Initial commit

flake.nix

@@ -0,0 +1,12 @@
+{
+  description = "Paris Fudo User Server.";
+
+  inputs.nixpkgs.url = "nixpkgs/nixos.23.11";
+
+  outputs = { self, nixpkgs, ... }: {
+    nixosModules = rec {
+      default = parisContainer;
+      parisContainer = { ... }: { imports = [ ./paris-container.nix ]; };
+    };
+  };
+}

paris-container.nix

@@ -0,0 +1,99 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+
+in {
+  options = {
+    enable = mkEnableOption "Enable Fudo Paris user server.";
+
+    state-directory = mkOption {
+      type = str;
+      description = "Directory at which to store server state.";
+    };
+
+    networking = {
+      interface = mkOption {
+        type = str;
+        description = "Parent host interface on which to listen.";
+      };
+
+      ipv4 = mkOption {
+        type = nullOr (submodule {
+          options = {
+            address = mkOption {
+              type = str;
+              description = "IP address.";
+            };
+            prefixLength = mkOption {
+              type = int;
+              description = "Significant bits in the address.";
+            };
+          };
+        });
+        default = null;
+      };
+
+      ipv6 = mkOption {
+        type = nullOr (submodule {
+          options = {
+            address = mkOption {
+              type = str;
+              description = "IP address.";
+            };
+            prefixLength = mkOption {
+              type = int;
+              description = "Significant bits in the address.";
+            };
+          };
+        });
+        default = null;
+      };
+    };
+  };
+
+  config = {
+    systemd.tmpfiles.rules =
+      [ "d ${cfg.state-directory}/home 0700 root root - -" ];
+
+    containers.paris = {
+      tmpfs = true;
+      macvlans = [ cfg.networking.interface ];
+      bindMounts = {
+        "/home" = {
+          hostPath = "${cfg.state-directory}/home";
+          isReadOnly = false;
+        };
+      };
+      additionalCapabilities = [ "CAP_NET_ADMIN" ];
+      config = {
+        nixpkgs.pkgs = pkgs;
+
+        environment.systemPackages = with pkgs; [ rtorrent ];
+
+        networking = {
+          defaultGateway = {
+            address = getSiteGatewayV4 siteName;
+            interface = "mv-${cfg.networking.interface}";
+          };
+          enableIPv6 = !isNull cfg.networking.ipv6;
+          nameservers = config.networking.nameservers;
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ 22 ] ++ cfg.ports;
+          };
+          interfaces."mv-${cfg.networking.interface}" = {
+            ipv4.addresses = optional (!isNull cfg.networking.ipv4) {
+              address = cfg.networking.ipv4.address;
+              prefixLength = cfg.networking.ipv4.prefixLength;
+            };
+            ipv6.addresses = optional (!isNull cfg.networking.ipv6) {
+              address = cfg.networking.ipv6.address;
+              prefixLength = cfg.networking.ipv6.prefixLength;
+            };
+          };
+        };
+      };
+    };
+  };
+}