
feat: Initial OCI virtualization options

+254 -31
+1
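--- a/nix/lib/default.nix
+++ b/nix/lib/default.nix
@@ -5,6 +5,7 @@
 ...
 } @ args: {
 flake = import ./flake.nix args;
+oci = import ./oci.nix args;
 packages = import ./packages.nix args;
 secrets = import ./secrets.nix args;
 services = import ./services.nix args;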
+20
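--- a/nix/lib/oci.nix
+++ b/nix/lib/oci.nix
@@ -0,0 +1,20 @@
+{
+lib,
+self,
+...
+}: rec {
+mkDefaultContainer = lib.recursiveUpdate defaultContainer;
+defaultContainer = {
+environment = {
+TZ = self.vars.timezone;
+PUID = 1000;
+GUID = 1000;
+};
+volumes = [
+"/dev/rtc:/dev/rtc:ro"
+"/etc/localtime:/etc/localtime:ro"
+"/etc/timezone:/etc/timezone:ro"
+];
+restart = "unless-stopped";
+};
+}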
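Review bot: `GUID = 1000;` in `defaultContainer.environment` looks like a typo for `PGID` — images that honor `PUID` pair it with `PGID`, so this value is presumably ignored and the container process keeps the image's default group; if a group id is intended, `PGID = 1000;` is the conventional name. Separately, `mkDefaultContainer = lib.recursiveUpdate defaultContainer` merges attrsets recursively but replaces lists outright, so any service passed through the `apply` in services/default.nix that declares its own `volumes` silently loses the three read-only rtc/localtime/timezone mounts. Either state that in a comment, `# NOTE: recursiveUpdate replaces lists (volumes, ports, …); services that set them must restate the defaults`, or merge the list explicitly, `mkDefaultContainer = service: lib.recursiveUpdate defaultContainer service // {volumes = defaultContainer.volumes ++ (service.volumes or []);};`.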
+4 -1
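--- a/nix/nixos/configs/desktop/default.nix
+++ b/nix/nixos/configs/desktop/default.nix
@@ -11,7 +11,10 @@
 gaming.enable = true;
 networking.trusted = true;
 users.emily.enable = true;
-virtualization.oci.enable = true;
+virtualization.oci = {
+enable = true;
+externalInterface = "enp6s0";
+};
 profiles = {
 formfactor.desktop = true;
 hardware.gpu.nvidia = true;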
+1 -1
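--- a/nix/nixos/modules/locale/default.nix
+++ b/nix/nixos/modules/locale/default.nix
@@ -1,6 +1,6 @@
 {self, ...}: {
 time = {
-timeZone = "America/Sao_Paulo";
+timeZone = self.vars.timezone;
 hardwareClockInLocalTime = true;
 };
 i18n = {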
+1 -1
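--- a/nix/nixos/modules/services/home-assistant/default.nix
+++ b/nix/nixos/modules/services/home-assistant/default.nix
@@ -20,7 +20,7 @@
 homeassistant = {
 unit_system = "metric";
 temperature_unit = "C";
-time_zone = "America/Sao_Paulo";
+time_zone = config.time.timeZone;
 };
 recorder.db_url = "postgresql://@/hass";
 "automation ui" = "!include automations.yaml";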
+3 -2
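--- a/nix/nixos/modules/tailscale/default.nix
+++ b/nix/nixos/modules/tailscale/default.nix
@@ -34,7 +34,7 @@
 };
 advertise.tags = lib.mkOption {
 description = "ACL tags to advertise";
-default = ["nixos"];
+default = [];
 type = with lib.types; listOf str;
 };
 };
@@ -47,7 +47,8 @@
 services.tailscale = let
 inherit (cfg.advertise) tags;
 formattedTags =
-cfg.advertise.tags
+["nixos"]
++++ tags
 |> map (it: "tag:${it}")
 |> builtins.concatStringsSep ",";
 in {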
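Review bot: The `advertise.tags` description in the first hunk still reads "ACL tags to advertise" while the second hunk now unconditionally prepends `nixos`, so a reader of the option sees an empty default and no hint that a tag is always implied; suggest `description = "ACL tags to advertise in addition to the implicit \"nixos\" tag";`. The `let` block that defines `formattedTags` continues past the end of the hunk.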
+3 -26
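--- a/nix/nixos/modules/virtualization/default.nix
+++ b/nix/nixos/modules/virtualization/default.nix
@@ -1,28 +1,5 @@
 {
-config,
-lib,
-pkgs,
-...
-}: let
-cfg = config.my.virtualization;
-in {
-options.my.virtualization = {
-oci.enable = lib.mkEnableOption "OCI container virtualization";
-};
-
-config = lib.mkIf cfg.oci.enable {
-environment = {
-shellAliases._docker = lib.getExe pkgs.docker-client;
-systemPackages = [pkgs.podman-compose];
-variables.PODMAN_COMPOSE_WARNING_LOGS = "false";
-};
-
-virtualisation.podman = {
-enable = true;
-autoPrune.enable = true;
-defaultNetwork.settings.dns_enabled = true;
-dockerCompat = true;
-dockerSocket.enable = true;
-};
-};
+imports = [
+./oci
+];
 }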
+48
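--- a/nix/nixos/modules/virtualization/oci/compose.nix
+++ b/nix/nixos/modules/virtualization/oci/compose.nix
@@ -0,0 +1,48 @@
+{
+config,
+lib,
+pkgs,
+...
+}: let
+cfg = config.my.virtualization.oci.compose;
+in {
+options.my.virtualization.oci.compose = {
+enable =
+lib.mkEnableOption "compose files"
+// {default = config.my.virtualization.oci.enable;};
+project = lib.mkOption {
+description = "Project name for generated compose file";
+type = lib.types.str;
+default = "homelab";
+};
+attrs = lib.mkOption {
+type = lib.types.attrs;
+};
+prettyAttrs = lib.mkOption {
+type = lib.types.str;
+};
+file = lib.mkOption {
+type = lib.types.pathInStore;
+};
+text = lib.mkOption {
+type = lib.types.str;
+};
+};
+config = lib.mkIf cfg.enable {
+my.virtualization.oci.compose = {
+attrs = {
+inherit (config.my.virtualization.oci) networks services;
+name = cfg.project;
+};
+prettyAttrs =
+cfg.attrs
+|> lib.generators.toPretty {};
+text =
+cfg.attrs
+|> builtins.toJSON;
+file = pkgs.runCommand "compose-yaml" {buildInputs = [pkgs.remarshal];} ''
+remarshal --if json --of yaml > $out < ${pkgs.writeText "compose-json" cfg.text}
+'';
+};
+};
+}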
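Review bot: `file` reimplements the JSON-to-YAML conversion by hand with `runCommand`, `writeText` and remarshal, although networks.nix and services/default.nix in this same commit already obtain `pkgs.formats.yaml {}` for their option types; that format value can also generate the file, `file = (pkgs.formats.yaml {}).generate "compose.yaml" cfg.attrs;`, which removes the intermediate `text` hop and the ad-hoc derivation. Whichever path is kept, `attrs` deserves a comment making the storage model explicit, since every service's `environment` block is rendered into a world-readable store path: `# attrs is written to the Nix store (world-readable); credentials must go through env_file (see cloudflare-ddns.nix), never into a service's environment`. The options `attrs`, `prettyAttrs`, `file` and `text` carry no `description` and are only ever set by this module under `mkIf cfg.enable`, so a one-line description each (or `readOnly = true;`) would tell a reader that they are computed outputs rather than inputs.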
+65
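--- a/nix/nixos/modules/virtualization/oci/default.nix
+++ b/nix/nixos/modules/virtualization/oci/default.nix
@@ -0,0 +1,65 @@
+{
+config,
+lib,
+pkgs,
+self,
+...
+}: let
+inherit (self.vars.networks) oci;
+cfg = config.my.virtualization.oci;
+in {
+imports = [
+./compose.nix
+./networks.nix
+./services
+];
+
+options.my.virtualization.oci = {
+enable = lib.mkEnableOption "OCI container virtualization";
+externalInterface = lib.mkOption {
+description = "Which interface to use to connect to the outside world";
+type = with lib.types; nullOr (enum (builtins.attrNames (config.networking.interfaces // config.networking.wlanInterfaces)));
+default = null;
+};
+user = lib.mkOption {
+description = "Which user to run OCI containers under";
+type = with lib.types; nullOr (enum (builtins.attrNames (config.users.users)));
+default = self.vars.name.user;
+};
+};
+
+config = lib.mkIf cfg.enable {
+my.virtualization.oci = {
+networks = {
+internal = {
+internal = true;
+ipam.config = [{subnet = oci.internal.routingPrefix;}];
+};
+external = {
+external = true;
+ipam.config = [{subnet = oci.external.routingPrefix;}];
+};
+};
+};
+
+environment = {
+shellAliases = {
+_docker = lib.getExe pkgs.docker-client;
+};
+systemPackages = [
+pkgs.podman-compose
+];
+variables = {
+PODMAN_COMPOSE_WARNING_LOGS = "false";
+};
+};
+
+virtualisation.podman = {
+enable = true;
+autoPrune.enable = true;
+defaultNetwork.settings.dns_enabled = true;
+dockerCompat = true;
+dockerSocket.enable = true;
+};
+};
+}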
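Review bot: The `externalInterface` option builds its `enum` type from `config.networking.interfaces // config.networking.wlanInterfaces`, so the type itself depends on evaluated config: on a host whose interfaces come from NetworkManager/DHCP and are never declared there the enum is empty and the desktop config's `"enp6s0"` fails type-checking, and any `networking` option that later reads this module risks an infinite-recursion error; a plain `nullOr str` plus an `assertions` entry against the same attrNames gives the guard without coupling the type to config (the `user` option has the same shape). As far as the hunks in this commit show, `user` is only consumed as the secret `owner` in cloudflare-ddns.nix and nothing runs the containers under it, so the description "Which user to run OCI containers under" promises more than the module does. `dockerSocket.enable = true` publishes the rootful Podman socket at the Docker path, which makes membership of the `podman` group equivalent to root on the host; that line is worth a comment, `# rootful socket: podman group membership == root, keep it minimal`. Finally, `networks.external` sets `external = true`, which for compose means the network must pre-exist and is not created, so the `ipam.config` on it is presumably ignored or rejected and nothing in this commit creates that network — confirm the intent or drop the `ipam` block there.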
+15
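--- a/nix/nixos/modules/virtualization/oci/networks.nix
+++ b/nix/nixos/modules/virtualization/oci/networks.nix
@@ -0,0 +1,15 @@
+{
+lib,
+pkgs,
+...
+}: let
+format = pkgs.formats.yaml {};
+in {
+options.my.virtualization.oci.networks = lib.mkOption {
+description = "freeform OCI compose networks";
+type = lib.types.submodule {
+freeformType = format.type;
+};
+default = {};
+};
+}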
+47
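--- a/nix/nixos/modules/virtualization/oci/services/cloudflare-ddns.nix
+++ b/nix/nixos/modules/virtualization/oci/services/cloudflare-ddns.nix
@@ -0,0 +1,47 @@
+{
+config,
+lib,
+self,
+...
+}: let
+inherit (config.my.secret.helpers) mkSecret;
+cfg = config.my.virtualization.oci.containers.cloudflare-ddns;
+in {
+options.my.virtualization.oci.containers.cloudflare-ddns = {
+enable = lib.mkEnableOption "cloudflare-ddns container";
+};
+
+config = lib.mkIf cfg.enable {
+my.secret.definitions = {
+"cloudflare-api-token" = mkSecret "cloudflare-api-token" {
+intermediary = true;
+};
+"cloudflare-ddns-env" = mkSecret "cloudflare-ddns-env" {
+owner = config.my.virtualization.oci.user;
+generator = {
+dependencies = {inherit (config.age.secrets) cloudflare-api-token;};
+script = {
+lib,
+decrypt,
+deps,
+...
+}: ''
+printf 'API_KEY="%s"\n' $(${decrypt} ${lib.escapeShellArg deps.cloudflare-api-token.file})
+'';
+};
+};
+};
+
+my.virtualization.oci.services.cloudflare-ddns = {
+image = "oznu/cloudflare-ddns";
+environment = {
+ZONE = self.vars.domain.main;
+INTERFACE = config.my.virtualization.oci.externalInterface;
+PROXIED = "true";
+RRTYPE = "AAAA";
+};
+env_file = config.my.secrets."cloudflare-ddns-env".path;
+network_mode = "host";
+};
+};
+}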
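Review bot: The generator script expands `$(${decrypt} …)` unquoted as a `printf` argument, so a token containing whitespace or glob characters is word-split and globbed before it is written, and a token containing `"` yields an env file that no longer parses; quote the substitution, `printf 'API_KEY="%s"\n' "$(${decrypt} ${lib.escapeShellArg deps.cloudflare-api-token.file})"`, and consider emitting the value without the surrounding double quotes, since quote handling in `env_file` differs between docker compose and podman-compose. `image = "oznu/cloudflare-ddns"` has neither tag nor digest, so each pull resolves a mutable `latest` and an upstream push silently changes the code that holds the Cloudflare API token; pinning `image = "oznu/cloudflare-ddns:<tag>@sha256:<digest>"` (placeholders to be filled from the registry) keeps the deployment reproducible. `owner = config.my.virtualization.oci.user` hands the rendered env file to that user, but which account actually runs the compose stack is not visible in this commit — a comment on that line naming the intended reader would make the ownership choice verifiable.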
+21
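--- a/nix/nixos/modules/virtualization/oci/services/default.nix
+++ b/nix/nixos/modules/virtualization/oci/services/default.nix
@@ -0,0 +1,21 @@
+{
+lib,
+pkgs,
+self,
+...
+}: let
+format = pkgs.formats.yaml {};
+in {
+imports = [
+./cloudflare-ddns.nix
+];
+
+options.my.virtualization.oci.services = lib.mkOption {
+description = "freeform OCI compose services";
+type = lib.types.submodule {
+freeformType = format.type;
+};
+default = {};
+apply = lib.mapAttrs (_: service: self.lib.oci.mkDefaultContainer service);
+};
+}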
+7
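--- a/nix/nixos/profiles/hardware/gpu/nvidia.nix
+++ b/nix/nixos/profiles/hardware/gpu/nvidia.nix
@@ -22,6 +22,13 @@
 package = config.boot.kernelPackages.nvidiaPackages.stable;
 powerManagement.enable = true;
 };
+nvidia-container-toolkit = {
+enable = true;
+device-name-strategy = "uuid";
+discovery-mode = "auto";
+mount-nvidia-executables = true;
+mount-nvidia-docker-1-directories = true;
+};
 };
 services.xserver.videoDrivers = ["nvidia"];
 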
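Review bot: `nvidia-container-toolkit` is switched on for every host that uses the nvidia profile, independently of `my.virtualization.oci.enable`, so a GPU machine without containers still gets the CDI spec generation and the driver executables mounted into a container runtime it does not run; if that is not intended, `enable = config.my.virtualization.oci.enable;` ties it to the module that actually needs it (`config` is already in scope, see the `package` line). The attrset this block belongs to, presumably `hardware`, opens before the hunk.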
+10
secrets/.rekeyed/desktop/17fde1b49f7e9ee93076dc983eccd681-cloudflare-ddns-env.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 NQ2aOg HZdwk+AmUwimPuzcoHTz5FU31YzvfmIs4xL7klSTtmY 3 + kmTdYifQmlAyABASZ6eyxUBhpKyYjgiRZqbvjSiAWTU 4 + -> dz-grease 5 + T0YHCpFimnUSa44WDIZVYMJA6KWWyZ3v3gEp4EDvEdxNJwbDu9uwh+8gWNWZ17cV 6 + wQMXZ8OK 7 + --- 9qlkhxnQF50KuNPEK7MO3puJcXOc7ZLPsV3m6gHM2mo 8 + � �`-�C�����u�#��pm|��4�I�GO���uO8�Gx ڸ� 9 + ��Н�S�MY�� 10 + /Yo��A�.5�,\�I���{��
secrets/cloudflare-api-token.age

This is a binary file and will not be displayed.

secrets/cloudflare-ddns-env.age

This is a binary file and will not be displayed.

+2
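--- a/vars/default.nix
+++ b/vars/default.nix
@@ -2,6 +2,8 @@
 name.user = "lpchaim";
 name.full = "Luna Perroni";
 email.main = "lpchaim@proton.me";
+domain.main = "lpcha.im";
+timezone = "America/Sao_Paulo";
 flake.path = "~/.config/nixos";
 networks = import ./networks.nix;
 repo = rec {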
+6
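--- a/vars/networks.nix
+++ b/vars/networks.nix
@@ -5,4 +5,10 @@
 routingPrefix = "10.0.0.0/8";
 subnetMask = "255.255.255.0";
 };
+oci.internal = {
+routingPrefix = "172.16.80.0/24";
+};
+oci.external = {
+routingPrefix = "10.10.250.0/24";
+};
 }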