Proxy requests to an oci-container's network through nginx

Basically I want to do something like

{ config, ... }:
let
  # Wished-for attribute path: oci-containers declares no such option today,
  # and the NixOS option namespace is spelled "virtualisation".
  ip = config.virtualisation.oci-containers.containers.some-service.networks.default.IPAddress;
in {
  services.nginx.virtualHosts."some.domain".locations."/".proxyPass = "http://${ip}:8080";
}

Is anything resembling this possible?

Hi!

Well, the oci-containers are opaque from the point of view of the rest of the configuration: they are just images that are configured to run automatically via either the podman or docker runtime.

Something like this should be possible with (nixos-)containers, which use the same configuration and NixOS modules as the host system.

Looking at my older setup, the way to do this is to set, e.g., ports = [ "8000:80" ]; and then proxy to 127.0.0.1:8000. Let me know if a full example would help.
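A full version of the ports approach from the reply above, as an added example that is not from the thread. The image, host port 8000, domain and ACME e-mail are placeholders; the one point worth copying is binding the published port to 127.0.0.1, so that only the reverse proxy can reach the container.

```nix
# Added example (not from the thread). Image, port, domain and e-mail are placeholders.
{ config, pkgs, ... }:

{
  virtualisation.oci-containers = {
    backend = "podman";  # or "docker"
    containers.some-service = {
      image = "docker.io/library/nginx:1.25";  # placeholder image
      # Bind the published port to loopback. A bare "8000:80" publishes on
      # 0.0.0.0, and the container runtime adds its own NAT rules, so the
      # service would be reachable from outside the host even when
      # networking.firewall does not open port 8000.
      ports = [ "127.0.0.1:8000:80" ];
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;  # forwards Host, X-Real-IP, X-Forwarded-*
    virtualHosts."some.domain" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://127.0.0.1:8000";
    };
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@some.domain";  # placeholder

  # Only the proxy is exposed; the container port stays on loopback.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

Check the result with `ss -ltnp | grep 8000`: the listener should show `127.0.0.1:8000`, not `0.0.0.0:8000` or `*:8000`.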

The disadvantage of this approach (one that, ideally, I’d like to avoid) is that it flattens all services on a host into a single network. My usual pattern of configuration involves a lot of network segmentation. You say this could work by utilizing NixOS (nspawn) containers; can you embed an OCI container inside of a Nix container for a similar effect?

For clarity, the effect I’m trying to elicit is something along these lines

        internet
           |
         proxy
           |
   external network      internal network
           |                    |
      some-service -------------'------------ database

I think so! You can embed NixOS containers into NixOS containers (ad infinitum), see https://github.com/NixOS/nixpkgs/blob/024e4447a42868b4c8f3ac8b3e6a2da83c682de1/nixos/tests/containers-nested.nix, and I was running podman inside LXC before, so it might just work (but I haven’t tried). You can try, and if it works, possibly contribute a similar test to nixpkgs to be sure it won’t ever break.

I’m not sure I understand this correctly, but would that create a separate Podman instance for each service?

Yes, the mechanism used by Docker, Podman, LXC or NixOS containers is pretty much the same: Linux namespaces. You can nest these, so if you run two NixOS containers, each can have a separate Podman instance (or Docker daemon) and even a private network.
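The layout the thread ends on, written out as an added example (not from the thread, and untested, exactly as the last replies say): one NixOS (nspawn) container with a private network and its own podman instance, proxied by nginx on the host, plus a second veth on an isolated bridge for the internal link to a database container. Addresses, bridge name, image and domain are placeholders, and whether podman runs unmodified inside a NixOS container may need extra nspawn settings. It also shows the thing the opening post wanted: because NixOS containers declare their addresses as options, the proxy target can be read back from `config.containers.<name>.localAddress`.

```nix
# Added example (not from the thread, untested). Addresses, bridge, image and domain
# are placeholders; running podman inside a NixOS container may need extra settings.
{ config, pkgs, ... }:

{
  # Isolated L2 segment for the internal network: no host IP, no uplink.
  networking.bridges.br-internal.interfaces = [ ];

  containers.some-service = {
    autoStart = true;
    privateNetwork = true;          # own network namespace, one veth to the host
    hostAddress = "10.100.0.1";     # host side of the external veth (placeholder)
    localAddress = "10.100.0.2";    # container side (placeholder)

    # Second link: joins br-internal, where the database container also lives.
    extraVeths.internal = {
      hostBridge = "br-internal";
      localAddress = "10.200.0.2";  # placeholder
    };

    config = { config, pkgs, ... }: {
      virtualisation.oci-containers = {
        backend = "podman";         # a podman instance private to this container
        containers.app = {
          image = "docker.io/library/nginx:1.25";  # placeholder image
          # Published only on the nspawn container's interfaces (veths), so the
          # host proxy and br-internal peers are the only possible clients.
          ports = [ "8080:80" ];
        };
      };
      networking.firewall.allowedTCPPorts = [ 8080 ];
      system.stateVersion = "24.05";
    };
  };

  # The database would be a second container declared the same way, with only
  # extraVeths.internal on br-internal (e.g. 10.200.0.3) and no external veth.

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts."some.domain".locations."/".proxyPass =
      "http://${config.containers.some-service.localAddress}:8080";
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

Each nspawn container here gets its own network namespace and its own podman, so two services never share a podman network or a host port. Traffic between some-service and the database stays on br-internal, and the only path from the internet is host nginx to 10.100.0.2:8080.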