From 9d8164f28d8d8e8cc2643b724fd05aa519f427f3 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Sat, 2 Nov 2024 23:59:38 -0400
Subject: [PATCH] update docker configs, upgrade postgres

Signed-off-by: ahuston-0
---
 systems/palatine-hill/attic/default.nix | 15 -----
 systems/palatine-hill/configuration.nix | 26 +-------
 systems/palatine-hill/docker/archiveteam.nix | 5 +-
 systems/palatine-hill/docker/default.nix | 18 +++---
 systems/palatine-hill/docker/firefly.nix | 4 +-
 systems/palatine-hill/docker/foundry.nix | 2 +-
 systems/palatine-hill/docker/glances.nix | 1 -
 systems/palatine-hill/docker/nextcloud.nix | 47 ++++++++++-----
 systems/palatine-hill/firewall.nix | 1 +
 systems/palatine-hill/postgresql.nix | 62 ++++++++++++++++++++
 systems/palatine-hill/secrets.yaml | 8 ++-
 systems/palatine-hill/vars.nix | 1 +
 12 files changed, 116 insertions(+), 74 deletions(-)
 create mode 100644 systems/palatine-hill/postgresql.nix

diff --git a/systems/palatine-hill/attic/default.nix b/systems/palatine-hill/attic/default.nix
index 1d52dc2..e061931 100644
--- a/systems/palatine-hill/attic/default.nix
+++ b/systems/palatine-hill/attic/default.nix
@@ -11,21 +11,6 @@
 ];
 services = {
- postgresql = {
- enable = true;
- ensureDatabases = [ "atticd" ];
- ensureUsers = [
- {
- name = "atticd";
- ensureDBOwnership = true;
- }
- ];
- upgrade = {
- enable = true;
- stopServices = [ "atticd" ];
- };
- };
-
 atticd = {
 enable = true;
diff --git a/systems/palatine-hill/configuration.nix b/systems/palatine-hill/configuration.nix
index 2860ebe..8184d77 100644
--- a/systems/palatine-hill/configuration.nix
+++ b/systems/palatine-hill/configuration.nix
@@ -16,6 +16,7 @@
 ./minio.nix
 ./networking.nix
 ./nextcloud.nix
+ ./postgresql.nix
 ./zfs.nix
 ];
@@ -68,31 +69,6 @@
 smartd.enable = true;
 calibre-server.enable = true;
- postgresql = {
- enable = true;
- enableJIT = true;
- identMap = ''
- # ArbitraryMapName systemUser DBUser
- superuser_map root postgres
- superuser_map alice postgres
- # Let other names login as themselves
- superuser_map /^(.*)$ \1
- '';
- # initialScript = config.sops.secrets."postgres/init".path;
- upgrade = {
- enable = true;
- stopServices = [
- "hydra-evaluator"
- "hydra-init"
- "hydra-notify"
- "hydra-queue-runner"
- "hydra-send-stats"
- "hydra-server"
- ];
- };
- };
 };
 nix.gc.options = "--delete-older-than 150d";
diff --git a/systems/palatine-hill/docker/archiveteam.nix b/systems/palatine-hill/docker/archiveteam.nix
index bc8e235..1ebc0d4 100644
--- a/systems/palatine-hill/docker/archiveteam.nix
+++ b/systems/palatine-hill/docker/archiveteam.nix
@@ -73,7 +73,7 @@ let
 };
 archiveteam-blogger = {
 image = "blogger-grab";
- scale = 0;
+ scale = 1;
 };
 archiveteam-vbox7 = {
 image = "vbox7-grab";
@@ -97,9 +97,8 @@ let
 };
 };
 container-spec = container-name: container: {
- image = "atdr.meo.ws/archiveteam/${container}";
+ image = "atdr.meo.ws/archiveteam/${container}:latest";
 extraOptions = [
- "--restart=unless-stopped"
 "--stop-signal=SIGINT"
 ];
 labels = {
diff --git a/systems/palatine-hill/docker/default.nix b/systems/palatine-hill/docker/default.nix
index d9f15a5..3608662 100644
--- a/systems/palatine-hill/docker/default.nix
+++ b/systems/palatine-hill/docker/default.nix
@@ -8,17 +8,17 @@
 {
 imports = [
 ./archiveteam.nix
- ./books.nix
- ./firefly.nix
- ./foundry.nix
+ # ./books.nix
+ #./firefly.nix
+ #./foundry.nix
 ./glances.nix
- ./haproxy.nix
- ./minecraft.nix
+ # ./haproxy.nix
+ # ./minecraft.nix
 ./nextcloud.nix
- ./postgres.nix
- ./restic.nix
- ./torr.nix
- ./unifi.nix
+ # ./postgres.nix
+ # ./restic.nix
+ # ./torr.nix
+ # ./unifi.nix
 ];
 virtualisation.oci-containers.backend = "docker";
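Review bot: `image = "atdr.meo.ws/archiveteam/${container}:latest"` is a mutable tag, so what container-spec actually runs depends on when the image was last pulled rather than on this config, and two deployments of the same commit can run different code. If following upstream's rolling grab images is intentional, record that on the line, e.g. `# :latest on purpose: upstream rebuilds the grab images in place without version tags`; otherwise pin the reference by digest (`image@sha256:<digest placeholder>`). container-spec continues outside the hunk, so any pull policy set there is not visible here.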
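Review bot: `./firefly.nix` and `./foundry.nix` are commented out of `imports` here, yet both files are modified in this same patch (the `.fidi.env` path fix and the foundry `restartUnits`), so those edits are no longer evaluated and a rebuild cannot catch a mistake in them. If these modules are meant to stay disabled, prefer deleting the import lines (history keeps them) or add a comment saying why each is off; as written, a reader cannot tell a temporary toggle from an abandoned service. The added lines also mix `# ./` and `#./` spacing, which is worth normalising while touching them.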
diff --git a/systems/palatine-hill/docker/firefly.nix b/systems/palatine-hill/docker/firefly.nix
index 4c6ca1e..872dcd4 100644
--- a/systems/palatine-hill/docker/firefly.nix
+++ b/systems/palatine-hill/docker/firefly.nix
@@ -8,7 +8,6 @@ in
 firefly = {
 image = "fireflyiii/core:latest";
 extraOptions = [
- "--restart=always"
 "--network=firefly-iii_default"
 "--network=postgres-net"
 ];
@@ -18,8 +17,7 @@ in
 };
 fidi = {
 image = "fireflyiii/data-importer:latest";
- extraOptions = [ "--restart=always" ];
- environmentFiles = [ "${ffiii_path}.fidi.env" ];
+ environmentFiles = [ "${ffiii_path}/.fidi.env" ];
 ports = [ "4187:8080" ];
 dependsOn = [ "firefly" ];
 };
diff --git a/systems/palatine-hill/docker/foundry.nix b/systems/palatine-hill/docker/foundry.nix
index 688c004..8799dbc 100644
--- a/systems/palatine-hill/docker/foundry.nix
+++ b/systems/palatine-hill/docker/foundry.nix
@@ -16,7 +16,6 @@ in
 environmentFiles = [ config.sops.secrets."docker/foundry".path ];
 volumes = [ "${fvtt_path}:/data" ];
 extraOptions = [
- "--restart=unless-stopped"
 "--network=haproxy-net"
 ];
 };
@@ -24,5 +23,6 @@ in
 sops.secrets."docker/foundry" = {
 owner = "docker-service";
+ restartUnits = [ "docker-foundryvtt.service" ];
 };
 }
diff --git a/systems/palatine-hill/docker/glances.nix b/systems/palatine-hill/docker/glances.nix
index 8fb5944..c7757cc 100644
--- a/systems/palatine-hill/docker/glances.nix
+++ b/systems/palatine-hill/docker/glances.nix
@@ -9,7 +9,6 @@ in
 glances = {
 image = "nicolargo/glances:latest-full";
 extraOptions = [
- "--restart=always"
 "--pid=host"
 "--network=haproxy-net"
 ];
diff --git a/systems/palatine-hill/docker/nextcloud.nix b/systems/palatine-hill/docker/nextcloud.nix
index 63b1788..29ca7a5 100644
--- a/systems/palatine-hill/docker/nextcloud.nix
+++ b/systems/palatine-hill/docker/nextcloud.nix
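Review bot: The corrected `environmentFiles = [ "${ffiii_path}/.fidi.env" ]` still feeds the data importer from a plaintext dotfile under its data path, while every other container touched by this patch (foundry, redis, nextcloud) takes its secret input from `config.sops.secrets.*` with `restartUnits`. If `.fidi.env` carries the importer's Firefly access token (its contents are not visible here), moving it into sops-nix would make it consistent with the rest; otherwise add `# plaintext env file, intentionally not sops-managed` on the line so the exception reads as deliberate. docker/default.nix stops importing this module in the same patch, so the path fix is not evaluated until the import returns.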
@@ -3,18 +3,20 @@ let
 vars = import ../vars.nix;
 nextcloud_path = vars.primary_nextcloud;
+ redis_path = vars.primary_redis;
 # nextcloud-image = import ./nextcloud-image { inherit pkgs; };
 nextcloud-base = {
- image = "nextcloud:stable-apache";
+ # image comes from running docker compose build in nextcloud-docker/.examples/full/apache
+ image = "nextcloud-nextcloud";
 hostname = "nextcloud";
 volumes = [
 "${nextcloud_path}/nc_data:/var/www/html:z"
 "${nextcloud_path}/nc_php:/usr/local/etc/php"
 "${nextcloud_path}/nc_prehooks:/docker-entrypoint-hooks.d/before-starting"
+ #"${nextcloud_path}/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro"
 ];
 extraOptions = [
- "--restart=unless-stopped"
 "--network=haproxy-net"
 "--network=postgres-net"
 "--network=nextcloud_default"
@@ -28,20 +30,19 @@ in
 nextcloud = nextcloud-base // {
 ports = [ "9999:80" ];
 };
- nextcloud-cron = nextcloud-base // {
- entrypoint = "/cron.sh";
- dependsOn = [
- "redis"
- "nextcloud"
- ];
- };
 redis = {
 image = "redis:latest";
- extraOptions = [ "--restart=unless-stopped" ];
- volumes = [ "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf" ];
+ user = "600:600";
+ volumes = [
+ "${config.sops.secrets."docker/redis".path}:/usr/local/etc/redis/redis.conf"
+ "${redis_path}:/data"
+ ];
+ extraOptions = [
+ "--network=nextcloud_default"
+ ];
 cmd = [
 "redis-server"
- config.sops.secrets."docker/redis".path
+ "/usr/local/etc/redis/redis.conf"
 ];
 };
 go-vod = {
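Review bot: `image = "nextcloud-nextcloud"` names an image that exists only after someone runs the `docker compose build` mentioned in the comment on this host, so on a fresh machine the unit cannot start until that manual step is repeated, and the base image and patch level Nextcloud runs on are no longer recorded anywhere in the repo. Extend the comment with what to pin, e.g. `# built locally from nextcloud-docker/.examples/full/apache; record the upstream base tag/digest the build used here`. The `remoteip.conf` mount is left as a commented line with no reason; with `--network=haproxy-net` in front, whatever lets the real client address reach Nextcloud is not visible in this hunk, so either explain why the mount is off or drop the line. nextcloud-base continues past the end of the hunk.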
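Review bot: redis now runs as `user = "600:600"`, but its only configuration input is the bind-mounted sops secret `docker/redis`, which the sops block in the following hunk still owns as `docker-service` with sops-nix's default owner-only mode (0400); unless docker-service's uid happens to be 600, the process cannot read `/usr/local/etc/redis/redis.conf` and `redis-server` exits at start. Either set that secret's `owner` to the uid the container runs as, or give it `mode = "0440"` with a `group` that uid 600 belongs to, and say which in a comment next to `user`. Separately, `nextcloud-cron` is removed with no replacement visible here, so Nextcloud background jobs stop running unless another mechanism exists — a one-line comment on `nextcloud = nextcloud-base // {` stating how background jobs are now scheduled would close that question.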
@@ -52,17 +53,33 @@ in
 };
 volumes = [ "${nextcloud_path}/nc_data:/var/www/html:ro" ];
 extraOptions = [
- "--restart=always"
 "--device=/dev/dri:/dev/dri"
 ];
 };
 };
+ users.users.www-data = {
+ uid = 33;
+ isSystemUser = true;
+ group = "www-data";
+ };
+
+ users.groups.www-data = {
+ gid = 33;
+ members = [ "www-data" ];
+ };
+
 sops = {
 defaultSopsFile = ../secrets.yaml;
 secrets = {
- "docker/redis".owner = "docker-service";
- "docker/nextcloud".owner = "docker-service";
+ "docker/redis" = {
+ owner = "docker-service";
+ restartUnits = [ "docker-redis.service" ];
+ };
+ "docker/nextcloud" = {
+ owner = "www-data";
+ restartUnits = [ "docker-nextcloud.service" ];
+ };
 };
 };
 }
diff --git a/systems/palatine-hill/firewall.nix b/systems/palatine-hill/firewall.nix
index 63bbb2f..73937fc 100644
--- a/systems/palatine-hill/firewall.nix
+++ b/systems/palatine-hill/firewall.nix
@@ -5,6 +5,7 @@
 8081
 8082
 8443
+ 3000
 ];
 }
diff --git a/systems/palatine-hill/postgresql.nix b/systems/palatine-hill/postgresql.nix
new file mode 100644
index 0000000..a8d616b
--- /dev/null
+++ b/systems/palatine-hill/postgresql.nix
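Review bot: The new host account `users.users.www-data` with `uid = 33` exists, as far as this hunk shows, only so that the `docker/nextcloud` secret can be owned by the uid the nextcloud container runs as, but nothing in the block says so and 33 is a bare constant that a later reader will not connect to the container. Add `# uid/gid 33 = www-data inside the nextcloud image; the secret owner must match the container user` above `users.users.www-data`, and note that creating a real host user for a container uid widens what that uid can touch on the host if the two ever diverge. `members = [ "www-data" ]` on the group duplicates `group = "www-data"` on the user and can be dropped.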
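Review bot: `3000` is added to the open TCP ports with no indication of which service listens there, and the neighbouring entries are just as bare, so the exposure this rule creates cannot be audited from the file. Annotate it, e.g. `3000 # <service that listens here>`, and if the listener only needs to be reached from the proxy network consider not opening it on the host at all. The enclosing option (presumably `networking.firewall.allowedTCPPorts`) starts outside the hunk.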
@@ -0,0 +1,62 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+# sudo -u postgres vacuumdb --all --analyze-in-stages
+# /var/lib/postgresql/16/delete_old_cluster.sh
+let
+ vars = import ./vars.nix;
+ dataDir = "${vars.primary_db}/postgresql/nix/${config.services.postgresql.package.psqlSchema}";
+ backupLocation = "${vars.primary_db}/postgresql/nix_backups";
+in
+{
+ services = {
+ postgresql = {
+ inherit dataDir;
+ enable = true;
+ enableJIT = true;
+ package = pkgs.postgresql_16;
+ identMap = ''
+ # ArbitraryMapName systemUser DBUser
+ superuser_map root postgres
+ superuser_map alice postgres
+ # Let other names login as themselves
+ superuser_map /^(.*)$ \1
+ '';
+
+ # initialScript = config.sops.secrets."postgres/init".path;
+ ensureDatabases = [ "atticd" ];
+ ensureUsers = [
+ {
+ name = "atticd";
+ ensureDBOwnership = true;
+ }
+ ];
+
+ refreshCollation = true;
+ vacuumAnalyzeTimer.enable = true;
+ upgrade = {
+ enable = true;
+ stopServices = [
+ "hydra-evaluator"
+ "hydra-init"
+ "hydra-notify"
+ "hydra-queue-runner"
+ "hydra-send-stats"
+ "hydra-server"
+ "atticd"
+ ];
+ };
+ };
+ postgresqlBackup = {
+ enable = true;
+ compression = "zstd";
+ compressionLevel = 19;
+ pgdumpOptions = "--create --clean";
+ location = backupLocation;
+ };
+ };
+}
diff --git a/systems/palatine-hill/secrets.yaml b/systems/palatine-hill/secrets.yaml
index 8dbc233..879127b 100644
--- a/systems/palatine-hill/secrets.yaml
+++ b/systems/palatine-hill/secrets.yaml
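Review bot: The two command comments at the top (`# sudo -u postgres vacuumdb --all --analyze-in-stages` and `# /var/lib/postgresql/16/delete_old_cluster.sh`) read as post-upgrade runbook steps, but nothing says when they apply, and the second path does not match the configured `dataDir` under `${vars.primary_db}/postgresql/nix/<psqlSchema>`, so it looks stale. Replace them with a short header, e.g. `# After a major-version upgrade: re-analyze with vacuumdb --all --analyze-in-stages, then run the delete_old_cluster.sh that pg_upgrade left beside the new data directory`. Two values in the file carry security weight and deserve a line each: `identMap` maps `root` and `alice` to the `postgres` superuser and every other local user to a same-named role via `/^(.*)$ \1`, and `postgresqlBackup` writes `--create --clean` dumps (of every database, unless `databases` is set elsewhere) to `backupLocation`, so state who may read that directory and whether the dataset is encrypted, since the dumps hold the same data as the cluster.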
@@ -14,6 +14,10 @@ upsmon:
 password: ENC[AES256_GCM,data:0tZKzQOYaij9jdnDTv61ma8i,iv:GEqlCOOUHTjUzfz+X5lCnqcX9SjAG6bVc8Luv97wnSg=,tag:XLvsucW6sIMHKG2AHmxZEw==,type:str]
 minio:
 credentials: ENC[AES256_GCM,data:78ANAQ2756IISlkUFPxy9lQYRml8C9PvkkiXME4nMjtWwPgybvSM2nrO3yVhTgyOyUZjYYWzJlpwstfIAbuWEgGFhbMixSSNSgsWozojm0hWfPBWZ5x4iX++0ARFdfxIAjiGlM/HGa0YO/2tSA6oW6FqM4RbC1vPnqJc,iv:8Y+SilqKsUH/J6M+l4Wpm2J3nPXeoUhA1+GvhzlqMHE=,tag:5dYBlYPIUjd+U+r/dqJWIA==,type:str]
+docker:
+ foundry: ENC[AES256_GCM,data:K2dviECCTJTzDzMsnmJRmccA7AE7G9vy1yLvjYLFg4eLTsTLo0zatbtmqls5JIeDMTLdTBcELz+YpWYq1y9pY/nuzFfx1X77w3JwklAe7lYZ8vaTKS/ohvt3M/u3qC9Z1P2t/Uc=,iv:UdPMh+GVR1CkUSTb266DUC0E2bLmBn/cQK9V0962X8g=,tag:XC/a2B88QFeuAPuLriFN4A==,type:str]
+ nextcloud: ENC[AES256_GCM,data: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,iv:3mOZtR1VH43DY5muW/jaTfoV93I+cl4ZbWFEZSe9gZM=,tag:nMZfN1718/fufrRHcHp3nA==,type:str]
+ redis: ENC[AES256_GCM,data:/3gCgqE5Jiplaw3SlbeA5dmOkCD5frZ9dhRYwhFGAbQ=,iv:8setdgbXwOfOOkEwqG70GjTYUty5clRmzdpPYfUcA9c=,tag:guSVDvr2ou9dLnVAfxfN7w==,type:str]
 server-validation:
 webhook: ENC[AES256_GCM,data:d8drMmXcbWCGwOanYr6jUCz5+d1bgTrPKMl4yxFi49oapqFUFSQo2pA3bP9DA2n0b63ZJp1IDyJGBRGjFUsSC8EkKQsYMIm962o++D4h7/l9GZU2TBcn5VgvSldETgwloMg92i3zEApNCeZTtwFwJuJTwmUsZmg528Kj7SBcDw4H18dW8MMfgzBTkZUh,iv:F/UtYjWNoG1la1xaNevRXP/4lNT2TgYfmukbncHILDA=,tag:fJpdG5di6j8Wm54KLHZEsg==,type:str]
 sops:
@@ -31,8 +35,8 @@ sops:
 d241ZnZ2MWg3YVNBbkh2S0NqeE5PdFEKWqnQH4kZszkKZTSgur0c5hGMoMx9zBdz
 tSvUbe2+WKX7q6y7XqsD1KjFI+POVDF+YN7H9ja96+JqvKRteXNhCg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-21T03:48:29Z"
- mac: ENC[AES256_GCM,data:4Pt9+NLI9fawOFo8eljafNF8UgIlkSWAuZKGi9GHlVTSqBnpVuVBb5WYhNxLJ/02a2kJ4M1v/YdFIOuLiUVjLopF0phpWZU96eCrblO+9qzss+LvwCTVoTWTzA3Mqh5nKOo2PC8pPi/LeNjdpbIkPZB56O3o8oq0IAQ92h+jCJo=,iv:SU1v+xDK2WW6ugf2Z9QkuwtghavBuKceOr0gQ38tF+0=,tag:U6l+qQZpEZF6TApBbBaqYg==,type:str]
+ lastmodified: "2024-11-02T22:44:22Z"
+ mac: ENC[AES256_GCM,data:8SO1wP5wWDTqut+GWtYv2rMjcLhOZmzeUViXxOHuKiqUr0mrNIonsRpZi/qVNmWkJ3svjrt6N1cyoGXcLzg+mcj7AA7jsARUhrG8awXjISW0n0LUz4TTIXvecVHmw6iKdMNt+5IvhQd3u+UM1WJxf8ELfy5D+z1NWjJ6YOcIEDw=,iv:xn4MGMS4k+BA50FuzCpmUfC3e790X1uLdbtSHUfO7r8=,tag:r0C/HNl3NGt6i89nRRAFoQ==,type:str]
 pgp:
 - created_at: "2024-09-05T06:10:49Z"
 enc: |-
diff --git a/systems/palatine-hill/vars.nix b/systems/palatine-hill/vars.nix
index 780749c..5c6732c 100644
--- a/systems/palatine-hill/vars.nix
+++ b/systems/palatine-hill/vars.nix
@@ -13,5 +13,6 @@ rec {
 primary_libvirt = "${zfs_primary}/libvirt";
 primary_minio = "${zfs_primary}/minio";
 primary_nextcloud = "${zfs_primary}/nextcloud";
+ primary_redis = "${zfs_primary}/redis";
 primary_torr = "${zfs_primary}/torr";
 }