Hi,
I’m having an issue with my Git-Crypt based secrets. It’s been working fine everywhere, except when I attempt to import a module it into a container.
Any idea how I can do this? Feels a bit like I’m bashing my head against a wall at the moment.
Thanks,
wireguard.nix
{ inputs, outputs, config, pkgs, lib, secrets, ... }:
let
hostName = "${config.networking.hostName}";
keySource = "../secrets/wireguard/${hostName}.key";
addressIP = "${secrets.${hostName}.wireguard.addressIP}";
addressDNS = "${secrets.${hostName}.wireguard.addressDNS}";
publicKey = "${secrets.${hostName}.wireguard.publicKey}";
serverIP = "${secrets.${hostName}.wireguard.serverIP}";
port = "${secrets.${hostName}.wireguard.port}";
in
{
environment.etc = {
wgKey.source = "${keySource}";
};
networking.wg-quick.interfaces = {
wg0 = {
# IP address of this machine in the *tunnel network*
address = [ "${addressIP}" ];
dns = [ "${addressDNS}" ];
autostart = true;
listenPort = "${port}";
privateKeyFile = "/etc/wgKey";
peers = [{
publicKey = "${publicKey}";
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "${serverIP}:${port}";
persistentKeepalive = 25;
}];
};
};
}
transmisson.nix
{serverName}: { inputs, outputs, config, pkgs, lib, secrets, ... }:
let
hostname = "transmission";
mac = "${secrets.${serverName}.containers.${hostname}.mac}";
in
{
containers."${hostname}" = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
# Filesystem mount points
bindMounts = {
"/var/lib/transmission" = {
hostPath = "/home/container/${hostname}";
isReadOnly = false;
};
"/var/lib/transmission/Downloads" = {
hostPath = "/home/media/Downloads";
isReadOnly = false;
};
"/var/lib/transmission/.incomplete" = {
hostPath = "/home/media/Downloads/.incomplete";
isReadOnly = false;
};
};
config = { inputs, outputs, config, pkgs, lib, secrets, ... }: {
system.stateVersion = "24.05";
imports = [
../../modules/wireguard.nix
];
networking = {
hostName = "${hostname}";
networkmanager.enable = true;
# networkmanager.ethernet.macAddress = "${secrets.${serverName}.containers.${hostname}.mac}";
networkmanager.ethernet.macAddress = "${mac}";
firewall = {
enable = true;
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
# Fix for transmission failing to start
# https://github.com/NixOS/nixpkgs/issues/258793
systemd.services.transmission.serviceConfig = {
BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
RootDirectoryStartOnly = lib.mkForce false;
RootDirectory = lib.mkForce "";
};
# Add service definitions here.
services.transmission = {
enable = true;
openRPCPort = true;
openPeerPorts = true;
settings = {
rpc-host-whitelist = "${hostname}.fair";
rpc-bind-address = "0.0.0.0";
rpc-whitelist-enabled = false;
download-dir = "/var/lib/transmission/Downloads";
incomplete-dir = "/var/lib/transmission/.incomplete";
umask = 2;
};
};
};
};
}