modules/containers: a hacc-specific containers module

this started with emily pointing out to me that it's possible to generate IP addresses for containers in Nix (hence no need to worry about ever having collisions, as we had before), but then I thought, hey, while I'm at it, I can also write a little container module so we have a little less repetition in our configs in general (and a more reasonable place for our custom evalConfig than just keeping it around in flake.nix). See the option descriptions in modules/containers.nix for further details. Apart from giving all containers a new IP address (and also shiny new IPv6 addresses), this should be a no-op for the actual built system.
2024-04-19 19:11:03 +02:00 · 2024-04-19 19:11:03 +02:00 · f654b33a56
commit f654b33a56
parent 3dc63acf52
10 changed files with 134 additions and 135 deletions
--- a/flake.nix
+++ b/flake.nix
@ -38,33 +38,20 @@
          system = "x86_64-linux";
          config.allowUnfree = true;
        };
-        evalConfig = config: (nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          modules = [
-            config
-            {
-              nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
-              imports = [ modules.nopersist profiles.container ];
-            }
-          ];
-          specialArgs = {
-            # some of our modules import each other, and evalConfig is used for containers
-            inherit modules evalConfig;
-            sources = inputs;
-          };
-        }).config.system.build.toplevel;
    in {
      nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./parsons/configuration.nix
          ./modules/buildinfo.nix
+          ./modules/containers.nix
          sops-nix.nixosModules.sops
          { nixpkgs.pkgs = pkgs; }
        ];
        specialArgs = {
          sources = inputs;
-          inherit modules evalConfig;
+          inherit modules profiles;
+          inherit (nixpkgs.lib) nixosSystem;
        };
      };

--- a/modules/container-profile.nix
+++ b/modules/container-profile.nix
@ -14,12 +14,5 @@
    '';
  };

-  # I /suspect/ this is not actually needed.
-  # TODO: find spoons to deal with potential breakage, test removing this
-  networking.defaultGateway = {
-    address = "192.168.100.1";
-    interface = "eth0";
-  };
-
  system.stateVersion = lib.mkDefault "21.05";
 }
--- a/modules/containers.nix
+++ b/modules/containers.nix
@ -0,0 +1,95 @@
+{ config, lib, pkgs, modules, profiles, sources, nixosSystem, ... }:
+
+let
+  mkIPv4 = index: local:
+    "192.168.${if local then "100" else "101"}.${toString index}";
+  mkIPv6 = index: local:
+    "fd00::${if local then "100" else "101"}:${toString index}";
+
+  evalConfig = nixosConfig: (nixosSystem {
+    inherit (config.nixpkgs) system;
+    modules = [
+      nixosConfig
+      modules.nopersist
+      profiles.container
+      { nixpkgs.pkgs = lib.mkForce pkgs; }
+    ];
+    specialArgs = {
+      inherit modules sources;
+    };
+  }).config.system.build.toplevel;
+
+in {
+  options.hacc.containers = with lib.options;
+    mkOption {
+      description = ''
+        hacc-specific containers. These are a thin wrapper around "normal" nixos containers:
+          - they automatically get an IPv4/IPv6 address assigned
+            (note that these are not guaranteed to be stable across config changes,
+            so please use {option}`containers.<name>.hostAddress` & friends to
+            reference them elsewhere)
+          - they set a couple default options (e.g. ephemeral, autoStart, privateNetwork)
+          - they are evaluated with our own version of {nix}`evalConfig`, which includes a
+            couple more modules by default, use our version of `nixpkgs`, and includes the
+            {nix}`profiles.containers` profile setting sane defaults for containers.
+      '';
+      default = { };
+      type = with lib.types;
+        types.attrsOf (types.submodule {
+          options = {
+            bindToPersist = mkOption {
+              default = true;
+              type = types.bool;
+              description =
+                "Wether to mount /persist/containers/<name> at /persist into this container.";
+            };
+
+            bindSecrets = mkOption {
+              default = false;
+              type = types.bool;
+              description =
+                "Whether to mount /run/secrets/<name> at /secrets into this container.";
+            };
+
+            config = mkOption {
+              type = types.unspecified;
+              description =
+                "The container's config, to be evaluated with our own {nix}`evalConfig`.";
+            };
+          };
+        });
+    };
+
+  # wrapped into imap1, which enumerates the containers; IP addresses are then
+  # simply assigned based on the order the containers are in the list.
+  config.containers = lib.mkMerge (lib.imap1
+    (index: { name, value }: let container = value; in {
+      ${name} = {
+        hostAddress = mkIPv4 index false;
+        localAddress = mkIPv4 index true;
+        hostAddress6 = mkIPv6 index false;
+        localAddress6 = mkIPv6 index true;
+
+        privateNetwork = true;
+        autoStart = true;
+        ephemeral = true;
+
+        bindMounts = lib.mkMerge [
+          (lib.mkIf container.bindToPersist {
+            "/persist" = {
+              hostPath = "/persist/containers/${name}";
+              isReadOnly = false;
+            };
+          })
+          (lib.mkIf container.bindSecrets {
+            "/secrets" = {
+              hostPath = "/run/secrets/${name}";
+              isReadOnly = true;
+            };
+          })
+        ];
+
+        path = evalConfig container.config;
+      };
+    }) (lib.attrsToList config.hacc.containers));
+}
--- a/parsons/forgejo.nix
+++ b/parsons/forgejo.nix
@ -1,19 +1,8 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {
-  containers.forgejo = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.10";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/forgejo";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, ... }: {
+  hacc.containers.forgejo = {
+    config = { lib, pkgs, ... }: {
      system.stateVersion = "21.11";

