nix-config/modules/containers.nix

{
  config,
  nix-config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkIf;
  inherit (config.modules.system) username;
  inherit (config.boot) enableContainers;

  template = {
    privateNetwork = true;
    ephemeral = true;
    restartIfChanged = false;

    bindMounts = {
      "/mnt" = {
        hostPath = "/home/${username}/containers/wine";
        isReadOnly = false;
      };

      waylandDisplay = rec {
        hostPath = "/run/user/1000";
        mountPoint = hostPath;
      };

      x11Display = rec {
        hostPath = "/tmp/.X11-unix";
        mountPoint = hostPath;
      };

      dri = rec {
        hostPath = "/dev/dri";
        mountPoint = hostPath;
      };
    };

    allowedDevices = [
      {
        modifier = "rw";
        node = "/dev/dri/renderD128";
      }
    ];

    specialArgs = {
      inherit nix-config;
    };
  };
in
{
  environment.systemPackages = mkIf (pkgs.system == "x86_64-linux") (
    with nix-config.inputs.sakaya.packages.${pkgs.system}; [ sakaya ]
  );

  containers = mkIf enableContainers {
    wine = template // {
      hostAddress = "192.168.100.34";
      localAddress = "192.168.100.49";
      config =
        {
          nix-config,
          config,
          lib,
          pkgs,
          ...
        }:

        let
          inherit (nix-config.inputs.sakaya.packages.${pkgs.system}) sakaya;
          inherit (config.modules.system) username;
          inherit (lib) getExe;
        in
        {
          imports = with nix-config.nixosModules; [
            shell
            desktop
            system
            stylix
            fonts
          ];

          home-manager.sharedModules = with nix-config.homeModules; [
            fish
            git
            gtk
            kitty
            neovim
            xresources
            yazi
          ];

          nixpkgs.overlays = builtins.attrValues nix-config.overlays;

          environment = {
            systemPackages =
              (with pkgs; [
                wineWowPackages.waylandFull
                winetricks
              ]);

            variables = {
              TERM = "xterm-kitty";
            };

            sessionVariables = {
              WAYLAND_DISPLAY = "wayland-1";
              QT_QPA_PLATFORM = "wayland";
              QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
              SDL_VIDEODRIVER = "wayland";
              CLUTTER_BACKEND = "wayland";
              MOZ_ENABLE_WAYLAND = "1";
              XDG_RUNTIME_DIR = "/run/user/1000";
              DISPLAY = ":0";
              QT_IM_MODULE = "fcitx";
              XMODIFIERS = "@im=fcitx";
              SDL_IM_MODULE = "fcitx";
              GLFW_IM_MODULE = "ibus";
              LC_ALL = "ja_JP.UTF-8";
              TZ = "Asia/Tokyo";
            };
          };

          hardware.graphics.enable = true;

          networking.firewall.allowedTCPPorts = [ 39493 ];

          systemd.services.sakaya = {
            enable = true;
            description = "sakaya server";
            unitConfig.Type = "simple";
            path = with pkgs; [ su ];
            serviceConfig.ExecStart = "/usr/bin/env su ${username} --command=${getExe sakaya}";
            wantedBy = [ "multi-user.target" ];
          };
        };
    };

    wordpress = {
      privateNetwork = true;
      ephemeral = true;
      autoStart = true;

      hostAddress = "192.168.100.24";
      localAddress = "192.168.100.39";

      specialArgs = {
        inherit nix-config;
      };

      config =
        { nix-config, pkgs, ... }:
        {
          imports = with nix-config.nixosModules; [
            system
          ];

          users.defaultUserShell = pkgs.fish;

          programs = {
            fish.enable = true;
            neovim.enable = true;
          };

          environment = {
            systemPackages = with pkgs; [ kitty ];
            shells = with pkgs; [ fish ];

            variables = {
              TERM = "xterm-kitty";
            };
          };

          networking = {
            firewall.allowedTCPPorts = [ 80 ];
          };

