add podman-autostart service to docker

2025-01-15 16:19:12 +00:00 · 2025-01-15 16:19:12 +00:00 · fd8c8efcf0
parent 3fe2f6dcf9
commit fd8c8efcf0
2 changed files with 12 additions and 175 deletions
--- a/hosts/common/optional/nixos-containers/docker.nix
+++ b/hosts/common/optional/nixos-containers/docker.nix
@ -162,6 +162,18 @@ in {
      networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
      systemd.services.podman-autostart = {
        enable = true;
        after = ["podman.service"];
        wantedBy = ["multi-user.target"];
        description = "Automatically start containers with --restart=always tag";
        serviceConfig = {
          Type = "idle";
          ExecStartPre = ''${pkgs.coreutils}/bin/sleep 1'';
          ExecStart = ''/run/current-system/sw/bin/podman start --all --filter restart-policy=always'';
        };
      };
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
--- a/hosts/common/optional/nixos-containers/semitamaps-worker.nix
+++ b/hosts/common/optional/nixos-containers/semitamaps-worker.nix
@ -1,178 +1,3 @@
 # {
 #   lib,
 #   pkgs,
 #   inputs,
 #   configVars,
 #   ...
 # }: let
 #   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
 #   containerName = "sm-worker";
 #   sops-nix = inputs.sops-nix;
 #   semitamapsData = configVars.locations.semitamapsData;
 # in {
 #   environment.persistence."/persist" = {
 #     hideMounts = true;
 #     directories = [
 #       "/var/lib/nixos-containers/${containerName}"
 #     ];
 #   };
 #
 #   networking.nat.enable = true;
 #   networking.nat.internalInterfaces = ["ve-+"];
 #   networking.nat.externalInterface = "br0";
 #
 #   containers.${containerName} = {
 #     enableTun = true;
 #
 #     # configuration to run docker/podman in systemd-nspawn container
 #     # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
 #     additionalCapabilities = [
 #       ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
 #     ];
 #     extraFlags = ["--private-users-ownership=chown"];
 #     allowedDevices = [
 #       {
 #         node = "/dev/fuse";
 #         modifier = "rwm";
 #       }
 #       {
 #         node = "/dev/mapper/control";
 #         modifier = "rw";
 #       }
 #       {
 #         node = "/dev/console";
 #         modifier = "rwm";
 #       }
 #       {
 #         node = "/dev/net/tun";
 #         modifier = "rw";
 #       }
 #     ];
 #     ######
 #
 #     autoStart = true;
 #     privateNetwork = true;
 #     hostBridge = "br0";
 #     nixpkgs = pkgs.path;
 #     bindMounts = {
 #       "/etc/ssh/ssh_host_ed25519_key" = {
 #         hostPath = "/etc/ssh/ssh_host_ed25519_key";
 #         isReadOnly = true;
 #       };
 #       "/data/semitamaps-data" = {
 #         hostPath = semitamapsData;
 #         isReadOnly = false;
 #       };
 #     };
 #
 #     config = {
 #       pkgs,
 #       lib,
 #       ...
 #     }: let
 #       configVars = import ../../../../vars {inherit inputs lib;};
 #       secretsDirectory = builtins.toString inputs.nix-secrets;
 #       secretsFile = "${secretsDirectory}/secrets.yaml";
 #
 #       # define ip addresses
 #       containerIp = configVars.networking.addresses.sm-worker.ip;
 #       gatewayIp = configVars.networking.addresses.gateway.ip;
 #     in {
 #       networking = {
 #         defaultGateway = "${gatewayIp}";
 #         interfaces.eth0.ipv4.addresses = [
 #           {
 #             "address" = "${containerIp}";
 #             "prefixLength" = 24;
 #           }
 #         ];
 #         firewall = {
 #           enable = true;
 #           allowedTCPPorts = [
 #             2322
 #             8080
 #             8081
 #           ];
 #         };
 #         useHostResolvConf = lib.mkForce false;
 #       };
 #
 #       sops = {
 #         defaultSopsFile = "${secretsFile}";
 #         validateSopsFiles = false;
 #
 #         age = {
 #           sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 #         };
 #       };
 #
 #       sops.secrets = {
 #       };
 #
 #       imports = [
 #         sops-nix.nixosModules.sops
 #       ];
 #
 #       services.resolved.enable = true;
 #
 #       environment.systemPackages = [
 #         pkgs.vim
 #         pkgs.git
 #         pkgs.python311
 #         pkgs.poetry
 #         pkgs.htop
 #         pkgs.podman-compose
 #         pkgs.jdk
 #       ];
 #
 #       virtualisation = {
 #         podman = {
 #           enable = true;
 #           dockerSocket.enable = true;
 #           defaultNetwork.settings.dns_enabled = true;
 #           dockerCompat = true;
 #         };
 #       };
 #
 #       systemd.services.photon = {
 #         wantedBy = ["multi-user.target"];
 #         after = ["network.target"];
 #         description = "Photon Service";
 #         path = ["/run/current-system/sw"];
 #         serviceConfig = {
 #           WorkingDirectory = "/data/semitamaps-data/photon";
 #           ExecStart = pkgs.writeShellScript "photon" ''
 #             java -jar photon-*.jar -cors-any
 #           '';
 #           Restart = "on-failure";
 #         };
 #       };
 #
 #       programs.nix-ld.enable = true;
 #       programs.nix-ld.libraries = with pkgs; [
 #         zlib
 #         libgcc
 #       ];
 #
 #       programs.ssh.knownHosts = {
 #         "git.bitlab21.com" = {
 #           publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";
 #         };
 #       };
 #
 #       services.openssh = {
 #         enable = true;
 #         settings.PasswordAuthentication = false;
 #       };
 #
 #       users.users.root = {
 #         openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
 #       };
 #
 #       system.stateVersion = "24.05";
 #     };
 #   };
 # }
 {
  pkgs,
  lib,