# { # lib, # pkgs, # inputs, # configVars, # ... # }: let # pubKeys = lib.filesystem.listFilesRecursive ../../users/keys; # containerName = "sm-worker"; # sops-nix = inputs.sops-nix; # semitamapsData = configVars.locations.semitamapsData; # in { # environment.persistence."/persist" = { # hideMounts = true; # directories = [ # "/var/lib/nixos-containers/${containerName}" # ]; # }; # # networking.nat.enable = true; # networking.nat.internalInterfaces = ["ve-+"]; # networking.nat.externalInterface = "br0"; # # containers.${containerName} = { # enableTun = true; # # # configuration to run docker/podman in systemd-nspawn container # # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12 # additionalCapabilities = [ # ''all" --system-call-filter="add_key keyctl bpf" --capability="all'' # ]; # extraFlags = ["--private-users-ownership=chown"]; # allowedDevices = [ # { # node = "/dev/fuse"; # modifier = "rwm"; # } # { # node = "/dev/mapper/control"; # modifier = "rw"; # } # { # node = "/dev/console"; # modifier = "rwm"; # } # { # node = "/dev/net/tun"; # modifier = "rw"; # } # ]; # ###### # # autoStart = true; # privateNetwork = true; # hostBridge = "br0"; # nixpkgs = pkgs.path; # bindMounts = { # "/etc/ssh/ssh_host_ed25519_key" = { # hostPath = "/etc/ssh/ssh_host_ed25519_key"; # isReadOnly = true; # }; # "/data/semitamaps-data" = { # hostPath = semitamapsData; # isReadOnly = false; # }; # }; # # config = { # pkgs, # lib, # ... 
# }: let # configVars = import ../../../../vars {inherit inputs lib;}; # secretsDirectory = builtins.toString inputs.nix-secrets; # secretsFile = "${secretsDirectory}/secrets.yaml"; # # # define ip addresses # containerIp = configVars.networking.addresses.sm-worker.ip; # gatewayIp = configVars.networking.addresses.gateway.ip; # in { # networking = { # defaultGateway = "${gatewayIp}"; # interfaces.eth0.ipv4.addresses = [ # { # "address" = "${containerIp}"; # "prefixLength" = 24; # } # ]; # firewall = { # enable = true; # allowedTCPPorts = [ # 2322 # 8080 # 8081 # ]; # }; # useHostResolvConf = lib.mkForce false; # }; # # sops = { # defaultSopsFile = "${secretsFile}"; # validateSopsFiles = false; # # age = { # sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; # }; # }; # # sops.secrets = { # }; # # imports = [ # sops-nix.nixosModules.sops # ]; # # services.resolved.enable = true; # # environment.systemPackages = [ # pkgs.vim # pkgs.git # pkgs.python311 # pkgs.poetry # pkgs.htop # pkgs.podman-compose # pkgs.jdk # ]; # # virtualisation = { # podman = { # enable = true; # dockerSocket.enable = true; # defaultNetwork.settings.dns_enabled = true; # dockerCompat = true; # }; # }; # # systemd.services.photon = { # wantedBy = ["multi-user.target"]; # after = ["network.target"]; # description = "Photon Service"; # path = ["/run/current-system/sw"]; # serviceConfig = { # WorkingDirectory = "/data/semitamaps-data/photon"; # ExecStart = pkgs.writeShellScript "photon" '' # java -jar photon-*.jar -cors-any # ''; # Restart = "on-failure"; # }; # }; # # programs.nix-ld.enable = true; # programs.nix-ld.libraries = with pkgs; [ # zlib # libgcc # ]; # # programs.ssh.knownHosts = { # "git.bitlab21.com" = { # publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg"; # }; # }; # # services.openssh = { # enable = true; # settings.PasswordAuthentication = false; # }; # # users.users.root = { # openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: 
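# builtins.readFile key); # }; # # system.stateVersion = "24.05"; # }; # }; # }
#
# NOTE(review): everything above this line is a commented-out, older copy of
# this module (it predates the /dev/dri passthrough, the arion/dive/podman-tui
# packages and the podman-autostart unit). It is kept only as history; the
# live module starts here.
#
# Host-side definition of the "sm-worker" NixOS (systemd-nspawn) container.
# It runs rootful podman/docker workloads plus the Photon geocoder, and is
# therefore given a very wide privilege envelope (see the SECURITY notes
# inline). Treat it as a semi-trusted host rather than as a sandbox.
{
  pkgs,
  lib,
  inputs,
  configVars,
  ...
}: let
  # Every file found recursively under users/keys is read verbatim into
  # root's authorized_keys inside the container (users.users.root below).
  # Keep that directory limited to public keys: any stray file placed there
  # becomes a root login credential for the container.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
  containerName = "sm-worker";
  sops-nix = inputs.sops-nix;
  # Host directory bind-mounted read-write into the container as
  # /data/semitamaps-data; Photon runs from a subdirectory of it.
  semitamapsData = configVars.locations.semitamapsData;
  containerIp = configVars.networking.addresses.sm-worker.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;
in {
  # NAT for veth-style "ve-*" container interfaces out through br0.
  # NOTE(review): this container joins br0 directly via hostBridge (its
  # host-side interface is "vb-*", not "ve-*"), so these rules do not look
  # like they apply to it and may be left over from a non-bridged setup.
  # Left untouched here; confirm nothing else relies on them before removing.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "br0";

  # impermanence: keep the container's root tree across host reboots.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/nixos-containers/${containerName}"
    ];
  };

  containers."${containerName}" = {
    enableTun = true;

    # SECURITY: this string is a deliberate flag injection into the nspawn
    # command line. The embedded closing quote terminates --capability=, then
    # a --system-call-filter and a second --capability=all are appended. Net
    # effect: the container receives ALL capabilities and add_key/keyctl/bpf
    # are added to the seccomp allow-list. That is what rootful podman inside
    # nspawn needs, but it means the remaining isolation is essentially the
    # user namespace (--private-users) plus the device allow-list below. A
    # compromise of any workload in here should be treated as a compromise
    # of the whole container, and possibly of the host bridge segment.
    # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
    additionalCapabilities = [
      ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
    ];
    # Rewrite ownership of the container's files into its private UID range.
    extraFlags = ["--private-users-ownership=chown"];

    # Device nodes exposed to the container. "rwm" grants read, write AND
    # mknod; "rw" omits mknod. The /dev/dri nodes are GPU passthrough and the
    # card index (card1 / renderD128) is hard-coded to this host's hardware.
    allowedDevices = [
      {
        node = "/dev/fuse";
        modifier = "rwm";
      }
      {
        node = "/dev/mapper/control";
        modifier = "rw";
      }
      {
        node = "/dev/console";
        modifier = "rwm";
      }
      {
        node = "/dev/dri/card1";
        modifier = "rwm";
      }
      {
        node = "/dev/dri/renderD128";
        modifier = "rwm";
      }
      {
        node = "/dev/net/tun";
        modifier = "rw";
      }
    ];
    ######

    autoStart = true;
    # Own network namespace, attached as a bridge port on the host's br0.
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;

    bindMounts = {
      # SECURITY: the host's SSH host key is shared with the container. It is
      # used below as the sops/age identity, and because NixOS' sshd defaults
      # to this same path the container's sshd will present the host's key
      # as its own. Consequences: (1) the container shares the host's SSH
      # identity, so a leak from inside allows impersonating the host;
      # (2) anything in secrets.yaml encrypted to the host key is
      # decryptable from inside this all-capabilities container. Read-only
      # limits tampering, not disclosure. A dedicated per-container key
      # would remove both couplings.
      "/etc/ssh/ssh_host_ed25519_key" = {
        hostPath = "/etc/ssh/ssh_host_ed25519_key";
        isReadOnly = true;
      };
      "/data/semitamaps-data" = {
        hostPath = semitamapsData;
        isReadOnly = false;
      };
    };

    # Guest NixOS configuration. `pubKeys`, `sops-nix`, `containerIp` and
    # `gatewayIp` are captured from the outer `let`.
    config = {
      pkgs,
      lib,
      ...
    }: let
      secretsDirectory = builtins.toString inputs.nix-secrets;
      secretsFile = "${secretsDirectory}/secrets.yaml";
    in {
      networking = {
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          {
            "address" = "${containerIp}";
            "prefixLength" = 24;
          }
        ];
        firewall = {
          enable = true;
          # 8080/8081 are presumably Photon and a podman-published service;
          # nothing in this file listens on 2322 — TODO confirm what it is for
          # and drop it if nothing does. Note that sshd's port 22 is opened
          # separately by services.openssh.openFirewall (NixOS default true),
          # so the reachable set is 22, 2322, 8080 and 8081.
          allowedTCPPorts = [
            2322
            8080
            8081
          ];
        };
        # Run our own resolver instead of inheriting the host's resolv.conf.
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;

      # sops-nix wired to the host's ed25519 key (see the bind mount above).
      # validateSopsFiles is off because the secrets file comes from a flake
      # input as a string path. No sops.secrets are declared yet, so nothing
      # is currently materialised in the container.
      sops = {
        defaultSopsFile = "${secretsFile}";
        validateSopsFiles = false;
        age = {
          sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
        };
      };
      imports = [
        sops-nix.nixosModules.sops
      ];

      environment.systemPackages = [
        pkgs.vim
        pkgs.git
        pkgs.arion
        pkgs.dive
        pkgs.podman-tui
        pkgs.podman-compose
        pkgs.jdk
      ];

      virtualisation = {
        podman = {
          enable = true;
          # SECURITY: exposes a Docker-compatible socket (/var/run/docker.sock).
          # Access to that socket is root-equivalent inside the container;
          # keep membership of the "podman" group to trusted users only.
          dockerSocket.enable = true;
          defaultNetwork.settings.dns_enabled = true;
          dockerCompat = true;
        };
      };
      # Let podman-managed containers reach the aardvark DNS resolver.
      networking.firewall.interfaces."podman+".allowedUDPPorts = [53];

      # Re-start containers tagged restart=always after boot; podman has no
      # systemd integration for this by default. The 1s sleep is a timing
      # workaround rather than a proper dependency — TODO consider ordering
      # after network-online.target and the relevant podman units instead.
      systemd.services.podman-autostart = {
        enable = true;
        after = ["podman.service"];
        wantedBy = ["multi-user.target"];
        description = "Automatically start containers with --restart=always tag";
        serviceConfig = {
          Type = "idle";
          ExecStartPre = ''${pkgs.coreutils}/bin/sleep 1'';
          ExecStart = ''/run/current-system/sw/bin/podman start --all --filter restart-policy=always'';
        };
      };

      # Photon geocoder, started from the bind-mounted data directory.
      # SECURITY: runs as root (no User=/DynamicUser=) inside an
      # all-capabilities container, and -cors-any answers any Origin, so
      # whatever it serves is readable from any web page that can reach it.
      # TODO(review): add `User=` once the ownership of the data directory on
      # the host is known, and restrict CORS to the intended origin(s).
      # `exec` makes java the unit's main process so Restart= sees its exit
      # status and stop signals reach it directly.
      systemd.services.photon = {
        wantedBy = ["multi-user.target"];
        after = ["network.target"];
        description = "Photon Service";
        path = ["/run/current-system/sw"];
        serviceConfig = {
          WorkingDirectory = "/data/semitamaps-data/photon";
          # NOTE: the glob assumes exactly one photon-*.jar in the directory;
          # a second jar would be passed to java as a program argument.
          ExecStart = pkgs.writeShellScript "photon" ''
            exec java -jar photon-*.jar -cors-any
          '';
          Restart = "on-failure";
        };
      };

      # Key-only SSH. KbdInteractiveAuthentication defaults to true in NixOS
      # and can still allow PAM password prompts, so it is disabled alongside
      # PasswordAuthentication. PermitRootLogin is the NixOS default
      # ("prohibit-password"), made explicit because root is the only login
      # account configured here.
      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          PermitRootLogin = "prohibit-password";
        };
      };

      users.users = {
        root = {
          # One authorized key per file under users/keys (see `pubKeys`).
          openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
        };
      };

      system.stateVersion = "24.05";
    };
  };
}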