flakes/containers/fluorite/flake.nix

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
  outputs = { nixpkgs, ... }:
  let
    name = "fluorite";
    fqdn = "fluorite.lava.moe";
    subnetId = "6";

    subnet = x: "fd0d:1::${subnetId}:${toString x}";
    host = subnet 1;
    client = subnet 2;

    subnet4 = x: "10.30.${subnetId}.${toString x}";
    host4 = subnet4 1;
    client4 = subnet4 2;

    clientTun = "100.67.2.101";

    modules = [
      ./configuration.nix
      {
        networking.useHostResolvConf = false;
        networking.nameservers = [ "8.8.8.8" ];
      }
    ];
  in {
    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
      inherit modules;
    };
    nixosModule = { config, ... }: let
      hostfqdn = "${config.networking.hostName}.lava.moe";
      altfqdn = "fluorite.${hostfqdn}";
      # TODO: HACK
      listenAddr = if (config.networking.hostName == "alyssum")
        then [ "100.67.2.1" ]
        else [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
    in {
      networking.nat = {
        enable = true;
        enableIPv6 = true;
        internalInterfaces = [ "ve-${name}" ];
      };
      networking.firewall.allowedTCPPorts = [ 50300 ];

      services.nginx.virtualHosts."${fqdn}" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        locations."/".proxyPass = "http://${clientTun}:5030";
        listenAddresses = listenAddr;
      };

      security.acme.certs.${hostfqdn} = { extraDomainNames = [ "*.${hostfqdn}" ]; };
      services.nginx.virtualHosts."${altfqdn}" = {
        useACMEHost = hostfqdn;
        forceSSL = true;
        locations."/".proxyPass = "http://${clientTun}:5030";
        listenAddresses = listenAddr;
      };

      systemd.tmpfiles.rules = [
        "d /persist/containers/${name} 755 root users"
        "d /persist/media/music 075 nobody users"
      ];
      containers.${name} = {
        autoStart = true;
        privateNetwork = true;
        enableTun = true;
        hostAddress = host4;
        localAddress = client4;
        hostAddress6 = host;
        localAddress6 = client;
        # privateUsers = "pick";
        nixpkgs = nixpkgs;
        ephemeral = true;
        config = { imports = modules; };
        specialArgs = { inherit fqdn; };

        forwardPorts = [
          {
            containerPort = 50300;
            hostPort = 50300;
            protocol = "tcp";
          }
        ];

        bindMounts."persist" = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        bindMounts."music" = {
          hostPath = "/persist/media/music";
          mountPoint = "/binds/music";
          isReadOnly = true;
        };
        bindMounts."slskd_env" = {
          hostPath = config.age.secrets.slskd_env.path;
          mountPoint = "/binds/slskd_env";
          isReadOnly = true;
        };
        bindMounts."tailscale_auth" = {
          hostPath = config.age.secrets.tailscale_auth.path;
          mountPoint = "/binds/tailscale_auth";
          isReadOnly = true;
        };
        # flake = "path:" + ./.;
      };
    };
  };
}
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`{`
			`inputs = {`
			`nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";`
			`};`
			`outputs = { nixpkgs, ... }:`
			`let`
			`name = "fluorite";`
			`fqdn = "fluorite.lava.moe";`
			`subnetId = "6";`

			`subnet = x: "fd0d:1::${subnetId}:${toString x}";`
			`host = subnet 1;`
			`client = subnet 2;`

			`subnet4 = x: "10.30.${subnetId}.${toString x}";`
			`host4 = subnet4 1;`
			`client4 = subnet4 2;`

containers/fluorite: use tun address for proxy 2026-06-17 01:02:59 +10:00			`clientTun = "100.67.2.101";`

