Proxy requests to an oci-container's network through nginx

scott · November 13, 2023, 11:36am

Basically I want to do something like

{config, ...}: let ip = config.virtualization.oci-containers.containers.some-service.networks.default.IPAddress
in {
  services.nginx.virtualHosts."some.domain".locations."/".proxyPass = "http://${ip}:8080"
}

is anything resembling this possible?

sorki · November 13, 2023, 12:38pm

Hi!

well the oci-containers are opaque from the point of view of the rest of the configuration - they are just images that are configured to run automatically via either podman or docker runtime.

Something like this should be possible with (nixos-)containers, which use the same configuration and NixOS modules as the host system.

Looking at my older setup - the way to do this is to set i.e. ports = [ "8000:80" ]; and then proxy to 127.0.0.1:8000. Let me know if a full example would help.

scott · November 21, 2023, 11:22am

The disadvantage of this approach (that, ideally, I’d like to avoid) is that this approach flattens all services on a host into a single network. My usual pattern of configuration involves a lot of network segmentation. You say this could work by utilizing NixOS (nspawn) containers – can you embed an OCI container inside of a Nix container for a similar effect?

For clarity, the effect I’m trying to elicit is something along these lines

        internet
           |
         proxy
           |
   external network      internal network
           |                    |
      some-service -------------'------------ database

sorki · November 28, 2023, 11:54am

I think so! You can embed NixOS containers into NixOS containers (ad infinitum) https://github.com/NixOS/nixpkgs/blob/024e4447a42868b4c8f3ac8b3e6a2da83c682de1/nixos/tests/containers-nested.nix and I was running podman inside LXC before, so it might just work (but I haven’t tried). You can try and if it works possibly contribute a similar test to nixpkgs to be sure it won’t ever break.

scott · November 28, 2023, 12:13pm

I’m not sure I understand this correctly…but would that create a separate Podman instance for each service?

sorki · November 30, 2023, 9:53am

Yes, the mechanism used by Docker, Podman, LXC or NixOS containers is pretty much the same - Linux namespaces and you can nest these, so if you run two NixOS containers, each can have a separate Podman instance (or Docker daemon) and even a private network.