wip podman on h001

2025-04-29 17:15:19 -05:00 · 2025-04-29 17:15:19 -05:00 · b0ca7ab8d7
commit b0ca7ab8d7
parent d5ce9cd3eb
6 changed files with 186 additions and 42 deletions
--- a/common/programs/default.nix
+++ b/common/programs/default.nix
@ -1,4 +1,8 @@
-{ ... }:
+{ config, lib, ... }:
+let
+  ccfg = import ../config.nix;
+  cfg = config.${ccfg.custom_config_key}.programs;
+in
 {
  imports = [
    ./qFlipper.nix
@ -7,6 +11,31 @@
    ./tailnet.nix
    ./ssh.nix
    ./docker.nix
+    ./podman.nix
    ./incus.nix
  ];
+  config = {
+    assertions = [
+      (
+        let
+          enabledVirtualizers = lib.filter (x: x.enabled) [
+            {
+              name = "docker";
+              enabled = cfg.docker.enable;
+            }
+            {
+              name = "podman";
+              enabled = cfg.podman.enable;
+            }
+          ];
+        in
+        {
+          assertion = lib.length enabledVirtualizers <= 1;
+          message =
+            "Only one virtualizer can be enabled at a time. Enabled: "
+            + lib.concatStringsSep ", " (map (x: x.name) enabledVirtualizers);
+        }
+      )
+    ];
+  };
 }
--- a/common/programs/podman.nix
+++ b/common/programs/podman.nix
@ -0,0 +1,32 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "podman"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+  users_cfg = config.${ccfg.custom_config_key}.users;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "podman";
+    };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.podman = {
+      enable = true;
+      dockerSocket.enable = true;
+      autoPrune.enable = true;
+    };
+    # TODO add admins?
+    users.extraGroups.podman.members = lib.mkIf (users_cfg.primary != null) [ users_cfg.primary ];
+  };
+}
--- a/hosts/h001/containers/default.nix
+++ b/hosts/h001/containers/default.nix
@ -0,0 +1,96 @@
+{ common }:
+{
+  ...
+}:
+{
+  imports = [
+    # common.nixosModules.containers.librechat
+    # common.nixosModules.containers.forgejo
+  ];
+
+  config = {
+    ## Give internet access
+    networking = {
+      nat = {
+        enable = true;
+        internalInterfaces = [ "ve-*" ];
+        externalInterface = "enp0s31f6";
+        enableIPv6 = true;
+      };
+      firewall.trustedInterfaces = [ "ve-*" ];
+    };
+
+    containers.wasabi = {
+      ephemeral = true;
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "10.0.0.1";
+      localAddress = "10.0.0.111";
+      config =
+        { config, pkgs, ... }:
+        {
+          system.stateVersion = "24.11";
+          services.httpd.enable = true;
+          services.httpd.adminAddr = "foo@example.org";
+          networking.firewall = {
+            enable = true;
+            allowedTCPPorts = [ 80 ];
+          };
+        };
+    };
+
+    virtualisation.oci-containers.containers = {
+      ntest = {
+        image = "nginx:alpine";
+        ports = [
+          "127.0.0.1:8085:80"
+        ];
+      };
+    };
+
+    virtualisation.oci-containers.backend = "podman";
+
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "localhost" = {
+          locations."/" = {
+            proxyPass = "http://10.0.0.111";
+          };
+        };
+
+        # "git.joshuabell.xyz" = {
+        #   # GIT passthrough
+        #   locations."/" = {
+        #     proxyPass = "http://10.0.0.2:3000";
+        #   };
+        # };
+
+        "_" = {
+          default = true;
+          locations."/" = {
+            return = "404"; # or 444 for drop
+          };
+        };
+      };
+
+      # STREAMS
+      streamConfig = ''
+        server {
+          listen 3032;
+          proxy_pass 10.0.0.2:3032;
+        }
+      '';
+
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+}
--- a/hosts/h001/flake.nix
+++ b/hosts/h001/flake.nix
@ -30,6 +30,7 @@
              ros_neovim.nixosModules.default
              ./configuration.nix
              ./hardware-configuration.nix
+              (import ./containers { inherit common; })
              (
                { config, pkgs, ... }:
                {
@ -44,7 +45,7 @@
                    programs = {
                      tailnet.enable = true;
                      ssh.enable = true;
-                      docker.enable = true;
+                      podman.enable = true;
                    };
                    users = {
                      admins = [ "luser" ]; # First admin is also the primary user owning nix config
