wip podman on h001

common/programs/default.nix

@@ -1,4 +1,8 @@
-{ ... }:
+{ config, lib, ... }:
+let
+  ccfg = import ../config.nix;
+  cfg = config.${ccfg.custom_config_key}.programs;
+in
 {
   imports = [
     ./qFlipper.nix
@@ -7,6 +11,31 @@
     ./tailnet.nix
     ./ssh.nix
     ./docker.nix
+    ./podman.nix
     ./incus.nix
   ];
+  config = {
+    assertions = [
+      (
+        let
+          enabledVirtualizers = lib.filter (x: x.enabled) [
+            {
+              name = "docker";
+              enabled = cfg.docker.enable;
+            }
+            {
+              name = "podman";
+              enabled = cfg.podman.enable;
+            }
+          ];
+        in
+        {
+          assertion = lib.length enabledVirtualizers <= 1;
+          message =
+            "Only one virtualizer can be enabled at a time. Enabled: "
+            + lib.concatStringsSep ", " (map (x: x.name) enabledVirtualizers);
+        }
+      )
+    ];
+  };
 }

common/programs/podman.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "podman"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+  users_cfg = config.${ccfg.custom_config_key}.users;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "podman";
+    };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.podman = {
+      enable = true;
+      dockerSocket.enable = true;
+      autoPrune.enable = true;
+    };
+    # TODO add admins?
+    users.extraGroups.podman.members = lib.mkIf (users_cfg.primary != null) [ users_cfg.primary ];
+  };
+}

hosts/h001/containers/default.nix

@@ -0,0 +1,96 @@
+{ common }:
+{
+  ...
+}:
+{
+  imports = [
+    # common.nixosModules.containers.librechat
+    # common.nixosModules.containers.forgejo
+  ];
+
+  config = {
+    ## Give internet access
+    networking = {
+      nat = {
+        enable = true;
+        internalInterfaces = [ "ve-*" ];
+        externalInterface = "enp0s31f6";
+        enableIPv6 = true;
+      };
+      firewall.trustedInterfaces = [ "ve-*" ];
+    };
+
+    containers.wasabi = {
+      ephemeral = true;
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "10.0.0.1";
+      localAddress = "10.0.0.111";
+      config =
+        { config, pkgs, ... }:
+        {
+          system.stateVersion = "24.11";
+          services.httpd.enable = true;
+          services.httpd.adminAddr = "foo@example.org";
+          networking.firewall = {
+            enable = true;
+            allowedTCPPorts = [ 80 ];
+          };
+        };
+    };
+
+    virtualisation.oci-containers.containers = {
+      ntest = {
+        image = "nginx:alpine";
+        ports = [
+          "127.0.0.1:8085:80"
+        ];
+      };
+    };
+
+    virtualisation.oci-containers.backend = "podman";
+
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      virtualHosts = {
+        "localhost" = {
+          locations."/" = {
+            proxyPass = "http://10.0.0.111";
+          };
+        };
+
+        # "git.joshuabell.xyz" = {
+        #   # GIT passthrough
+        #   locations."/" = {
+        #     proxyPass = "http://10.0.0.2:3000";
+        #   };
+        # };
+
+        "_" = {
+          default = true;
+          locations."/" = {
+            return = "404"; # or 444 for drop
+          };
+        };
+      };
+
+      # STREAMS
+      streamConfig = ''
+        server {
+          listen 3032;
+          proxy_pass 10.0.0.2:3032;
+        }
+      '';
+
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+}

hosts/h001/flake.nix

@@ -30,6 +30,7 @@
               ros_neovim.nixosModules.default
               ./configuration.nix
               ./hardware-configuration.nix
+              (import ./containers { inherit common; })
               (
                 { config, pkgs, ... }:
                 {
@@ -44,7 +45,7 @@
                     programs = {
                       tailnet.enable = true;
                       ssh.enable = true;
-                      docker.enable = true;
+                      podman.enable = true;
                     };
                     users = {
                       admins = [ "luser" ]; # First admin is also the primary user owning nix config

