From 027cf2af6b70192bc997b74c3b0b92e7dcd3e265 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sat, 9 Dec 2023 17:19:18 +0000
Subject: [PATCH] nixos/git: Fix container network access

---
 nixos/boxes/colony/vms/git/default.nix | 9 +++++-
 nixos/boxes/colony/vms/git/gitea-actions.nix | 2 +-
 nixos/boxes/colony/vms/git/gitea.nix | 32 ++++++++++++--------
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/nixos/boxes/colony/vms/git/default.nix b/nixos/boxes/colony/vms/git/default.nix
index d0781ea..3b82f47 100644
--- a/nixos/boxes/colony/vms/git/default.nix
+++ b/nixos/boxes/colony/vms/git/default.nix
@@ -84,6 +84,7 @@ in
       oci-containers = {
         backend = "podman";
       };
+      containers.containersConf.settings.network.default_subnet = "10.88.0.0/16";
     };
 
     systemd.network = {
@@ -108,7 +109,13 @@ in
     firewall = {
       tcp.allowed = [ 19999 ];
 
-      trustedInterfaces = [ "oci" ];
+      extraRules = ''
+        table inet filter {
+          chain forward {
+            ip saddr 10.88.0.0/16 accept
+          }
+        }
+      '';
     };
   };
 }
diff --git a/nixos/boxes/colony/vms/git/gitea-actions.nix b/nixos/boxes/colony/vms/git/gitea-actions.nix
index 028f0ca..ba84b97 100644
--- a/nixos/boxes/colony/vms/git/gitea-actions.nix
+++ b/nixos/boxes/colony/vms/git/gitea-actions.nix
@@ -6,7 +6,7 @@ let
   cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
     container = {
-      # network = "colony";
+      network = "podman";
       privileged = true;
     };
     cache = {
diff --git a/nixos/boxes/colony/vms/git/gitea.nix b/nixos/boxes/colony/vms/git/gitea.nix
index 3f89323..3d2451f 100644
--- a/nixos/boxes/colony/vms/git/gitea.nix
+++ b/nixos/boxes/colony/vms/git/gitea.nix
@@ -1,5 +1,6 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
+  inherit (lib) mkMerge;
   inherit (lib.my.c) pubDomain;
   inherit (lib.my.c.colony) prefixes;
 in
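Review bot: The container subnet `10.88.0.0/16` is now spelled out twice in default.nix — here in `containers.containersConf.settings.network.default_subnet` and again in the `ip saddr` match of the firewall hunk below — so the next time the subnet is moved one copy can drift and forwarded container traffic would simply stop matching, with no error from either side. The file already has a `let … in` (the `in` in the hunk header), so bind it once, e.g. `containerSubnet = "10.88.0.0/16";`, and reference `${containerSubnet}` in both places. The enclosing attribute set starts and ends outside this hunk.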
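Review bot: The rule that replaces `trustedInterfaces = [ "oci" ]` accepts forwarded traffic on source address alone (`ip saddr 10.88.0.0/16 accept`), so unlike the interface-scoped setting it replaces, a packet with a container-range source is accepted whichever interface it arrived on; pinning it to the podman bridge, e.g. `iifname "<podman-bridge-name>" ip saddr 10.88.0.0/16 accept` (the bridge name is not visible in this diff), restores that bound unless the firewall module or rp_filter already rejects spoofed sources, which I cannot confirm from here. It also sets no destination limit, and gitea-actions.nix in this same commit moves the runner's job containers — which run with `privileged = true` — onto this default podman network, so CI jobs get forwarding to everything the VM can route to, including the internal prefixes this repo configures elsewhere; if only Internet egress is intended, an `ip daddr <internal-prefixes> drop` line ahead of the accept, or an `oifname` match, would keep that boundary explicit. Whether `extraRules` appends to the module's own `inet filter` table or declares a second table whose `forward` chain has no hook (and therefore never sees packets) depends on the firewall module, which is outside this diff and worth checking.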
@@ -37,20 +38,25 @@ in
       wantedBy = [ "multi-user.target" ];
     };
 
-    gitea.preStart =
-      let
-        repSec = "${pkgs.replace-secret}/bin/replace-secret";
-        confPath = "${config.services.gitea.customDir}/conf/app.ini";
-      in
-      ''
-        gitea_extra_setup() {
-          chmod u+w '${confPath}'
-          ${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}'
-          chmod u-w '${confPath}'
-        }
+    gitea = mkMerge [
+      (lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql")
+      {
+        preStart =
+          let
+            repSec = "${pkgs.replace-secret}/bin/replace-secret";
+            confPath = "${config.services.gitea.customDir}/conf/app.ini";
+          in
+          ''
+            gitea_extra_setup() {
+              chmod u+w '${confPath}'
+              ${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}'
+              chmod u-w '${confPath}'
+            }
 
-        (umask 027; gitea_extra_setup)
-      '';
+            (umask 027; gitea_extra_setup)
+          '';
+      }
+    ];
   };
 };
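Review bot: `gitea = mkMerge [ … ]` now folds `lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql"` into the service definition, but nothing in the file says why the service must wait on that particular instance; a one-line comment above the call, e.g. `# Do not start Gitea before the colony-psql instance is reachable`, would save the next reader a trip into lib.my. If that helper also defines `preStart` (its body is not visible here), `preStart` is a `lines`-typed option and the two script fragments would be concatenated rather than one overriding the other, so the order of the merged list matters and deserves a note too. The `preStart` body itself is only re-indented by this hunk; the enclosing `systemd.services` set starts outside it.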