From 9cabd6d3afb172f4c00aecfd49022a8bd0b04d0a Mon Sep 17 00:00:00 2001
From: niten <niten@fudo.org>
Date: Mon, 27 May 2024 17:30:16 -0700
Subject: [PATCH] Initial commit

---
 flake.nix           | 12 ++++++
 paris-container.nix | 99 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)
 create mode 100644 flake.nix
 create mode 100644 paris-container.nix

diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..6b431ec
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,12 @@
+{
+  description = "Paris Fudo User Server.";
+
+  inputs.nixpkgs.url = "nixpkgs/nixos.23.11";
+
+  outputs = { self, nixpkgs, ... }: {
+    nixosModules = rec {
+      default = parisContainer;
+      parisContainer = { ... }: { imports = [ ./paris-container.nix ]; };
+    };
+  };
+}
diff --git a/paris-container.nix b/paris-container.nix
new file mode 100644
index 0000000..9793a25
--- /dev/null
+++ b/paris-container.nix
@@ -0,0 +1,99 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+
+in {
+  options = {
+    enable = mkEnableOption "Enable Fudo Paris user server.";
+
+    state-directory = mkOption {
+      type = str;
+      description = "Directory at which to store server state.";
+    };
+
+    networking = {
+      interface = mkOption {
+        type = str;
+        description = "Parent host interface on which to listen.";
+      };
+
+      ipv4 = mkOption {
+        type = nullOr (submodule {
+          options = {
+            address = mkOption {
+              type = str;
+              description = "IP address.";
+            };
+            prefixLength = mkOption {
+              type = int;
+              description = "Significant bits in the address.";
+            };
+          };
+        });
+        default = null;
+      };
+
+      ipv6 = mkOption {
+        type = nullOr (submodule {
+          options = {
+            address = mkOption {
+              type = str;
+              description = "IP address.";
+            };
+            prefixLength = mkOption {
+              type = int;
+              description = "Significant bits in the address.";
+            };
+          };
+        });
+        default = null;
+      };
+    };
+  };
+
+  config = {
+    systemd.tmpfiles.rules =
+      [ "d ${cfg.state-directory}/home 0700 root root - -" ];
+
+    containers.paris = {
+      tmpfs = true;
+      macvlans = [ cfg.networking.interface ];
+      bindMounts = {
+        "/home" = {
+          hostPath = "${cfg.state-directory}/home";
+          isReadOnly = false;
+        };
+      };
+      additionalCapabilities = [ "CAP_NET_ADMIN" ];
+      config = {
+        nixpkgs.pkgs = pkgs;
+
+        environment.systemPackages = with pkgs; [ rtorrent ];
+
+        networking = {
+          defaultGateway = {
+            address = getSiteGatewayV4 siteName;
+            interface = "mv-${cfg.networking.interface}";
+          };
+          enableIPv6 = !isNull cfg.networking.ipv6;
+          nameservers = config.networking.nameservers;
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ 22 ] ++ cfg.ports;
+          };
+          interfaces."mv-${cfg.networking.interface}" = {
+            ipv4.addresses = optional (!isNull cfg.networking.ipv4) {
+              address = cfg.networking.ipv4.address;
+              prefixLength = cfg.networking.ipv4.prefixLength;
+            };
+            ipv6.addresses = optional (!isNull cfg.networking.ipv6) {
+              address = cfg.networking.ipv6.address;
+              prefixLength = cfg.networking.ipv6.prefixLength;
+            };
+          };
+        };
+      };
+    };
+  };
+}