      environment.systemPackages = [ pkgs.forgejo ];
@ -79,7 +68,7 @@
      services.openssh = {
        enable = true;
        listenAddresses = [ {
-          addr = "192.168.100.10";
+          addr = config.containers.forgejo.localAddress;
          port = 22;
        } ];
        settings = {
@ -87,7 +76,7 @@
          AcceptEnv = "GIT_PROTOCOL";
        };
      };
-    });
+    };
  };

  services.nginx.virtualHosts."git.infra4future.de" = {
--- a/parsons/hedgedoc-hacc.nix
+++ b/parsons/hedgedoc-hacc.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {

@ -6,20 +6,11 @@
    "hedgedoc-hacc/env" = {};
  };

-  containers.pad-hacc = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.5";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/pad-hacc";
-        isReadOnly = false;
-      };
-      "/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
-    };
-    path = evalConfig ({ config, lib, ... }: {
+  containers.pad-hacc.bindMounts = {
+    "/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
+  };
+  hacc.containers.pad-hacc = {
+    config = { config, lib, ... }: {
      services.hedgedoc = {
        enable = true;
        settings = {
@ -78,7 +69,7 @@
        location = "/persist/backups/postgres";
      };
      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
-    });
+    };
  };
  services.nginx.virtualHosts."pad.hacc.earth" = {
    enableACME = true;
--- a/parsons/hedgedoc-i4f.nix
+++ b/parsons/hedgedoc-i4f.nix
@ -1,19 +1,8 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {
-  containers.pad-i4f = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.6";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/pad-i4f";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, ... }: {
+  hacc.containers.pad-i4f = {
+    config = { config, lib, ... }: {
      services.hedgedoc = {
        enable = true;
        settings = {
@ -57,7 +46,7 @@
        location = "/persist/backups/postgres";
      };
      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
-    });
+    };
  };

  services.nginx.virtualHosts."pad.infra4future.de" = {
--- a/parsons/mattermost.nix
+++ b/parsons/mattermost.nix
@ -1,26 +1,14 @@
-{ config, pkgs, lib, evalConfig, ...}:
+{ config, pkgs, lib, ...}:

 {
  sops.secrets = {
    "mattermost/env" = {};
  };

