Refactor container configuration

2026-01-22 00:21:34 +01:00 · 2024-09-02 13:33:44 +02:00 · 2024-09-02 13:33:44 +02:00 · 380d8202ff
commit 380d8202ff
parent 8af96429ff
15 changed files with 288 additions and 241 deletions
--- a/hosts/stratus/containers/default.nix
+++ b/hosts/stratus/containers/default.nix
@ -0,0 +1,95 @@
+{
+  config,
+  inputs,
+  self,
+  lib,
+  ...
+}:
+let
+  containers = lib.filterAttrs (_: v: v == "directory") (builtins.readDir ./.);
+  interface = "eno1";
+  dataDirOf = name: "/data/${name}";
+in
+{
+  imports = [
+    ./nextcloud
+    ./paperless
+  ];
+
+  sops.secrets = lib.mapAttrs' (
+    name: _: lib.nameValuePair "container/${name}/ssh-key" { }
+  ) containers;
+
+  systemd.tmpfiles.rules = lib.flatten (
+    lib.mapAttrsToList (name: _: [
+      "d ${dataDirOf name} - - -"
+      "d /var/lib/tailscale-${name} - - -"
+    ]) containers
+  );
+
+  containers = lib.mapAttrs (name: _: {
+    autoStart = true;
+    ephemeral = true;
+    macvlans = [ interface ];
+
+    bindMounts = {
+      "/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
+      ${dataDirOf name}.isReadOnly = false;
+      "/var/lib/tailscale" = {
+        hostPath = "/var/lib/tailscale-${name}";
+        isReadOnly = false;
+      };
+    };
+
+    specialArgs = {
+      inherit inputs self;
+      inherit (config.system) stateVersion;
+      inherit (config.networking) domain;
+      dataDir = dataDirOf name;
+    };
+    config =
+      {
+        self,
+        stateVersion,
+        domain,
+        ...
+      }:
+      {
+        imports = [
+          "${self}/modules/system/sops.nix"
+          "${self}/modules/system/tailscale.nix"
+        ];
+
+        system = {
+          inherit stateVersion;
+        };
+
+        networking = {
+          inherit domain;
+          useNetworkd = true;
+          useHostResolvConf = false;
+        };
+
+        systemd.network = {
+          enable = true;
+          networks."10-mv-${interface}" = {
+            matchConfig.Name = "mv-${interface}";
+            networkConfig.DHCP = "yes";
+            dhcpV4Config.ClientIdentifier = "mac";
+          };
+        };
+
+        myConfig.sops = {
+          enable = true;
+          defaultSopsFile = ./${name}/secrets.yaml;
+        };
+
+        sops.secrets."tailscale-auth-key" = { };
+        services.tailscale.interfaceName = "userspace-networking";
+        myConfig.tailscale = {
+          enable = true;
+          ssh.enable = true;
+        };
+      };
+  }) containers;
+}