WIP: portainer service and host

2025-01-06 15:39:09 +01:00 · 2025-01-06 15:39:09 +01:00 · 350fe15576
commit 350fe15576
parent 2673c763d5
11 changed files with 182 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -93,6 +93,7 @@
                "metrics"
                "nextcloud"
                "vaultwarden"
                "portainer"
              ];
            };
@ -131,6 +132,15 @@
              ];
            };
            portainer.deployment = {
              targetHost = "192.168.1.156";
              tags = [
                "lxc"
                "node"
                "portainer"
              ];
            };
            deadbeef.deployment = {
              allowLocalDeployment = true;
              targetHost = null;
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -143,4 +143,15 @@ in
    # specialArgs = { };
  };
  portainer = nixpkgs.lib.nixosSystem {
    pkgs = pkgs "x86_64-linux";
    modules = [
      myModule
      proxmoxModule
      ./portainer
      agenix.nixosModules.default
    ];
    # specialArgs = { };
  };
 }
--- a/hosts/plex/default.nix
+++ b/hosts/plex/default.nix
@ -32,7 +32,6 @@
  };
  networking = {
    # firewall.allowedTCPPorts = [ 80 ];
    nameservers = [ "192.168.1.2" ];
  };
--- a/hosts/portainer/default.nix
+++ b/hosts/portainer/default.nix
@ -0,0 +1,40 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 let
  portainerDataDir = "/var/lib/portainer"; # Define the directory for persistent data
 in
 {
  age.secrets.watchtowerSecrets.file = ../../secrets/watchtower-secrets.age;
  my = {
    utils.commons.enable = true;
    virtualisation = {
      proxmox.enable = true;
      portainer = {
        enable = true;
        enableWatchtower = true;
        environmentSecrets = config.age.secrets.watchtowerSecrets.path;
      };
    };
  };
  time.timeZone = "Europe/Rome";
  # Extra packages
  environment.systemPackages = with pkgs; [ ];
  services = {
    openssh.enable = true;
  };
  networking = {
    nameservers = [ "192.168.1.2" ];
  };
  system.stateVersion = "24.11";
 }
--- a/modules/monitoring/prometheus.nix
+++ b/modules/monitoring/prometheus.nix
@ -41,6 +41,8 @@ in
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      age.secrets.searx-prometheus-secret.file = ../../secrets/searx-prometheus-secret.age;
      services.prometheus = {
        enable = true;
        scrapeConfigs = [
--- a/modules/virtualisation/default.nix
+++ b/modules/virtualisation/default.nix
@ -6,5 +6,6 @@
    ./lxc-guest.nix
    ./podman.nix
    ./podman-pod.nix
    ./portainer.nix
  ];
 }
--- a/modules/virtualisation/docker.nix
+++ b/modules/virtualisation/docker.nix
@ -22,7 +22,7 @@ in
        };
      };
-      oci-containers.backend = "podman";
+      oci-containers.backend = "docker";
    };
  };
--- a/modules/virtualisation/portainer.nix
+++ b/modules/virtualisation/portainer.nix
@ -0,0 +1,103 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.my.virtualisation.portainer;
 in
 {
  options.my.virtualisation.portainer = {
    enable = lib.mkEnableOption "Run Portainer";
    version = lib.mkOption {
      type = lib.types.str;
      default = "latest";
      description = ''
        Portainer version to use, default is latest
      '';
    };
    portainerDataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/portainer";
      description = ''
        Where Portainer will save its data
      '';
    };
    enableWatchtower = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Enable Watchtower to automatically update Portainer
