Add new nixos module with configurable container

2024-01-14 17:30:33 -06:00 · 2024-01-14 17:30:33 -06:00 · 8a9f04dadc
commit 8a9f04dadc
parent 6a94abbc10
2 changed files with 113 additions and 2 deletions
--- a/modules/sneedstr.nix
+++ b/modules/sneedstr.nix
@ -0,0 +1,105 @@
+{ inputs, config, pkgs, lib, ... }:
+with lib;
+let
+  # Define an option to enable/disable the flake
+  cfg = config.services.sneedstr;
+  DB_PATH = "/var/sneedstr";
+
+in {
+  options.services.sneedstr = {
+    enable = mkEnableOption "Sneedstr Nostr relay";
+    host = mkOption {
+      type = types.nullOr types.str;
+      default = "";
+      description = ''
+        domain from which the sneedstr will be acessible.
+      '';
+    };
+    sslEnable = mkEnableOption "Whether to enable ACME SSL for nginx proxy";
+    hostAddress = mkOption {
+      type = types.nullOr types.str;
+      default = "192.168.100.12";
+      description = ''
+        Host machine ip address for nixos-container.
+      '';
+    };
+    localAddress = mkOption {
+      type = types.nullOr types.str;
+      default = "192.168.100.13";
+      description = ''
+        Local nixos-container ip address
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    containers.sneedstr = {
+
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = cfg.hostAddress;
+      localAddress = cfg.localAddress;
+      # hostAddress6 = "fc00::3";
+      # localAddress6 = "fc00::4";
+
+      ephemeral = true;
+
+      bindMounts = {
+        "${DB_PATH}" = {
+          hostPath = "/persist${DB_PATH}";
+          isReadOnly = false;
+        };
+      };
+
+      config = { config, pkgs, packages, ... }: {
+        systemd.services.sneedstr = {
+          enable = true;
+          description = "Sneedstr Nostr relay";
+          environment = { DATABASE_URL = "${DB_PATH}/sneedstr.db"; };
+          startLimitBurst = 1;
+          startLimitIntervalSec = 10;
+          unitConfig = {
+            Type = "simple";
+            # ...
+          };
+          serviceConfig = {
+            ExecStart =
+            "${inputs.sneedstr.packages.x86_64-linux.default}/bin/sneedstr";
+          };
+          wantedBy = [ "multi-user.target" ];
+        };
+
+        system.stateVersion = "23.11";
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ 8080 8085 ];
+          };
+          # Use systemd-resolved inside the container
+          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+          useHostResolvConf = lib.mkForce true;
+        };
+
+        environment.etc."resolv.conf".text = ''
+          nameserver 192.168.122.1
+          nameserver 1.1.1.1
+          nameserver 9.9.9.9
+          options edns0
+        '';
+      };
+    };
+
+    services.nginx.virtualHosts = {
+      "${cfg.host}" = {
+        addSSL = mkIf cfg.sslEnable true;
+        enableACME = mkIf cfg.sslEnable true;
+
+        locations."/" = {
+          proxyPass = "http://${cfg.localAddress}:8080";
+          proxyWebsockets = true; # needed if you need to use WebSocket
+        };
+      };
+    };
+  };
+}