modules/system/settei: containers module

2024-03-23 19:30:17 +01:00 · 2024-03-23 19:30:17 +01:00 · 1eceee7c6a
commit 1eceee7c6a
parent 008bf7c80e
2 changed files with 117 additions and 0 deletions
--- a/modules/system/settei/containers.nix
+++ b/modules/system/settei/containers.nix
@ -0,0 +1,116 @@
+{ isLinux }:
+{
+  config,
+  options,
+  lib,
+  ...
+}:
+let
+  containerModule =
+    { name, ... }:
+    {
+      options = {
+        config = lib.mkOption { type = lib.types.deferredModule; };
+        hostAddress = lib.mkOption {
+          type = lib.types.str;
+          readOnly = true;
+        };
+        localAddress = lib.mkOption {
+          type = lib.types.str;
+          readOnly = true;
+        };
+        hostAddress6 = lib.mkOption {
+          type = lib.types.str;
+          readOnly = true;
+        };
+        localAddress6 = lib.mkOption {
+          type = lib.types.str;
+          readOnly = true;
+        };
+        autoStart = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+        };
+        bindMounts = lib.mkOption {
+          type =
+            with lib.types;
+            attrsOf (submodule {
+              options = {
+                hostPath = lib.mkOption {
+                  default = null;
+                  example = "/home/alice";
+                  type = nullOr str;
+                  description = lib.mdDoc "Location of the host path to be mounted.";
+                };
+                isReadOnly = lib.mkOption {
+                  default = true;
+                  type = bool;
+                  description = lib.mdDoc "Determine whether the mounted path will be accessed in read-only mode.";
+                };
+              };
+            });
+          default = { };
+        };
+      };
+
+      config =
+        let
+          fullHash = builtins.hashString "sha256" name;
+          getByte =
+            idx:
+            let
+              i = idx * 2;
+              s = builtins.substring i 2 fullHash;
+            in
+            (builtins.fromTOML "value = 0x${s}").value;
+          netAddr = lib.genList getByte 2;
+          net4 = "10.${lib.concatMapStringsSep "." toString netAddr}";
+          net6 = "fc00:${lib.concatMapStrings lib.toHexString netAddr}:";
+        in
+        {
+          hostAddress = "${net4}.1";
+          localAddress = "${net4}.2";
+          hostAddress6 = "${net6}:1";
+          localAddress6 = "${net6}:2";
+        };
+    };
+
+  linuxConfig = lib.optionalAttrs isLinux {
+    containers = lib.mapAttrs (
+      _: container:
+      container
+      // {
+        config = {
+          imports = [ container.config ];
+
+          services.openssh.hostKeys = [ ];
+          system.stateVersion = lib.mkDefault config.system.stateVersion;
+        };
+
+        bindMounts = {
+          # Pass in host's system key to allow decrypting secrets inside containers
+          "/etc/ssh/ssh_host_ed25519_key" = { };
+        } // container.bindMounts;
+
+        privateNetwork = lib.mkForce true;
+      }
+    ) config.settei.containers;
+  };
+
+  darwinConfig = lib.optionalAttrs (!isLinux) {
+    warnings = lib.optional options.settei.containers.isDefined "settei.containers doesn't do anything on darwin yet";
+  };
+in
+{
+  _file = ./containers.nix;
+
+  options.settei.containers = lib.mkOption {
+    type = with lib.types; attrsOf (submodule containerModule);
+    default = { };
+  };
+
+  config = lib.mkMerge [
+    linuxConfig
+    darwinConfig
+  ];
+}
--- a/modules/system/settei/default.nix
+++ b/modules/system/settei/default.nix
@ -19,6 +19,7 @@
    ./user.nix
    (import ./programs { inherit isLinux; })
    (import ./tailscale.nix { inherit isLinux; })
+    (import ./containers.nix { inherit isLinux; })
  ];

  options.settei = with lib; {