New way to deploy apps in my server

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-05-20 05:12:34 +02:00 · 2026-04-11 02:26:00 +02:00
parent 29bdd6468a
commit 28b7923e47
22 changed files with 759 additions and 407 deletions
@@ -1,24 +1,37 @@
-{config, ...}: {
-  sops.secrets = {
-    umami-secret = {
-      mode = "0600";
-    };
-  };
-  services.umami = {
-    enable = true;
-    settings = {
-      PORT = 8097;
-      APP_SECRET_FILE = config.sops.secrets.umami-secret.path;
-      DISABLE_TELEMETRY = true;
-      DISABLE_BOT_CHECK = true;
-    };
-  };
-  services.cloudflared.tunnels."${config.var.tunnelId}".ingress."umami.${config.var.domain}" = "http://localhost:${toString config.services.umami.settings.PORT}";
-  systemd.services.default-creds.environment = {
-    PUBLIC_UMAMI_URL = "https://umami.${config.var.domain}";
-    # FIXME:
-    PUBLIC_UMAMI_WEBSITE_ID = "7197484c-01ad-488e-9caa-5ab7b7595f08";
-    UMAMI_URL = "http://localhost:8097";
-    UMAMI_WEBSITE_ID = "7197484c-01ad-488e-9caa-5ab7b7595f08";
-  };
+{ config, lib, ... }:
+let
+  inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
+in
+{
+  sops.secrets.umami-secret.mode = "0400";
+
+  imports = [
+    (mkContainer {
+      name = "umami";
+      hostIp = "10.233.10.1";
+      containerIp = "10.233.10.2";
+      bindMounts."/run/secrets/umami-secret" = {
+        hostPath = config.sops.secrets.umami-secret.path;
+        isReadOnly = true;
+      };
+      nixosConfig = { ... }: {
+        services.umami = {
+          enable = true;
+          settings = {
+            PORT = 8080;
+            HOSTNAME = "0.0.0.0";
+            APP_SECRET_FILE = "/run/secrets/umami-secret";
+            DISABLE_TELEMETRY = true;
+            DISABLE_BOT_CHECK = true;
+          };
+        };
+        # PrivateUsers breaks systemd-creds inside nspawn containers (nested user namespaces)
+        systemd.services.umami.serviceConfig.PrivateUsers = lib.mkForce false;
+        networking.firewall.allowedTCPPorts = [ 8080 ];
+        system.stateVersion = "24.05";
+      };
+    })
+  ];
+
+  services.cloudflared.tunnels."${config.var.tunnelId}".ingress."umami.${config.var.domain}" = "http://10.233.10.2:8080";
 }