cilly/flakes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

containers/amethyst: expose under local nginx

Browse source
This commit is contained in:
Cilly Leang 2026-03-15 20:52:24 +11:00
parent dfd00aad38
commit a9e9ae41ac
Signed by: cilly
GPG key ID: 6500251E087653C9
2 changed files with 5 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

5
containers/amethyst/flake.nix
View file

@ -17,6 +17,11 @@
internalInterfaces = [ "ve-+" ]; internalInterfaces = [ "ve-+" ];
}; };
services.nginx.virtualHosts."amethyst.local.lava.moe" = {
locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
listenAddresses = [ "10.0.0.0/24" "fd0d::/16" ];
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ]; systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = { containers.${name} = {
autoStart = true; autoStart = true;

68
hosts/dandelion/transmission-container.nix
View file

@ -1,68 +0,0 @@
{ lib, modules, pkgs, gcSecrets, ... }: {
networking.nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "enp0s6";
};
networking.firewall = {
extraCommands = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE
'';
extraStopCommands = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -d 10.25.0.11 -p tcp -m tcp --dport 9091 -j MASQUERADE || true
'';
};
services.nginx.virtualHosts."tr.dandelion.gw.lava.moe" = {
locations."/".proxyPass = "http://10.25.0.11:9091";
};
containers.transmission = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.25.0.10";
localAddress = "10.25.0.11";
bindMounts."vpn" = {
hostPath = "/persist/aus.conf";
mountPoint = "/vpn.conf";
isReadOnly = true;
};
bindMounts."transmission" = {
hostPath = "/persist/transmission";
mountPoint = "/persist/transmission";
isReadOnly = false;
};
config = {
system.stateVersion = "23.11";
networking.wg-quick.interfaces.wg0 = {
configFile = "/vpn.conf";
preUp = ''
# Try to access the DNS for up to 300s
for i in {1..60}; do
${pkgs.iputils}/bin/ping -c1 'google.com' && break
echo "Attempt $i: DNS still not available"
sleep 5s
done
'';
};
networking.firewall.enable = false;
# https://github.com/NixOS/nixpkgs/issues/258793
systemd.services.transmission.serviceConfig = {
BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
RootDirectoryStartOnly = lib.mkForce false;
RootDirectory = lib.mkForce "";
PrivateMounts = lib.mkForce false;
PrivateUsers = lib.mkForce false;
};
imports = [ modules.services.transmission ];
services.transmission.settings = {
rpc-host-whitelist-enabled = false;
rpc-whitelist = lib.mkForce "10.100.0.*,10.0.0.*,10.25.0.*,192.168.100.*";
rpc-username = gcSecrets.transmission.username;
rpc-password = gcSecrets.transmission.password;
};
};
};
}