hosts/h002/flake.lock

@@ -32,17 +32,17 @@
         "ragenix": "ragenix"
       },
       "locked": {
-        "lastModified": 1742406739,
+        "lastModified": 1745957989,
-        "narHash": "sha256-1Tdt3a0Le9cDD0voBeDcSuHtRbVTX/vAhbDrMIOE/+o=",
+        "narHash": "sha256-mLYJXPri4DVRa6exEPtzlkje5FZVSYAteObHOxcAvfA=",
         "ref": "refs/heads/master",
-        "rev": "2b026ed0c883c942a84d20a9c0491905e61ddbf3",
+        "rev": "6277d06b4dcaa6665e92aaf5f20eee49a8362556",
-        "revCount": 373,
+        "revCount": 426,
         "type": "git",
-        "url": "https://git.joshuabell.xyz/dotfiles"
+        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
       "original": {
         "type": "git",
-        "url": "https://git.joshuabell.xyz/dotfiles"
+        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       }
     },
     "crane": {
@@ -210,16 +210,15 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1735697839,
+        "lastModified": 1745961410,
-        "narHash": "sha256-0Acw0UaLi+VNThsmeX8zOKi000DFrYXNnrgpOpk2+MM=",
+        "narHash": "sha256-RU4c9JVZp/CdWyPUUZGsZvTWvjrFtXLUnlMs38IeHD0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5eaa5fdf06d2b15d373b82c0f3a1ec1c6cab02ae",
+        "rev": "a2001229477b3a343b13e6e7870fa37fedd8e09d",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "master",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -624,22 +623,6 @@
         "type": "github"
       }
     },
-    "nvim_plugin-lvimuser/lsp-inlayhints.nvim": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1686236485,
-        "narHash": "sha256-06CiJ+xeMO4+OJkckcslqwloJyt2gwg514JuxV6KOfQ=",
-        "owner": "lvimuser",
-        "repo": "lsp-inlayhints.nvim",
-        "rev": "d981f65c9ae0b6062176f0accb9c151daeda6f16",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lvimuser",
-        "repo": "lsp-inlayhints.nvim",
-        "type": "github"
-      }
-    },
     "nvim_plugin-m4xshen/hardtime.nvim": {
       "flake": false,
       "locked": {
@@ -1193,7 +1176,6 @@
         "nvim_plugin-lewis6991/gitsigns.nvim": "nvim_plugin-lewis6991/gitsigns.nvim",
         "nvim_plugin-lnc3l0t/glow.nvim": "nvim_plugin-lnc3l0t/glow.nvim",
         "nvim_plugin-lukas-reineke/indent-blankline.nvim": "nvim_plugin-lukas-reineke/indent-blankline.nvim",
-        "nvim_plugin-lvimuser/lsp-inlayhints.nvim": "nvim_plugin-lvimuser/lsp-inlayhints.nvim",
         "nvim_plugin-m4xshen/hardtime.nvim": "nvim_plugin-m4xshen/hardtime.nvim",
         "nvim_plugin-mbbill/undotree": "nvim_plugin-mbbill/undotree",
         "nvim_plugin-mfussenegger/nvim-lint": "nvim_plugin-mfussenegger/nvim-lint",
@@ -1228,17 +1210,17 @@
         "rust-overlay": "rust-overlay_2"
       },
       "locked": {
-        "lastModified": 1735841437,
+        "lastModified": 1745585761,
-        "narHash": "sha256-ZwmlaFhOlQ7f6Rq6VxRup7giPiwQlwe71HcoO/laRJo=",
+        "narHash": "sha256-xS3068xhndFrZh9GcTTNTmeebGq1A3uVykRRdzJOj3Y=",
         "ref": "refs/heads/master",
-        "rev": "71d82c875fff85ae250804f45f1acf65f42cdc1e",
+        "rev": "e5523910a0c07c88d026d006f5962434bfa53548",
-        "revCount": 253,
+        "revCount": 277,
         "type": "git",
-        "url": "https://git.joshuabell.xyz/nvim"
+        "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
       },
       "original": {
         "type": "git",
-        "url": "https://git.joshuabell.xyz/nvim"
+        "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
       }
     },
     "rust-overlay": {

hosts/lio/containers.nix

@@ -26,15 +26,12 @@
       firewall.trustedInterfaces = [ "ve-*" ];
     };
 
-    # mathesar
-    # services.mathesar.secretKey = "mImvhwyu0cFmtUNOAyOjm6qozWjEmHyrGIpOTZXWW7lnkj5RP3";
-
     containers.wasabi = {
       ephemeral = true;
       autoStart = true;
       privateNetwork = true;
-      hostAddress = "192.168.100.2";
+      hostAddress = "10.0.0.1";
-      localAddress = "192.168.100.11";
+      localAddress = "10.0.0.111";
       config =
         { config, pkgs, ... }:
         {
@@ -48,10 +45,17 @@
         };
     };
 
+    virtualisation.oci-containers.containers = {
+      ntest = {
+        image = "nginx:alpine";
+        ports = [
+          "127.0.0.1:8085:80"
+        ];
+      };
+    };
+
     virtualisation.oci-containers.backend = "docker";
 
-    security.acme.acceptTerms = true;
-    security.acme.defaults.email = "admin@joshuabell.xyz";
     services.nginx = {
       enable = true;
       recommendedGzipSettings = true;