      '';
    };
    environmentSecrets = lib.mkOption {
      type = lib.types.str;
      default = "";
      description = ''
        Secrets for container in a environment file
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    my.virtualisation.docker.enable = true;
    virtualisation.oci-containers = {
      backend = "docker"; # Use Docker as the backend
      containers = {
        portainer = {
          image = "portainer/portainer-ce:latest";
          ports = [ "9000:9000" ];
          volumes = [
            "/var/run/docker.sock:/var/run/docker.sock"
            "${cfg.portainerDataDir}:/data" # Add persistent volume for Portainer data
          ];
          environmentFiles = [ cfg.environmentSecrets ];
          labels = {
            "com.centurylinklabs.watchtower.enable" = "true";
          };
          autoStart = true;
        };
        watchtower = lib.mkIf cfg.enableWatchtower {
          image = "containrrr/watchtower";
          volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
          autoStart = true;
          environmentFiles = [ cfg.environmentSecrets ];
          environment = {
            "TZ" = "Europe/Rome";
            "WATCHTOWER_CLEANUP" = "true";
            "WATCHTOWER_SCHEDULE" = "0 0 4 * * *"; # Run every day at 4am
            "WATCHTOWER_LABEL_ENABLE" = "true"; # Only update labeled containers
            "WATCHTOWER_NOTIFICATIONS" = "shoutrrr"; # Use shoutrrr for notifications
          };
        };
      };
    };
    # Ensure the directory exists and has the correct permissions
    systemd.tmpfiles.settings = {
      "10-portainerDataDir" = {
        ${cfg.portainerDataDir} = {
          d = {
            group = "root";
            mode = "0755";
            user = "root";
          };
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 9000 ];
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -18,6 +18,7 @@ let
      machines.search
      machines.metrics
    ];
    watchtower-secrets = [ machines.portainer ];
  };
 in
 builtins.listToAttrs (
--- a/secrets/watchtower-secrets.age
+++ b/secrets/watchtower-secrets.age
@ -0,0 +1,12 @@
 age-encryption.org/v1
 -> ssh-ed25519 UCdOEA ZQx4PyHXTBgT/LQny9jPjgRTQyUOAeA2T9SNOaPszhs
 DgovswGjIsM+W3zoFYMCe/rXou0+NhyFG3vEwu53034
 -> ssh-ed25519 Si3UKw 3JXc63vpXWE6SitcXZt0JMG1gyNyd3qylsll8s7r0F0
 EynhPtlkR9T2RnyqPy1aEEapMz2bk2Zc6RrexvHJC+I
 -> ssh-ed25519 3UG3uw JjmL+xTZJDMFTbt3F1nbcf4mvjBbSnaek2OjxSBPGzA
 dY9txlNjV2TS/MzBaSlFYj5QJNeEX5aKjT0APollOAA
 -> ssh-ed25519 JEhtoQ qG6sJ97Zpt2J6gZnIa+VW5u5EEqMPNFBbjI8+DhsYAI
 xcPjp38cNW+qgSueZKqzbkQfkt/Z59i/j0bEmNfwEoc
 --- IRCC6zMDqQq9VeYTdATtPTy7C0s8LrqrNllT9w2t4eg
 ×7™®P²[ƒ‚ÌÓD¨³ºö.˜èËg<ÕË—<C38B>ûo“3¨'¡ö5><3E>“ÌE™7ó´´¡à˜9sø²¬5
ÌEàæ‹;^†èf0Yüi¾…SKš.È(ÿ1«¾<C2AB>û¡ØÐï«ÃÐs¼þ[à:½‘Ôï6S€>CøŸŸÓA“ëÕ·`z&:¤·+y	8àÛê*…T,Ÿ5Jõs<C3B5>Ý½^I²œâß§ÊTUq¹[
 øn1¤µ7ù@ŸÐyš6uN 4Bó;têýMèõ
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@ -14,6 +14,7 @@ rec {
    vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOW9uYQpPMiKvI/KFRvd/5f9J8a0zLaQxstWRI8VNObV";
    search = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBhRxaMK+swWcbd6dyBvPw74EtB5mghjgBzmIhXy9cRt"; # TODO: Update this key
    plex = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINp9itRJGSSVWLxwrcudyGUNOOKl+qqtf+IzLHrhffyt";
    portainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgg4SKMCw2/21l1crY7trFnrCmNSrkYPl3vEDnJ8aQn";
  };
  # Machines able to provision other machines