nixos/git: Fix container network access

Jack O'Sullivan 2023-12-09 17:19:18 +00:00
parent 54f628d3a5
commit 027cf2af6b
3 changed files with 28 additions and 15 deletions


@ -84,6 +84,7 @@ in
oci-containers = { oci-containers = {
backend = "podman"; backend = "podman";
}; };
containers.containersConf.settings.network.default_subnet = "10.88.0.0/16";
}; };
systemd.network = { systemd.network = {
@ -108,7 +109,13 @@ in
firewall = { firewall = {
tcp.allowed = [ 19999 ]; tcp.allowed = [ 19999 ];
trustedInterfaces = [ "oci" ]; extraRules = ''
table inet filter {
chain forward {
ip saddr 10.88.0.0/16 accept
}
}
'';
}; };
}; };
} }
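Review bot: The new forward rule `ip saddr 10.88.0.0/16 accept` matches on source address only, so any forwarded packet carrying an address from that range is accepted whatever interface it arrived on, whereas the removed `trustedInterfaces` entry was bound to an interface. Adding an ingress-interface match, e.g. `iifname "<container-bridge-ifname>" ip saddr 10.88.0.0/16 accept` (presumably the podman bridge; confirm the name on the host), restores that binding. The subnet is also written twice in this file — here and in `default_subnet` in the first hunk — so a single `let` binding would keep the firewall rule and the podman setting from drifting apart. The enclosing attribute set begins and ends outside this hunk.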


@ -6,7 +6,7 @@ let
cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON { cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
container = { container = {
# network = "colony"; network = "podman";
privileged = true; privileged = true;
}; };
cache = { cache = {
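Review bot: `network = "podman";` carries no comment, and the commented-out `# network = "colony";` that hinted at the previous choice is gone, so a reader cannot tell why the job containers now use podman's default network or what that network depends on. A one-line comment such as `# podman's default network; its subnet and the forward rule for it live in the containers host config` would record the coupling with the subnet pinned elsewhere in this commit. Note that `privileged = true;` stays in place, so these containers gain host-routed network access while still running privileged; whether that combination is acceptable for the jobs this runner accepts is worth recording next to the network choice.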


@ -1,5 +1,6 @@
{ lib, pkgs, config, assignments, allAssignments, ... }: { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (lib) mkMerge;
inherit (lib.my.c) pubDomain; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) prefixes; inherit (lib.my.c.colony) prefixes;
in in
@ -37,20 +38,25 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
gitea.preStart = gitea = mkMerge [
let (lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql")
repSec = "${pkgs.replace-secret}/bin/replace-secret"; {
confPath = "${config.services.gitea.customDir}/conf/app.ini"; preStart =
in let
'' repSec = "${pkgs.replace-secret}/bin/replace-secret";
gitea_extra_setup() { confPath = "${config.services.gitea.customDir}/conf/app.ini";
chmod u+w '${confPath}' in
${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}' ''
chmod u-w '${confPath}' gitea_extra_setup() {
} chmod u+w '${confPath}'
${repSec} '#miniosecret#' '${config.age.secrets."gitea/minio.txt".path}' '${confPath}'
chmod u-w '${confPath}'
}
(umask 027; gitea_extra_setup) (umask 027; gitea_extra_setup)
''; '';
}
];
}; };
}; };
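Review bot: The `mkMerge` list at `gitea = mkMerge [` combines `lib.my.systemdAwaitPostgres pkgs.postgresql "colony-psql"` with the `preStart` block, but nothing states what the helper contributes to the unit; if it also sets `preStart` (as a wait-for-postgres helper presumably would), the two scripts are concatenated in list order, and this layout relies on that ordering silently. A comment above the list, e.g. `# wait for colony-psql before start; preStart below then injects the MinIO secret into app.ini`, would make both the dependency and the intended ordering explicit. Separately, `gitea_extra_setup` lifts the write bit on `app.ini` before `replace-secret` and lowers it afterwards, so a failed substitution leaves the file writable; running `chmod u-w '${confPath}'` from a `trap ... EXIT` inside the function would close that window — this part of the body is unchanged by the commit, so it is an observation rather than a regression. The enclosing attribute set starts and ends outside the hunk.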