          services.wordpress.sites.localhost = { };
        };
    };
  };
}
modules: Format with nixfmt-rfc-style 2024-08-03 20:40:07 +02:00			`{`
			`config,`
			`nix-config,`
			`lib,`
meta: Move sakaya to containers module 2024-09-10 05:08:01 +02:00			`pkgs,`
modules: Format with nixfmt-rfc-style 2024-08-03 20:40:07 +02:00			`...`
			`}:`
chore: Formatting 2023-06-23 21:48:29 +02:00
refactor(containers): Abstract common config This makes it possible to create multiple containers without duplicating code. This may be useful for having an internet container and a no internet container. 2023-08-31 20:08:35 +02:00			`let`
containers: Fix warning when containers are disabled Now it's possible to disable the containers without getting a warning that containers.<name> is being defined. 2024-04-06 14:08:06 +02:00			`inherit (lib) mkIf;`
phone: Move containers config out of container module We should explicitly enable it instead of conditionally disable it. 2024-07-17 11:55:08 +02:00			`inherit (config.modules.system) username;`
containers: Fix warning when containers are disabled Now it's possible to disable the containers without getting a warning that containers.<name> is being defined. 2024-04-06 14:08:06 +02:00			`inherit (config.boot) enableContainers;`
meta: Don't hardcode home directory This is a much better way of handling things. 2024-04-05 01:38:57 +02:00
refactor(containers): Abstract common config This makes it possible to create multiple containers without duplicating code. This may be useful for having an internet container and a no internet container. 2023-08-31 20:08:35 +02:00			`template = {`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00			`privateNetwork = true;`
containers(wine): Implement impermanence Useful to avoid certain things working due to a certain state, then forgetting what was changed over time. 2023-06-16 20:21:23 +02:00			`ephemeral = true;`
containers: Disable restartIfChanged Makes it possible to use sakaya without worrying about the container automatically restarting on config changes and closing all the wine applications. This was previously part of my personal nixpkgs branch but I turned it into an option that should hopefully be upstreamed soon. 2023-10-11 00:38:13 +02:00			`restartIfChanged = false;`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00
			`bindMounts = {`
meta: Remove variables from containers Modules solve the variable problem in a nicer way. 2023-06-22 17:43:19 +02:00			`"/mnt" = {`
meta: Don't hardcode home directory This is a much better way of handling things. 2024-04-05 01:38:57 +02:00			`hostPath = "/home/${username}/containers/wine";`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00			`isReadOnly = false;`
			`};`
Make wine container support display output This works, and I was surprised that I needed to change little to nothing at all. 2023-06-03 21:36:26 +02:00
			`waylandDisplay = rec {`
			`hostPath = "/run/user/1000";`
			`mountPoint = hostPath;`
			`};`

			`x11Display = rec {`
			`hostPath = "/tmp/.X11-unix";`
			`mountPoint = hostPath;`
			`};`
containers(wine): Passthrough /dev/dri Enables the wine container to have native graphics performance on the host. 2023-06-16 20:22:57 +02:00
			`dri = rec {`
			`hostPath = "/dev/dri";`
			`mountPoint = hostPath;`
			`};`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00			`};`

