Configure podman and koito

2025-06-21 19:39:41 +00:00 · 2025-06-21 19:39:41 +00:00 · a339897c48
commit a339897c48
parent 547365c5c3
6 changed files with 104 additions and 7 deletions
--- a/hosts/greatyamada/nixos/default.nix
+++ b/hosts/greatyamada/nixos/default.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
  imports = [ ./filesystems.nix ];

  boot = {
@ -14,7 +14,18 @@
  environment.systemPackages = with pkgs; [ arion docker-client ];

  networking = {
-    firewall.enable = true;
+    firewall = {
+      enable = true;
+      interfaces = let
+        matchAll =
+          if !config.networking.nftables.enable then "podman+" else "podman*";
+      in {
+        "${matchAll}" = {
+          allowedTCPPorts = [ 5432 ];
+          allowedUDPPorts = [ 53 ];
+        };
+      };
+    };
    hostName = "greatyamada";
    networkmanager.enable = true;
    useDHCP = lib.mkDefault false;
@ -43,10 +54,14 @@
    users.avery.extraGroups = [ "media" ];
  };

-  virtualisation.podman = {
-    enable = true;
-    dockerSocket.enable = true;
-    defaultNetwork.settings.dns_enabled = true;
+  virtualisation = {
+    oci-containers.backend = "podman";
+    podman = {
+      enable = true;
+      autoPrune.enable = true;
+      dockerSocket.enable = true;
+      defaultNetwork.settings.dns_enabled = true;
+    };
  };

  time.timeZone = "UTC";
--- a/hosts/greatyamada/services/_port-definitions.nix
+++ b/hosts/greatyamada/services/_port-definitions.nix
@ -4,6 +4,7 @@
  adguardhome-dhcp-udp = 67;
  forgejo-http = 3000;
  jellyfin-http = 8096;
+  koito = 4110;
  minecraft = 13914;
  navidrome-https = 4533;
  nginx-https = 443;
--- a/hosts/greatyamada/services/adguardhome.nix
+++ b/hosts/greatyamada/services/adguardhome.nix
@ -20,7 +20,7 @@ in {
          session_ttl = "720h";
        };
        dns = {
-          bind_hosts = [ "0.0.0.0" ];
+          bind_hosts = [ "10.0.0.1" ];
          port = portDefinitions.adguardhome-dns;
          anonymize_client_ip = false;
          ratelimit = 0;
--- a/hosts/greatyamada/services/default.nix
+++ b/hosts/greatyamada/services/default.nix
@ -5,6 +5,7 @@
    ./forgejo.nix
    ./inadyn.nix
    ./jellyfin.nix
+    ./koito.nix
    # ./minecraft
    ./nginx.nix
    ./pgadmin.nix
--- a/hosts/greatyamada/services/koito.nix
+++ b/hosts/greatyamada/services/koito.nix
@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+let
+  portDefinitions = import ./_port-definitions.nix;
+  nginxLocalConfig = import ./nginx-local-config.nix;
+in {
+  virtualisation.oci-containers.containers."koito" = {
+    image = "gabehf/koito:latest";
+    environment = {
+      "KOITO_ALLOWED_HOSTS" = "koito.rcia.dev";
+      "KOITO_ENABLE_LBZ_RELAY" = "true";
+      "KOITO_LBZ_RELAY_URL" = "https://api.listenbrainz.org/1";
+    };
+    environmentFiles = [ config.sops.templates."koito.env".path ];
+    volumes = [ "/mnt/hdd-01/koito:/etc/koito:rw" ];
+    ports = [ "${toString portDefinitions.koito}:4110/tcp" ];
+    log-driver = "journald";
+    extraOptions = [ "--network-alias=koito" "--network=koito_default" ];
+  };
+  systemd.services."podman-koito" = {
+    serviceConfig = { Restart = lib.mkOverride 90 "always"; };
+    after = [ "podman-network-koito_default.service" ];
+    requires = [ "podman-network-koito_default.service" ];
+    partOf = [ "podman-compose-koito-root.target" ];
+    wantedBy = [ "podman-compose-koito-root.target" ];
+  };
+
+  services.nginx.virtualHosts."koito.rcia.dev" = {
+    locations."/".proxyPass =
+      "http://localhost:${toString portDefinitions.koito}";
+    forceSSL = true;
+    useACMEHost = "rcia.dev";
+  };
+
+  sops = {
+    secrets = {
+      "koito/database_url" = { };
+      "koito/listenbrainz_token" = { };
+    };
+    templates."koito.env".content = ''
+      KOITO_DATABASE_URL=${config.sops.placeholder."koito/database_url"}
+      KOITO_LBZ_RELAY_TOKEN=${
+        config.sops.placeholder."koito/listenbrainz_token"
+      }
+    '';
+  };
+
+  # Networks
+  systemd.services."podman-network-koito_default" = {
+    path = [ pkgs.podman ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "podman network rm -f koito_default";
+    };
+    script = ''
+      podman network inspect koito_default || podman network create koito_default
+    '';
+    partOf = [ "podman-compose-koito-root.target" ];
+    wantedBy = [ "podman-compose-koito-root.target" ];
+  };
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."podman-compose-koito-root" = {
+    unitConfig = { Description = "Root target generated by compose2nix."; };
+    after = [ "postgresql.service" ];
+    requires = [ "postgresql.service" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+}
--- a/hosts/greatyamada/services/postgresql.nix
+++ b/hosts/greatyamada/services/postgresql.nix
@ -4,8 +4,17 @@ in {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
+    enableTCPIP = true;
    dataDir =
      "/mnt/ssd-01/postgresql/${config.services.postgresql.package.psqlSchema}";
    settings.port = portDefinitions.postgresql;
+    authentication = pkgs.lib.mkOverride 10 ''
+      local all all trust
+      host all all 127.0.0.1/32 trust
+      host all all ::1/128 trust
+
+      # Allow containers access to the database
+      host all all 10.89.0.0/16 trust
+    '';
  };
 }