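# NixOS host module: runs MongoDB inside a NixOS container (`containers.mongodb`)
# attached to the host's `br0` bridge with a static address taken from
# `configVars.networking.addresses`.
#
# Module arguments:
#   inputs     - flake inputs; only inspected for the presence of `sops-nix`
#   lib        - nixpkgs lib (shadowed inside the container config by its own `lib`)
#   config     - host NixOS config; used to look up the sops secret path
#   configVars - project settings; `networking.addresses.{mongodb,gateway}.ip` are read
#   pkgs       - host package set; `pkgs.path` is handed to the container as its nixpkgs
{ inputs, lib, config, configVars, pkgs, ... }:

let
  # Path of the decrypted MongoDB password on the host, or "" when sops-nix is
  # not among the flake inputs. It is only referenced from the commented-out
  # auth lines under `services.mongodb` below, so the binding is never forced
  # (Nix is lazy). NOTE(review): the secret named here is not declared in
  # `sops.secrets` in this file — the declaration below is for a postgres
  # secret, which looks like a copy-paste leftover; confirm which is intended.
  mongodbPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs)
    config.sops.secrets."software/mongodb/baseddata/password".path;

  # Every file under users/keys (recursively) is treated as an SSH public key
  # and granted root login inside the container.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;

  containerName = "mongodb";
  containerIp = configVars.networking.addresses.mongodb.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;
in
{
  sops.secrets = {
    # NOTE(review): declares a postgres secret, while the path read above is
    # "software/mongodb/baseddata/password" — verify this is the right one.
    "software/postgres/postgres/password" = { };
  };

  # Keep the container's state directory across reboots (impermanence setup).
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  # NAT for container veth interfaces. This container is bridged straight onto
  # br0, so the NAT rules mainly matter for other, non-bridged containers.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "br0";

  containers.${containerName} = {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;

    # No bind mounts at the moment; the database lives in the container's own
    # state directory, which is persisted above.
    bindMounts = {
      # "/var/db/mongodb" = {
      #   hostPath = "/media/main-ssd/mongodb";
      #   isReadOnly = false;
      # };
    };

    config = { pkgs, lib, ... }: {
      networking = {
        # `gatewayIp`/`containerIp` are already strings; no interpolation needed.
        defaultGateway = gatewayIp;
        interfaces.eth0.ipv4.addresses = [
          { address = containerIp; prefixLength = 24; }
        ];
        firewall = {
          enable = true;
          # MongoDB's default port; reachable from any host that can route to
          # `containerIp`.
          allowedTCPPorts = [ 27017 ];
        };
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;

      environment.systemPackages = [ pkgs.mongosh ];

      # Permit only the unfree packages listed here (mongodb is marked unfree
      # in nixpkgs, so it must be whitelisted explicitly).
      nixpkgs.config.allowUnfreePredicate =
        let
          whitelist = map lib.getName [ pkgs.mongodb ];
        in
        pkg: builtins.elem (lib.getName pkg) whitelist;

      services.mongodb = {
        enable = true;
        # SECURITY: authentication is disabled and `bind_ip` accepts connections
        # on every interface, so any host on the bridge network that reaches
        # port 27017 gets full, unauthenticated access to all databases. The
        # auth lines stay disabled because `initialRootPassword` is a plain
        # string option holding the password itself (which would then land in
        # the Nix store), not a file path, so the sops-managed path cannot be
        # passed through as-is.
        # enableAuth = true;
        # initialRootPassword = mongodbPasswordPath;
        bind_ip = "0.0.0.0";
      };

      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };
      # Root SSH login, key-only, using the public keys collected above.
      users.users.root = {
        openssh.authorizedKeys.keys = map builtins.readFile pubKeys;
      };

      system.stateVersion = "24.05";
    };
  };
}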