containers(wine): Passthrough /dev/dri Enables the wine container to have native graphics performance on the host. 2023-06-16 20:22:57 +02:00			`allowedDevices = [`
			`{`
			`modifier = "rw";`
			`node = "/dev/dri/renderD128";`
			`}`
			`];`
feat: Simplify imports by importing with specialArgs This change makes it possible to import the modules that are required from the flake inputs in the output modules themselves, thus preventing users from having to manually import those modules. This simplifies things overall and was made possible by the specialArgs option that allowed these flake inputs to be passed into our container. 2024-04-05 15:36:21 +02:00
			`specialArgs = {`
feat: Pass nix-config as self to avoid infinite recursion This change makes it possible to use this nix-config in all the different ways imaginable (containers, bare metal, tests, and as a separate flake input) without running into infinite recursion issues with self. It does this by using a trick similar to JavaScript in which `var self = this;`, thus enabling the usage of "this" (or self, in Nix's case) where it wouldn't otherwise be possible. Note that this only works if the input for this repository is named nix-config. This makes it impractical to combine with multiple configurations that employ the same strategy. 2024-04-05 16:09:51 +02:00			`inherit nix-config;`
feat: Simplify imports by importing with specialArgs This change makes it possible to import the modules that are required from the flake inputs in the output modules themselves, thus preventing users from having to manually import those modules. This simplifies things overall and was made possible by the specialArgs option that allowed these flake inputs to be passed into our container. 2024-04-05 15:36:21 +02:00			`};`
refactor(containers): Abstract common config This makes it possible to create multiple containers without duplicating code. This may be useful for having an internet container and a no internet container. 2023-08-31 20:08:35 +02:00			`};`
chore: Fix formatting 2023-08-31 20:16:29 +02:00			`in`
			`{`
meta: Move sakaya to containers module 2024-09-10 05:08:01 +02:00			`environment.systemPackages = mkIf (pkgs.system == "x86_64-linux") (`
			`with nix-config.inputs.sakaya.packages.${pkgs.system}; [ sakaya ]`
			`);`

phone: Move containers config out of container module We should explicitly enable it instead of conditionally disable it. 2024-07-17 11:55:08 +02:00			`containers = mkIf enableContainers {`
containers: Fix warning when containers are disabled Now it's possible to disable the containers without getting a warning that containers.<name> is being defined. 2024-04-06 14:08:06 +02:00			`wine = template // {`
			`hostAddress = "192.168.100.34";`
			`localAddress = "192.168.100.49";`
meta: move container configs into containers module This is part of making the config easier to understand for users by only having directories that directly map to flake outputs. This also simplifies using the config a bit since it's possible to remove containers entirely by simply deleting the containers.nix file. 2024-10-21 15:07:43 +02:00			`config =`
			`{`
			`nix-config,`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`

			`let`
			`inherit (nix-config.inputs.sakaya.packages.${pkgs.system}) sakaya;`
			`inherit (config.modules.system) username;`
			`inherit (lib) getExe;`
			`in`
			`{`
			`imports = with nix-config.nixosModules; [`
			`shell`
			`desktop`
			`system`
			`stylix`
			`fonts`
			`];`

			`home-manager.sharedModules = with nix-config.homeModules; [`
			`fish`
			`git`
			`gtk`
			`kitty`
			`neovim`
			`xresources`
			`yazi`
			`];`

			`nixpkgs.overlays = builtins.attrValues nix-config.overlays;`

			`environment = {`
			`systemPackages =`
			`(with pkgs; [`
			`wineWowPackages.waylandFull`
			`winetricks`
containers(wine): remove useless systemPackage 2024-10-22 07:40:41 +02:00			`]);`
meta: move container configs into containers module This is part of making the config easier to understand for users by only having directories that directly map to flake outputs. This also simplifies using the config a bit since it's possible to remove containers entirely by simply deleting the containers.nix file. 2024-10-21 15:07:43 +02:00
			`variables = {`
			`TERM = "xterm-kitty";`
			`};`

			`sessionVariables = {`
			`WAYLAND_DISPLAY = "wayland-1";`
			`QT_QPA_PLATFORM = "wayland";`
			`QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";`
			`SDL_VIDEODRIVER = "wayland";`
			`CLUTTER_BACKEND = "wayland";`
			`MOZ_ENABLE_WAYLAND = "1";`
			`XDG_RUNTIME_DIR = "/run/user/1000";`
			`DISPLAY = ":0";`
			`QT_IM_MODULE = "fcitx";`
			`XMODIFIERS = "@im=fcitx";`
			`SDL_IM_MODULE = "fcitx";`
			`GLFW_IM_MODULE = "ibus";`
			`LC_ALL = "ja_JP.UTF-8";`
			`TZ = "Asia/Tokyo";`
			`};`
			`};`

