containers/amethyst: expose under local nginx

2026-03-15 20:52:24 +11:00 · 2026-03-15 20:52:24 +11:00 · a9e9ae41ac
commit a9e9ae41ac
parent dfd00aad38
2 changed files with 5 additions and 68 deletions
--- a/containers/amethyst/flake.nix
+++ b/containers/amethyst/flake.nix
@ -17,6 +17,11 @@
        internalInterfaces = [ "ve-+" ];
      };

+      services.nginx.virtualHosts."amethyst.local.lava.moe" = {
+        locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
+        listenAddresses = [ "10.0.0.0/24" "fd0d::/16" ];
+      };
+
      systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
      containers.${name} = {
        autoStart = true;
--- a/hosts/dandelion/transmission-container.nix
+++ b/hosts/dandelion/transmission-container.nix
@ -1,68 +0,0 @@
-{ lib, modules, pkgs, gcSecrets, ... }: {
-  networking.nat = {
-    enable = true;
-    internalInterfaces = [ "ve-+" ];
-    externalInterface = "enp0s6";
-  };
-
-  networking.firewall = {
-    extraCommands = ''
-        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE
-    '';
-    extraStopCommands = ''
-        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE || true
-    '';
-  };
-
-  services.nginx.virtualHosts."tr.dandelion.gw.lava.moe" = {
-    locations."/".proxyPass = "http://10.25.0.11:9091";
-  };
-
-  containers.transmission = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = "10.25.0.10";
-    localAddress = "10.25.0.11";
-    bindMounts."vpn" = {
-      hostPath = "/persist/aus.conf";
-      mountPoint = "/vpn.conf";
-      isReadOnly = true;
-    };
-    bindMounts."transmission" = {
-      hostPath = "/persist/transmission";
-      mountPoint = "/persist/transmission";
-      isReadOnly = false;
-    };
-    config = {
-      system.stateVersion = "23.11";
-      networking.wg-quick.interfaces.wg0 = {
-        configFile = "/vpn.conf";
-        preUp = ''
-          # Try to access the DNS for up to 300s
-          for i in {1..60}; do
-            ${pkgs.iputils}/bin/ping -c1 'google.com' && break
-            echo "Attempt $i: DNS still not available"
-            sleep 5s
-          done
-        '';
-      };
-
-      networking.firewall.enable = false;
-      # https://github.com/NixOS/nixpkgs/issues/258793
-      systemd.services.transmission.serviceConfig = {
-          BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
-          RootDirectoryStartOnly = lib.mkForce false;
-          RootDirectory = lib.mkForce "";
-          PrivateMounts = lib.mkForce false;
-          PrivateUsers = lib.mkForce false;
-      };
-      imports = [ modules.services.transmission ];
-      services.transmission.settings = {
-        rpc-host-whitelist-enabled = false;
-        rpc-whitelist = lib.mkForce "10.100.0.*,10.0.0.*,10.25.0.*,192.168.100.*";
-        rpc-username = gcSecrets.transmission.username;
-        rpc-password = gcSecrets.transmission.password;
-      };
-    };
-  };
-}