nixos/git: Fix container network access

2023-12-09 17:19:18 +00:00
parent 54f628d3a5
commit 027cf2af6b
3 changed files with 28 additions and 15 deletions
--- a/nixos/boxes/colony/vms/git/default.nix
+++ b/nixos/boxes/colony/vms/git/default.nix
@@ -84,6 +84,7 @@ in
              oci-containers = {
                backend = "podman";
              };
+              containers.containersConf.settings.network.default_subnet = "10.88.0.0/16";
            };

            systemd.network = {
@@ -108,7 +109,13 @@ in

              firewall = {
                tcp.allowed = [ 19999 ];
-                trustedInterfaces = [ "oci" ];
+                extraRules = ''
+                  table inet filter {
+                    chain forward {
+                      ip saddr 10.88.0.0/16 accept
+                    }
+                  }
+                '';
              };
            };
          }
--- a/nixos/boxes/colony/vms/git/gitea-actions.nix
+++ b/nixos/boxes/colony/vms/git/gitea-actions.nix
@@ -6,7 +6,7 @@ let

  cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
    container = {
-      # network = "colony";
+      network = "podman";
      privileged = true;
    };
    cache = {
--- a/nixos/boxes/colony/vms/git/gitea.nix
+++ b/nixos/boxes/colony/vms/git/gitea.nix
@@ -1,5 +1,6 @@
 { lib, pkgs, config, assignments, allAssignments, ... }:
 let
+  inherit (lib) mkMerge;
  inherit (lib.my.c) pubDomain;
  inherit (lib.my.c.colony) prefixes;
 in
@@ -37,20 +38,25 @@ in
          wantedBy = [ "multi-user.target" ];
        };

-        gitea.preStart =
-        let
-          repSec = "${pkgs.replace-secret}/bin/replace-secret";
-          confPath = "${config.services.gitea.customDir}/conf/app.ini";
-        in
-        ''
-          gitea_extra_setup() {
-            chmod u+w '${confPath}'
-            ${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}'
-            chmod u-w '${confPath}'
-          }
+        gitea = mkMerge [
+          (lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql")
+          {
+            preStart =
+            let
+              repSec = "${pkgs.replace-secret}/bin/replace-secret";
+              confPath = "${config.services.gitea.customDir}/conf/app.ini";
+            in
+            ''
+              gitea_extra_setup() {
+                chmod u+w '${confPath}'
+                ${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}'
+                chmod u-w '${confPath}'
+              }

-          (umask 027; gitea_extra_setup)
-        '';
+              (umask 027; gitea_extra_setup)
+            '';
+          }
+        ];
      };
    };