{ config, pkgs, lib, ... }: let cfg = config.services.vm_docker; in { options.services.vm_docker = { enable = lib.mkEnableOption "Enable minimal config"; pgsql_ip = lib.mkOption { type = lib.types.str; description = "docker database IP address"; }; }; config = lib.mkIf cfg.enable { age.secrets.docker-lapi-key = { file = ../../secrets/docker-lapi-key.age; owner = "crowdsec"; }; }; fileSystems."/mnt/docker-data" = { device = "/dev/disk/by-uuid/39fb44a4-5c01-4337-894f-a6a6f4212b10"; fsType = "ext4"; }; users.users.tbarnouin.extraGroups = [ "docker" ]; virtualisation = { oci-containers.backend = "docker"; docker = { enable = true; autoPrune.enable = true; daemon.settings = { userland-proxy = false; metrics-addr = "0.0.0.0:9323"; data-root = "/mnt/docker-data"; }; }; virtualisation.oci-containers.containers = { "gluetun" = { image = "ghcr.io/qdm12/gluetun:latest"; environment = { "QBT_WEBUI_ENABLED" = "true"; "SERVER_CITIES" = "Paris"; "SERVER_COUNTRIES" = "France"; "TZ" = "Europe/Paris"; "VPN_PORT_FORWARDING" = "on"; "VPN_SERVICE_PROVIDER" = "protonvpn"; "VPN_TYPE" = "wireguard"; "WIREGUARD_PRIVATE_KEY" = "IJqSQQC2heTOqo0YvqNHq+ZzPmBuKk9vrdo5pZtU2GE="; }; volumes = [ "gluetun_gluetun-config:/gluetun:rw" ]; ports = [ "8080:8080/tcp" ]; log-driver = "journald"; extraOptions = [ "--cap-add=NET_ADMIN" "--device=/dev/net/tun:/dev/net/tun:rwm" "--health-cmd=[\"wget\", \"--spider\", \"-q\", \"http://google.com\"]" "--health-interval=30s" "--health-retries=3" "--health-timeout=10s" "--network-alias=gluetun" "--network=gluetun_default" "--sysctl=net.ipv6.conf.all.disable_ipv6=1" ]; }; "qbittorrent" = { image = "lscr.io/linuxserver/qbittorrent:latest"; environment = { "DOCKER_MODS" = "ghcr.io/t-anc/gsp-qbittorent-gluetun-sync-port-mod:main"; "GSP_GTN_API_KEY" = "1egJpY4lciGGs2CkpESR9RR480O4QyLqzKwQ792X7R4plzh5hri0pDsotWqYF1GM"; "GSP_MINIMAL_LOGS" = "false"; "GSP_QBITTORRENT_PORT" = "53764"; "PGID" = "1000"; "PUID" = "1000"; "QBITTORRENT_INTERFACE" = "tun0"; "TZ" = "Europe/Paris"; "WEBUI_PORT" = "8080"; }; volumes = [ "/mnt/DATA/:/downloads:rw" "/mnt/docker-data/gluetun/qbittorrent/webui:/webui:rw" "gluetun_qbittorrent-config:/config:rw" ]; dependsOn = [ "gluetun" ]; log-driver = "journald"; extraOptions = [ "--network=container:gluetun" ]; }; }; systemd.services = { "docker-gluetun" = { serviceConfig = { Restart = lib.mkOverride 90 "always"; RestartMaxDelaySec = lib.mkOverride 90 "1m"; RestartSec = lib.mkOverride 90 "100ms"; RestartSteps = lib.mkOverride 90 9; }; after = [ "docker-network-gluetun_default.service" "docker-volume-gluetun_gluetun-config.service" ]; requires = [ "docker-network-gluetun_default.service" "docker-volume-gluetun_gluetun-config.service" ]; partOf = [ "docker-compose-gluetun-root.target" ]; wantedBy = [ "docker-compose-gluetun-root.target" ]; }; "docker-qbittorrent" = { serviceConfig = { Restart = lib.mkOverride 90 "always"; RestartMaxDelaySec = lib.mkOverride 90 "1m"; RestartSec = lib.mkOverride 90 "100ms"; RestartSteps = lib.mkOverride 90 9; }; after = [ "docker-volume-gluetun_qbittorrent-config.service" ]; requires = [ "docker-volume-gluetun_qbittorrent-config.service" ]; partOf = [ "docker-compose-gluetun-root.target" ]; wantedBy = [ "docker-compose-gluetun-root.target" ]; }; # Networks "docker-network-gluetun_default" = { path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; ExecStop = "docker network rm -f gluetun_default"; }; script = '' docker network inspect gluetun_default || docker network create gluetun_default ''; partOf = [ "docker-compose-gluetun-root.target" ]; wantedBy = [ "docker-compose-gluetun-root.target" ]; }; # Volumes "docker-volume-gluetun_gluetun-config" = { path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' docker volume inspect gluetun_gluetun-config || docker volume create gluetun_gluetun-config ''; partOf = [ "docker-compose-gluetun-root.target" ]; wantedBy = [ "docker-compose-gluetun-root.target" ]; }; "docker-volume-gluetun_qbittorrent-config" = { path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' docker volume inspect gluetun_qbittorrent-config || docker volume create gluetun_qbittorrent-config ''; partOf = [ "docker-compose-gluetun-root.target" ]; wantedBy = [ "docker-compose-gluetun-root.target" ]; }; # Root service # When started, this will automatically create all resources and start # the containers. When stopped, this will teardown all resources. "docker-compose-gluetun-root" = { unitConfig = { Description = "Root target generated by compose2nix."; }; wantedBy = [ "multi-user.target" ]; }; }; services = { crowdsec = { settings.lapi.credentialsFile = "${config.age.secrets.docker-lapi-key.path}"; localConfig = { acquisitions = [ { source = "journalctl"; journalctl_filter = [ "_SYSTEMD_UNIT=docker.service" ]; labels = { type = "syslog"; }; } ]; }; }; }; }; }