diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index 00a68296..f5261107 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -8,9 +8,6 @@
 uid = 994;
 gid = 993;
- pihole = {
- enable = true;
- };
 unbound = {
 enable = false;
 };
@@ -57,9 +54,16 @@
 credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
 };
 };
- qbittorrent = {
+ podman = {
 enable = true;
- port = 8080;
+ qbittorrent = {
+ enable = true;
+ port = 8080;
+ };
+ pihole = {
+ enable = true;
+ port = 8054;
+ };
 };
 };
 }
diff --git a/modules/default.nix b/modules/default.nix
index e40daa45..3bd787e3 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -133,8 +133,7 @@
 ./server/sonarr
 ./server/jellyseerr
 ./server/jellyfin
- ./server/qbittorrent
- ./server/pihole
+ ./server/podman
 ./server/unbound
 ./server/uptime-kuma
 ];
diff --git a/modules/server/podman/default.nix b/modules/server/podman/default.nix
new file mode 100644
index 00000000..a00caf67
--- /dev/null
+++ b/modules/server/podman/default.nix
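Review bot: `port = 8054;` for pihole in the second hunk only reaches the Caddy `reverse_proxy` target in the new podman module, while the container itself still publishes the admin UI with the literal `8053:80/tcp`, so with this value Caddy will proxy `pihole.<domain>` to 127.0.0.1:8054 where nothing listens. Until the module derives its port mapping from the option, the host config should keep `port = 8053;` (the option default) or omit the line. The same applies to `qbittorrent.port`: both the qbittorrent and gluetun containers hardcode `8080:8080`, so only the default value works end to end.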
@@ -0,0 +1,186 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ srv = config.server;
+ cfg = config.server.podman;
+in {
+ options.server.podman = {
+ enable = lib.mkEnableOption "Enables Podman";
+ qbittorrent = {
+ enable = lib.mkEnableOption "Enable qBittorrent";
+ url = lib.mkOption {
+ type = lib.types.str;
+ default = "qbt.${srv.domain}";
+ };
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 8080;
+ description = "The port to host qBittorrent on.";
+ };
+ homepage.name = lib.mkOption {
+ type = lib.types.str;
+ default = "qBittorrent";
+ };
+ homepage.description = lib.mkOption {
+ type = lib.types.str;
+ default = "Torrent client";
+ };
+ homepage.icon = lib.mkOption {
+ type = lib.types.str;
+ default = "qbittorrent.svg";
+ };
+ homepage.category = lib.mkOption {
+ type = lib.types.str;
+ default = "Downloads";
+ };
+ };
+ pihole = {
+ enable = lib.mkEnableOption {
+ description = "Enable";
+ };
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 8053;
+ description = "The port to host PiHole on.";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ default = "pihole.${srv.domain}";
+ };
+ homepage.name = lib.mkOption {
+ type = lib.types.str;
+ default = "PiHole";
+ };
+ homepage.description = lib.mkOption {
+ type = lib.types.str;
+ default = "Adblocking and DNS service";
+ };
+ homepage.icon = lib.mkOption {
+ type = lib.types.str;
+ default = "pi-hole.svg";
+ };
+ homepage.category = lib.mkOption {
+ type = lib.types.str;
+ default = "Services";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation = {
+ containers.enable = true;
+ podman.enable = true;
+ };
+
+ networking.firewall = lib.mkIf cfg.pihole.enable {
+ allowedTCPPorts = [53 5335];
+ allowedUDPPorts = [53 5335];
+ };
+
+ services.caddy.virtualHosts = lib.mkMerge [
+ (lib.mkIf cfg.qbittorent.enable {
+ "${cfg.qbittorrent.url}" = {
+ useACMEHost = srv.domain;
+ extraConfig = ''
+ reverse_proxy http://127.0.0.1:${toString cfg.qbittorrent.port}
+ '';
+ };
+ })
+
(lib.mkIf cfg.pihole.enable {
+ "${cfg.pihole.url}" = {
+ useACMEHost = srv.domain;
+ extraConfig = ''
+ reverse_proxy http://127.0.0.1:${toString cfg.pihole.port}
+ '';
+ };
+ })
+ ];
+
+ virtualisation.oci-containers.containers = lib.mkMerge [
+ (lib.mkIf cfg.qbittorrent.enable {
+ qbittorrent = {
+ image = "ghcr.io/hotio/qbittorrent:latest";
+ autoStart = true;
+ dependsOn = ["gluetun"];
+ ports = [
+ "8080:8080"
+ "58846:58846"
+ ];
+ extraOptions = [
+ "--network=container:gluetun"
+ ];
+ volumes = [
+ "/var/lib/qbittorrent:/config:rw"
+ "/share/downloads:/downloads:rw"
+ ];
+ environmentFiles = [
+ config.age.secrets.gluetunEnv.path
+ ];
+ environment = {
+ PUID = "994";
+ PGID = "993";
+ TZ = "Europe/Stockholm";
+ WEBUI_PORT = "${builtins.toString cfg.qbittorrent.port}";
+ };
+ };
+
+ gluetun = {
+ image = "qmcgaw/gluetun";
+ ports = [
+ "8388:8388"
+ "58846:58846"
+ "8080:8080"
+ ];
+ devices = ["/dev/net/tun:/dev/net/tun"];
+ autoStart = true;
+ extraOptions = [
+ "--cap-add=NET_ADMIN"
+ ];
+ volumes = ["/var:/gluetun"];
+ environmentFiles = [
+ config.age.secrets.gluetunEnv.path
+ ];
+ environment = {
+ DEV_MODE = "false";
+ VPN_SERVICE_PROVIDER = "mullvad";
+ VPN_TYPE = "wireguard";
+ SERVER_CITIES = "Stockholm";
+ };
+ };
+ })
+
+ (lib.mkIf cfg.pihole.enable {
+ pihole = {
+ autoStart = true;
+ image = "pihole/pihole:latest";
+ volumes = [
+ "/var/lib/pihole:/etc/pihole/"
+ "/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
+ ];
+ environment = {
+ TZ = "Europe/Stockholm";
+ CUSTOM_CACHE_SIZE = "0";
+ # PIHOLE_DNS_ = "10.88.0.1#5335";
+ # DNSSEC = "false";
+ # REV_SERVER = "true";
+ WEBTHEME = "default-darker";
+ };
+ environmentFiles = [config.age.secrets.pihole.path];
+ ports = [
+ "53:53/tcp"
+ "53:53/udp"
+ "8053:80/tcp"
+ ];
+ extraOptions = [
+ "--cap-add=NET_ADMIN"
+ "--cap-add=SYS_NICE"
+ "--cap-add=SYS_TIME"
+ ];
+ };
+ })
+ ];
+ };
+}
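Review bot: The gluetun container mounts the host's entire `/var` read-write (`volumes = ["/var:/gluetun"];`) while holding NET_ADMIN and the Mullvad WireGuard credentials, and that same `gluetunEnv` secret is also injected into the qbittorrent container, which has no use for it — gluetun should get a dedicated state directory such as `/var/lib/gluetun`, and `environmentFiles` should be dropped from the qbittorrent entry. Every `ports` mapping in the hunk (53, 8053, 8080, 8388, 58846) binds to all host interfaces, so the Pi-hole admin UI and the qBittorrent WebUI are reachable directly rather than only through the Caddy/ACME vhosts that proxy to 127.0.0.1; published ports are presumably NATed ahead of the NixOS firewall, so `allowedTCPPorts` does not gate them, and the HTTP ports should be bound to loopback. The literal `8053:80/tcp` and `8080:8080` also ignore the `port` options the Caddy blocks use, so any non-default value proxies to a closed port, and `ports` on the qbittorrent entry is redundant with `--network=container:gluetun` (podman may reject the combination). Separately, `lib.mkIf cfg.qbittorent.enable` (missing `r`) fails evaluation with "attribute 'qbittorent' missing" once `server.podman.enable` is set and the Caddy vhosts are evaluated, and `mkEnableOption` takes a string, not `{ description = "Enable"; }`. Both images are pulled as `:latest`, which makes the deployment non-reproducible; pinning a tag or digest is worth considering.
```nix
    services.caddy.virtualHosts = lib.mkMerge [
      (lib.mkIf cfg.qbittorrent.enable {
        # … unchanged: qbittorrent vhost body …
      })
      # … unchanged: pihole vhost …
    ];

    virtualisation.oci-containers.containers = lib.mkMerge [
      (lib.mkIf cfg.qbittorrent.enable {
        qbittorrent = {
          # … unchanged: image, autoStart, dependsOn, extraOptions, volumes, environment …
          # no `ports`: the container shares gluetun's network namespace
          # no `environmentFiles`: the VPN credentials stay in gluetun only
        };

        gluetun = {
          # … unchanged: image, devices, autoStart, extraOptions, environmentFiles, environment …
          ports = [
            "8388:8388"
            "58846:58846"
            # WebUI is only reached through Caddy, so keep it off the public interfaces
            "127.0.0.1:${toString cfg.qbittorrent.port}:${toString cfg.qbittorrent.port}"
          ];
          # dedicated state dir instead of the whole host /var
          volumes = ["/var/lib/gluetun:/gluetun"];
        };
      })

      (lib.mkIf cfg.pihole.enable {
        pihole = {
          # … unchanged: autoStart, image, volumes, environment, environmentFiles, extraOptions …
          ports = [
            "53:53/tcp"
            "53:53/udp"
            # admin UI follows the port option and is loopback-only (Caddy fronts it)
            "127.0.0.1:${toString cfg.pihole.port}:80/tcp"
          ];
        };
      })
    ];
```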