			`hardware.graphics.enable = true;`

containers(wine): simplify 2024-10-22 07:40:08 +02:00			`networking.firewall.allowedTCPPorts = [ 39493 ];`
meta: move container configs into containers module This is part of making the config easier to understand for users by only having directories that directly map to flake outputs. This also simplifies using the config a bit since it's possible to remove containers entirely by simply deleting the containers.nix file. 2024-10-21 15:07:43 +02:00
			`systemd.services.sakaya = {`
			`enable = true;`
			`description = "sakaya server";`
containers(wine): simplify 2024-10-22 07:40:08 +02:00			`unitConfig.Type = "simple";`
meta: move container configs into containers module This is part of making the config easier to understand for users by only having directories that directly map to flake outputs. This also simplifies using the config a bit since it's possible to remove containers entirely by simply deleting the containers.nix file. 2024-10-21 15:07:43 +02:00			`path = with pkgs; [ su ];`
containers(wine): simplify 2024-10-22 07:40:08 +02:00			`serviceConfig.ExecStart = "/usr/bin/env su ${username} --command=${getExe sakaya}";`
meta: move container configs into containers module This is part of making the config easier to understand for users by only having directories that directly map to flake outputs. This also simplifies using the config a bit since it's possible to remove containers entirely by simply deleting the containers.nix file. 2024-10-21 15:07:43 +02:00			`wantedBy = [ "multi-user.target" ];`
			`};`
			`};`
nix: Simplify 2023-06-11 15:51:26 +02:00			`};`
containers: add wordpress This is the start of my fun attempt at using NixOS containers for web services as a Docker replacement. After spending some time on other servers I realized that I don't actually need my dotfiles on those servers, so it becomes significantly faster to build these containers without worrying about home-manager and command-line programs I use on the host. Main advantages include web service configuration with Nix instead of Docker. Disadvantages include increased complexity for anything that isn't already maintained by others in nixpkgs. 2024-10-11 22:28:15 +02:00
			`wordpress = {`
			`privateNetwork = true;`
			`ephemeral = true;`
			`autoStart = true;`

			`hostAddress = "192.168.100.24";`
			`localAddress = "192.168.100.39";`

			`specialArgs = {`
			`inherit nix-config;`
			`};`

meta: move container configs into containers module This is part of making the config easier to understand for users by only having directories that directly map to flake outputs. This also simplifies using the config a bit since it's possible to remove containers entirely by simply deleting the containers.nix file. 2024-10-21 15:07:43 +02:00			`config =`
			`{ nix-config, pkgs, ... }:`
			`{`
			`imports = with nix-config.nixosModules; [`
			`system`
			`];`

			`users.defaultUserShell = pkgs.fish;`

			`programs = {`
			`fish.enable = true;`
			`neovim.enable = true;`
			`};`

			`environment = {`
			`systemPackages = with pkgs; [ kitty ];`
			`shells = with pkgs; [ fish ];`

			`variables = {`
			`TERM = "xterm-kitty";`
			`};`
			`};`

			`networking = {`
			`firewall.allowedTCPPorts = [ 80 ];`
			`};`

			`services.wordpress.sites.localhost = { };`
			`};`
containers: add wordpress This is the start of my fun attempt at using NixOS containers for web services as a Docker replacement. After spending some time on other servers I realized that I don't actually need my dotfiles on those servers, so it becomes significantly faster to build these containers without worrying about home-manager and command-line programs I use on the host. Main advantages include web service configuration with Nix instead of Docker. Disadvantages include increased complexity for anything that isn't already maintained by others in nixpkgs. 2024-10-11 22:28:15 +02:00			`};`
Add base wine container I figured out how to get wine working on Nix, and it works surprisingly well, however I'd like to avoid programs from writing wherever they want and don't want to rely on a solution like firejail. As it turns out, systemd-nspawn containers enable us to run wine applications in a reasonably private container without access to neither the files of the host nor its internet connection. 2023-06-03 21:29:49 +02:00			`};`
			`}`