{ pkgs, lib, inputs, configVars, ... }: let containerName = "docker"; containerIp = configVars.networking.addresses.docker.ip; gatewayIp = configVars.networking.addresses.gateway.ip; dockerContainerData = configVars.locations.dockerContainerData; mediaDataMountPoint = configVars.locations.mediaDataMountPoint; photosDataMountPoint = configVars.locations.photosDataMountPoint; pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; arion = inputs.arion; sops-nix = inputs.sops-nix; in { networking.nat.enable = true; networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "br0"; services.restic.backups = { daily = { paths = [ dockerContainerData ]; exclude = [ ]; }; }; environment.persistence."/persist" = { hideMounts = true; directories = [ "/var/lib/nixos-containers/${containerName}" ]; }; containers."${containerName}" = { enableTun = true; # configuration to run docker/podman in systemd-nspawn container # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12 additionalCapabilities = [ ''all" --system-call-filter="add_key keyctl bpf" --capability="all'' ]; extraFlags = ["--private-users-ownership=chown"]; allowedDevices = [ { node = "/dev/fuse"; modifier = "rwm"; } { node = "/dev/mapper/control"; modifier = "rw"; } { node = "/dev/console"; modifier = "rwm"; } { node = "/dev/dri/card1"; modifier = "rwm"; } { node = "/dev/dri/renderD128"; modifier = "rwm"; } { node = "/dev/net/tun"; modifier = "rw"; } ]; ###### autoStart = true; privateNetwork = true; hostBridge = "br0"; nixpkgs = pkgs.path; bindMounts = { "/media/photos" = { hostPath = photosDataMountPoint; isReadOnly = false; }; "/dev/dri" = { hostPath = "/dev/dri"; isReadOnly = false; }; "/media/media" = { hostPath = mediaDataMountPoint; isReadOnly = false; }; "/srv/docker" = { hostPath = dockerContainerData; isReadOnly = false; }; "/etc/ssh/ssh_host_ed25519_key" = { hostPath = "/etc/ssh/ssh_host_ed25519_key"; isReadOnly = true; }; }; config = { pkgs, lib, ... }: let secretsDirectory = builtins.toString inputs.nix-secrets; secretsFile = "${secretsDirectory}/secrets.yaml"; in { networking = { defaultGateway = "${gatewayIp}"; interfaces.eth0.ipv4.addresses = [ { "address" = "${containerIp}"; "prefixLength" = 24; } ]; firewall = { enable = true; allowedTCPPorts = [ ]; }; useHostResolvConf = lib.mkForce false; }; services.resolved.enable = true; sops = { defaultSopsFile = "${secretsFile}"; validateSopsFiles = false; age = { sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; }; }; imports = [ arion.nixosModules.arion sops-nix.nixosModules.sops ../arion-containers/arrstack.nix ../arion-containers/jellyfin.nix ../arion-containers/photoprism.nix ]; environment.systemPackages = [ pkgs.vim pkgs.git pkgs.arion pkgs.dive pkgs.podman-tui pkgs.podman-compose ]; virtualisation = { podman = { enable = true; dockerSocket.enable = true; defaultNetwork.settings.dns_enabled = true; dockerCompat = true; }; }; networking.firewall.interfaces."podman+".allowedUDPPorts = [53]; systemd.services.podman-autostart = { enable = true; after = ["podman.service"]; wantedBy = ["multi-user.target"]; description = "Automatically start containers with --restart=always tag"; serviceConfig = { Type = "idle"; ExecStartPre = ''${pkgs.coreutils}/bin/sleep 1''; ExecStart = ''/run/current-system/sw/bin/podman start --all --filter restart-policy=always''; }; }; services.prometheus = { exporters = { node = { enable = true; enabledCollectors = ["systemd"]; openFirewall = true; }; }; }; services.openssh = { enable = true; settings.PasswordAuthentication = false; }; users.users = { root = { openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); }; }; system.stateVersion = "24.05"; }; }; }