From fd8c8efcf0307c25596ddf035aa1e5213d2a6285 Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 15 Jan 2025 16:19:12 +0000
Subject: [PATCH] add podman-autostart service to docker
---
 .../optional/nixos-containers/docker.nix | 12 ++
 .../nixos-containers/semitamaps-worker.nix | 175 ------------------
 2 files changed, 12 insertions(+), 175 deletions(-)
diff --git a/hosts/common/optional/nixos-containers/docker.nix b/hosts/common/optional/nixos-containers/docker.nix
index 5628856..f9a2ce9 100644
--- a/hosts/common/optional/nixos-containers/docker.nix
+++ b/hosts/common/optional/nixos-containers/docker.nix
@@ -162,6 +162,18 @@ in {
 networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
+ systemd.services.podman-autostart = {
+ enable = true;
+ after = ["podman.service"];
+ wantedBy = ["multi-user.target"];
+ description = "Automatically start containers with --restart=always tag";
+ serviceConfig = {
+ Type = "idle";
+ ExecStartPre = ''${pkgs.coreutils}/bin/sleep 1'';
+ ExecStart = ''/run/current-system/sw/bin/podman start --all --filter restart-policy=always'';
+ };
+ };
+
 services.openssh = {
 enable = true;
 settings.PasswordAuthentication = false;
diff --git a/hosts/common/optional/nixos-containers/semitamaps-worker.nix b/hosts/common/optional/nixos-containers/semitamaps-worker.nix
index 34d5036..4522cae 100644
--- a/hosts/common/optional/nixos-containers/semitamaps-worker.nix
+++ b/hosts/common/optional/nixos-containers/semitamaps-worker.nix
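Review bot: ExecStart reaches podman through the hard-coded `/run/current-system/sw/bin/podman` while ExecStartPre pins coreutils via `${pkgs.coreutils}`; the system-profile path only resolves if podman is in the system environment and can change silently between generations, so `ExecStart = ''${pkgs.podman}/bin/podman start --all --filter restart-policy=always'';` keeps the unit inside the same closure as the rest of the module. The `sleep 1` in ExecStartPre reads as a timing workaround and deserves a one-line comment stating what it waits for, e.g. `# podman.service may still be initialising when this unit is dispatched — TODO confirm`. With no `User=` the unit runs as root and therefore only restarts root-owned containers, which is presumably the intent but worth saying in the description. The enclosing attribute set opened by `in {` starts and ends outside the hunk.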
@@ -1,178 +1,3 @@
-# {
-# lib,
-# pkgs,
-# inputs,
-# configVars,
-# ...
-# }: let
-# pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
-# containerName = "sm-worker";
-# sops-nix = inputs.sops-nix;
-# semitamapsData = configVars.locations.semitamapsData;
-# in {
-# environment.persistence."/persist" = {
-# hideMounts = true;
-# directories = [
-# "/var/lib/nixos-containers/${containerName}"
-# ];
-# };
-#
-# networking.nat.enable = true;
-# networking.nat.internalInterfaces = ["ve-+"];
-# networking.nat.externalInterface = "br0";
-#
-# containers.${containerName} = {
-# enableTun = true;
-#
-# # configuration to run docker/podman in systemd-nspawn container
-# # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
-# additionalCapabilities = [
-# ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
-# ];
-# extraFlags = ["--private-users-ownership=chown"];
-# allowedDevices = [
-# {
-# node = "/dev/fuse";
-# modifier = "rwm";
-# }
-# {
-# node = "/dev/mapper/control";
-# modifier = "rw";
-# }
-# {
-# node = "/dev/console";
-# modifier = "rwm";
-# }
-# {
-# node = "/dev/net/tun";
-# modifier = "rw";
-# }
-# ];
-# ######
-#
-# autoStart = true;
-# privateNetwork = true;
-# hostBridge = "br0";
-# nixpkgs = pkgs.path;
-# bindMounts = {
-# "/etc/ssh/ssh_host_ed25519_key" = {
-# hostPath = "/etc/ssh/ssh_host_ed25519_key";
-# isReadOnly = true;
-# };
-# "/data/semitamaps-data" = {
-# hostPath = semitamapsData;
-# isReadOnly = false;
-# };
-# };
-#
-# config = {
-# pkgs,
-# lib,
-# ...
-# }: let
-# configVars = import ../../../../vars {inherit inputs lib;};
-# secretsDirectory = builtins.toString inputs.nix-secrets;
-# secretsFile = "${secretsDirectory}/secrets.yaml";
-#
-# # define ip addresses
-# containerIp = configVars.networking.addresses.sm-worker.ip;
-# gatewayIp = configVars.networking.addresses.gateway.ip;
-# in {
-# networking = {
-# defaultGateway = "${gatewayIp}";
-# interfaces.eth0.ipv4.addresses = [
-# {
-# "address" = "${containerIp}";
-# "prefixLength" = 24;
-# }
-# ];
-# firewall = {
-# enable = true;
-# allowedTCPPorts = [
-# 2322
-# 8080
-# 8081
-# ];
-# };
-# useHostResolvConf = lib.mkForce false;
-# };
-#
-# sops = {
-# defaultSopsFile = "${secretsFile}";
-# validateSopsFiles = false;
-#
-# age = {
-# sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-# };
-# };
-#
-# sops.secrets = {
-# };
-#
-# imports = [
-# sops-nix.nixosModules.sops
-# ];
-#
-# services.resolved.enable = true;
-#
-# environment.systemPackages = [
-# pkgs.vim
-# pkgs.git
-# pkgs.python311
-# pkgs.poetry
-# pkgs.htop
-# pkgs.podman-compose
-# pkgs.jdk
-# ];
-#
-# virtualisation = {
-# podman = {
-# enable = true;
-# dockerSocket.enable = true;
-# defaultNetwork.settings.dns_enabled = true;
-# dockerCompat = true;
-# };
-# };
-#
-# systemd.services.photon = {
-# wantedBy = ["multi-user.target"];
-# after = ["network.target"];
-# description = "Photon Service";
-# path = ["/run/current-system/sw"];
-# serviceConfig = {
-# WorkingDirectory = "/data/semitamaps-data/photon";
-# ExecStart = pkgs.writeShellScript "photon" ''
-# java -jar photon-*.jar -cors-any
-# '';
-# Restart = "on-failure";
-# };
-# };
-#
-# programs.nix-ld.enable = true;
-# programs.nix-ld.libraries = with pkgs; [
-# zlib
-# libgcc
-# ];
-#
-# programs.ssh.knownHosts = {
-# "git.bitlab21.com" = {
-# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";
-# };
-# };
-#
-# services.openssh = {
-# enable = true;
-# settings.PasswordAuthentication = false;
-# };
-#
-# users.users.root = {
-# openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
-# };
-#
-# system.stateVersion = "24.05";
-# };
-# };
-# }
 {
 pkgs,
 lib,