Use postgres hosted
This commit is contained in:
parent
51042197ba
commit
034e422797
7 changed files with 94 additions and 0 deletions
@ -76,6 +76,8 @@ Note: `secrets/default.nix` is the agenix recipients file. Agenix looks for `sec
|
||||||
| `gitea-runner-ubuntu.service` | Forgejo (Gitea) Actions CI runner, uses docker images |
|
| `gitea-runner-ubuntu.service` | Forgejo (Gitea) Actions CI runner, uses docker images |
|
||||||
| `forgejo-arion.service` | Forgejo itself, run via Arion/Podman |
|
| `forgejo-arion.service` | Forgejo itself, run via Arion/Podman |
|
||||||
| `riverside-arion.service` | Riverside app, run via Arion/Docker |
|
| `riverside-arion.service` | Riverside app, run via Arion/Docker |
|
||||||
|
| `podman-coldairnetworks-postgres.service` | PostgreSQL 16 on port 5432 (publicly exposed) |
|
||||||
|
| `podman-coldairnetworks-pgadmin.service` | pgAdmin 4 on port 5050 (localhost only) |
|
||||||
| `podman-navidrome.service` | Navidrome music server on port 4533 |
|
| `podman-navidrome.service` | Navidrome music server on port 4533 |
|
||||||
| `podman-nextcloud.service` | Nextcloud/SSH container on port 8087 |
|
| `podman-nextcloud.service` | Nextcloud/SSH container on port 8087 |
|
||||||
| `podman-sync.io.service` | sync.io app on port 9090 |
|
| `podman-sync.io.service` | sync.io app on port 9090 |
|
||||||
|
|
@ -92,6 +94,36 @@ Note: `secrets/default.nix` is the agenix recipients file. Agenix looks for `sec
|
||||||
- `DOCKER_HOST` for the gitea-runner is set to `unix:///run/podman/podman.sock`.
|
- `DOCKER_HOST` for the gitea-runner is set to `unix:///run/podman/podman.sock`.
|
||||||
- The gitea-runner runs docker images for CI jobs, so the `gitea-runner` user is in the `docker` and `podman` supplementary groups.
|
- The gitea-runner runs docker images for CI jobs, so the `gitea-runner` user is in the `docker` and `podman` supplementary groups.
|
||||||
|
|
||||||
|
## PostgreSQL / pgAdmin (coldairnetworks)
|
||||||
|
|
||||||
|
Two Podman containers defined in `linux.nix` under `virtualisation.oci-containers`.
|
||||||
|
|
||||||
|
| Container | Image | Port | Role |
|
||||||
|
|---|---|---|---|
|
||||||
|
| `coldairnetworks-postgres` | `postgres:16` | 5432 (public) | PostgreSQL database |
|
||||||
|
| `coldairnetworks-pgadmin` | `dpage/pgadmin4` | 5050 (localhost) | pgAdmin 4 web UI |
|
||||||
|
|
||||||
|
### Credential files (not in git — create manually on server)
|
||||||
|
|
||||||
|
| Path | Contents |
|
||||||
|
|---|---|
|
||||||
|
| `/var/coldairnetworks-db/postgres.env` | `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB` |
|
||||||
|
| `/var/coldairnetworks-db/pgadmin.env` | `PGADMIN_DEFAULT_EMAIL`, `PGADMIN_DEFAULT_PASSWORD` |
|
||||||
|
| `/var/coldairnetworks-db/htpasswd` | nginx basic auth — generate with `htpasswd -c /var/coldairnetworks-db/htpasswd <user>` |
|
||||||
|
|
||||||
|
### Data directories
|
||||||
|
|
||||||
|
| Host path | Purpose |
|
||||||
|
|---|---|
|
||||||
|
| `/var/coldairnetworks-db/postgres` | PostgreSQL data (owned root:root) |
|
||||||
|
| `/var/coldairnetworks-db/pgadmin` | pgAdmin state (owned uid 5050 — the pgAdmin container user) |
|
||||||
|
|
||||||
|
### Access
|
||||||
|
|
||||||
|
- **Web UI**: `https://db.coldairnetworks.com` — nginx basic auth first, then pgAdmin login
|
||||||
|
- **Direct connection**: `psql -h mainframe.philippeterson.com -U admin -d coldairnetworks` (port 5432 open in firewall)
|
||||||
|
- **pgAdmin → PostgreSQL**: when adding a server in pgAdmin, use `host.containers.internal` as the hostname (Podman host gateway), port 5432
|
||||||
|
|
||||||
## VNC desktop
|
## VNC desktop
|
||||||
|
|
||||||
`podman-vnc-desktop.service` runs a KDE Plasma desktop inside a container, accessible via noVNC at `localhost:6080` (reverse-proxied by nginx). The image is built locally — no registry involved.
|
`podman-vnc-desktop.service` runs a KDE Plasma desktop inside a container, accessible via noVNC at `localhost:6080` (reverse-proxied by nginx). The image is built locally — no registry involved.
|
@ -11,6 +11,7 @@
|
||||||
8082 #webdav
|
8082 #webdav
|
||||||
8087 #nextcloud
|
8087 #nextcloud
|
||||||
|
|
||||||
|
5432 #coldairnetworks postgres
|
||||||
9090 #sync.io
|
9090 #sync.io
|
||||||
];
|
];
|
||||||
|
|
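Review bot: The added `5432 #coldairnetworks postgres` entry opens PostgreSQL to every source address, and the container hunk in the Nix module publishes it as `"5432:5432"` on all interfaces, so the only control between the network and the database is the password in the env file — the README in this commit calls the port "publicly exposed", so this looks intentional, but nothing here enforces TLS or limits which hosts may connect. If remote clients come from known networks only, scoping the rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts` or a VPN address keeps 5432 off the public interface. It is also worth confirming what `pg_hba.conf` the `postgres:16` image generates: its entrypoint appends a rule for all hosts using `POSTGRES_HOST_AUTH_METHOD`, which defaults to password authentication, so there is no address restriction inside the database either. The list this line belongs to starts outside the hunk; I am inferring it is the firewall's `allowedTCPPorts` from the neighbouring `#webdav`/`#nextcloud` entries.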
@ -91,6 +91,16 @@ in {
|
||||||
file = ./secrets/openai-api-key.age;
|
file = ./secrets/openai-api-key.age;
|
||||||
owner = "root";
|
owner = "root";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
coldairnetworks-db-postgres = {
|
||||||
|
file = ./secrets/coldairnetworks-db-postgres.age;
|
||||||
|
owner = "root";
|
||||||
|
};
|
||||||
|
|
||||||
|
coldairnetworks-db-pgadmin = {
|
||||||
|
file = ./secrets/coldairnetworks-db-pgadmin.age;
|
||||||
|
owner = "root";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
|
|
@ -251,6 +261,8 @@ in {
|
||||||
"d /var/riverside/files 0755 root root"
|
"d /var/riverside/files 0755 root root"
|
||||||
"d /var/riverside/postgres 0755 root root"
|
"d /var/riverside/postgres 0755 root root"
|
||||||
"d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner"
|
"d /var/lib/gitea-runner/ubuntu 0755 gitea-runner gitea-runner"
|
||||||
|
"d /var/coldairnetworks-db/postgres 0755 root root"
|
||||||
|
"d /var/coldairnetworks-db/pgadmin 0700 5050 5050"
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "${hostname}";
|
networking.hostName = "${hostname}";
|
||||||
|
|
@ -301,6 +313,22 @@ in {
|
||||||
# ports = ["8081:80"];
|
# ports = ["8081:80"];
|
||||||
# };
|
# };
|
||||||
|
|
||||||
|
"coldairnetworks-postgres" = {
|
||||||
|
autoStart = true;
|
||||||
|
image = "postgres:16";
|
||||||
|
ports = [ "5432:5432" ];
|
||||||
|
volumes = [ "/var/coldairnetworks-db/postgres:/var/lib/postgresql/data" ];
|
||||||
|
environmentFiles = [ config.age.secrets.coldairnetworks-db-postgres.path ];
|
||||||
|
};
|
||||||
|
|
||||||
|
"coldairnetworks-pgadmin" = {
|
||||||
|
autoStart = true;
|
||||||
|
image = "dpage/pgadmin4";
|
||||||
|
ports = [ "127.0.0.1:5050:80" ];
|
||||||
|
volumes = [ "/var/coldairnetworks-db/pgadmin:/var/lib/pgadmin" ];
|
||||||
|
environmentFiles = [ config.age.secrets.coldairnetworks-db-pgadmin.path ];
|
||||||
|
};
|
||||||
|
|
||||||
"navidrome" = {
|
"navidrome" = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
environment = {
|
environment = {
|
||||||
|
|
@ -465,5 +493,6 @@ in {
|
||||||
"acme-selfsigned-webdav.philippeterson.com.service"
|
"acme-selfsigned-webdav.philippeterson.com.service"
|
||||||
"acme-selfsigned-pluto.philippeterson.com.service"
|
"acme-selfsigned-pluto.philippeterson.com.service"
|
||||||
"acme-selfsigned-paperless.philippeterson.com.service"
|
"acme-selfsigned-paperless.philippeterson.com.service"
|
||||||
|
"acme-selfsigned-db.coldairnetworks.com.service"
|
||||||
];
|
];
|
||||||
}
|
}
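Review bot: The new tmpfiles rule `"d /var/coldairnetworks-db/postgres 0755 root root"` creates the PostgreSQL data directory world-listable, unlike the `0700` given to the pgAdmin directory on the next added line; PostgreSQL refuses a data directory wider than 0750, and the official image's entrypoint presumably re-chowns and tightens it on first start (which is why this works), but declaring the intended mode closes that window and keeps the two rules consistent: `"d /var/coldairnetworks-db/postgres 0700 root root"`. The README row describing this path as "owned root:root" will likely be stale after that first start, since the entrypoint hands the directory to the in-container postgres user — worth checking on the host. In the container hunk, `image = "dpage/pgadmin4"` carries no tag and `postgres:16` floats on the minor version, so a re-pull can change the deployed version silently; pinning a tag or digest makes upgrades deliberate. The enclosing `in {` attrset starts outside these hunks.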
|
@ -89,6 +89,27 @@
|
||||||
proxyPass = "http://127.0.0.1:3011/";
|
proxyPass = "http://127.0.0.1:3011/";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"db.coldairnetworks.com" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
basicAuthFile = "/var/coldairnetworks-db/htpasswd";
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:5050/";
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_read_timeout 86400;
|
||||||
|
client_max_body_size 100M;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
"quineglobal.com" = {
|
"quineglobal.com" = {
|
||||||
enableACME = false;
|
enableACME = false;
|
||||||
forceSSL = false;
|
forceSSL = false;
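Review bot: `basicAuthFile = "/var/coldairnetworks-db/htpasswd"` points at a file created by hand with no declared mode, so it must be readable by the `nginx` service user yet should not be readable by everyone else; with a default umask the README's `htpasswd -c` recipe creates it 0644, so pair it with `chmod 640` and `chgrp nginx`. The same recipe produces apr1-MD5 hashes; `htpasswd -B` gives bcrypt, which nginx accepts through the system crypt() on NixOS (libxcrypt) — confirm on the host. Since `forceSSL` and `enableACME` are set the credentials travel only over TLS, and the upstream `127.0.0.1:5050` matches the loopback-only port publish in the container definition. The `services.nginx.virtualHosts` attrset this entry belongs to starts outside the hunk.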
|
5
nixos/secrets/coldairnetworks-db-pgadmin.age
Normal file
5
nixos/secrets/coldairnetworks-db-pgadmin.age
Normal file
@ -0,0 +1,5 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 NFD/vg J4wIMQPFUPgrZ0Nc7jzXP2+iyBWAf3nuGtTEsqo3pF0
|
||||||
|
tjt1/xOiC9FIDDMjBSMpCNtqOKCkTmy0lsUl0jk6mLs
|
||||||
|
--- H8bQNc9LNjqhCUCMPP0hx/L74tFeo4cNf1s/kvn0Vqk
|
||||||
|
®±£}ÏYò¸Ñ†‹l<E280B9>@P‰é€b,¨Ò4þøS<C3B8>¥uÍ»‘uh0£ë rŽ?PÿÚ<C3BF>dwn’Å´Ú]õuü–üÖÁ1ð_bn1û×*ß䘂Rùœ¦:òW+ú@<40>ï'¼.w#»êÝ”=%'°e¨4Ü8
tnžn׬
|
||||||
BIN
nixos/secrets/coldairnetworks-db-postgres.age
Normal file
BIN
nixos/secrets/coldairnetworks-db-postgres.age
Normal file
Binary file not shown.
@ -37,4 +37,10 @@ in {
|
||||||
|
|
||||||
# OPENAI_API_KEY
|
# OPENAI_API_KEY
|
||||||
"./openai-api-key.age".publicKeys = [mainframePublicKey];
|
"./openai-api-key.age".publicKeys = [mainframePublicKey];
|
||||||
|
|
||||||
|
# POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB
|
||||||
|
"./coldairnetworks-db-postgres.age".publicKeys = [mainframePublicKey];
|
||||||
|
|
||||||
|
# PGADMIN_DEFAULT_EMAIL, PGADMIN_DEFAULT_PASSWORD
|
||||||
|
"./coldairnetworks-db-pgadmin.age".publicKeys = [mainframePublicKey];
|
||||||
}
|
}
|