From b0ca7ab8d7f6460778fafe576f6cf91b1e0878bc Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Tue, 29 Apr 2025 17:15:19 -0500 Subject: [PATCH] wip podman on h001 --- common/programs/default.nix | 31 +++++++++- common/programs/podman.nix | 32 +++++++++++ hosts/h001/containers/default.nix | 96 +++++++++++++++++++++++++++++++ hosts/h001/flake.nix | 3 +- hosts/h002/flake.lock | 48 +++++----------- hosts/lio/containers.nix | 18 +++--- 6 files changed, 186 insertions(+), 42 deletions(-) create mode 100644 common/programs/podman.nix create mode 100644 hosts/h001/containers/default.nix diff --git a/common/programs/default.nix b/common/programs/default.nix index 9dcd9d3..83e7271 100644 --- a/common/programs/default.nix +++ b/common/programs/default.nix @@ -1,4 +1,8 @@ -{ ... }: +{ config, lib, ... }: +let + ccfg = import ../config.nix; + cfg = config.${ccfg.custom_config_key}.programs; +in { imports = [ ./qFlipper.nix @@ -7,6 +11,31 @@ ./tailnet.nix ./ssh.nix ./docker.nix + ./podman.nix ./incus.nix ]; + config = { + assertions = [ + ( + let + enabledVirtualizers = lib.filter (x: x.enabled) [ + { + name = "docker"; + enabled = cfg.docker.enable; + } + { + name = "podman"; + enabled = cfg.podman.enable; + } + ]; + in + { + assertion = lib.length enabledVirtualizers <= 1; + message = + "Only one virtualizer can be enabled at a time. Enabled: " + + lib.concatStringsSep ", " (map (x: x.name) enabledVirtualizers); + } + ) + ]; + }; } diff --git a/common/programs/podman.nix b/common/programs/podman.nix new file mode 100644 index 0000000..8be88f9 --- /dev/null +++ b/common/programs/podman.nix 
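Review bot: The new exclusivity assertion in `common/programs/default.nix` carries no comment on why docker and podman must not coexist, and the reason is not visible in this file: the new podman module turns on `dockerSocket`, which publishes the Podman API at the Docker socket path, so both modules would compete for `/var/run/docker.sock`. Add a comment above the `assertions` list such as `# docker.nix and podman.nix both provide /var/run/docker.sock; only one may be enabled`. The list also hard-codes two entries while `./incus.nix` is imported right next to `./podman.nix`; if incus is meant to be exclusive too it is silently missed here, and if not, a one-line comment saying so would save the next reader the question.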
@@ -0,0 +1,32 @@ +{ + config, + lib, + ... +}: +let + ccfg = import ../config.nix; + cfg_path = [ + ccfg.custom_config_key + "programs" + "podman" + ]; + cfg = lib.attrsets.getAttrFromPath cfg_path config; + users_cfg = config.${ccfg.custom_config_key}.users; +in +{ + options = + { } + // lib.attrsets.setAttrByPath cfg_path { + enable = lib.mkEnableOption "podman"; + }; + + config = lib.mkIf cfg.enable { + virtualisation.podman = { + enable = true; + dockerSocket.enable = true; + autoPrune.enable = true; + }; + # TODO add admins? + users.extraGroups.podman.members = lib.mkIf (users_cfg.primary != null) [ users_cfg.primary ]; + }; +} diff --git a/hosts/h001/containers/default.nix b/hosts/h001/containers/default.nix new file mode 100644 index 0000000..a8952cd --- /dev/null +++ b/hosts/h001/containers/default.nix 
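Review bot: Adding the primary user to the `podman` group together with `dockerSocket.enable = true` hands out root-equivalent access without any comment saying so: the rootful Podman socket accepts arbitrary container specs (host bind mounts, `--privileged`), and the NixOS option documentation for `dockerSocket.enable` states that members of this group can gain root access just as with Docker. The `# TODO add admins?` should be resolved with that in mind — replace it with `# NOTE: podman group + rootful socket is root-equivalent; treat membership like sudo` and only add `users_cfg.admins` if that is the intent. Rootless Podman (no shared socket, per-user service) would be the least-privilege alternative if the primary user only needs to run their own containers. Minor style point: the `{ } //` in front of `lib.attrsets.setAttrByPath` is redundant and can be dropped.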
@@ -0,0 +1,96 @@ +{ common }: +{ + ... +}: +{ + imports = [ + # common.nixosModules.containers.librechat + # common.nixosModules.containers.forgejo + ]; + + config = { + ## Give internet access + networking = { + nat = { + enable = true; + internalInterfaces = [ "ve-*" ]; + externalInterface = "enp0s31f6"; + enableIPv6 = true; + }; + firewall.trustedInterfaces = [ "ve-*" ]; + }; + + containers.wasabi = { + ephemeral = true; + autoStart = true; + privateNetwork = true; + hostAddress = "10.0.0.1"; + localAddress = "10.0.0.111"; + config = + { config, pkgs, ... }: + { + system.stateVersion = "24.11"; + services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 80 ]; + }; + }; + }; + + virtualisation.oci-containers.containers = { + ntest = { + image = "nginx:alpine"; + ports = [ + "127.0.0.1:8085:80" + ]; + }; + }; + + virtualisation.oci-containers.backend = "podman"; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "localhost" = { + locations."/" = { + proxyPass = "http://10.0.0.111"; + }; + }; + + # "git.joshuabell.xyz" = { + # # GIT passthrough + # locations."/" = { + # proxyPass = "http://10.0.0.2:3000"; + # }; + # }; + + "_" = { + default = true; + locations."/" = { + return = "404"; # or 444 for drop + }; + }; + }; + + # STREAMS + streamConfig = '' + server { + listen 3032; + proxy_pass 10.0.0.2:3032; + } + ''; + + }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + }; +} diff --git a/hosts/h001/flake.nix b/hosts/h001/flake.nix index ef45406..e9643ae 100644 --- a/hosts/h001/flake.nix +++ b/hosts/h001/flake.nix @@ -30,6 +30,7 @@ ros_neovim.nixosModules.default ./configuration.nix ./hardware-configuration.nix + (import ./containers { inherit common; }) ( { config, pkgs, ... }: { 
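Review bot: Port 443 is opened in `networking.firewall.allowedTCPPorts` but no virtual host enables TLS (no `enableACME`, `forceSSL` or `sslCertificate`), so nothing listens there and the proxied `localhost` vhost is reachable only over cleartext port 80; either drop 443 until a certificate exists or add `enableACME = true; forceSSL = true;` to the vhost together with `security.acme.acceptTerms`/`security.acme.defaults.email`, which this commit removes from lio rather than adds here. The `streamConfig` block listens on 3032 on every interface and forwards to `10.0.0.2:3032`, an address no visible container claims (wasabi is `10.0.0.111`, forgejo is commented out); it stays closed only because 3032 is not in `allowedTCPPorts`, so binding it explicitly (`listen 127.0.0.1:3032;` or the intended interface) would make that survive a later firewall edit. `firewall.trustedInterfaces = [ "ve-*" ]` also lets every container reach any host service unfiltered, which is broader than the NAT itself needs, so a comment stating that this is deliberate would help. `adminAddr = "foo@example.org"` is a placeholder that will show up in httpd error pages.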
@@ -44,7 +45,7 @@ programs = { tailnet.enable = true; ssh.enable = true; - docker.enable = true; + podman.enable = true; }; users = { admins = [ "luser" ]; # First admin is also the primary user owning nix config diff --git a/hosts/h002/flake.lock b/hosts/h002/flake.lock index ac5caf1..ea91b0e 100644 --- a/hosts/h002/flake.lock +++ b/hosts/h002/flake.lock @@ -32,17 +32,17 @@ "ragenix": "ragenix" }, "locked": { - "lastModified": 1742406739, - "narHash": "sha256-1Tdt3a0Le9cDD0voBeDcSuHtRbVTX/vAhbDrMIOE/+o=", + "lastModified": 1745957989, + "narHash": "sha256-mLYJXPri4DVRa6exEPtzlkje5FZVSYAteObHOxcAvfA=", "ref": "refs/heads/master", - "rev": "2b026ed0c883c942a84d20a9c0491905e61ddbf3", - "revCount": 373, + "rev": "6277d06b4dcaa6665e92aaf5f20eee49a8362556", + "revCount": 426, "type": "git", - "url": "https://git.joshuabell.xyz/dotfiles" + "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, "original": { "type": "git", - "url": "https://git.joshuabell.xyz/dotfiles" + "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" } }, "crane": { @@ -210,16 +210,15 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1735697839, - "narHash": "sha256-0Acw0UaLi+VNThsmeX8zOKi000DFrYXNnrgpOpk2+MM=", + "lastModified": 1745961410, + "narHash": "sha256-RU4c9JVZp/CdWyPUUZGsZvTWvjrFtXLUnlMs38IeHD0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5eaa5fdf06d2b15d373b82c0f3a1ec1c6cab02ae", + "rev": "a2001229477b3a343b13e6e7870fa37fedd8e09d", "type": "github" }, "original": { "owner": "nixos", - "ref": "master", "repo": "nixpkgs", "type": "github" } 
@@ -624,22 +623,6 @@ "type": "github" } }, - "nvim_plugin-lvimuser/lsp-inlayhints.nvim": { - "flake": false, - "locked": { - "lastModified": 1686236485, - "narHash": "sha256-06CiJ+xeMO4+OJkckcslqwloJyt2gwg514JuxV6KOfQ=", - "owner": "lvimuser", - "repo": "lsp-inlayhints.nvim", - "rev": "d981f65c9ae0b6062176f0accb9c151daeda6f16", - "type": "github" - }, - "original": { - "owner": "lvimuser", - "repo": "lsp-inlayhints.nvim", - "type": "github" - } - }, "nvim_plugin-m4xshen/hardtime.nvim": { "flake": false, "locked": { @@ -1193,7 +1176,6 @@ "nvim_plugin-lewis6991/gitsigns.nvim": "nvim_plugin-lewis6991/gitsigns.nvim", "nvim_plugin-lnc3l0t/glow.nvim": "nvim_plugin-lnc3l0t/glow.nvim", "nvim_plugin-lukas-reineke/indent-blankline.nvim": "nvim_plugin-lukas-reineke/indent-blankline.nvim", - "nvim_plugin-lvimuser/lsp-inlayhints.nvim": "nvim_plugin-lvimuser/lsp-inlayhints.nvim", "nvim_plugin-m4xshen/hardtime.nvim": "nvim_plugin-m4xshen/hardtime.nvim", "nvim_plugin-mbbill/undotree": "nvim_plugin-mbbill/undotree", "nvim_plugin-mfussenegger/nvim-lint": "nvim_plugin-mfussenegger/nvim-lint", @@ -1228,17 +1210,17 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1735841437, - "narHash": "sha256-ZwmlaFhOlQ7f6Rq6VxRup7giPiwQlwe71HcoO/laRJo=", + "lastModified": 1745585761, + "narHash": "sha256-xS3068xhndFrZh9GcTTNTmeebGq1A3uVykRRdzJOj3Y=", "ref": "refs/heads/master", - "rev": "71d82c875fff85ae250804f45f1acf65f42cdc1e", - "revCount": 253, + "rev": "e5523910a0c07c88d026d006f5962434bfa53548", + "revCount": 277, "type": "git", - "url": "https://git.joshuabell.xyz/nvim" + "url": "https://git.joshuabell.xyz/ringofstorms/nvim" }, "original": { "type": "git", - "url": "https://git.joshuabell.xyz/nvim" + "url": "https://git.joshuabell.xyz/ringofstorms/nvim" } }, "rust-overlay": { diff --git a/hosts/lio/containers.nix b/hosts/lio/containers.nix index c7ccf60..a8a25ac 100644 --- a/hosts/lio/containers.nix +++ b/hosts/lio/containers.nix 
@@ -26,15 +26,12 @@ firewall.trustedInterfaces = [ "ve-*" ]; }; - # mathesar - # services.mathesar.secretKey = "mImvhwyu0cFmtUNOAyOjm6qozWjEmHyrGIpOTZXWW7lnkj5RP3"; - containers.wasabi = { ephemeral = true; autoStart = true; privateNetwork = true; - hostAddress = "192.168.100.2"; - localAddress = "192.168.100.11"; + hostAddress = "10.0.0.1"; + localAddress = "10.0.0.111"; config = { config, pkgs, ... }: { @@ -48,10 +45,17 @@ }; }; + virtualisation.oci-containers.containers = { + ntest = { + image = "nginx:alpine"; + ports = [ + "127.0.0.1:8085:80" + ]; + }; + }; + virtualisation.oci-containers.backend = "docker"; - security.acme.acceptTerms = true; - security.acme.defaults.email = "admin@joshuabell.xyz"; services.nginx = { enable = true; recommendedGzipSettings = true;
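Review bot: Removing `security.acme.acceptTerms` and `security.acme.defaults.email` will break evaluation if any virtual host in the rest of `services.nginx` (the block continues past this hunk) still sets `enableACME = true`, since NixOS refuses to configure ACME without accepted terms; confirm no vhost on lio uses ACME, or keep the two lines. The deleted commented-out `services.mathesar.secretKey` line held a literal key, and deleting it does not remove it from git history, so if that value was ever live it should be rotated. With h001 now on the podman backend, this file keeps `backend = "docker"` and an identical `ntest` block, so the two container definitions are diverging by hand; if they are meant to stay in sync, lifting the shared part into `common` would avoid that.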