
{ config, ... }:
let
# Address most containers publish their ports on (presumably the
# WireGuard interface, so nothing here is reachable from a public NIC).
wireguardIP = "10.0.0.45";
# Gateway address of the podman bridge; used for container-to-host
# traffic (the Redis instances) and for signtok's private listener.
podmanIP = "10.88.0.1";
# Bind-mounts shared by containers that set `user = "name:name"`,
# presumably so the name resolves inside the container. Read-only, and
# nothing on them may be executed or used as a device. Note this exposes
# the host's account list (not hashes; /etc/shadow is not mounted).
userGroupFiles = [
  "/etc/passwd:/etc/passwd:ro,noexec,nosuid,nodev"
  "/etc/group:/etc/group:ro,noexec,nosuid,nodev"
];
# Podman flags every container starts from: registry auto-update, the
# PODMAN_SYSTEMD_UNIT label auto-update needs to restart the right unit,
# and a reduced privilege baseline (no new privileges, all capabilities
# dropped). Containers that need a capability add it back explicitly.
commonOptions = name: [
  "--label=io.containers.autoupdate=registry"
  "--label=PODMAN_SYSTEMD_UNIT=podman-${name}.service"
  "--security-opt=no-new-privileges"
  "--cap-drop=all"
];
# Environment shared by both teddit instances (clearnet and onion). Each
# instance merges its own DOMAIN, and the clearnet one its HTTPS/helmet
# flags, on top of this set.
tedditEnvironment = {
  # Redis over the podman bridge; the password is supplied through the
  # environment file listed in tedditConfig, not here.
  REDIS_HOST = podmanIP;
  REDIS_PORT = "6381";
  # Presumably: trust X-Forwarded-* headers only from the reverse proxy.
  TRUST_PROXY = "true";
  TRUST_PROXY_ADDRESS = "10.0.0.80";
  # Content defaults.
  POST_COMMENTS_SORT = "new";
  NSFW_ENABLED = "false";
  VIDEOS_MUTED = "false";
};
# Base container definition for a teddit instance. `suffix` only selects
# the systemd unit name (podman-teddit<suffix>.service); callers merge in
# `ports` and `environment`.
tedditConfig = suffix:
  let unit = "teddit${suffix}";
  in {
    image = "docker.io/teddit/teddit:latest";
    user = "teddit:teddit";
    volumes = userGroupFiles;
    extraOptions = commonOptions unit;
    # Redis password, read from the host at start-up (presumably kept out
    # of the Nix store on purpose).
    environmentFiles = [ "/etc/teddit_redis_password" ];
  };
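# Invidious settings shared by every instance, appended after each
# instance's own YAML. external_port is also set by the onion instance;
# the effective value then depends on the parser's duplicate-key handling.
# NOTE(review): the keys under default_user_preferences are children of
# that key by indentation; the flattened copy made them top-level keys
# (and default_user_preferences null). Nesting restored here — confirm
# against the source file.
sharedInvConf = ''
  # https://github.com/iv-org/invidious/blob/master/config/config.example.yml
  use_pubsub_feeds: true
  statistics_enabled: true
  external_port: 443
  port: 4000
  log_level: "Off"
  popular_enabled: false
  enable_user_notifications: false # Reduces disk usage
  registration_enabled: false
  admins: ["artemislena"]
  default_user_preferences:
    default_home: <none>
    autoplay: true
    feed_menu: ["Trending", "Subscriptions", "Playlists"]
'';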
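# Base definition for a clearnet Invidious instance. `suffix` selects the
# systemd unit name (podman-invidious<suffix>.service); callers merge in
# `ports`, and the onion instance replaces environment.INVIDIOUS_CONFIG.
# NOTE(review): the jobs/clear_expired_items/enable keys are nested by
# indentation; the flattened copy lost that, restored here — confirm
# against the source file.
invidiousConfig = suffix: {
  image = "quay.io/invidious/invidious:latest";
  user = "invidious:invidious";
  # Container UIDs/GIDs 0..99999 map to host 200000..299999, on top of
  # the shared hardening flags.
  extraOptions = commonOptions "invidious${suffix}" ++ [
    "--uidmap=0:200000:100000"
    "--gidmap=0:200000:100000"
  ];
  environment.INVIDIOUS_CONFIG = ''
    https_only: true
    domain: yt.artemislena.eu
    # Background jobs should only run on one instance (the Onion instance, in this case)
    channel_threads: 0
    feed_threads: 0
    jobs:
      clear_expired_items:
        enable: false
    banner: "If you need a local account on this instance, <a href=\"https://artemislena.eu\">contact us</a>"
  '' + sharedInvConf;
  # DB password and HMAC key. Given as a string rather than a Nix path
  # literal: a path literal can be copied into the world-readable Nix
  # store when it is coerced to a string, which would expose the secrets.
  # This also matches the other environmentFiles entries in this file.
  environmentFiles = [ "/etc/invidious_environment" ];
};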
# Base definition for a nitter instance. `suffix` selects both the systemd
# unit name and the host-side config file /etc/nitter/nitter<suffix>.conf.
nitterConfig = suffix:
  let
    unit = "nitter${suffix}";
    # The config is bind-mounted (read-only, non-executable) at
    # /src/nitter.conf; see https://github.com/zedeus/nitter/issues/633
    # for why that path.
    confMount = "/etc/nitter/${unit}.conf:/src/nitter.conf:ro,noexec,nosuid,nodev";
  in {
    image = "docker.io/zedeus/nitter:latest";
    user = "nitter:nitter";
    extraOptions = commonOptions unit;
    volumes = userGroupFiles ++ [ confMount ];
  };
in
{
virtualisation.oci-containers.containers = {
ntfy = {
  image = "docker.io/binwiederhier/ntfy";
  cmd = [ "serve" ];
  user = "ntfy:ntfy";
  # Container port 8080, published as 8082 on the WireGuard address.
  ports = [ "${wireguardIP}:8082:8080" ];
  # Config read-only; state and cache writable but never executable.
  volumes = userGroupFiles ++ [
    "/etc/nixos/ntfy:/etc/ntfy:ro,noexec,nosuid,nodev"
    "/var/lib/ntfy:/var/lib/ntfy:noexec,nosuid,nodev"
    "/var/cache/ntfy:/var/cache/ntfy:noexec,nosuid,nodev"
  ];
  # Files the service creates are private to its own user.
  extraOptions = commonOptions "ntfy" ++ [ "--umask=0077" ];
};
rimgo = {
  image = "codeberg.org/video-prize-ranch/rimgo";
  user = "rimgo:rimgo";
  ports = [ "${wireguardIP}:3000:3000" ];
  volumes = userGroupFiles;
  extraOptions = commonOptions "rimgo";
  # Hosting details passed through verbatim (presumably shown on the
  # instance's privacy page).
  environment = {
    PRIVACY_COUNTRY = "Germany";
    PRIVACY_PROVIDER = "Vodafone Deutschland";
    PRIVACY_CLOUDFLARE = "false";
    PRIVACY_NOT_COLLECTED = "true";
  };
};
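proxitok = {
  image = "ghcr.io/pablouser1/proxitok";
  # Container port 80, published as 8083 on the WireGuard address.
  ports = [ "${wireguardIP}:8083:80" ];
  # No `user` is set, so the process starts as container root. Because
  # commonOptions drops every capability, net_bind_service must be added
  # back for port 80; setuid/setgid are presumably used by the image to
  # drop to a service user itself.
  extraOptions = commonOptions "proxitok" ++ [
    "--umask=0077"
    "--cap-add=setuid"
    "--cap-add=setgid"
    "--cap-add=net_bind_service"
  ];
  volumes = [ "/var/cache/proxitok:/cache:noexec,nosuid,nodev" ];
  environment = {
    LATTE_CACHE = "/cache";
    API_CACHE = "redis";
    # Redis and signtok are both reached over the podman bridge; use the
    # shared binding instead of repeating the literal address.
    REDIS_HOST = podmanIP;
    REDIS_PORT = "6380";
    API_SIGNER = "remote";
    API_SIGNER_URL = "http://${podmanIP}:8080/signature";
    APP_URL = "https://tok.artemislena.eu";
  };
  # Redis password, read from the host at start-up.
  environmentFiles = [ "/etc/proxitok_redis_password" ];
  # signtok serves the signature endpoint above, so it must start first.
  dependsOn = [ "signtok" ];
};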
signtok = {
  image = "ghcr.io/pablouser1/signtok";
  # Bound to the podman bridge only: its consumer is proxitok (via
  # API_SIGNER_URL), and it is not published on the WireGuard address.
  ports = [ "${podmanIP}:8080:8080" ];
  user = "signtok:signtok";
  volumes = userGroupFiles;
  extraOptions = commonOptions "signtok";
};
# Clearnet teddit instance.
teddit = tedditConfig "" // {
  ports = [ "${wireguardIP}:8080:8080" ];
  environment = tedditEnvironment // {
    DOMAIN = "teddit.artemislena.eu";
    # HTTPS-only and helmet security headers including HSTS; the onion
    # instance does not set these.
    API_FORCE_HTTPS = "true";
    USE_HELMET = "true";
    USE_HELMET_HSTS = "true";
  };
};
# Tor instance: only the domain differs from the shared environment (no
# HTTPS enforcement or HSTS, unlike the clearnet instance).
teddit_onion = tedditConfig "_onion" // {
  ports = [ "${wireguardIP}:8081:8080" ];
  environment = tedditEnvironment // {
    DOMAIN = "teddit.lpoaj7z2zkajuhgnlltpeqh3zyq7wk2iyeggqaduhgxhyajtdt2j7wad.onion";
  };
};
# Three clearnet Invidious instances with identical config, each on its
# own WireGuard port (4000-4002) mapped to container port 4000.
invidious = invidiousConfig "" // {
  ports = [ "${wireguardIP}:4000:4000" ];
};
invidious1 = invidiousConfig "1" // {
  ports = [ "${wireguardIP}:4001:4000" ];
};
invidious2 = invidiousConfig "2" // {
  ports = [ "${wireguardIP}:4002:4000" ];
};
invidious_onion = invidiousConfig "_onion" // {
  # Loopback only (presumably fronted by a local Tor hidden service).
  ports = [ "127.0.0.1:80:4000" ];
  # Replaces the clearnet config from invidiousConfig entirely: plain HTTP,
  # no HSTS, the .onion domain, and no zeroed thread counts — per the
  # comment in invidiousConfig this is the instance that runs the
  # background jobs.
  # NOTE(review): sharedInvConf, appended below, also sets external_port
  # (443); which value wins depends on the YAML parser's duplicate-key
  # handling — confirm.
  environment.INVIDIOUS_CONFIG = ''
    https_only: false
    hsts: false
    domain: ng27owmagn5amdm7l5s3rsqxwscl5ynppnis5dqcasogkyxcfqn7psid.onion
    external_port: 80
    banner: "If you need a local account on this instance, <a href=\"http://lpoaj7z2zkajuhgnlltpeqh3zyq7wk2iyeggqaduhgxhyajtdt2j7wad.onion/contact.html\">contact us</a>"
  '' + sharedInvConf;
};
# Clearnet and Tor nitter instances; each reads its own host-side config
# (/etc/nitter/nitter.conf and /etc/nitter/nitter_onion.conf).
nitter = nitterConfig "" // {
  ports = [ "${wireguardIP}:8084:8080" ];
};
nitter_onion = nitterConfig "_onion" // {
  ports = [ "${wireguardIP}:8085:8080" ];
};
draupnir = {
  image = "docker.io/gnuxie/draupnir:latest";
  user = "draupnir:draupnir";
  ports = [ "${wireguardIP}:8086:8080" ];
  # /data is writable (presumably config plus state) but not executable.
  volumes = userGroupFiles ++ [ "/etc/draupnir:/data:noexec,nosuid,nodev" ];
  # Files the bot creates are private to its own user.
  extraOptions = commonOptions "draupnir" ++ [ "--umask=0077" ];
};
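cryptpad = {
  image = "docker.io/promasu/cryptpad:nginx-alpine";
  ports = [ "${wireguardIP}:80:80" ];
  volumes = [
    # Configuration: read-only, non-executable.
    "/etc/nixos/cryptpad/config.js:/cryptpad/config/config.js:ro,noexec,nosuid,nodev"
    "/etc/nixos/cryptpad/application_config.js:/cryptpad/customize/application_config.js:ro,noexec,nosuid,nodev"
    # Hack to patch https://github.com/xwiki-labs/cryptpad-docker/issues/58.
    # nginx only reads this file, so it gets the same ro/noexec/nosuid/nodev
    # flags as the other configuration mounts (it previously had none).
    "/etc/nixos/cryptpad/nginx.conf:/etc/nginx/conf.d/cryptpad.conf:ro,noexec,nosuid,nodev"
    # Data directories: writable, never executable.
    "/var/lib/cryptpad/blob:/cryptpad/blob:noexec,nosuid,nodev"
    "/var/lib/cryptpad/block:/cryptpad/block:noexec,nosuid,nodev"
    "/var/lib/cryptpad/data:/cryptpad/data:noexec,nosuid,nodev"
    "/var/lib/cryptpad/files:/cryptpad/datastore:noexec,nosuid,nodev"
  ];
  environment = {
    CPAD_MAIN_DOMAIN = "pad.artemislena.eu";
    CPAD_SANDBOX_DOMAIN = "sandbox.pad.artemislena.eu";
    # Client addresses are taken from X-Forwarded-For only when sent by
    # this proxy.
    CPAD_TRUSTED_PROXY = "10.0.0.80";
    CPAD_REALIP_HEADER = "X-Forwarded-For";
    CPAD_HTTP2_DISABLE = "true";
  };
  # No `user` is set: the image starts as root. commonOptions drops all
  # capabilities, so the ones the image needs are added back explicitly
  # (net_bind_service for port 80; the others presumably for its own
  # set-up and privilege drop). dac_override bypasses file permission
  # checks inside the container, so keep this list as short as possible.
  extraOptions = commonOptions "cryptpad" ++ [
    "--cap-add=setuid"
    "--cap-add=setgid"
    "--cap-add=net_bind_service"
    "--cap-add=kill"
    "--cap-add=chown"
    "--cap-add=dac_override"
  ];
};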
breezewiki = {
  image = "quay.io/pussthecatorg/breezewiki:latest";
  ports = [ "${wireguardIP}:10416:10416" ];
  environment = {
    bw_canonical_origin = "https://bw.artemislena.eu";
    bw_log_outgoing = "false";
  };
  # No `user` here; instead container IDs 0..399999 are remapped to host
  # IDs 400000..799999 on top of the shared hardening flags.
  extraOptions = commonOptions "breezewiki" ++ [
    "--uidmap=0:400000:400000"
    "--gidmap=0:400000:400000"
  ];
};
libreddit = {
  image = "docker.io/spikecodes/libreddit";
  user = "libreddit:libreddit";
  ports = [ "${wireguardIP}:8087:8080" ];
  environment = {
    LIBREDDIT_DEFAULT_POST_SORT = "new";
    LIBREDDIT_DEFAULT_COMMENT_SORT = "new";
    # Not showing makes posts simply disappear (rather than warning);
    # could be confusing — so show them, but blurred.
    LIBREDDIT_DEFAULT_SHOW_NSFW = "on";
    LIBREDDIT_DEFAULT_BLUR_NSFW = "on";
    LIBREDDIT_DEFAULT_USE_HLS = "on";
  };
  extraOptions = commonOptions "libreddit" ++ [
    # Container IDs 0..299999 map to host IDs 300000..599999.
    "--uidmap=0:300000:300000"
    "--gidmap=0:300000:300000"
    # Healthcheck is broken
    "--health-cmd=none"
  ];
};
};
}