stt, mem0, rofi-project-opener
This commit is contained in:
m3tm3re
@@ -1,63 +0,0 @@
|
||||
# services/ - m3-atlas Service Configurations
|
||||
|
||||
Main server services including Traefik reverse proxy and containerized apps.
|
||||
|
||||
## Container Network
|
||||
|
||||
- **Network**: `web` (podman network)
|
||||
- **Subnet**: `10.89.0.0/24`
|
||||
- **Gateway/Postgres**: `10.89.0.1`
|
||||
- **DNS Challenge**: GoDaddy via Traefik
|
||||
|
||||
## Adding a New Container
|
||||
|
||||
1. Pick next available IP from registry (currently: `10.89.0.22`)
|
||||
2. Register port in `hosts/common/ports.nix`
|
||||
3. Create `containers/<service>.nix`:
|
||||
|
||||
```nix
|
||||
{config, ...}: {
|
||||
virtualisation.oci-containers.containers."service" = {
|
||||
image = "registry/image:tag";
|
||||
environmentFiles = [config.age.secrets.service-env.path];
|
||||
ports = ["127.0.0.1:PORT:PORT"];
|
||||
volumes = ["service_data:/data"];
|
||||
extraOptions = [
|
||||
"--add-host=postgres:10.89.0.1"
|
||||
"--ip=10.89.0.XX"
|
||||
"--network=web"
|
||||
];
|
||||
};
|
||||
|
||||
services.traefik.dynamicConfigOptions.http = {
|
||||
services.service.loadBalancer.servers = [{ url = "http://localhost:PORT/"; }];
|
||||
routers.service = {
|
||||
rule = "Host(`service.domain.com`)";
|
||||
tls.certResolver = "godaddy";
|
||||
service = "service";
|
||||
entrypoints = "websecure";
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
4. Import in `containers/default.nix`
|
||||
5. Add secret to `secrets.nix` and root `secrets.nix`
|
||||
6. Update IP registry in root AGENTS.md
|
||||
|
||||
## Service Files (non-container)
|
||||
|
||||
| File | Purpose |
|
||||
|------|---------|
|
||||
| traefik.nix | Reverse proxy, TLS, entrypoints |
|
||||
| postgres.nix | Native PostgreSQL for containers |
|
||||
| tailscale.nix | Mesh VPN |
|
||||
| gitea.nix | Native Gitea (not containerized) |
|
||||
| minio.nix | S3-compatible storage |
|
||||
|
||||
## Traefik Patterns
|
||||
|
||||
- HTTP redirect to HTTPS: automatic via `web` entrypoint
|
||||
- TLS: `certResolver = "godaddy"` (DNS challenge)
|
||||
- Auth middleware: `middlewares = ["auth"]` (basic auth)
|
||||
- Domain redirects: See `traefik.nix` middlewares
|
||||
85
hosts/m3-atlas/services/containers/AGENTS.md
Normal file
85
hosts/m3-atlas/services/containers/AGENTS.md
Normal file
@@ -0,0 +1,85 @@
|
||||
# CONTAINER SERVICES (m3-atlas)
|
||||
|
||||
**Container orchestration with Podman + Traefik reverse proxy**
|
||||
|
||||
## OVERVIEW
|
||||
11 containerized services on dedicated `web` network (10.89.0.0/24) with Traefik SSL termination.
|
||||
|
||||
## STRUCTURE
|
||||
```
|
||||
containers/
|
||||
├── default.nix # Network setup + service imports
|
||||
├── baserow.nix # 10.89.0.10 - No-code database
|
||||
├── ghost.nix # 10.89.0.11 - Blog platform
|
||||
├── kestra.nix # 10.89.0.12 - Workflow orchestration
|
||||
├── littlelink.nix # 10.89.0.13 - Link aggregator
|
||||
├── matomo.nix # 10.89.0.14 - Analytics
|
||||
├── restreamer.nix # 10.89.0.15 - Video streaming
|
||||
├── slash.nix # 10.89.0.16 - Link shortener
|
||||
└── slash-nemoti.nix # 10.89.0.17 - Personal link shortener
|
||||
```
|
||||
|
||||
## WHERE TO LOOK
|
||||
|
||||
| Task | Action | Notes |
|
||||
|------|--------|-------|
|
||||
| Add container | Copy existing .nix, increment IP | Must update default.nix imports |
|
||||
| Fix networking | Check IP conflicts in 10.89.0.0/24 | Gateway always 10.89.0.1 |
|
||||
| Debug Traefik | Check router rules in service file | Domain must match DNS |
|
||||
| Access database | Use `--add-host=mysql:10.89.0.1` | Gateway IP for host services |
|
||||
|
||||
## CONVENTIONS
|
||||
|
||||
### Container Definition Template
|
||||
```nix
|
||||
virtualisation.oci-containers.containers.<name> = {
|
||||
image = "registry/image:tag";
|
||||
ports = ["127.0.0.1:<external>:<internal>"];
|
||||
volumes = ["/var/lib/<service>:/data"];
|
||||
environmentFiles = [config.age.secrets.<name>-env.path];
|
||||
extraOptions = [
|
||||
"--network=web"
|
||||
"--ip=10.89.0.<sequential>"
|
||||
"--add-host=mysql:10.89.0.1" # If DB needed
|
||||
];
|
||||
};
|
||||
```
|
||||
|
||||
### Traefik Integration
|
||||
```nix
|
||||
services.traefik.dynamicConfigOptions.http = {
|
||||
services.<name>.loadBalancer.servers = [{
|
||||
url = "http://127.0.0.1:<port>";
|
||||
}];
|
||||
routers.<name> = {
|
||||
rule = "Host(`<subdomain>.m3ta.dev`)";
|
||||
service = "<name>";
|
||||
tls.certResolver = "godaddy";
|
||||
};
|
||||
# Legacy redirect (if needed)
|
||||
routers.<name>-old = {
|
||||
rule = "Host(`<subdomain>.m3tam3re.com`)";
|
||||
service = "<name>";
|
||||
middlewares = ["redirect-m3ta"];
|
||||
};
|
||||
};
|
||||
```
|
||||
|
||||
### IP Allocation
|
||||
- **10.89.0.1**: Gateway (host)
|
||||
- **10.89.0.10-17**: Assigned containers
|
||||
- **10.89.0.18+**: Available for new services
|
||||
|
||||
## ANTI-PATTERNS
|
||||
|
||||
- **DON'T** expose ports publicly - bind to 127.0.0.1 only
|
||||
- **DON'T** skip static IP assignment - routing breaks without it
|
||||
- **DON'T** hardcode secrets - use age-encrypted env files
|
||||
- **DON'T** forget to add imports to default.nix
|
||||
|
||||
## NOTES
|
||||
|
||||
- Network created via activation script in default.nix
|
||||
- All services behind Traefik - no direct external access
|
||||
- MySQL/PostgreSQL run on host, accessed via gateway IP
|
||||
- Secrets pattern: `<service>-env.age` with environment variables
|
||||
Reference in New Issue
Block a user