Add initial nginx container

2022-05-31 21:25:51 +01:00
parent e79fd4234c
commit 11dbc01ba0
11 changed files with 111 additions and 24 deletions
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -216,7 +216,6 @@ in
          reload =
          # `switch-to-configuration test` switches config without trying to update bootloader
          ''
-            # TODO: This still breaks on first deploy over the dummy...
            [ -e "${system}"/bin/switch-to-configuration ] && \
              systemd-run --pipe --machine ${n} -- "${containerSystem}"/bin/switch-to-configuration test
          '';
--- a/nixos/modules/deploy-rs.nix
+++ b/nixos/modules/deploy-rs.nix
@@ -27,9 +27,15 @@ let
    name = "container-${n}";
    value = {
      path = pkgs.deploy-rs.lib.activate.custom ctrConfig.my.buildAs.container
-        ''
-          systemctl ${if c.hotReload then "reload" else "restart"} systemd-nspawn@${n}
-        '';
+        (if c.hotReload then ''
+          if systemctl show -p StatusText systemd-nspawn@${n} | grep -q "Dummy container"; then
+            action=restart
+          else
+            action=reload
+          fi
+
+          systemctl "$action" systemd-nspawn@${n}
+        '' else "systemctl restart systemd-nspawn@${n}");
      profilePath = "/nix/var/nix/profiles/per-container/${n}/system";

      user = "root";
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@@ -83,9 +83,11 @@ in
              table inet filter {
                chain wan-tcp {
                  ${concatMapStringsSep "\n    " (p: "tcp dport ${toString p} accept") openTCP}
+                  return
                }
                chain wan-udp {
                  ${concatMapStringsSep "\n    " (p: "udp dport ${toString p} accept") openUDP}
+                  return
                }

                chain wan {
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -113,6 +113,8 @@ in
          # Auto-generated (on activation?)
          "/root/.nix-channels"
          "/root/.nix-defexpr"
+
+          "/var/lib/logrotate.status"
        ];
        persistence.config = {
          # In impermanence the key in `environment.persistence.*` (aka name passed the attrsOf submodule) sets the
@@ -166,6 +168,9 @@ in
    (mkIf config.security.doas.enable {
      my.tmproot.unsaved.ignore = [ "/etc/doas.conf" ];
    })
+    (mkIf config.services.resolved.enable {
+      my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ];
+    })
    (mkIf config.my.build.isDevVM {
      my.tmproot.unsaved.ignore = [ "/nix" ];

@@ -220,9 +225,6 @@ in
        my.tmproot.persistence.config.files =
          concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys;
      })
-      (mkIf config.services.logrotate.enable {
-        my.tmproot.persistence.config.files = [ "/var/lib/logrotate.status" ];
-      })
      (mkIf config.my.build.isDevVM {
        fileSystems = mkVMOverride {
          # Hijack the "root" device for persistence in the VM