use network bridge to make sure containers can access the internet

This commit is contained in:
ulic-youthlic 2025-03-06 00:50:29 +08:00
parent c84f295940
commit 7871e788aa
Signed by: youthlic
GPG key ID: 63E86C3C14A0D721
7 changed files with 51 additions and 41 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 133 B

After

Width:  |  Height:  |  Size: 11 MiB
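Review bot: This section adds an 11 MiB binary (the viewer shows it growing from 133 B) in a commit whose stated purpose is container networking, and the file name is not visible here. Confirm the blob is intentional and contains no secrets or runtime state (a database, a key, an image with embedded data), because binaries in a signed configuration repository cannot be reviewed line by line and stay in history after removal. If it is a generated artifact, it is better built at deploy time or fetched by hash than committed.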



@ -20,6 +20,7 @@
hostName = "Cape"; hostName = "Cape";
}; };
users.deploy.enable = true; users.deploy.enable = true;
containers.interface = "ens3";
programs = { programs = {
transfer-sh.enable = true; transfer-sh.enable = true;
rustypaste = { rustypaste = {


@ -5,13 +5,12 @@
domain = "forgejo.youthlic.fun"; domain = "forgejo.youthlic.fun";
sshPort = 2222; sshPort = 2222;
httpPort = 8480; httpPort = 8480;
interface = "ens3";
}; };
networking.firewall.allowedTCPPorts = [ 2222 ]; networking.firewall.allowedTCPPorts = [ 2222 ];
services.caddy.virtualHosts = { services.caddy.virtualHosts = {
"forgejo.${config.youthlic.programs.caddy.baseDomain}" = { "forgejo.${config.youthlic.programs.caddy.baseDomain}" = {
extraConfig = '' extraConfig = ''
reverse_proxy 10.231.136.102:8480 reverse_proxy 192.168.111.101:8480
''; '';
}; };
}; };
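Review bot: The new reverse_proxy target `192.168.111.101:8480` is a literal that must stay in sync with `localAddress = "192.168.111.101/24"` in the forgejo container module and with the `192.168.111.1/24` bridge declared in the shared containers module; a change in either silently breaks the proxy with no evaluation error. Consider exposing the container address as an option next to `httpPort` (for example `youthlic.containers.forgejo.address`) and writing `reverse_proxy ${config.youthlic.containers.forgejo.address}:${toString config.youthlic.containers.forgejo.httpPort}` here, so the host file has one source of truth. The miniflux host file has the same duplication with `192.168.111.102:8485`.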


@ -4,13 +4,12 @@
}; };
youthlic.containers.miniflux = { youthlic.containers.miniflux = {
enable = true; enable = true;
interface = "ens3";
adminCredentialsFile = config.sops.secrets."miniflux".path; adminCredentialsFile = config.sops.secrets."miniflux".path;
}; };
services.caddy.virtualHosts = { services.caddy.virtualHosts = {
"miniflux.${config.youthlic.programs.caddy.baseDomain}" = { "miniflux.${config.youthlic.programs.caddy.baseDomain}" = {
extraConfig = '' extraConfig = ''
reverse_proxy 10.231.137.102:8485 reverse_proxy 192.168.111.102:8485
''; '';
}; };
}; };


@ -1,7 +1,46 @@
{ ... }: { config, lib, ... }:
let
cfg = config.youthlic.containers;
in
{ {
imports = [ imports = [
./forgejo.nix ./forgejo.nix
./miniflux.nix ./miniflux.nix
]; ];
options = {
youthlic.containers = {
enable = lib.mkEnableOption "containers";
interface = lib.mkOption {
type = lib.types.nonEmptyStr;
};
bridgeName = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "br0";
};
};
};
config = lib.mkIf cfg.enable {
networking = {
bridges."${cfg.bridgeName}".interfaces = [
];
interfaces."${cfg.bridgeName}" = {
useDHCP = true;
ipv4.addresses = [
{
address = "192.168.111.1";
prefixLength = 24;
}
];
};
nat = {
enable = true;
internalInterfaces = [
cfg.bridgeName
"ve-+"
"vb-+"
];
externalInterface = cfg.interface;
};
};
};
} }
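Review bot: `useDHCP = true;` on `interfaces."${cfg.bridgeName}"` starts a DHCP client on an interface that already has a static address and whose only members are the container veths, so any container attached to the bridge could answer the request and push a default route or DNS servers to the host; it should be `useDHCP = false;`. The per-container `networking.nat` blocks this module replaces had `enableIPv6 = true;`, which the shared `nat` block drops — if IPv6 masquerading was relied on, add `enableIPv6 = true;` beside `externalInterface`. The `interface` option also lost the `example = "ens3";` the removed per-container options carried and has no `description`; adding `description = "Host uplink used as the NAT external interface for the container bridge.";` and the example would document what a host is expected to set.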


@ -18,25 +18,16 @@ in
type = lib.types.port; type = lib.types.port;
default = 8480; default = 8480;
}; };
interface = lib.mkOption {
type = lib.types.nonEmptyStr;
example = "ens3";
};
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.nat = { youthlic.containers.enable = true;
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = cfg.interface;
enableIPv6 = true;
};
containers."forgejo" = { containers."forgejo" = {
ephemeral = true; ephemeral = true;
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "10.231.136.1"; hostBridge = "${config.youthlic.containers.bridgeName}";
localAddress = "10.231.136.102"; localAddress = "192.168.111.101/24";
bindMounts = { bindMounts = {
"/var/lib/forgejo" = { "/var/lib/forgejo" = {
hostPath = "/mnt/containers/forgejo/state"; hostPath = "/mnt/containers/forgejo/state";
@ -99,6 +90,7 @@ in
}; };
networking = { networking = {
defaultGateway = "192.168.111.1";
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [
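Review bot: `hostBridge = "${config.youthlic.containers.bridgeName}";` wraps a value that is already a string in an interpolation; `hostBridge = config.youthlic.containers.bridgeName;` is the direct form and avoids a needless copy. Since both containers now attach to the same bridge (the miniflux module uses the same `hostBridge`), they share an L2 segment, so the container firewall enabled in the second hunk is now the only boundary between them as well as from the host; it is worth a comment there such as `# shared bridge: these ports are reachable from every container on it, not just the host`. The `containers."forgejo"` definition and its inner `networking` block both continue outside the hunk.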


@ -9,25 +9,16 @@ in
adminCredentialsFile = lib.mkOption { adminCredentialsFile = lib.mkOption {
type = lib.types.nonEmptyStr; type = lib.types.nonEmptyStr;
}; };
interface = lib.mkOption {
type = lib.types.nonEmptyStr;
example = "ens3";
};
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.nat = { youthlic.containers.enable = true;
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = cfg.interface;
enableIPv6 = true;
};
containers."miniflux" = { containers."miniflux" = {
ephemeral = true; ephemeral = true;
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "10.231.137.1"; hostBridge = "${config.youthlic.containers.bridgeName}";
localAddress = "10.231.137.102"; localAddress = "192.168.111.102/24";
bindMounts = { bindMounts = {
"/var/lib/miniflux" = { "/var/lib/miniflux" = {
hostPath = "/mnt/containers/miniflux/state"; hostPath = "/mnt/containers/miniflux/state";
@ -41,18 +32,6 @@ in
isReadOnly = true; isReadOnly = true;
}; };
}; };
forwardPorts = [
{
containerPort = 8485;
hostPort = 8485;
protocol = "tcp";
}
{
containerPort = 8485;
hostPort = 8485;
protocol = "udp";
}
];
config = config =
{ lib, ... }: { lib, ... }:
@ -92,6 +71,7 @@ in
}; };
networking = { networking = {
defaultGateway = "192.168.111.1";
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 8485 ]; allowedTCPPorts = [ 8485 ];
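Review bot: `defaultGateway = "192.168.111.1";` repeats the bridge address literal declared in the shared containers module, and the forgejo module repeats it again, so changing the bridge subnet requires editing three files. A `hostAddress` option in `youthlic.containers` (default `"192.168.111.1"`) consumed by the bridge definition and both containers as `defaultGateway = config.youthlic.containers.hostAddress;` would remove the drift. The removed `forwardPorts` for 8485 are consistent with the reverse proxy now reaching the container on the bridge, which is fine; the `containers."miniflux"` definition and its inner `networking` block continue outside the hunk.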