From 02b5dd32a2b7273c9e8562bcc63f0bf8dda73512 Mon Sep 17 00:00:00 2001 From: mjallen18 Date: Sun, 5 Oct 2025 22:16:44 -0500 Subject: [PATCH] containers --- lib/module/default.nix | 35 +++++++++++++++-------- modules/nixos/services/actual/default.nix | 15 +--------- modules/nixos/services/gitea/default.nix | 23 ++++----------- modules/nixos/services/matrix/default.nix | 14 +-------- modules/nixos/services/ntfy/default.nix | 14 +-------- 5 files changed, 31 insertions(+), 70 deletions(-) diff --git a/lib/module/default.nix b/lib/module/default.nix index 882f290..bb39aa2 100644 --- a/lib/module/default.nix +++ b/lib/module/default.nix @@ -49,31 +49,42 @@ rec { { name, localAddress ? "127.0.0.1", - port ? "80", + ports ? [ "80" ], bindMounts ? { }, config ? { }, }: { lib, ... }: { containers.${name} = { - inherit localAddress bindMounts config; + inherit localAddress bindMounts; + + config = config // { + networking = { + firewall = { + enable = true; + allowedTCPPorts = ports; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + + services.resolved.enable = true; + system.stateVersion = "23.11"; + }; autoStart = lib.mkDefault true; privateNetwork = lib.mkDefault true; hostAddress = lib.mkDefault "10.0.1.3"; }; networking = { - nat = { - forwardPorts = [ - { - destination = lib.mkDefault "${localAddress}:${toString port}"; - sourcePort = lib.mkDefault port; - } - ]; - }; + nat.forwardPorts = map (port: { + destination = lib.mkDefault "${localAddress}:${toString port}"; + sourcePort = lib.mkDefault port; + }) ports; firewall = { - allowedTCPPorts = [ port ]; - allowedUDPPorts = [ port ]; + allowedTCPPorts = ports; + allowedUDPPorts = ports; }; }; }; diff --git a/modules/nixos/services/actual/default.nix b/modules/nixos/services/actual/default.nix index f3b0232..f3c7852 100644 --- a/modules/nixos/services/actual/default.nix 
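Review bot: `config = config // { … }` in the `containers.${name}` block breaks any caller that passes the container config as a module function rather than an attribute set — gitea's `serviceConfig = { ... }: { … }` later in this same patch is one — because `//` needs a set on its left and evaluation fails there. Merging through the module system avoids that and also stops the shallow `//` from silently replacing a `networking` attribute a caller still sets: `config = { imports = [ config ]; networking = { … }; services.resolved.enable = true; system.stateVersion = "23.11"; };` with the inner `networking` body unchanged. On the host side of the hunk, `nat.forwardPorts` inherits the option's TCP-only `proto` default, so `allowedUDPPorts = ports;` opens host UDP ports that nothing forwards; drop it unless a UDP service is intended, or add `proto` to the generated entries. The default `ports ? [ "80" ]` also keeps the old string value, which `allowedTCPPorts` and `sourcePort` reject as non-integers, so `[ 80 ]` would make the default actually usable.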
+++ b/modules/nixos/services/actual/default.nix @@ -65,19 +65,6 @@ let }; }; }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ cfg.port ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - - services.resolved.enable = true; - system.stateVersion = "23.11"; }; bindMounts = { @@ -99,7 +86,7 @@ let (lib.${namespace}.mkContainer { name = "actual"; localAddress = cfg.localAddress; - port = cfg.port; + ports = [ cfg.port ]; bindMounts = bindMounts; config = actualConfig; }) diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index f6e5b6b..e3e253d 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -14,7 +14,7 @@ let metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path; serviceConfig = - { lib, ... }: + { ... }: { services.gitea = { enable = true; @@ -48,19 +48,6 @@ let extraGroups = [ "keys" ]; }; - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ - cfg.httpPort - cfg.sshPort - ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - # Create and set permissions for required directories system.activationScripts.gitea-dirs = '' mkdir -p /var/lib/gitea @@ -70,9 +57,6 @@ let chown -R gitea:gitea /run/secrets/jallen-nas chmod -R 775 /run/secrets/jallen-nas ''; - - services.resolved.enable = true; - system.stateVersion = "23.11"; }; bindMounts = { @@ -99,7 +83,10 @@ let (lib.${namespace}.mkContainer { name = "gitea"; localAddress = cfg.localAddress; - port = cfg.httpPort; + ports = [ + cfg.httpPort + cfg.sshPort + ]; bindMounts = bindMounts; config = serviceConfig; }) 
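Review bot: Listing `cfg.sshPort` in `ports` on the gitea mkContainer call does more than the removed container-side firewall entry did: with this patch mkContainer also DNATs host `sshPort` to the container and opens it in the host firewall, so Gitea's SSH endpoint becomes reachable from outside the host, which the previous `port = cfg.httpPort;` did not do. That may be the intent, but the NAT rule binds the same port number on the host as in the container, so if `cfg.sshPort` is 22 it competes with the host's own sshd; a comment next to the list such as `# forwarded on the host as well — keep off 22 so host sshd stays reachable` would record the expected value. The `let` bindings enclosing this call start outside the hunk.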
diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index 4bbee3e..3b69b57 100644 --- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix @@ -117,18 +117,6 @@ let } ]; }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ cfg.port ]; - allowedUDPPorts = [ cfg.port ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - services.resolved.enable = true; }; bindMounts = { @@ -150,7 +138,7 @@ let (lib.${namespace}.mkContainer { name = "matrix-synapse"; localAddress = cfg.localAddress; - port = cfg.port; + ports = [ cfg.port ]; bindMounts = bindMounts; config = matrixConfig; }) diff --git a/modules/nixos/services/ntfy/default.nix b/modules/nixos/services/ntfy/default.nix index 8d3dbb3..67b69fd 100644 --- a/modules/nixos/services/ntfy/default.nix +++ b/modules/nixos/services/ntfy/default.nix @@ -30,18 +30,6 @@ let }; }; }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ cfg.port ]; - allowedUDPPorts = [ cfg.port ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - services.resolved.enable = true; # Create and set permissions for required directories system.activationScripts.ntfy-dirs = '' mkdir -p /var/lib/ntfy-sh @@ -75,7 +63,7 @@ let (lib.${namespace}.mkContainer { name = "ntfy"; localAddress = cfg.localAddress; - port = cfg.port; + ports = [ cfg.port ]; bindMounts = bindMounts; config = ntfyConfig; })