Testing containers

2025-02-20 16:49:59 -08:00 · 2025-02-20 16:49:59 -08:00 · d98a6b99d5
commit d98a6b99d5
parent 609a4e7686
7 changed files with 68 additions and 7 deletions
--- a/nixos/containers/default.nix
+++ b/nixos/containers/default.nix
@ -1,4 +1,4 @@
-{ ip, stateVersion, hostname, ... }: {
+{ config, host, ip, stateVersion, hostname, ... }: {
  imports = [
    ./${hostname}
    # Modules
@ -25,10 +25,10 @@
    };
  };

-  time.timeZone = "Europe/Warsaw";
+  time.timeZone = config.time.timeZone;
  boot.isContainer = true;
  system.stateVersion = stateVersion;
-  networking.hostName = hostname;
+  networking.hostName = "${hostname}-${host}";
  programs.fish.enable = true;

  # Select internationalisation properties.
--- a/nixos/hosts/framework-server/containers.nix
+++ b/nixos/hosts/framework-server/containers.nix
@ -1,10 +1,10 @@
-{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
+{ hostname, lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
 let 
  libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
 in {

  containers = {
-    rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; unfree = true; desktop = "gnome"; };
+    rdesktop = libx.mkContainer { hostname = "rdesktop"; host = hostname; ip = "2"; unfree = true; desktop = "gnome"; };
  };

  # Networking config
--- a/nixos/hosts/framework-server/wireguard.nix
+++ b/nixos/hosts/framework-server/wireguard.nix
@ -27,7 +27,7 @@
        ips = [ "10.100.0.2/24" ];
        listenPort = 51820;
        privateKeyFile = "/run/secrets/wireguard_key";
-        peers = [
+        peers =  [
          { # osaka-linode-01
            publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
            presharedKeyFile = "/run/secrets/preshared_key";
--- a/nixos/hosts/nuc-server/containers.nix
+++ b/nixos/hosts/nuc-server/containers.nix
@ -0,0 +1,30 @@
+{ hostname, lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
+let 
+  libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
+in {
+
+  containers = {
+    rdesktop = libx.mkContainer { hostname = "rdesktop"; host = hostname; ip = "2"; unfree = true; desktop = "gnome"; };
+  };
+
+  # Networking config
+  networking.bridges.nix-br0.interfaces = [];
+
+  # Add an IP address to the bridge interface.
+  networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
+
+  # Firewall commands allowing traffic to go in and out of the bridge interface
+  # (and to the guest LXD instance).  Also sets up the actual NAT masquerade rule.
+  networking.firewall.extraCommands = ''
+    iptables -A INPUT -i nix-br0  -j ACCEPT
+
+    # These three technically aren't needed, since by default the FORWARD and
+    # OUTPUT firewalls accept everything everything, but lets keep them in just
+    # in case.
+    iptables -A FORWARD -o nix-br0  -j ACCEPT
+    iptables -A FORWARD -i nix-br0  -j ACCEPT
+    iptables -A OUTPUT  -o nix-br0  -j ACCEPT
+
+    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
+  '';
+} 
--- a/nixos/hosts/nuc-server/default.nix
+++ b/nixos/hosts/nuc-server/default.nix
@ -16,6 +16,7 @@ in {
    ./mounts.nix
    ./cron.nix
    ./firewall.nix
+    ./containers.nix
  ];

  boot.kernelParams = [ "ip=${ipAddress}::${gateway}:255.255.255.0:${hostname}:${netDev}:none" ];
--- a/nixos/hosts/warsaw-ovh-01/containers.nix
+++ b/nixos/hosts/warsaw-ovh-01/containers.nix
@ -0,0 +1,30 @@
+{ hostname, lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
+let 
+  libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
+in {
+
+  containers = {
+    rdesktop = libx.mkContainer { hostname = "rdesktop"; host = hostname; ip = "2"; unfree = true; desktop = "gnome"; };
+  };
+
+  # Networking config
+  networking.bridges.nix-br0.interfaces = [];
+
+  # Add an IP address to the bridge interface.
+  networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
+
+  # Firewall commands allowing traffic to go in and out of the bridge interface
+  # (and to the guest LXD instance).  Also sets up the actual NAT masquerade rule.
+  networking.firewall.extraCommands = ''
+    iptables -A INPUT -i nix-br0  -j ACCEPT
+
+    # These three technically aren't needed, since by default the FORWARD and
+    # OUTPUT firewalls accept everything everything, but lets keep them in just
+    # in case.
+    iptables -A FORWARD -o nix-br0  -j ACCEPT
+    iptables -A FORWARD -i nix-br0  -j ACCEPT
+    iptables -A OUTPUT  -o nix-br0  -j ACCEPT
+
+    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
+  '';
+} 
--- a/nixos/hosts/warsaw-ovh-01/default.nix
+++ b/nixos/hosts/warsaw-ovh-01/default.nix
@ -11,11 +11,11 @@
    # Copy from framework-server 
    ../framework-server/cron.nix
    ../framework-server/firewall.nix
-    ../framework-server/containers.nix

    # Host Specific
    ./disks.nix
    ./wireguard.nix
+    ./containers.nix
  ];

  environment.systemPackages =  [