--- a/hosts/h002/flake.lock
+++ b/hosts/h002/flake.lock
@ -32,17 +32,17 @@
        "ragenix": "ragenix"
      },
      "locked": {
-        "lastModified": 1742406739,
-        "narHash": "sha256-1Tdt3a0Le9cDD0voBeDcSuHtRbVTX/vAhbDrMIOE/+o=",
+        "lastModified": 1745957989,
+        "narHash": "sha256-mLYJXPri4DVRa6exEPtzlkje5FZVSYAteObHOxcAvfA=",
        "ref": "refs/heads/master",
-        "rev": "2b026ed0c883c942a84d20a9c0491905e61ddbf3",
-        "revCount": 373,
+        "rev": "6277d06b4dcaa6665e92aaf5f20eee49a8362556",
+        "revCount": 426,
        "type": "git",
-        "url": "https://git.joshuabell.xyz/dotfiles"
+        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
      },
      "original": {
        "type": "git",
-        "url": "https://git.joshuabell.xyz/dotfiles"
+        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
      }
    },
    "crane": {
@ -210,16 +210,15 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1735697839,
-        "narHash": "sha256-0Acw0UaLi+VNThsmeX8zOKi000DFrYXNnrgpOpk2+MM=",
+        "lastModified": 1745961410,
+        "narHash": "sha256-RU4c9JVZp/CdWyPUUZGsZvTWvjrFtXLUnlMs38IeHD0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "5eaa5fdf06d2b15d373b82c0f3a1ec1c6cab02ae",
+        "rev": "a2001229477b3a343b13e6e7870fa37fedd8e09d",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "master",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -624,22 +623,6 @@
        "type": "github"
      }
    },
-    "nvim_plugin-lvimuser/lsp-inlayhints.nvim": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1686236485,
-        "narHash": "sha256-06CiJ+xeMO4+OJkckcslqwloJyt2gwg514JuxV6KOfQ=",
-        "owner": "lvimuser",
-        "repo": "lsp-inlayhints.nvim",
-        "rev": "d981f65c9ae0b6062176f0accb9c151daeda6f16",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lvimuser",
-        "repo": "lsp-inlayhints.nvim",
-        "type": "github"
-      }
-    },
    "nvim_plugin-m4xshen/hardtime.nvim": {
      "flake": false,
      "locked": {
@ -1193,7 +1176,6 @@
        "nvim_plugin-lewis6991/gitsigns.nvim": "nvim_plugin-lewis6991/gitsigns.nvim",
        "nvim_plugin-lnc3l0t/glow.nvim": "nvim_plugin-lnc3l0t/glow.nvim",
        "nvim_plugin-lukas-reineke/indent-blankline.nvim": "nvim_plugin-lukas-reineke/indent-blankline.nvim",
-        "nvim_plugin-lvimuser/lsp-inlayhints.nvim": "nvim_plugin-lvimuser/lsp-inlayhints.nvim",
        "nvim_plugin-m4xshen/hardtime.nvim": "nvim_plugin-m4xshen/hardtime.nvim",
        "nvim_plugin-mbbill/undotree": "nvim_plugin-mbbill/undotree",
        "nvim_plugin-mfussenegger/nvim-lint": "nvim_plugin-mfussenegger/nvim-lint",
@ -1228,17 +1210,17 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1735841437,
-        "narHash": "sha256-ZwmlaFhOlQ7f6Rq6VxRup7giPiwQlwe71HcoO/laRJo=",
+        "lastModified": 1745585761,
+        "narHash": "sha256-xS3068xhndFrZh9GcTTNTmeebGq1A3uVykRRdzJOj3Y=",
        "ref": "refs/heads/master",
-        "rev": "71d82c875fff85ae250804f45f1acf65f42cdc1e",
-        "revCount": 253,
+        "rev": "e5523910a0c07c88d026d006f5962434bfa53548",
+        "revCount": 277,
        "type": "git",
-        "url": "https://git.joshuabell.xyz/nvim"
+        "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
      },
      "original": {
        "type": "git",
-        "url": "https://git.joshuabell.xyz/nvim"
+        "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
      }
    },
    "rust-overlay": {
--- a/hosts/lio/containers.nix
+++ b/hosts/lio/containers.nix
@ -26,15 +26,12 @@
      firewall.trustedInterfaces = [ "ve-*" ];
    };

-    # mathesar
-    # services.mathesar.secretKey = "mImvhwyu0cFmtUNOAyOjm6qozWjEmHyrGIpOTZXWW7lnkj5RP3";
-
    containers.wasabi = {
      ephemeral = true;
      autoStart = true;
      privateNetwork = true;
-      hostAddress = "192.168.100.2";
-      localAddress = "192.168.100.11";
+      hostAddress = "10.0.0.1";
+      localAddress = "10.0.0.111";
      config =
        { config, pkgs, ... }:
        {
@ -48,10 +45,17 @@
        };
    };

+    virtualisation.oci-containers.containers = {
+      ntest = {
+        image = "nginx:alpine";
+        ports = [
+          "127.0.0.1:8085:80"
+        ];
+      };
+    };
+
    virtualisation.oci-containers.backend = "docker";

-    security.acme.acceptTerms = true;
-    security.acme.defaults.email = "admin@joshuabell.xyz";
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;