nixos: Initial jackflix container

nixos/boxes/colony/vms/shill/containers/default.nix

@@ -4,5 +4,6 @@
     ./vaultwarden.nix
     ./colony-psql.nix
     ./chatterbox.nix
+    ./jackflix
   ];
 }

nixos/boxes/colony/vms/shill/containers/jackflix/default.nix

@@ -0,0 +1,46 @@
+{ lib, ... }: {
+  nixos.systems.jackflix = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "jackflix-ctr";
+        domain = lib.my.colony.domain;
+        ipv4.address = "${lib.my.colony.start.ctrs.v4}6";
+        ipv6 = {
+          iid = "::6";
+          address = "${lib.my.colony.start.ctrs.v6}6";
+        };
+      };
+    };
+
+    configuration = { lib, pkgs, config, ... }:
+    let
+      inherit (lib) mkMerge mkIf;
+    in
+    {
+      imports = [ ./networking.nix ];
+
+      config = mkMerge [
+        {
+          my = {
+            deploy.enable = false;
+            server.enable = true;
+
+            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU";
+            };
+          };
+        }
+        (mkIf config.my.build.isDevVM {
+          virtualisation = {
+            forwardPorts = [
+              { from = "host"; host.port = 8080; guest.port = 80; }
+            ];
+          };
+        })
+      ];
+    };
+  };
+}

nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix

@@ -0,0 +1,109 @@
+{ lib, pkgs, config, assignments, ... }:
+let
+  inherit (lib) mkMerge;
+  inherit (lib.my) networkdAssignment;
+
+  wg = {
+    keyFile = "jackflix-wg-privkey.txt";
+    fwMark = 42;
+    routeTable = 51820;
+  };
+in
+{
+  config = {
+    my = {
+      secrets = {
+        files."${wg.keyFile}" = {
+          group = "systemd-network";
+          mode = "440";
+        };
+      };
+
+      firewall = {
+        tcp.allowed = [ ];
+      };
+    };
+
+    environment.systemPackages = with pkgs; [
+      wireguard-tools
+    ];
+
+    systemd = {
+      network = {
+        netdevs."30-vpn" = with wg; {
+          netdevConfig = {
+            Name = "vpn";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = config.age.secrets."${keyFile}".path;
+            FirewallMark = fwMark;
+            RouteTable = routeTable;
+          };
+          wireguardPeers = [
+            {
+              # mlvd-de32
+              wireguardPeerConfig = {
+                Endpoint = "146.70.107.194:51820";
+                PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc=";
+                AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+              };
+            }
+          ];
+        };
+
+        networks = {
+          "80-container-host0" = mkMerge [
+            (networkdAssignment "host0" assignments.internal)
+            {
+              networkConfig.DNSDefaultRoute = false;
+            }
+          ];
+          "90-vpn" = with wg; {
+            matchConfig.Name = "vpn";
+            address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ];
+            dns = [ "10.64.0.1" ];
+            routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
+              {
+                Family = "both";
+                SuppressPrefixLength = 0;
+                Table = "main";
+                Priority = 100;
+              }
+
+              {
+                From = lib.my.colony.prefixes.all.v4;
+                Table = "main";
+                Priority = 100;
+              }
+              {
+                To = lib.my.colony.prefixes.all.v4;
+                Table = "main";
+                Priority = 100;
+              }
+
+              {
+                From = lib.my.colony.prefixes.all.v6;
+                Table = "main";
+                Priority = 100;
+              }
+              {
+                To = lib.my.colony.prefixes.all.v6;
+                Table = "main";
+                Priority = 100;
+              }
+
+              {
+                Family = "both";
+                InvertRule = true;
+                FirewallMark = fwMark;
+                Table = routeTable;
+                Priority = 110;
+              }
+            ];
+          };
+        };
+      };
+    };
+  };
+}

nixos/boxes/colony/vms/shill/default.nix

@@ -30,7 +30,7 @@
     configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
       let
         inherit (builtins) mapAttrs;
-        inherit (lib) mkIf mkMerge mkForce recursiveUpdate;
+        inherit (lib) mkIf mkMerge mkForce;
         inherit (lib.my) networkdAssignment;
       in
       {
@@ -53,6 +53,10 @@
                 fsType = "ext4";
                 neededForBoot = true;
               };
+              "/mnt/media" = {
+                device = "/dev/disk/by-label/media";
+                fsType = "ext4";
+              };
             };
 
             systemd.network = {
@@ -98,14 +102,26 @@
                 trustedInterfaces = [ "vms" "ctrs" ];
               };
 
-              containers.instances = mapAttrs (_: c: recursiveUpdate c {
-                networking.bridge = "ctrs";
-              }) {
-                middleman = {};
-                vaultwarden = {};
-                colony-psql = {};
-                chatterbox = {};
-              };
+              containers.instances =
+              let
+                instances = {
+                  middleman = {};
+                  vaultwarden = {};
+                  colony-psql = {};
+                  chatterbox = {};
+                  jackflix = {
+                    bindMounts = {
+                      "/mnt/media".readOnly = false;
+                    };
+                  };
+                };
+              in
+              mkMerge [
+                instances
+                (mapAttrs (n: i: {
+                  networking.bridge = "ctrs";
+                }) instances)
+              ];
             };
           }
         ];