{
config,
const,
lib,
pkgs,
util,
...
}: {
mkContainer = cfg: extra:
  let
    # Defaults shared by every container. `extra` is deep-merged on top of
    # them and wins on any conflicting key (lib.recursiveUpdate).
    defaults = {
      # Allow nested containers.
      #
      # NOTE(review): this entry is not a capability name. It relies on the
      # NixOS container module splicing `additionalCapabilities` unquoted into
      # the systemd-nspawn command line, so the string smuggles in
      # `--system-call-filter="add_key keyctl bpf"` and `--capability="all"`.
      # The container therefore holds the full capability set — close to host
      # root despite the private network — and the trick breaks silently if
      # upstream ever quotes the list. Verify against the nixpkgs revision in
      # use before relying on it.
      additionalCapabilities = [ ''all" --system-call-filter="add_key keyctl bpf" --capability="all'' ];

      enableTun = true;

      # Start containers with the system by default.
      autoStart = config.container.autoStart;

      # Address of the host side of the veth pair; the container needs it as
      # its gateway to reach the Internet.
      hostAddress = config.container.host;

      # Container's IP address.
      localAddress = cfg.address;

      # Own network namespace, so the container does not share the host's
      # interfaces with other hosts/containers.
      privateNetwork = true;
    };
  in
  lib.recursiveUpdate defaults extra;
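# Common configuration for the system inside the container.
# `extra` is deep-merged on top and wins on conflicts.
mkContainerConfig = cfg: extra: lib.recursiveUpdate {
  boot.isContainer = true;

  # HACK: Do not evaluate nixpkgs inside the container. Use host's instead.
  nixpkgs.pkgs = lib.mkForce pkgs;

  # Release version.
  system.stateVersion = const.stateVersion;

  # Allow passwordless login as root.
  #
  # NOTE(review): `password = ""` gives root an empty clear-text password, so
  # any login path that prompts for one (getty, su, an sshd with
  # PermitEmptyPasswords) accepts an empty answer. This is not limited to
  # `nixos-container root-login`, which needs no password anyway; if console
  # convenience is the only goal, consider locking the account
  # (`hashedPassword = "!"`) and using root-login instead.
  users = {
    users.root.password = "";
    mutableUsers = false;
  };

  networking = {
    # Default DNS servers.
    nameservers = [ "1.1.1.1" "1.0.0.1" ];

    # HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686
    useHostResolvConf = lib.mkForce false;

    # Configure firewall.
    firewall = {
      enable = true;
      extraCommands = (util.trimTabs ''
        # Full access from the host.
        #
        # `ACCEPT` is the iptables target; the former `ALLOW` does not exist,
        # so the firewall start script errored on this line and the unit
        # never finished bringing the rules up. Appending to `nixos-fw`
        # instead of `-I INPUT` keeps the rule inside the chain NixOS
        # rebuilds on every start/reload, so it is neither duplicated nor
        # left behind on stop. IPv4 only, matching the `iptables` binary and
        # the host address above.
        iptables -w -A nixos-fw -s ${config.container.host} -j ACCEPT
      '');
    };
  };
} extra;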
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Create directories on the host for container use.
#
# Returns one systemd-tmpfiles `d` rule per entry of `dirs`, rooted at
# `cfg.storage`. Mode 1777 makes the directory world-writable (sticky), so
# any user on the host can create files in it — not only the container. The
# path is single-quoted for tmpfiles, so a path containing `'` would break
# the rule.
mkContainerDir = cfg: dirs:
  let
    rule = sub: "d '${cfg.storage}/${sub}' 1777 root root - -";
  in
  builtins.map rule dirs;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Common configuration for an Nginx virtual host.
#
# Only supplies a default of `forceSSL = false`; every key in `cfg` takes
# precedence. Since the only default is a scalar, `//` yields the same set
# as a recursive merge would. Note the default means plain HTTP is served
# unless the caller opts into TLS explicitly.
mkServer = cfg: { forceSSL = false; } // cfg;
|
2024-06-25 04:04:39 +03:00
|
|
|
|
2024-11-04 04:37:29 +03:00
|
|
|
# Attach the host media directories of kind `type` to a container.
#
# Each path listed in `config.container.media.${type}` is bind-mounted at
# `/${type}/<index>` (indices 0..n-1, in list order); `ro` selects a
# read-only mount. Prefer `ro = true` unless the container must write:
# together with the broad capabilities granted in mkContainer, a writable
# bind mount hands the container write access to host data.
attachMedia = type: ro:
  let
    hostPaths = config.container.media.${type};
    mountAt = i: {
      name = "/${type}/${toString i}";
      value = {
        hostPath = builtins.elemAt hostPaths i;
        isReadOnly = ro;
      };
    };
  in
  builtins.listToAttrs (builtins.genList mountAt (builtins.length hostPaths));
}