Separate podman and traefik

This commit is contained in:
Yan Lin 2025-09-07 01:59:45 +02:00
parent 261fea477e
commit 673bdeb83b
3 changed files with 159 additions and 43 deletions


@ -4,6 +4,8 @@
./disk-config.nix ./disk-config.nix
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
../../../modules/tailscale.nix ../../../modules/tailscale.nix
../../../modules/podman.nix
../../../modules/traefik.nix
]; ];
# GRUB bootloader with ZFS support # GRUB bootloader with ZFS support
@ -63,8 +65,7 @@
hostName = "hs"; hostName = "hs";
hostId = "8425e349"; # Required for ZFS, good practice for any system hostId = "8425e349"; # Required for ZFS, good practice for any system
networkmanager.enable = true; networkmanager.enable = true;
firewall.enable = false; firewall = { enable = false; };
# firewall.allowedTCPPorts = [ 22 ]; # SSH
}; };
# Set your time zone # Set your time zone
@ -154,46 +155,6 @@
}; };
}; };
# Container virtualization with Podman
virtualisation = {
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other
defaultNetwork.settings.dns_enabled = true;
# Create macvlan network for Home Assistant
extraPackages = [ pkgs.netavark pkgs.aardvark-dns ];
};
# Enable OCI container support
oci-containers = {
backend = "podman";
containers.homeassistant = {
image = "ghcr.io/home-assistant/home-assistant:stable";
volumes = [
"/home/yanlin/deploy/data/home/config:/config"
"/etc/localtime:/etc/localtime:ro"
"/run/dbus:/run/dbus:ro"
];
environment = {
TZ = "Europe/Copenhagen";
};
extraOptions = [
"--privileged" # Required for USB device access
"--network=host" # Use host networking
"--device=/dev/ttyUSB0:/dev/ttyUSB0" # Sky Connect Zigbee dongle
"--device=/dev/dri:/dev/dri" # Hardware acceleration
];
autoStart = true;
};
};
};
# SnapRAID configuration for parity protection # SnapRAID configuration for parity protection
services.snapraid = { services.snapraid = {
enable = true; enable = true;
@ -241,7 +202,6 @@
]; ];
}; };
# Enable smartd for disk health monitoring # Enable smartd for disk health monitoring
services.smartd = { services.smartd = {
enable = true; enable = true;

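--- /dev/null
+++ b/modules/podman.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+{
+# Container virtualization with Podman
+virtualisation = {
+podman = {
+enable = true;
+# Create a `docker` alias for podman, to use it as a drop-in replacement
+dockerCompat = true;
+# Required for containers under podman-compose to be able to talk to each other
+defaultNetwork.settings.dns_enabled = true;
+# Extra packages for networking
+extraPackages = [ pkgs.netavark pkgs.aardvark-dns ];
+};
+# Enable OCI container support
+oci-containers = {
+backend = "podman";
+containers.homeassistant = {
+image = "ghcr.io/home-assistant/home-assistant:stable";
+volumes = [
+"/home/yanlin/deploy/data/home/config:/config"
+"/etc/localtime:/etc/localtime:ro"
+"/run/dbus:/run/dbus:ro"
+];
+environment = {
+TZ = "Europe/Copenhagen";
+# Configure Home Assistant to trust reverse proxy
+HASS_HTTP_TRUSTED_PROXY_1 = "127.0.0.1";
+HASS_HTTP_TRUSTED_PROXY_2 = "::1";
+HASS_HTTP_USE_X_FORWARDED_FOR = "true";
+};
+extraOptions = [
+"--privileged" # Required for USB device access
+"--network=host" # Use host networking
+"--device=/dev/ttyUSB0:/dev/ttyUSB0" # Sky Connect Zigbee dongle
+"--device=/dev/dri:/dev/dri" # Hardware acceleration
+];
+autoStart = true;
+};
+};
+};
+}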
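Review bot: The three `HASS_HTTP_*` variables added under `environment` do not, as far as I can tell, correspond to anything Home Assistant reads from its environment; trusted proxies are set in configuration.yaml under `http:` (`use_x_forwarded_for: true` and `trusted_proxies: ["127.0.0.1", "::1"]`), so requests arriving through Traefik may be rejected as coming from an untrusted proxy — worth verifying before relying on these. Separately, `--privileged` combined with `--network=host` gives the container effectively full host access, while the two devices it needs are already passed explicitly with `--device`; consider dropping `--privileged` and re-adding it only if USB access actually fails, and if it must stay, replace the comment with one that says why `--device` is not sufficient, e.g. `# --privileged: needed because <reason>; --device alone was not enough`.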

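--- /dev/null
+++ b/modules/traefik.nix
@@ -0,0 +1,109 @@
+{ config, pkgs, lib, ... }:
+{
+# Traefik reverse proxy service
+services.traefik = {
+enable = true;
+# Static configuration
+staticConfigOptions = {
+# Entry points for HTTP and HTTPS
+entrypoints = {
+web = {
+address = ":80";
+http.redirections.entrypoint = {
+to = "websecure";
+scheme = "https";
+permanent = true;
+};
+};
+websecure = {
+address = ":443";
+};
+};
+# Certificate resolver using Cloudflare DNS challenge
+certificatesResolvers.cloudflare = {
+acme = {
+email = "cloudflare@yanlincs.com";
+storage = "/var/lib/traefik/acme.json";
+dnsChallenge = {
+provider = "cloudflare";
+delayBeforeCheck = 60;
+resolvers = [
+"1.1.1.1:53"
+"8.8.8.8:53"
+];
+};
+};
+};
+# API and dashboard
+api = {
+dashboard = true;
+debug = false;
+};
+# Logging
+log = {
+level = "INFO";
+};
+accessLog = {};
+# Global settings
+global = {
+checkNewVersion = false;
+sendAnonymousUsage = false;
+};
+};
+# Dynamic configuration for services
+dynamicConfigOptions = {
+http = {
+routers = {
+homeassistant = {
+rule = "Host(`home.hs.yanlincs.com`)";
+service = "homeassistant";
+tls = {
+certResolver = "cloudflare";
+domains = [{
+main = "*.hs.yanlincs.com";
+}];
+};
+};
+};
+services = {
+homeassistant = {
+loadBalancer = {
+servers = [{
+url = "http://localhost:8123";
+}];
+};
+};
+};
+};
+};
+# Environment variables for Cloudflare
+environmentFiles = [ "/run/secrets/traefik-env" ];
+};
+# Create environment file for Traefik Cloudflare credentials
+systemd.services.traefik-env-setup = {
+description = "Setup Traefik environment file";
+before = [ "traefik.service" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = true;
+};
+script = ''
+mkdir -p /run/secrets
+cat > /run/secrets/traefik-env << 'EOF'
+CF_API_EMAIL=cloudflare@yanlincs.com
+CF_DNS_API_TOKEN=JtIInpXOB8NIDGuYvjyV6kLCysN0mb7MKvryuya-
+EOF
+chmod 600 /run/secrets/traefik-env
+'';
+};
+}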
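Review bot: The `traefik-env-setup` unit writes the Cloudflare DNS API token from a string literal inside the Nix expression, so the secret lands in the world-readable Nix store and in this repository's history, and the `chmod 600` on the generated file protects nothing; the token visible in this commit should be treated as exposed and rotated. Since `environmentFiles = [ "/run/secrets/traefik-env" ]` already points at a path that a secrets tool (sops-nix, agenix) or an out-of-band file can populate, the whole `systemd.services.traefik-env-setup` block can be removed and replaced by a comment such as `# /run/secrets/traefik-env (CF_API_EMAIL, CF_DNS_API_TOKEN) is provisioned out of band, never from the Nix store`. Minor: `api.dashboard = true` exposes nothing by itself because no router targets `api@internal`, but if such a router is added later it needs an auth middleware in front of it, and a short comment saying so would prevent a surprise.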