-  containers.mattermost = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.3";
-    ephemeral = true;
+  hacc.containers.mattermost = {
+    bindSecrets = true;

-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/mattermost";
-        isReadOnly = false;
-      };
-      "/secrets".hostPath = "/run/secrets/mattermost";
-    };
-
-    path = evalConfig ({ config, lib, pkgs, ... }: {
+    config = { config, lib, pkgs, ... }: {
      systemd.services.mattermost.serviceConfig.EnvironmentFile =
        lib.mkForce "/secrets/env";

@ -218,7 +206,7 @@
        startAt = "*-*-* 23:45:00";
        location = "/persist/backups/postgres";
      };
-    });
+    };
  };

  services.nginx.virtualHosts."mattermost.infra4future.de" = {
--- a/parsons/nextcloud.nix
+++ b/parsons/nextcloud.nix
@ -1,19 +1,8 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {
-  containers.nextcloud = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.2";
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/nextcloud";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, ... }: {
+  hacc.containers.nextcloud = {
+    config = { config, lib, pkgs, ... }: {
      environment.systemPackages = [ pkgs.htop ];

      services.nextcloud = {
@ -82,7 +71,7 @@
        requires = ["postgresql.service"];
        after = ["postgresql.service"];
      };
-    });
+    };
  };

  services.nginx.virtualHosts."cloud.infra4future.de" = {
--- a/parsons/tracktrain.nix
+++ b/parsons/tracktrain.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 let
  tracktrain-config = ''
@ -25,14 +25,14 @@ in
    enableACME = true;
    forceSSL = true;
    locations."/" = {
-      proxyPass = "http://192.168.42.41:4000";
+      proxyPass = "http://${config.containers.tracktrain.localAddress}:4000";
      proxyWebsockets = true;
    };
    # note: this shadows the /metrics endpoint of tracktrain
    # in case you remove this, please consider putting something
    # else here to keep it from being publicly scrapable
    locations."/metrics/" = {
-      proxyPass = "http://192.168.42.41:2342";
+      proxyPass = "http://${config.containers.tracktrain.localAddress}:2342";
      proxyWebsockets = true;
      extraConfig = ''
        rewrite  ^/metrics/(.*)  /$1 break;
@ -40,21 +40,10 @@ in
    };
  };

-  containers.tracktrain = {
-    privateNetwork = true;
-    hostAddress = "192.168.42.40";
-    localAddress = "192.168.42.41";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/tracktrain";
-        isReadOnly = false;
-      };
-      "/secrets".hostPath = "/run/secrets/tracktrain";
-    };
+  hacc.containers.tracktrain = {
+    bindSecrets = true;

-    path = evalConfig ({ config, lib, pkgs, ... }: {
+    config = { config, lib, pkgs, ... }: {
      system.stateVersion = "21.11";

      users.users.tracktrain = {
@ -151,7 +140,7 @@ in
      systemd.services.grafana.serviceConfig.EnvironmentFile =
        "/secrets/env";
      hacc.bindToPersist = [ "/var/lib/grafana" ];
-    });
+    };
  };

 }
--- a/parsons/uffd.nix
+++ b/parsons/uffd.nix
@ -1,19 +1,8 @@
-{ config, lib, pkgs, evalConfig, ... }:
+{ config, lib, pkgs, ... }:

 {
-  containers.uffd = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.9";
-    autoStart = true;
-    ephemeral = true;
-    bindMounts = {
-      "/persist" = {
-        hostPath = "/persist/containers/uffd";
-        isReadOnly = false;
-      };
-    };
-    path = evalConfig ({ config, lib, pkgs, ... }: {
+  hacc.containers.uffd = {
+    config = { config, lib, pkgs, ... }: {
      services.uwsgi = {
        enable = true;
        plugins = [ "python3" ];
@ -29,7 +18,7 @@
          hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
        };
      };
-    });
+    };
  };
  services.nginx.virtualHosts."login.infra4future.de" = {
    enableACME = true;