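# Two NixOS containers on a host bridge (`br-containers`, 10.200.100.0/24):
# `node1` runs a regtest bitcoind and mines a fixed number of blocks on first
# start; `node2` runs electrs against node1's RPC and whitelisted P2P port.
#
# Development / test setup only. Both containers generate their secrets with
# the deterministic stub below, so the bitcoind RPC password is the
# well-known string "aaaaaaaa". Keep this on regtest and keep the bridge
# subnet reachable from the host only.
{ pkgs, lib, ... }:
let
  ipPrefix = "10.200.100";
  numBitcoinBlocks = 100;
  # Replaces nix-bitcoin's random password generator with a fixed value so
  # that node2's locally generated secrets match node1's and it can
  # authenticate to node1's RPC without copying files between containers.
  # Because the password is public, RPC reachability below is limited to the
  # bridge subnet instead of 0.0.0.0/0.
  modules.deterministicSecrets = {
    nix-bitcoin.generateSecretsCmds._deterministicSecrets = ''
      makePasswordSecret() {
        [[ -e $1 ]] || echo aaaaaaaa > "$1"
      }
    '';
  };
  ip = "${pkgs.iproute}/bin/ip";
  iptables = "${pkgs.iptables}/bin/iptables";
  # Chain plus match/target of the NAT rule, shared by setup and teardown so
  # the `-C`/`-A`/`-D` invocations cannot drift apart.
  natRule = "POSTROUTING -s ${ipPrefix}.0/24 -j MASQUERADE";
in
{
  # Run bridge setup/teardown before/after container `node1`
  systemd.services."container@node1" = {
    preStart = ''
      ${ip} link add name br-containers type bridge
      ${ip} link set br-containers up
      ${ip} addr add ${ipPrefix}.1/24 dev br-containers
      # Enable WAN access for the container subnet. Check before appending so
      # that a restart after a failed teardown does not stack duplicate
      # MASQUERADE rules; postStop removes only one instance.
      ${iptables} -w -t nat -C ${natRule} 2>/dev/null \
        || ${iptables} -w -t nat -A ${natRule}
    '';
    # Best-effort cleanup: either step may legitimately fail if preStart
    # never completed, so neither failure should block the stop job.
    postStop = ''
      ${iptables} -w -t nat -D ${natRule} || true
      ${ip} link del br-containers || true
    '';
  };
  # Start container `node2` after the bridge setup has finished
  systemd.services."container@node2" = rec {
    requires = [ "[email protected]" ];
    after = requires;
  };
  containers = {
    node1 = {
      privateNetwork = true;
      localAddress = "${ipPrefix}.2/24";
      hostBridge = "br-containers";
      config = { config, ... }: let
        bitcoind = config.services.bitcoind;
      in {
        networking.defaultGateway.address = "${ipPrefix}.1";
        imports = [
          <nix-bitcoin/modules/modules.nix>
          modules.deterministicSecrets
        ];
        nix-bitcoin.generateSecrets = true;
        services.bitcoind = {
          enable = true;
          regtest = true;
          listen = true;
          listenWhitelisted = true; # Needed by electrs
          address = "0.0.0.0";
          rpc.address = "0.0.0.0";
          # The only RPC clients are node2 (${ipPrefix}.3) and the host
          # (${ipPrefix}.1); localhost is always permitted by bitcoind. With
          # a fixed, public RPC password, do not widen this to 0.0.0.0/0.
          rpc.allowip = [
            "${ipPrefix}.0/24"
          ];
        };
        # Create regtest blocks once, on first start. The wallet check keeps
        # this idempotent across restarts: only a missing `test` wallet
        # triggers wallet creation and mining.
        systemd.services.bitcoind.postStart = lib.mkAfter ''
          cli=${bitcoind.cli}/bin/bitcoin-cli
          if ! $cli listwallets | ${pkgs.jq}/bin/jq -e 'index("test")'; then
            $cli -named createwallet wallet_name=test load_on_startup=true
            address=$($cli -rpcwallet=test getnewaddress)
            $cli generatetoaddress ${toString numBitcoinBlocks} $address
          fi
        '';
        # All three ports are reachable from the bridge; the RPC port is
        # additionally gated by `rpc.allowip` above.
        networking.firewall.allowedTCPPorts = [
          bitcoind.port
          bitcoind.whitelistedPort
          bitcoind.rpc.port
        ];
      };
    };
    node2 = {
      privateNetwork = true;
      localAddress = "${ipPrefix}.3/24";
      hostBridge = "br-containers";
      config = { config, ... }: let
        inherit (config.services) electrs bitcoind;
      in {
        networking.defaultGateway.address = "${ipPrefix}.1";
        imports = [
          <nix-bitcoin/modules/modules.nix>
          modules.deterministicSecrets
          <nix-bitcoin/modules/presets/bitcoind-remote.nix>
        ];
        nix-bitcoin.generateSecrets = true;
        # Use bitcoind from container `node1`. The deterministic secrets
        # module above makes node2's generated RPC password equal node1's.
        services.bitcoind = {
          enable = true;
          regtest = true;
          address = "${ipPrefix}.2";
          rpc.address = "${ipPrefix}.2";
        };
        # electrs has no authentication of its own; binding 0.0.0.0 exposes it
        # to everything that can reach the bridge (host and other containers).
        services.electrs = {
          enable = true;
          address = "0.0.0.0";
        };
        networking.firewall.allowedTCPPorts = [
          electrs.port
        ];
      };
    };
  };
}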