From 0348068063138f5deb02932406a7c0a2ec17c596 Mon Sep 17 00:00:00 2001
From: Crony Akatsuki
Date: Tue, 12 Aug 2025 08:17:28 +0200
Subject: [PATCH] feat(thor): use systemd services to start lemmy (compose2nix)

---
 modules/servers/thor/lemmy.nix | 220 ++++++++++++++++++++++++++++++-
 modules/servers/thor/secrets.nix | 3 +
 secrets/lemmy.env.age | Bin 0 -> 1787 bytes
 secrets/secrets.nix | 1 +
 4 files changed, 223 insertions(+), 1 deletion(-)
 create mode 100644 secrets/lemmy.env.age

diff --git a/modules/servers/thor/lemmy.nix b/modules/servers/thor/lemmy.nix
index c78b40c..b149e67 100644
--- a/modules/servers/thor/lemmy.nix
+++ b/modules/servers/thor/lemmy.nix
@@ -1,4 +1,222 @@
-{...}: {
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ # Enable container name DNS for all Podman networks.
+ networking.firewall.interfaces = let
+ matchAll =
+ if !config.networking.nftables.enable
+ then "podman+"
+ else "podman*";
+ in {
+ "${matchAll}".allowedUDPPorts = [53];
+ };
+
+ # Containers
+ virtualisation.oci-containers.containers."lemmy-backend" = {
+ image = "dessalines/lemmy:0.19.11";
+ environmentFiles = [
+ "/run/agenix/lemmy-env"
+ ];
+ volumes = [
+ "/var/lib/lemmy/lemmy.hjson:/config/config.hjson:rw,Z"
+ ];
+ dependsOn = [
+ "lemmy-db"
+ "lemmy-pictrs"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--hostname=lemmy"
+ "--network-alias=lemmy"
+ "--network=lemmy_default"
+ ];
+ };
+ systemd.services."podman-lemmy-backend" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "always";
+ };
+ after = [
+ "podman-network-lemmy_default.service"
+ ];
+ requires = [
+ "podman-network-lemmy_default.service"
+ ];
+ partOf = [
+ "podman-compose-lemmy-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-lemmy-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."lemmy-db" = {
+ image = "docker.io/postgres:16-alpine";
+ environmentFiles = [
+ "/run/agenix/lemmy-env"
+ ];
+ volumes = [
+ "/var/lib/lemmy/volumes/postgres:/var/lib/postgresql/data:rw,Z"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--hostname=postgres-lemmy"
+ "--network-alias=postgres"
+ "--network=lemmy_default"
+ ];
+ };
+ systemd.services."podman-lemmy-db" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "always";
+ };
+ after = [
+ "podman-network-lemmy_default.service"
+ ];
+ requires = [
+ "podman-network-lemmy_default.service"
+ ];
+ partOf = [
+ "podman-compose-lemmy-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-lemmy-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."lemmy-pictrs" = {
+ image = "docker.io/asonix/pictrs:0.5";
+ environmentFiles = [
+ "/run/agenix/lemmy-env"
+ ];
+ volumes = [
+ "/var/lib/lemmy/volumes/pictrs:/mnt:rw,Z"
+ ];
+ user = "991:991";
+ log-driver = "journald";
+ extraOptions = [
+ "--hostname=pictrs"
+ "--memory=723517440b"
+ "--network-alias=pictrs"
+ "--network=lemmy_default"
+ ];
+ };
+ systemd.services."podman-lemmy-pictrs" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "always";
+ };
+ after = [
+ "podman-network-lemmy_default.service"
+ ];
+ requires = [
+ "podman-network-lemmy_default.service"
+ ];
+ partOf = [
+ "podman-compose-lemmy-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-lemmy-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."lemmy-proxy" = {
+ image = "nginx:1-alpine";
+ environmentFiles = [
+ "/run/agenix/lemmy-env"
+ ];
+ volumes = [
+ "/var/lib/lemmy/nginx_internal.conf:/etc/nginx/nginx.conf:ro,Z"
+ "/var/lib/lemmy/proxy_params:/etc/nginx/proxy_params:ro,Z"
+ ];
+ ports = [
+ "127.0.0.1:1236:8536/tcp"
+ ];
+ dependsOn = [
+ "lemmy-pictrs"
+ "lemmy-ui"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=proxy"
+ "--network=lemmy_default"
+ ];
+ };
+ systemd.services."podman-lemmy-proxy" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "always";
+ };
+ after = [
+ "podman-network-lemmy_default.service"
+ ];
+ requires = [
+ "podman-network-lemmy_default.service"
+ ];
+ partOf = [
+ "podman-compose-lemmy-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-lemmy-root.target"
+ ];
+ };
+ virtualisation.oci-containers.containers."lemmy-ui" = {
+ image = "dessalines/lemmy-ui:0.19.11";
+ environmentFiles = [
+ "/run/agenix/lemmy-env"
+ ];
+ volumes = [
+ "/var/lib/lemmy/volumes/lemmy-ui/extra_themes:/app/extra_themes:rw"
+ ];
+ dependsOn = [
+ "lemmy-backend"
+ "lemmy-pictrs"
+ ];
+ log-driver = "journald";
+ extraOptions = [
+ "--network-alias=lemmy-ui"
+ "--network=lemmy_default"
+ ];
+ };
+ systemd.services."podman-lemmy-ui" = {
+ serviceConfig = {
+ Restart = lib.mkOverride 90 "always";
+ };
+ after = [
+ "podman-network-lemmy_default.service"
+ ];
+ requires = [
+ "podman-network-lemmy_default.service"
+ ];
+ partOf = [
+ "podman-compose-lemmy-root.target"
+ ];
+ wantedBy = [
+ "podman-compose-lemmy-root.target"
+ ];
+ };
+
+ # Networks
+ systemd.services."podman-network-lemmy_default" = {
+ path = [pkgs.podman];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "podman network rm -f lemmy_default";
+ };
+ script = ''
+ podman network inspect lemmy_default || podman network create lemmy_default
+ '';
+ partOf = ["podman-compose-lemmy-root.target"];
+ wantedBy = ["podman-compose-lemmy-root.target"];
+ };
+
+ # Root service
+ # When started, this will automatically create all resources and start
+ # the containers. When stopped, this will teardown all resources.
+ systemd.targets."podman-compose-lemmy-root" = {
+ unitConfig = {
+ Description = "Root target generated by compose2nix.";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+
 services.traefik.dynamicConfigOptions.http = {
 services.lemmy.loadBalancer.servers = [
 {
diff --git a/modules/servers/thor/secrets.nix b/modules/servers/thor/secrets.nix
index fe7bbed..a26447b 100644
--- a/modules/servers/thor/secrets.nix
+++ b/modules/servers/thor/secrets.nix
@@ -10,6 +10,9 @@
 conduit = {
 file = ../../../secrets/conduit.age;
 };
+ lemmy-env = {
+ file = ../../../secrets/lemmy.env.age;
+ };
 };
 };
 }
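Review bot: Every container, including the nginx `lemmy-proxy` and `lemmy-ui`, is given `environmentFiles = [ "/run/agenix/lemmy-env" ]`, so the single secret file that the `lemmy-db` and `lemmy-backend` containers rely on (presumably the Postgres credentials and pictrs settings) also lands in the environment of the proxy and UI processes, which have no visible use for it beyond their read-only config mounts; a fault in either of those front-facing services then exposes database credentials it should never have held. Either split the secret into per-service env files or drop `environmentFiles` from `lemmy-proxy` and `lemmy-ui` unless the nginx config actually depends on envsubst. The references `dessalines/lemmy:0.19.11`, `dessalines/lemmy-ui:0.19.11` and `nginx:1-alpine` are floating tags without a registry prefix, so which image is pulled depends on the host's registry search order and can change silently; a fully qualified, digest-pinned form such as `image = "docker.io/dessalines/lemmy:0.19.11@sha256:<digest-from-registry>";` makes the deployment reproducible. The `extra_themes` volume on `lemmy-ui` is the only `rw` mount without the `,Z` relabel flag the other volumes carry, which reads as an inconsistency if SELinux labelling is relied on here. The module continues past the hunk into the traefik section visible in the trailing context lines.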
diff --git a/secrets/lemmy.env.age b/secrets/lemmy.env.age new file mode 100644 index 0000000000000000000000000000000000000000..c235b098256f2222683d4b58b762ada787be55c3 GIT binary patch literal 1787 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP3NXp@E>|dsbPRJb zaSsSjE-TIQ4ma`5O3pO*a8AljE=kEqD=qWLtV(kR-Pt2A=;ODYfW4>8Tpwg@Z^4a##(&qlY+Ogkg6AW)&y#W^G>zsk(C)WhA= zGAhF_&{wg=>_D#kT-S)uEPuZWufi~|9Mj5*Tu+~@$h4^P&>W-U zsPrI5-*O*Ui%@-SQw+bEYnyr-2P)`C235G2riNGsS)^C_6=&w>=|_b{B|Ew~hPeB= z=lg}5g&MmD=NhF2nQ#SoIa&rp8sz6VC%IWhg@ zE7d18q@1f%-!IrduPoBM%q29%*Ci#~(=@C+HOI@(A~C4QH83&6EZDK!%sZgKC=}hc zWLHl=Uq^+AjM7~1)WXUX6LaTE(=1=@LYG8C!!#q$^g>f3CqH-h++cmb6u(66^kS}x z#B9%$!m^A^qx?ec0(ax!@bs$W^1KWaPnXc*D&I3X^=jivksb zOLN?V{fm=)v%-RM!zx|%^#jT*T*ETlQqv>SvkHqts=|$moysE3GAy`)lJ&zwLZWgl zg0p;04b8Gm^2*Belb!U_ObkjQJu529k{x}ui*rIsU3}4PbN7pi3`$o>sWNl%2{o&V za5qXXPYRC6ttzMtaQE`6NG{E?Og79db;&i0GBphINDt&nbgC@PH_t3I@ys`I)Xp(3 zP4_FZ2zPgKjwmY0$qxz$PBab8u(0%W(k@1~EiFYq$|q1E-OIAd#56c5vADd_GutO4 z#H2LT$k{m9B{e+QIKaKku`E|VDj+{EC(M;A*xw_^yC68bxFk8##4jT?G|wZ$-y*=! zD=XC0DOg`WBO|3C*eBgDv?!2ES65d-J3TYaCD^FK%PA|@(mm3oD$BDV*D^8L#LFbu z%rh~-BG)}aJ1M9rEXb2fPv7a8nT^xQfD?Ih>XH*gE_?k=TqW+-v?z7QrHpA;HXU;< zU~!E6{4Mv%g+rhFMPpk&XUio1SngG0*p`3re7;%RGlnZOFY7Vh_-(@Md7^gFwW+Il zAIw?P`89KA_k|C?vk3-q)pK%@RsZo}O!OsPy^PqCF*d zly|w-@Ah0g&!duS%evBj@w5vPJL_);Hr$HhKQh-sFJcjUP+7m31ryWZ<@~|Z7t2R* zT;|=FyGgL?@RF3N0rRY0N}U!{sdc@dn?8*%oaySd3-wDfs+{{jx=uf{Hs|xg1qzGZ zPo_jIdQy0D!nGf=mR@d|Hmph4_+oAzuAlZq<6u$v0@r&Lw=3KeU*&y@dzhj%$1#j& z+4}5y2T3Kbr~l_Mococ&Zc`H=lE+}Nw@E~|_<2iS^{V(dzc=l#>Wx3_>0AG)Buj3d zZkXBXpUXLGF6A@N*4}*X!Ncddq2^NlQkSB>PdIgTH=Eww8`TEQW_fX5$M+Vgt$vfs zJGcMOtW6UR1uS4$7rw$r$l#=5RsR;&$AVINw`q?I zemkwdym_tOx9{p3tFwbYChXBn*rD}OUF`9JxP!qLm%Oss*2g%H-!*o%%6W^{Rn1Q} zIaEI@m!DB-lk=uw_NtEU6aTFdn4!G5=8`05;#`ASGcEtw)(ZFcKM9iE*LK3-g>el7k8fc*c7ttWBtsfYGz-%or#!cbD>&~=TD4XzxlWfqVzp!W z1C!QOOP&0tEhw9^>8kA7QmJc}^(xgG$Ig8YvD*86sg-wr!_C=m7hUQ!-jTYeRCKB6 GRciqDoVcq1 literal 0 HcmV?d00001 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 3061d69..09174dc 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -37,4 +37,5 @@ in {
 "restic-server-pass.age".publicKeys = systems ++ users;
 "restic-server-repo.age".publicKeys = systems ++ users;
 "restic-server-env.age".publicKeys = systems ++ users;
+ "lemmy.env.age".publicKeys = systems ++ users;
 }
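Review bot: `lemmy.env.age` is encrypted to `systems ++ users`, the same recipient set as the restic secrets above, so every host key in `systems`, not only thor where `modules/servers/thor/secrets.nix` consumes it, can decrypt the Lemmy environment file. If `systems` covers more than this one machine (its definition is outside the hunk, so this is inferred from the name), consider narrowing the recipients to thor's host key plus the admin user keys so that a compromise of an unrelated host does not expose the Lemmy database credentials.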