containers/citrine: init

2026-03-16 00:48:51 +11:00 · 2026-03-16 00:48:51 +11:00 · 36f214f2a4
commit 36f214f2a4
parent 249942280d
6 changed files with 133 additions and 5 deletions
--- a/containers/citrine/configuration.nix
+++ b/containers/citrine/configuration.nix
@ -0,0 +1,19 @@
+{ ... }: {
+  system.stateVersion = "25.11";
+  networking.firewall.allowedTCPPorts = [ 3000 ];
+  networking.firewall.allowedUDPPorts = [ 3000 ];
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "garden.lava.moe";
+        ROOT_URL = "https://garden.lava.moe/";
+        HTTP_PORT = 3000;
+      };
+      service.DISABLE_REGISTRATION = false;
+    };
+    stateDir = "/persist/forgejo";
+  };
+}
--- a/containers/citrine/flake.lock
+++ b/containers/citrine/flake.lock
@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1773282481,
+        "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/containers/citrine/flake.nix
+++ b/containers/citrine/flake.nix
@ -0,0 +1,48 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  };
+  outputs = { nixpkgs, ... }: {
+    nixosConfigurations.container = nixpkgs.lib.nixosSystem {
+      modules = [ ./configuration.nix ];
+    };
+    nixosModule = { ... }:
+    let
+      name = "citrine";
+      subnet = "3";
+    in {
+      # networking.nat = {
+      #   enable = true;
+      #   enableIPv6 = true;
+      #   internalInterfaces = [ "ve-${name}" ];
+      # };
+
+      services.nginx.virtualHosts."garden.lava.moe" = {
+        useACMEHost = "lava.moe";
+        forceSSL = true;
+        locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:3000";
+      };
+
+      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
+      containers.${name} = {
+        autoStart = true;
+        privateNetwork = true;
+        hostAddress = "10.30.${subnet}.1";
+        localAddress = "10.30.${subnet}.2";
+        hostAddress6 = "fd0d:1::${subnet}:1";
+        localAddress6 = "fd0d:1::${subnet}:2";
+        # privateUsers = "pick";
+        nixpkgs = nixpkgs;
+        ephemeral = true;
+        config = { imports = [ ./configuration.nix ]; };
+
+        bindMounts."persist" = {
+          hostPath = "/persist/containers/${name}";
+          mountPoint = "/persist";
+          isReadOnly = false;
+        };
+        # flake = "path:" + ./.;
+      };
+    };
+  };
+}