diff --git a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix index 8eb7070..aeeeb55 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix @@ -159,38 +159,14 @@ in }; containers = { - authelia-init = { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-yq}"; - volumes = - let - entrypoint = pkgs.writeTextFile { - name = "entrypoint.sh"; - executable = true; - text = builtins.readFile ./init-entrypoint.sh; - }; - in - [ - "${volumes.authelia.ref}:/etc/authelia" - "${hmConfig.sops.templates.authelia-users.path}:/etc/authelia/users.yaml.default:ro" - "${hmConfig.sops.templates.authelia.path}:/etc/authelia/conf.d/authelia.yaml:ro" - "${entrypoint}:/entrypoint.sh:ro" - ]; - entrypoint = "/entrypoint.sh"; - }; - - serviceConfig = { - Type = "oneshot"; - Restart = "on-failure"; - }; - - unitConfig.After = [ "sops-nix.service" ]; - }; - authelia = { containerConfig = { image = "docker-archive:${selfPkgs.docker-authelia}"; - volumes = [ "${volumes.authelia.ref}:/etc/authelia" ]; + volumes = [ + "${volumes.authelia.ref}:/etc/authelia" + "${hmConfig.sops.templates.authelia-users.path}:/etc/authelia/users.yaml.default:ro" + "${hmConfig.sops.templates.authelia.path}:/etc/authelia/conf.d/authelia.yaml:ro" + ]; networks = [ networks.authelia.ref networks.traefik.ref @@ -207,7 +183,6 @@ in }; unitConfig.After = [ - "${containers.authelia-init._serviceName}.service" "${containers.authelia-postgresql._serviceName}.service" "${containers.authelia-redis._serviceName}.service" "sops-nix.service" @@ -236,7 +211,7 @@ in exec = [ "--save 60 1" ]; }; - prometheus-init.containerConfig.volumes = + prometheus.containerConfig.volumes = let autheliaConfig = (pkgs.formats.yaml { }).generate "authelia.yaml" { scrape_configs = 
diff --git a/hosts/jupiter/users/storm/configs/console/podman/authelia/init-entrypoint.sh b/hosts/jupiter/users/storm/configs/console/podman/authelia/init-entrypoint.sh deleted file mode 100644 index 725a9ab..0000000 --- a/hosts/jupiter/users/storm/configs/console/podman/authelia/init-entrypoint.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/sh - -set -o errexit -set -o nounset - -touch /etc/authelia/users.yaml -# shellcheck disable=SC2016 -yq eval-all '. as $item ireduce ({}; . * $item)' /etc/authelia/users.yaml /etc/authelia/users.yaml.default -i -# shellcheck disable=SC2016 -yq eval-all '. as $item ireduce ({}; . *+ $item)' /etc/authelia/conf.d/*.yaml > /etc/authelia/configuration.yaml diff --git a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix index 090fce8..d6244bb 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/gitea/default.nix @@ -258,7 +258,7 @@ in unitConfig.After = [ "sops-nix.service" ]; }; - authelia-init.containerConfig.volumes = [ + authelia.containerConfig.volumes = [ "${hmConfig.sops.templates.authelia-gitea.path}:/etc/authelia/conf.d/gitea.yaml:ro" ]; }; diff --git a/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix b/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix index 338f53b..479960e 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix @@ -147,7 +147,7 @@ in networks = [ networks.grafana.ref ]; }; - authelia-init.containerConfig.volumes = [ + authelia.containerConfig.volumes = [ "${hmConfig.sops.templates.authelia-grafana.path}:/etc/authelia/conf.d/grafana.yaml:ro" ]; }; 
diff --git a/hosts/jupiter/users/storm/configs/console/podman/jellyfin/default.nix b/hosts/jupiter/users/storm/configs/console/podman/jellyfin/default.nix index 2836ce4..0e4d6a3 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/jellyfin/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/jellyfin/default.nix @@ -123,7 +123,7 @@ in unitConfig.After = [ "sops-nix.service" ]; }; - authelia-init.containerConfig.volumes = [ + authelia.containerConfig.volumes = [ "${hmConfig.sops.templates.authelia-jellyfin.path}:/etc/authelia/conf.d/jellyfin.yaml:ro" ]; }; diff --git a/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix b/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix index 13625ad..3cb95fe 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/nextcloud/default.nix @@ -222,7 +222,7 @@ in unitConfig.After = [ "sops-nix.service" ]; }; - authelia-init.containerConfig.volumes = [ + authelia.containerConfig.volumes = [ "${hmConfig.sops.templates.authelia-nextcloud.path}:/etc/authelia/conf.d/nextcloud.yaml:ro" ]; }; diff --git a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix index ac548e6..762c14c 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/ntfy/default.nix @@ -122,7 +122,7 @@ in unitConfig.After = [ "sops-nix.service" ]; }; - prometheus-init.containerConfig.volumes = + prometheus.containerConfig.volumes = let ntfyConfig = (pkgs.formats.yaml { }).generate "ntfy.yaml" { scrape_configs = diff --git a/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix b/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix index a0c04b7..bb27000 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix 
+++ b/hosts/jupiter/users/storm/configs/console/podman/outline/default.nix @@ -160,7 +160,7 @@ in exec = [ "--save 60 1" ]; }; - authelia-init.containerConfig.volumes = [ + authelia.containerConfig.volumes = [ "${hmConfig.sops.templates.authelia-outline.path}:/etc/authelia/conf.d/outline.yaml:ro" ]; }; diff --git a/hosts/jupiter/users/storm/configs/console/podman/prometheus/default.nix b/hosts/jupiter/users/storm/configs/console/podman/prometheus/default.nix index 96c9e41..bd2b769 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/prometheus/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/prometheus/default.nix @@ -80,7 +80,7 @@ in home-manager.users.${user} = let - inherit (hmConfig.virtualisation.quadlet) volumes containers networks; + inherit (hmConfig.virtualisation.quadlet) volumes networks; in { virtualisation.quadlet = { 
@@ -119,165 +119,140 @@ in exec = [ "--collector.enable-all" ]; }; - prometheus-init = - let - prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yaml" { - global.scrape_interval = "15s"; + prometheus.containerConfig = { + image = "docker-archive:${selfPkgs.docker-prometheus}"; + volumes = + let + prometheusConfig = (pkgs.formats.yaml { }).generate "prometheus.yaml" { + global.scrape_interval = "15s"; - scrape_configs = - let - hostname = config.networking.hostName; - jupiterVpsHostname = jupiterVpsConfig.networking.hostName; - in - [ - { - job_name = "${hostname}-node-exporter"; - static_configs = [ - { - targets = [ "host.containers.internal:9100" ]; - labels = { - app = "node-exporter"; - user = "root"; - inherit hostname; - }; - } - { - targets = [ "prometheus-node-exporter:9100" ]; - labels = { - app = "node-exporter"; - inherit user hostname; - }; - } - ]; - } - { - job_name = "${hostname}-podman-exporter"; - static_configs = [ - { - targets = [ "host.containers.internal:9882" ]; - labels = { - app = "podman-exporter"; - user = "root"; - inherit hostname; - }; - } - { - targets = [ "prometheus-podman-exporter:9882" ]; - labels = { - app = "podman-exporter"; - inherit user hostname; - }; - } - ]; - } - { - job_name = "${hostname}-fail2ban-exporter"; - static_configs = [ - { - targets = [ "host.containers.internal:9191" ]; - labels = { - app = "fail2ban-exporter"; - user = "root"; - inherit hostname; - }; - } - ]; - } - { - job_name = "${hostname}-smartctl-exporter"; - static_configs = [ - { - targets = [ "host.containers.internal:9633" ]; - labels = { - app = "smartctl-exporter"; - user = "root"; - inherit hostname; - }; - } - ]; - } - { - job_name = "${jupiterVpsHostname}-node-exporter"; - static_configs = [ - { - targets = [ "10.0.0.1:9100" ]; - labels = { - app = "node-exporter"; - user = "root"; - hostname = jupiterVpsHostname; - }; - } - ]; - } - { - job_name = "${jupiterVpsHostname}-podman-exporter"; - static_configs = [ - { - targets = [ 
"10.0.0.1:9882" ]; - labels = { - app = "podman-exporter"; - user = "root"; - hostname = jupiterVpsHostname; - }; - } - ]; - } - { - job_name = "${jupiterVpsHostname}-fail2ban-exporter"; - static_configs = [ - { - targets = [ "10.0.0.1:9191" ]; - labels = { - app = "fail2ban-exporter"; - user = "root"; - hostname = jupiterVpsHostname; - }; - } - ]; - } - ]; - }; - in - { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-yq}"; - volumes = [ - "${volumes.prometheus-config.ref}:/etc/prometheus" - "${prometheusConfig}:/etc/prometheus/conf.d/prometheus.yaml" - ]; - entrypoint = "/bin/bash"; - exec = [ - "-c" - "yq eval-all '. as $item ireduce ({}; . *+ $item)' /etc/prometheus/conf.d/*.yaml > /etc/prometheus/prometheus.yaml" - ]; - }; - - serviceConfig = { - Type = "oneshot"; - Restart = "on-failure"; - }; - }; - - prometheus = { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-prometheus}"; - volumes = [ + scrape_configs = + let + hostname = config.networking.hostName; + jupiterVpsHostname = jupiterVpsConfig.networking.hostName; + in + [ + { + job_name = "${hostname}-node-exporter"; + static_configs = [ + { + targets = [ "host.containers.internal:9100" ]; + labels = { + app = "node-exporter"; + user = "root"; + inherit hostname; + }; + } + { + targets = [ "prometheus-node-exporter:9100" ]; + labels = { + app = "node-exporter"; + inherit user hostname; + }; + } + ]; + } + { + job_name = "${hostname}-podman-exporter"; + static_configs = [ + { + targets = [ "host.containers.internal:9882" ]; + labels = { + app = "podman-exporter"; + user = "root"; + inherit hostname; + }; + } + { + targets = [ "prometheus-podman-exporter:9882" ]; + labels = { + app = "podman-exporter"; + inherit user hostname; + }; + } + ]; + } + { + job_name = "${hostname}-fail2ban-exporter"; + static_configs = [ + { + targets = [ "host.containers.internal:9191" ]; + labels = { + app = "fail2ban-exporter"; + user = "root"; + inherit hostname; + }; + } + ]; + } + { + 
job_name = "${hostname}-smartctl-exporter"; + static_configs = [ + { + targets = [ "host.containers.internal:9633" ]; + labels = { + app = "smartctl-exporter"; + user = "root"; + inherit hostname; + }; + } + ]; + } + { + job_name = "${jupiterVpsHostname}-node-exporter"; + static_configs = [ + { + targets = [ "10.0.0.1:9100" ]; + labels = { + app = "node-exporter"; + user = "root"; + hostname = jupiterVpsHostname; + }; + } + ]; + } + { + job_name = "${jupiterVpsHostname}-podman-exporter"; + static_configs = [ + { + targets = [ "10.0.0.1:9882" ]; + labels = { + app = "podman-exporter"; + user = "root"; + hostname = jupiterVpsHostname; + }; + } + ]; + } + { + job_name = "${jupiterVpsHostname}-fail2ban-exporter"; + static_configs = [ + { + targets = [ "10.0.0.1:9191" ]; + labels = { + app = "fail2ban-exporter"; + user = "root"; + hostname = jupiterVpsHostname; + }; + } + ]; + } + ]; + }; + in + [ + "${prometheusConfig}:/etc/prometheus/conf.d/prometheus.yaml" "${volumes.prometheus-config.ref}:/etc/prometheus" "${volumes.prometheus-data.ref}:/var/lib/prometheus" ]; - networks = [ - networks.prometheus.ref - networks.grafana.ref - ]; - exec = [ - "--log.level=warn" - "--config.file=/etc/prometheus/prometheus.yaml" - "--storage.tsdb.path=/var/lib/prometheus" - "--storage.tsdb.retention.time=1y" - ]; - }; - - unitConfig.After = [ "${containers.prometheus-init._serviceName}.service" ]; + networks = [ + networks.prometheus.ref + networks.grafana.ref + ]; + exec = [ + "--log.level=warn" + "--storage.tsdb.retention.time=1y" + ]; }; grafana.containerConfig.volumes = diff --git a/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix b/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix index cd330e6..2fb1064 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix 
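Review bot: The store-path mount `"${prometheusConfig}:/etc/prometheus/conf.d/prometheus.yaml"` in the rebuilt volumes list carries no `:ro` suffix, whereas the equivalent sops-template mounts added to the authelia container in the first hunk of this commit are all `:ro`; a Nix store path is read-only on the host anyway, but `"${prometheusConfig}:/etc/prometheus/conf.d/prometheus.yaml:ro"` makes the intent explicit and keeps the two containers consistent. The fragments other modules contribute through `prometheus.containerConfig.volumes` (ntfy, traefik and authelia hunks) are only partially visible here, so their `:ro` state could not be checked. Dropping `--config.file` and `--storage.tsdb.path` from `exec` is coherent with the new image entrypoint, but a short comment next to the remaining `exec` list noting that the config and data paths are fixed by the image's entrypoint would save the next reader a trip to packages/docker/prometheus/entrypoint.sh.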
@@ -122,7 +122,7 @@ in unitConfig.After = [ "sops-nix.service" ]; }; - authelia-init.containerConfig.volumes = + authelia.containerConfig.volumes = let config = (pkgs.formats.yaml { }).generate "shlink.yaml" { access_control.rules = [ diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix index 650de1a..acda0ca 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix @@ -133,7 +133,7 @@ in }; }; - authelia-init.containerConfig.volumes = + authelia.containerConfig.volumes = let config = (pkgs.formats.yaml { }).generate "traefik.yaml" { access_control.rules = [ @@ -147,7 +147,7 @@ in in [ "${config}:/etc/authelia/conf.d/traefik.yaml:ro" ]; - prometheus-init.containerConfig.volumes = + prometheus.containerConfig.volumes = let traefikConfig = (pkgs.formats.yaml { }).generate "traefik.yaml" { scrape_configs = diff --git a/hosts/jupiter/users/storm/configs/console/podman/transmission/default.nix b/hosts/jupiter/users/storm/configs/console/podman/transmission/default.nix index 0308b56..cc39541 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/transmission/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/transmission/default.nix @@ -63,7 +63,7 @@ in unitConfig.After = [ "sops-nix.service" ]; }; - authelia-init.containerConfig.volumes = + authelia.containerConfig.volumes = let config = (pkgs.formats.yaml { }).generate "transmission.yaml" { access_control.rules = [ diff --git a/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix b/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix index 72b68a4..75c4dd2 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix 
@@ -144,7 +144,7 @@ in
 unitConfig.After = [ "sops-nix.service" ];
 };
- authelia-init.containerConfig.volumes = [
+ authelia.containerConfig.volumes = [
 "${hmConfig.sops.templates.authelia-vaultwarden.path}:/etc/authelia/conf.d/vaultwarden.yaml:ro"
 ];
 };
diff --git a/packages/default.nix b/packages/default.nix
index a5dea48..ecb8c1a 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -39,7 +39,6 @@
 docker-traefik = import ./docker/traefik { inherit pkgs; };
 docker-transmission-protonvpn = import ./docker/transmission-protonvpn { inherit pkgs; };
 docker-whoami = import ./docker/whoami { inherit pkgs; };
- docker-yq = import ./docker/yq { inherit pkgs; };
 jellyfin-plugin-bookshelf = import ./jellyfin/plugins/bookshelf { inherit pkgs; };
 jellyfin-plugin-intro-skipper = import ./jellyfin/plugins/intro-skipper { inherit pkgs; };
diff --git a/packages/docker/authelia/default.nix b/packages/docker/authelia/default.nix
index eabe423..a7a4671 100644
--- a/packages/docker/authelia/default.nix
+++ b/packages/docker/authelia/default.nix
@@ -1,20 +1,28 @@
 { pkgs, ... }:
+let
+ entrypoint = pkgs.writeTextFile {
+ name = "entrypoint";
+ executable = true;
+ destination = "/bin/entrypoint";
+ text = builtins.readFile ./entrypoint.sh;
+ };
+in
 pkgs.dockerTools.buildImage {
 name = "authelia";
 fromImage = import ../base { inherit pkgs; };
 copyToRoot = pkgs.buildEnv {
 name = "root";
- paths = with pkgs; [ authelia ];
+ paths = with pkgs; [
+ entrypoint
+ authelia
+ yq-go
+ ];
 pathsToLink = [ "/bin" ];
 };
 config = {
- Entrypoint = [ "authelia" ];
- Cmd = [
- "--config"
- "/etc/authelia/configuration.yaml"
- ];
+ Entrypoint = [ "entrypoint" ];
 ExposedPorts = {
 "9091/tcp" = { };
 };
diff --git a/packages/docker/authelia/entrypoint.sh b/packages/docker/authelia/entrypoint.sh
new file mode 100644
index 0000000..49b22f2
--- /dev/null
+++ b/packages/docker/authelia/entrypoint.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+
+if [ -f /etc/authelia/users.yaml.default ]; then
+ touch /etc/authelia/users.yaml
+ # shellcheck disable=SC2016
+ yq eval-all '. as $item ireduce ({}; . * $item)' /etc/authelia/users.yaml /etc/authelia/users.yaml.default -i
+fi
+
+if [ -d /etc/authelia/conf.d ]; then
+ # shellcheck disable=SC2016
+ yq eval-all '. as $item ireduce ({}; . *+ $item)' /etc/authelia/conf.d/*.yaml > /etc/authelia/configuration.yaml
+fi
+
+exec authelia \
+ --config /etc/authelia/configuration.yaml \
+ "$@"
diff --git a/packages/docker/prometheus/default.nix b/packages/docker/prometheus/default.nix
index 94f0bc5..e777b7a 100644
--- a/packages/docker/prometheus/default.nix
+++ b/packages/docker/prometheus/default.nix
@@ -1,21 +1,34 @@
 { pkgs, ... }:
+let
+ entrypoint = pkgs.writeTextFile {
+ name = "entrypoint";
+ executable = true;
+ destination = "/bin/entrypoint";
+ text = builtins.readFile ./entrypoint.sh;
+ };
+in
 pkgs.dockerTools.buildImage {
 name = "prometheus";
 fromImage = import ../base { inherit pkgs; };
 copyToRoot = pkgs.buildEnv {
 name = "root";
- paths = with pkgs; [ prometheus ];
+ paths = with pkgs; [
+ entrypoint
+ prometheus
+ yq-go
+ ];
 pathsToLink = [ "/bin" ];
 };
 config = {
- Entrypoint = [ "prometheus" ];
+ Entrypoint = [ "entrypoint" ];
 ExposedPorts = {
 "9090/tcp" = { };
 };
 WorkingDir = "/var/lib/prometheus";
 Volumes = {
+ "/etc/prometheus" = { };
 "/var/lib/prometheus" = { };
 };
 };
diff --git a/packages/docker/prometheus/entrypoint.sh b/packages/docker/prometheus/entrypoint.sh
new file mode 100644
index 0000000..76c12c4
--- /dev/null
+++ b/packages/docker/prometheus/entrypoint.sh
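Review bot: Both generated files on the new side, `users.yaml` (rewritten in place by `yq … -i`) and `configuration.yaml` (created by the `>` redirect), are produced under the container's default umask, while their inputs are the sops-rendered templates mounted read-only as `users.yaml.default` and `conf.d/authelia.yaml`, so whatever secrets those templates carry are copied into the persistent `/etc/authelia` volume with permissive modes; adding `umask 077` right after the two `set -o` lines makes both outputs owner-only, assuming authelia runs as the same user as this script, which the final `exec` implies. The `[ -f … ]`/`[ -d … ]` guards also soften failure compared with the deleted oneshot init: when a sops mount is missing, the merge is skipped and authelia starts on whatever `users.yaml`/`configuration.yaml` is left in the volume, so if that should be fatal, replace the first guard with `[ -f /etc/authelia/users.yaml.default ] || { echo 'users.yaml.default not mounted' >&2; exit 1; }` and the second likewise. The shebang `#!/usr/bin/env sh` depends on ../base providing `/usr/bin/env`, which the deleted init-entrypoint.sh did not need with `#!/bin/sh`; worth confirming before the image is rebuilt.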
@@ -0,0 +1,14 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+
+if [ -d /etc/prometheus/conf.d ]; then
+ # shellcheck disable=SC2016
+ yq eval-all '. as $item ireduce ({}; . *+ $item)' /etc/prometheus/conf.d/*.yaml > /etc/prometheus/prometheus.yaml
+fi
+
+exec prometheus \
+ --config.file=/etc/prometheus/prometheus.yaml \
+ --storage.tsdb.path=/var/lib/prometheus \
+ "$@"
diff --git a/packages/docker/yq/default.nix b/packages/docker/yq/default.nix
deleted file mode 100644
index c63f656..0000000
--- a/packages/docker/yq/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ pkgs, ... }:
-pkgs.dockerTools.buildImage {
- name = "yq";
- fromImage = import ../base { inherit pkgs; };
-
- copyToRoot = pkgs.buildEnv {
- name = "root";
- paths = with pkgs; [ yq-go ];
- pathsToLink = [ "/bin" ];
- };
-
- config = {
- Entrypoint = [ "yq" ];
- };
-}
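Review bot: The `[ -d /etc/prometheus/conf.d ]` guard turns a missing config mount into a silent fallback: when conf.d is absent, the previous `/etc/prometheus/prometheus.yaml` left in the `prometheus-config` volume is used unchanged, so Prometheus keeps scraping with a stale generation instead of failing the unit the way the deleted `prometheus-init` oneshot did. Since the Nix side now always mounts `conf.d/prometheus.yaml` (hosts/.../prometheus/default.nix hunk above), a hard failure seems preferable: `[ -d /etc/prometheus/conf.d ] || { echo 'conf.d not mounted' >&2; exit 1; }`. The `*+` merge appends `scrape_configs` from the fragments in the shell's glob order, so the result depends on filenames; a one-line comment above the yq call, `# fragments merge in filename order; *+ appends list entries`, would make that explicit. The shebang `#!/usr/bin/env sh` also assumes ../base ships `/usr/bin/env`, which the deleted init script avoided by using `#!/bin/sh`; worth confirming.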