use network bridge to make sure container access to intenet

2025-03-06 00:50:29 +08:00 · 2025-03-06 00:50:29 +08:00 · 7871e788aa
commit 7871e788aa
parent c84f295940
7 changed files with 51 additions and 41 deletions
--- a/assets/wallpaper/01.png
+++ b/assets/wallpaper/01.png
--- a/nixos/configurations/Cape/default.nix
+++ b/nixos/configurations/Cape/default.nix
@ -20,6 +20,7 @@
      hostName = "Cape";
    };
    users.deploy.enable = true;
+    containers.interface = "ens3";
    programs = {
      transfer-sh.enable = true;
      rustypaste = {
--- a/nixos/configurations/Cape/forgejo.nix
+++ b/nixos/configurations/Cape/forgejo.nix
@ -5,13 +5,12 @@
    domain = "forgejo.youthlic.fun";
    sshPort = 2222;
    httpPort = 8480;
-    interface = "ens3";
  };
  networking.firewall.allowedTCPPorts = [ 2222 ];
  services.caddy.virtualHosts = {
    "forgejo.${config.youthlic.programs.caddy.baseDomain}" = {
      extraConfig = ''
-        reverse_proxy 10.231.136.102:8480
+        reverse_proxy 192.168.111.101:8480
      '';
    };
  };
--- a/nixos/configurations/Cape/miniflux.nix
+++ b/nixos/configurations/Cape/miniflux.nix
@ -4,13 +4,12 @@
  };
  youthlic.containers.miniflux = {
    enable = true;
-    interface = "ens3";
    adminCredentialsFile = config.sops.secrets."miniflux".path;
  };
  services.caddy.virtualHosts = {
    "miniflux.${config.youthlic.programs.caddy.baseDomain}" = {
      extraConfig = ''
-        reverse_proxy 10.231.137.102:8485
+        reverse_proxy 192.168.111.102:8485
      '';
    };
  };
--- a/nixos/modules/containers/default.nix
+++ b/nixos/modules/containers/default.nix
@ -1,7 +1,46 @@
-{ ... }:
+{ config, lib, ... }:
+let
+  cfg = config.youthlic.containers;
+in
 {
  imports = [
    ./forgejo.nix
    ./miniflux.nix
  ];
+  options = {
+    youthlic.containers = {
+      enable = lib.mkEnableOption "containers";
+      interface = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+      };
+      bridgeName = lib.mkOption {
+        type = lib.types.nonEmptyStr;
+        default = "br0";
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking = {
+      bridges."${cfg.bridgeName}".interfaces = [
+      ];
+      interfaces."${cfg.bridgeName}" = {
+        useDHCP = true;
+        ipv4.addresses = [
+          {
+            address = "192.168.111.1";
+            prefixLength = 24;
+          }
+        ];
+      };
+      nat = {
+        enable = true;
+        internalInterfaces = [
+          cfg.bridgeName
+          "ve-+"
+          "vb-+"
+        ];
+        externalInterface = cfg.interface;
+      };
+    };
+  };
 }
--- a/nixos/modules/containers/forgejo.nix
+++ b/nixos/modules/containers/forgejo.nix
@ -18,25 +18,16 @@ in
        type = lib.types.port;
        default = 8480;
      };
-      interface = lib.mkOption {
-        type = lib.types.nonEmptyStr;
-        example = "ens3";
-      };
    };
  };
  config = lib.mkIf cfg.enable {
-    networking.nat = {
-      enable = true;
-      internalInterfaces = [ "ve-+" ];
-      externalInterface = cfg.interface;
-      enableIPv6 = true;
-    };
+    youthlic.containers.enable = true;
    containers."forgejo" = {
      ephemeral = true;
      autoStart = true;
      privateNetwork = true;
-      hostAddress = "10.231.136.1";
-      localAddress = "10.231.136.102";
+      hostBridge = "${config.youthlic.containers.bridgeName}";
+      localAddress = "192.168.111.101/24";
      bindMounts = {
        "/var/lib/forgejo" = {
          hostPath = "/mnt/containers/forgejo/state";
@ -99,6 +90,7 @@ in
          };

          networking = {
+            defaultGateway = "192.168.111.1";
            firewall = {
              enable = true;
              allowedTCPPorts = [
--- a/nixos/modules/containers/miniflux.nix
+++ b/nixos/modules/containers/miniflux.nix
@ -9,25 +9,16 @@ in
      adminCredentialsFile = lib.mkOption {
        type = lib.types.nonEmptyStr;
      };
-      interface = lib.mkOption {
-        type = lib.types.nonEmptyStr;
-        example = "ens3";
-      };
    };
  };
  config = lib.mkIf cfg.enable {
-    networking.nat = {
-      enable = true;
-      internalInterfaces = [ "ve-+" ];
-      externalInterface = cfg.interface;
-      enableIPv6 = true;
-    };
+    youthlic.containers.enable = true;
    containers."miniflux" = {
      ephemeral = true;
      autoStart = true;
      privateNetwork = true;
-      hostAddress = "10.231.137.1";
-      localAddress = "10.231.137.102";
+      hostBridge = "${config.youthlic.containers.bridgeName}";
+      localAddress = "192.168.111.102/24";
      bindMounts = {
        "/var/lib/miniflux" = {
          hostPath = "/mnt/containers/miniflux/state";
@ -41,18 +32,6 @@ in
          isReadOnly = true;
        };
      };
-      forwardPorts = [
-        {
-          containerPort = 8485;
-          hostPort = 8485;
-          protocol = "tcp";
-        }
-        {
-          containerPort = 8485;
-          hostPort = 8485;
-          protocol = "udp";
-        }
-      ];

      config =
        { lib, ... }:
@ -92,6 +71,7 @@ in
          };

          networking = {
+            defaultGateway = "192.168.111.1";
            firewall = {
              enable = true;
              allowedTCPPorts = [ 8485 ];