containers/fluorite: init 2026-03-18 01:52:34 +11:00			`modules = [`
			`./configuration.nix`
containers/{emerald,fluorite}: fix dns 2026-03-18 03:14:59 +11:00			`{`
			`networking.useHostResolvConf = false;`
containers/fluorite: wrap dns as str 2026-06-17 00:12:01 +10:00			`networking.nameservers = [ "8.8.8.8" ];`
containers/{emerald,fluorite}: fix dns 2026-03-18 03:14:59 +11:00			`}`
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`];`
			`in {`
			`nixosConfigurations.container = nixpkgs.lib.nixosSystem {`
			`inherit modules;`
			`};`
containers/fluorite: fixup multiple hosts 2026-06-16 23:15:49 +10:00			`nixosModule = { config, ... }: let`
containers/fluorite: configure ssl cert correctly 2026-06-16 23:22:18 +10:00			`hostfqdn = "${config.networking.hostName}.lava.moe";`
			`altfqdn = "fluorite.${hostfqdn}";`
containers/fluorite: fixup multiple hosts 2026-06-16 23:15:49 +10:00			`# TODO: HACK`
			`listenAddr = if (config.networking.hostName == "alyssum")`
			`then [ "100.67.2.1" ]`
			`else [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];`
			`in {`
containers/fluorite: provide internet access 2026-03-18 02:25:27 +11:00			`networking.nat = {`
			`enable = true;`
			`enableIPv6 = true;`
			`internalInterfaces = [ "ve-${name}" ];`
			`};`
containers/fluorite: forward ports 2026-03-18 03:43:35 +11:00			`networking.firewall.allowedTCPPorts = [ 50300 ];`
containers/fluorite: provide internet access 2026-03-18 02:25:27 +11:00
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`services.nginx.virtualHosts."${fqdn}" = {`
			`useACMEHost = "lava.moe";`
			`forceSSL = true;`
containers/fluorite: uuuuuuuuuuuuuuuuuuuuuuu 2026-06-17 01:05:23 +10:00			`locations."/".proxyPass = "http://${clientTun}:5030";`
containers/fluorite: fixup multiple hosts 2026-06-16 23:15:49 +10:00			`listenAddresses = listenAddr;`
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`};`

containers/fluorite: configure ssl cert correctly 2026-06-16 23:22:18 +10:00			`security.acme.certs.${hostfqdn} = { extraDomainNames = [ "*.${hostfqdn}" ]; };`
containers/fluorite: fixup multiple hosts 2026-06-16 23:15:49 +10:00			`services.nginx.virtualHosts."${altfqdn}" = {`
containers/fluorite: configure ssl cert correctly 2026-06-16 23:22:18 +10:00			`useACMEHost = hostfqdn;`
services/soulbeet: init and add to alyssum 2026-06-16 23:02:43 +10:00			`forceSSL = true;`
containers/fluorite: uuuuuuuuuuuuuuuuuuuuuuu 2026-06-17 01:05:23 +10:00			`locations."/".proxyPass = "http://${clientTun}:5030";`
containers/fluorite: fixup multiple hosts 2026-06-16 23:15:49 +10:00			`listenAddresses = listenAddr;`
services/soulbeet: init and add to alyssum 2026-06-16 23:02:43 +10:00			`};`

containers/fluorite: ensure music folder exists 2026-03-18 02:12:41 +11:00			`systemd.tmpfiles.rules = [`
			`"d /persist/containers/${name} 755 root users"`
			`"d /persist/media/music 075 nobody users"`
			`];`
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`containers.${name} = {`
			`autoStart = true;`
			`privateNetwork = true;`
containers/fluorite: enable tun 2026-06-17 00:56:02 +10:00			`enableTun = true;`
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`hostAddress = host4;`
			`localAddress = client4;`
			`hostAddress6 = host;`
			`localAddress6 = client;`
			`# privateUsers = "pick";`
			`nixpkgs = nixpkgs;`
			`ephemeral = true;`
			`config = { imports = modules; };`
			`specialArgs = { inherit fqdn; };`

containers/fluorite: forward ports 2026-03-18 03:43:35 +11:00			`forwardPorts = [`
			`{`
			`containerPort = 50300;`
			`hostPort = 50300;`
			`protocol = "tcp";`
			`}`
			`];`

containers/fluorite: init 2026-03-18 01:52:34 +11:00			`bindMounts."persist" = {`
			`hostPath = "/persist/containers/${name}";`
			`mountPoint = "/persist";`
			`isReadOnly = false;`
			`};`
containers/fluorite: store all data 2026-03-18 21:39:02 +11:00			`bindMounts."music" = {`
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`hostPath = "/persist/media/music";`
containers/fluorite: store all data 2026-03-18 21:39:02 +11:00			`mountPoint = "/binds/music";`
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`isReadOnly = true;`
			`};`
containers/fluorite: setup env file 2026-03-18 02:09:54 +11:00			`bindMounts."slskd_env" = {`
			`hostPath = config.age.secrets.slskd_env.path;`
			`mountPoint = "/binds/slskd_env";`
			`isReadOnly = true;`
			`};`
containers/fluorite: socks5 via tailscale 2026-06-17 00:07:01 +10:00			`bindMounts."tailscale_auth" = {`
			`hostPath = config.age.secrets.tailscale_auth.path;`
			`mountPoint = "/binds/tailscale_auth";`
			`isReadOnly = true;`
			`};`
containers/fluorite: init 2026-03-18 01:52:34 +11:00			`# flake = "path:" + ./.;`
			`};`
			`};`
			`};`
			`}`