containers

lib/module/default.nix

@@ -49,31 +49,42 @@ rec {
     {
       name,
       localAddress ? "127.0.0.1",
-      port ? "80",
+      ports ? [ "80" ],
       bindMounts ? { },
       config ? { },
     }:
     { lib, ... }:
     {
       containers.${name} = {
-        inherit localAddress bindMounts config;
+        inherit localAddress bindMounts;
+
+        config = config // {
+          networking = {
+            firewall = {
+              enable = true;
+              allowedTCPPorts = ports;
+            };
+            # Use systemd-resolved inside the container
+            # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+            useHostResolvConf = lib.mkForce false;
+          };
+
+          services.resolved.enable = true;
+          system.stateVersion = "23.11";
+        };
         autoStart = lib.mkDefault true;
         privateNetwork = lib.mkDefault true;
         hostAddress = lib.mkDefault "10.0.1.3";
       };
 
       networking = {
-        nat = {
+        nat.forwardPorts = map (port: {
-          forwardPorts = [
+          destination = lib.mkDefault "${localAddress}:${toString port}";
-            {
+          sourcePort = lib.mkDefault port;
-              destination = lib.mkDefault "${localAddress}:${toString port}";
+        }) ports;
-              sourcePort = lib.mkDefault port;
-            }
-          ];
-        };
         firewall = {
-          allowedTCPPorts = [ port ];
+          allowedTCPPorts = ports;
-          allowedUDPPorts = [ port ];
+          allowedUDPPorts = ports;
         };
       };
     };

modules/nixos/services/actual/default.nix

@@ -65,19 +65,6 @@ let
           };
         };
       };
-
-      networking = {
-        firewall = {
-          enable = true;
-          allowedTCPPorts = [ cfg.port ];
-        };
-        # Use systemd-resolved inside the container
-        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-        useHostResolvConf = lib.mkForce false;
-      };
-
-      services.resolved.enable = true;
-      system.stateVersion = "23.11";
     };
 
   bindMounts = {
@@ -99,7 +86,7 @@ let
     (lib.${namespace}.mkContainer {
       name = "actual";
       localAddress = cfg.localAddress;
-      port = cfg.port;
+      ports = [ cfg.port ];
       bindMounts = bindMounts;
       config = actualConfig;
     })

modules/nixos/services/gitea/default.nix

@@ -14,7 +14,7 @@ let
   metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
 
   serviceConfig =
-    { lib, ... }:
+    { ... }:
     {
       services.gitea = {
         enable = true;
@@ -48,19 +48,6 @@ let
         extraGroups = [ "keys" ];
       };
 
-      networking = {
-        firewall = {
-          enable = true;
-          allowedTCPPorts = [
-            cfg.httpPort
-            cfg.sshPort
-          ];
-        };
-        # Use systemd-resolved inside the container
-        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-        useHostResolvConf = lib.mkForce false;
-      };
-
       # Create and set permissions for required directories
       system.activationScripts.gitea-dirs = ''
         mkdir -p /var/lib/gitea
@@ -70,9 +57,6 @@ let
         chown -R gitea:gitea /run/secrets/jallen-nas
         chmod -R 775 /run/secrets/jallen-nas
       '';
-
-      services.resolved.enable = true;
-      system.stateVersion = "23.11";
     };
 
   bindMounts = {
@@ -99,7 +83,10 @@ let
     (lib.${namespace}.mkContainer {
       name = "gitea";
       localAddress = cfg.localAddress;
-      port = cfg.httpPort;
+      ports = [
+        cfg.httpPort
+        cfg.sshPort
+      ];
       bindMounts = bindMounts;
       config = serviceConfig;
     })

modules/nixos/services/matrix/default.nix

@@ -117,18 +117,6 @@ let
         }
       ];
     };
-
-    networking = {
-      firewall = {
-        enable = true;
-        allowedTCPPorts = [ cfg.port ];
-        allowedUDPPorts = [ cfg.port ];
-      };
-      # Use systemd-resolved inside the container
-      # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-      useHostResolvConf = lib.mkForce false;
-    };
-    services.resolved.enable = true;
   };
 
   bindMounts = {
@@ -150,7 +138,7 @@ let
     (lib.${namespace}.mkContainer {
       name = "matrix-synapse";
       localAddress = cfg.localAddress;
-      port = cfg.port;
+      ports = [ cfg.port ];
       bindMounts = bindMounts;
       config = matrixConfig;
     })

modules/nixos/services/ntfy/default.nix

@@ -30,18 +30,6 @@ let
         };
       };
     };
-
-    networking = {
-      firewall = {
-        enable = true;
-        allowedTCPPorts = [ cfg.port ];
-        allowedUDPPorts = [ cfg.port ];
-      };
-      # Use systemd-resolved inside the container
-      # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-      useHostResolvConf = lib.mkForce false;
-    };
-    services.resolved.enable = true;
     # Create and set permissions for required directories
     system.activationScripts.ntfy-dirs = ''
       mkdir -p /var/lib/ntfy-sh
@@ -75,7 +63,7 @@ let
     (lib.${namespace}.mkContainer {
       name = "ntfy";
       localAddress = cfg.localAddress;
-      port = cfg.port;
+      ports = [ cfg.port ];
       bindMounts = bindMounts;
       config = ntfyConfig;
     })