add podman-autostart service to docker

2025-01-15 16:19:12 +00:00 · 2025-01-15 16:19:12 +00:00 · fd8c8efcf0
parent 3fe2f6dcf9
commit fd8c8efcf0
2 changed files with 12 additions and 175 deletions
--- a/hosts/common/optional/nixos-containers/docker.nix
+++ b/hosts/common/optional/nixos-containers/docker.nix
@ -162,6 +162,18 @@ in {

      networking.firewall.interfaces."podman+".allowedUDPPorts = [53];

+      systemd.services.podman-autostart = {
+        enable = true;
+        after = ["podman.service"];
+        wantedBy = ["multi-user.target"];
+        description = "Automatically start containers with --restart=always tag";
+        serviceConfig = {
+          Type = "idle";
+          ExecStartPre = ''${pkgs.coreutils}/bin/sleep 1'';
+          ExecStart = ''/run/current-system/sw/bin/podman start --all --filter restart-policy=always'';
+        };
+      };
+
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
--- a/hosts/common/optional/nixos-containers/semitamaps-worker.nix
+++ b/hosts/common/optional/nixos-containers/semitamaps-worker.nix
@ -1,178 +1,3 @@
-# {
-#   lib,
-#   pkgs,
-#   inputs,
-#   configVars,
-#   ...
-# }: let
-#   pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
-#   containerName = "sm-worker";
-#   sops-nix = inputs.sops-nix;
-#   semitamapsData = configVars.locations.semitamapsData;
-# in {
-#   environment.persistence."/persist" = {
-#     hideMounts = true;
-#     directories = [
-#       "/var/lib/nixos-containers/${containerName}"
-#     ];
-#   };
-#
-#   networking.nat.enable = true;
-#   networking.nat.internalInterfaces = ["ve-+"];
-#   networking.nat.externalInterface = "br0";
-#
-#   containers.${containerName} = {
-#     enableTun = true;
-#
-#     # configuration to run docker/podman in systemd-nspawn container
-#     # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
-#     additionalCapabilities = [
-#       ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
-#     ];
-#     extraFlags = ["--private-users-ownership=chown"];
-#     allowedDevices = [
-#       {
-#         node = "/dev/fuse";
-#         modifier = "rwm";
-#       }
-#       {
-#         node = "/dev/mapper/control";
-#         modifier = "rw";
-#       }
-#       {
-#         node = "/dev/console";
-#         modifier = "rwm";
-#       }
-#       {
-#         node = "/dev/net/tun";
-#         modifier = "rw";
-#       }
-#     ];
-#     ######
-#
-#     autoStart = true;
-#     privateNetwork = true;
-#     hostBridge = "br0";
-#     nixpkgs = pkgs.path;
-#     bindMounts = {
-#       "/etc/ssh/ssh_host_ed25519_key" = {
-#         hostPath = "/etc/ssh/ssh_host_ed25519_key";
-#         isReadOnly = true;
-#       };
-#       "/data/semitamaps-data" = {
-#         hostPath = semitamapsData;
-#         isReadOnly = false;
-#       };
-#     };
-#
-#     config = {
-#       pkgs,
-#       lib,
-#       ...
-#     }: let
-#       configVars = import ../../../../vars {inherit inputs lib;};
-#       secretsDirectory = builtins.toString inputs.nix-secrets;
-#       secretsFile = "${secretsDirectory}/secrets.yaml";
-#
-#       # define ip addresses
-#       containerIp = configVars.networking.addresses.sm-worker.ip;
-#       gatewayIp = configVars.networking.addresses.gateway.ip;
-#     in {
-#       networking = {
-#         defaultGateway = "${gatewayIp}";
-#         interfaces.eth0.ipv4.addresses = [
-#           {
-#             "address" = "${containerIp}";
-#             "prefixLength" = 24;
-#           }
-#         ];
-#         firewall = {
-#           enable = true;
-#           allowedTCPPorts = [
-#             2322
-#             8080
-#             8081
-#           ];
-#         };
-#         useHostResolvConf = lib.mkForce false;
-#       };
-#
-#       sops = {
-#         defaultSopsFile = "${secretsFile}";
-#         validateSopsFiles = false;
-#
-#         age = {
-#           sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
-#         };
-#       };
-#
-#       sops.secrets = {
-#       };
-#
-#       imports = [
-#         sops-nix.nixosModules.sops
-#       ];
-#
-#       services.resolved.enable = true;
-#
-#       environment.systemPackages = [
-#         pkgs.vim
-#         pkgs.git
-#         pkgs.python311
-#         pkgs.poetry
-#         pkgs.htop
-#         pkgs.podman-compose
-#         pkgs.jdk
-#       ];
-#
-#       virtualisation = {
-#         podman = {
-#           enable = true;
-#           dockerSocket.enable = true;
-#           defaultNetwork.settings.dns_enabled = true;
-#           dockerCompat = true;
-#         };
-#       };
-#
-#       systemd.services.photon = {
-#         wantedBy = ["multi-user.target"];
-#         after = ["network.target"];
-#         description = "Photon Service";
-#         path = ["/run/current-system/sw"];
-#         serviceConfig = {
-#           WorkingDirectory = "/data/semitamaps-data/photon";
-#           ExecStart = pkgs.writeShellScript "photon" ''
-#             java -jar photon-*.jar -cors-any
-#           '';
-#           Restart = "on-failure";
-#         };
-#       };
-#
-#       programs.nix-ld.enable = true;
-#       programs.nix-ld.libraries = with pkgs; [
-#         zlib
-#         libgcc
-#       ];
-#
-#       programs.ssh.knownHosts = {
-#         "git.bitlab21.com" = {
-#           publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";
-#         };
-#       };
-#
-#       services.openssh = {
-#         enable = true;
-#         settings.PasswordAuthentication = false;
-#       };
-#
-#       users.users.root = {
-#         openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
-#       };
-#
-#       system.stateVersion = "24.05";
-#     };
-#   };
-# }
 {
  pkgs,
  lib,