Add a11ywatch and related configurations for Podman and Nginx

- Introduced a new module for a11ywatch with Podman support, creating a bridge network and defining backend and frontend containers. - Configured Nginx to serve the a11ywatch application with SSL and ACME support. - Added user and group configurations for a11ywatch. - Created a systemd service to ensure the Podman network exists on boot. Implement Firefox Container Controller extension and host - Added a module for the Firefox Container Controller extension, allowing installation via Nix. - Created a native messaging host for the extension to communicate with the container controller. - Included CLI helpers to enqueue commands for showing and hiding containers. Enable fingerprint authentication in PAM - Configured fingerprint authentication for login, sudo, and swaylock services. Setup Raspberry Pi OS image creation script - Developed a script to create a read-only Raspberry Pi OS Lite image with Snapcast client. - Included configuration for Wi-Fi, hostname, and Snapcast server. - Implemented user and group setup for Snapcast client and ensured necessary services are enabled. Document Raspberry Pi Zero W setup instructions - Added detailed instructions for configuring Raspberry Pi OS on Zero W, including disabling unused services and setting up Snapcast client. Create test configuration script for NixOS - Implemented a script to perform dry-builds for NixOS configurations, allowing for easy validation of host configurations.
2025-05-29 00:10:07 +02:00
parent 8e52274edd
commit 53d73142ae
32 changed files with 1280 additions and 104 deletions
--- a/hosts/fw/modules/allywatch.nix
+++ b/hosts/fw/modules/allywatch.nix
@@ -0,0 +1,94 @@
+{ config, pkgs, lib, ... }:
+
+let
+  domain = "a11ywatch.cloonar.com";
+  confDir = "/var/lib/a11ywatch";
+
+  json = pkgs.formats.json { };
+in {
+  # 1) Enable Podman (daemonless, drop-in for docker)
+  virtualisation.podman.enable = true;                             # :contentReference[oaicite:0]{index=0}
+  virtualisation.podman.dockerCompat = true;                       # :contentReference[oaicite:1]{index=1}
+  virtualisation.podman.defaultNetwork.settings.dns_enabled = true;# :contentReference[oaicite:2]{index=2}
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:3000/";
+    };
+  };
+
+  environment.etc."containers/networks/a11ywatch-net.json" = {
+    source = json.generate "a11ywatch-net.json" ({
+      name = "a11ywatch-net";
+      id = "ccb4b7fb90d2df26db27ef0995765b04f52d318db752c9474b470c5ef4d7978d";
+      driver = "bridge";
+      network_interface = "podman1";
+      subnets = [
+        {
+          subnet = "10.89.0.0/24";
+          gateway = "10.89.0.1";
+        }
+      ];
+      ipv6_enabled = false;
+      internal = false;
+      dns_enabled = true;
+      ipam_options = {
+        driver = "host-local";
+      };
+    });
+  };
+
+  users.users.a11ywatch = {
+    isSystemUser = true;
+    group = "a11ywatch";
+    home = "/var/lib/a11ywatch";
+    createHome = true;
+  };
+  users.groups.a11ywatch = { };
+  users.groups.docker.members = [ "a11ywatch" ];
+
+  # 2) Create the bridge network on boot via a oneshot systemd service
+  systemd.services.a11ywatch-net = {
+    description = "Ensure a11ywatch-net Podman network exists";
+    wants      = [ "podman.service" ];
+    after      = [ "podman.service" ];
+    serviceConfig = {
+      Type             = "oneshot";
+      ExecStart        = ''
+        ${pkgs.podman}/bin/podman network inspect a11ywatch-net >/dev/null 2>&1 \
+          || ${pkgs.podman}/bin/podman network create a11ywatch-net
+      '';
+      RemainAfterExit  = true;
+    };
+    wantedBy = [
+      "multi-user.target"
+    ];
+  };
+
+  # 3) Declare your two containers using the podman backend
+  virtualisation.oci-containers = {
+    backend = "podman";  # :contentReference[oaicite:3]{index=3}
+    containers = {
+      a11ywatch-backend = {
+        image       = "docker.io/a11ywatch/a11ywatch:latest";
+        autoStart   = true;
+        ports       = [ "3280:3280" ];
+        volumes  = [ "${confDir}:/a11ywatch/conf" ];
+        environment = { SUPER_MODE = "true"; };
+        extraOptions = [ "--network=a11ywatch-net" ];
+      };
+      a11ywatch-frontend = {
+        image       = "docker.io/a11ywatch/web:latest";
+        autoStart   = true;
+        ports       = [ "3000:3000" ];
+        volumes  = [ "${confDir}:/a11ywatch/conf" ];
+        environment = { SUPER_MODE = "true"; };
+        extraOptions = [ 
+          "--network=a11ywatch-net"
+        ];
+      };
+    };
+  };
+}