSecrets ]; + labels = { + "com.centurylinklabs.watchtower.enable" = "true"; + }; + autoStart = true; + }; + + watchtower = lib.mkIf cfg.enableWatchtower { + image = "containrrr/watchtower"; + volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ]; + autoStart = true; + environmentFiles = [ cfg.environmentSecrets ]; + environment = { + "TZ" = "Europe/Rome"; + "WATCHTOWER_CLEANUP" = "true"; + "WATCHTOWER_SCHEDULE" = "0 0 4 * * *"; # Run every day at 4am + "WATCHTOWER_LABEL_ENABLE" = "true"; # Only update labeled containers + "WATCHTOWER_NOTIFICATIONS" = "shoutrrr"; # Use shoutrrr for notifications + }; + }; + + }; + }; + + # Ensure the directory exists and has the correct permissions + 
systemd.tmpfiles.settings = { + "10-portainerDataDir" = { + ${cfg.portainerDataDir} = { + d = { + group = "root"; + mode = "0755"; + user = "root"; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9000 ]; + + }; +} diff --git a/secrets.nix b/secrets.nix index 4620d05..a06e246 100644 --- a/secrets.nix +++ b/secrets.nix @@ -18,6 +18,7 @@ let machines.search machines.metrics ]; + watchtower-secrets = [ machines.portainer ]; }; in builtins.listToAttrs ( diff --git a/secrets/watchtower-secrets.age b/secrets/watchtower-secrets.age new file mode 100644 index 0000000..ee4002e --- /dev/null +++ b/secrets/watchtower-secrets.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 UCdOEA ZQx4PyHXTBgT/LQny9jPjgRTQyUOAeA2T9SNOaPszhs +DgovswGjIsM+W3zoFYMCe/rXou0+NhyFG3vEwu53034 +-> ssh-ed25519 Si3UKw 3JXc63vpXWE6SitcXZt0JMG1gyNyd3qylsll8s7r0F0 +EynhPtlkR9T2RnyqPy1aEEapMz2bk2Zc6RrexvHJC+I +-> ssh-ed25519 3UG3uw JjmL+xTZJDMFTbt3F1nbcf4mvjBbSnaek2OjxSBPGzA +dY9txlNjV2TS/MzBaSlFYj5QJNeEX5aKjT0APollOAA +-> ssh-ed25519 JEhtoQ qG6sJ97Zpt2J6gZnIa+VW5u5EEqMPNFBbjI8+DhsYAI +xcPjp38cNW+qgSueZKqzbkQfkt/Z59i/j0bEmNfwEoc +--- IRCC6zMDqQq9VeYTdATtPTy7C0s8LrqrNllT9w2t4eg +7P[D.g<˗o3'5>E7 9s5 E;^f0YiSK.(1s[:6S>CAշ`z&:+y 8*T,5Jsݽ^IߧTUq[ +n17@y6uN 4B;tM \ No newline at end of file diff --git a/ssh-keys.nix b/ssh-keys.nix index 482266a..cdf4ff5 100644 --- a/ssh-keys.nix +++ b/ssh-keys.nix @@ -14,6 +14,7 @@ rec { vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOW9uYQpPMiKvI/KFRvd/5f9J8a0zLaQxstWRI8VNObV"; search = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhRxaMK+swWcbd6dyBvPw74EtB5mghjgBzmIhXy9cRt"; # TODO: Update this key plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINp9itRJGSSVWLxwrcudyGUNOOKl+qqtf+IzLHrhffyt"; + portainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgg4SKMCw2/21l1crY7trFnrCmNSrkYPl3vEDnJ8aQn"; }; # Machines able to provision other machines
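Review bot: The `version` option declared at the top of modules/virtualisation/portainer.nix is never read, because the container line hard-codes the tag; it needs `image = "portainer/portainer-ce:${cfg.version}";` for the option to have any effect. In the same hunk both containers set `environmentFiles = [ cfg.environmentSecrets ];`, which hands the empty-string default to the backend as an env file whenever no secret is configured; guard it with `environmentFiles = lib.optional (cfg.environmentSecrets != "") cfg.environmentSecrets;` or change the option type to `lib.types.nullOr lib.types.path`. Both containers also bind-mount `/var/run/docker.sock`, and `ports = [ "9000:9000" ]` together with `networking.firewall.allowedTCPPorts = [ 9000 ]` publishes the Portainer UI on every host interface without TLS, so that port is effectively a management endpoint for the Docker daemon; a comment above `ports` recording this, and binding to a specific address such as `"127.0.0.1:9000:9000"` behind a TLS-terminating proxy where possible, would make the exposure deliberate rather than implicit. The hard-coded `"TZ" = "Europe/Rome"` could read `config.time.timeZone` so the host's setting stays the single source of truth. This hunk begins on the previous physical line; the whole file is new in the patch.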