From ad4a358ba14ecc85a098a28b8ab1b6a542db48f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Mon, 3 Jul 2023 13:20:13 +0200
Subject: [PATCH] Fix concourse & caddy startup

---
 flake.lock | 51 +++++++++++++++++++++-----------
 flake.nix | 3 +-
 hosts/nougat-2/caddy.nix | 5 ++--
 hosts/nougat-2/concourse.nix | 25 +++++++++++++++-
 hosts/nougat-2/configuration.nix | 8 ++---
 hosts/nougat-2/nougat-2.nix | 4 ++-
 overlays/overrides.nix | 2 +-
 7 files changed, 71 insertions(+), 27 deletions(-)

diff --git a/flake.lock b/flake.lock
index 42d4f808..a32aaee6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -220,6 +220,38 @@
 "type": "github"
 }
 },
+ "fix-atomic-container-restarts": {
+ "locked": {
+ "lastModified": 1688325567,
+ "narHash": "sha256-7thz5UlbgR9LNWOoPKMtpchI8U1EQpj6p4FhIGe3ZRI=",
+ "owner": "pub-solar",
+ "repo": "nixpkgs",
+ "rev": "2a04ada27acb5a7401f8265e9d0a6db0f259cafb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "pub-solar",
+ "ref": "fix/atomic-container-restarts",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "fix-yubikey-agent": {
+ "locked": {
+ "lastModified": 1654372286,
+ "narHash": "sha256-z1WrQkL67Sosz1VnuKQLpzEkEl4ianeLpWJX8Q6bVQY=",
+ "owner": "pub-solar",
+ "repo": "nixpkgs",
+ "rev": "4995a873a796c54cc49e5dca9e1d20350eceec7b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "pub-solar",
+ "ref": "fix/use-latest-unstable-yubikey-agent",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -560,28 +592,14 @@
 "type": "github"
 }
 },
- "pub-solar": {
- "locked": {
- "lastModified": 1654372286,
- "narHash": "sha256-z1WrQkL67Sosz1VnuKQLpzEkEl4ianeLpWJX8Q6bVQY=",
- "owner": "pub-solar",
- "repo": "nixpkgs",
- "rev": "4995a873a796c54cc49e5dca9e1d20350eceec7b",
- "type": "github"
- },
- "original": {
- "owner": "pub-solar",
- "ref": "fix/use-latest-unstable-yubikey-agent",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "root": {
 "inputs": {
 "agenix": "agenix",
 "darwin": "darwin",
 "deploy": "deploy",
 "digga": "digga",
+ "fix-atomic-container-restarts": "fix-atomic-container-restarts",
+ "fix-yubikey-agent": "fix-yubikey-agent",
 "flake-compat": "flake-compat",
 "home": "home",
 "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
@@ -590,7 +608,6 @@
 "nixos": "nixos",
 "nixos-generators": "nixos-generators",
 "nixos-hardware": "nixos-hardware",
- "pub-solar": "pub-solar",
 "scan2paperless": "scan2paperless"
 }
 },
diff --git a/flake.nix b/flake.nix
index 7a9f725d..d62ed08a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,7 +41,8 @@
 keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixos";
 master.url = "github:nixos/nixpkgs/master";
- pub-solar.url = "github:pub-solar/nixpkgs/fix/use-latest-unstable-yubikey-agent";
+ fix-yubikey-agent.url = "github:pub-solar/nixpkgs/fix/use-latest-unstable-yubikey-agent";
+ fix-atomic-container-restarts.url = "github:pub-solar/nixpkgs/fix/atomic-container-restarts";
 scan2paperless.url = "git+https://git.pub.solar/b12f/scan2paperless.git";
 };
diff --git a/hosts/nougat-2/caddy.nix b/hosts/nougat-2/caddy.nix
index 33bd5684..6b36eeb5 100644
--- a/hosts/nougat-2/caddy.nix
+++ b/hosts/nougat-2/caddy.nix
@@ -91,8 +91,9 @@ in {
 services.caddy = {
 enable = lib.mkForce true;
- email = "acme@benjaminbaedorf.eu";
- globalConfig = lib.mkForce "";
+ globalConfig = lib.mkForce ''
+ auto_https disable_certs
+ '';
 virtualHosts = {
 "dashboard.nougat-2.b12f.io" = {
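Review bot: `auto_https disable_certs` in the new globalConfig turns off Caddy's certificate issuance and renewal while keeping the HTTP-to-HTTPS redirect, and with the `email` line removed no ACME account is configured at all, so every entry under `virtualHosts` (all but the first lie outside this hunk) now has to supply its own `tls` certificate and key or TLS handshakes for that host will fail. The commit message explains the motivation (startup) but not where certificates come from now, which is the first thing the next reader will look for. A comment above the mkForce would save that search, e.g. `# ACME is deliberately disabled: certificates come from <PLACEHOLDER: cert source>, each vhost sets its own tls`. If the goal was only to stop issuance for hosts that are not publicly resolvable, a per-site `tls` directive on those hosts is narrower than the global option. The `services.caddy` block continues past the end of the hunk.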
diff --git a/hosts/nougat-2/concourse.nix b/hosts/nougat-2/concourse.nix
index 80d6a8f1..c14c55b4 100644
--- a/hosts/nougat-2/concourse.nix
+++ b/hosts/nougat-2/concourse.nix
@@ -43,7 +43,7 @@ in {
 ids.gids.concourse = 995;
 systemd.tmpfiles.rules = [
- "d '/data/concourse/db' 0770 ${builtins.toString config.ids.uids.postgres} postgres - -"
+ "d '/data/concourse/db' 0770 root postgres - -"
 ];
 system.activationScripts.mkConcourseNet = let
@@ -53,6 +53,29 @@ in {
 ${dockerBin} network inspect concourse-net >/dev/null 2>&1 || ${dockerBin} network create concourse-net --subnet 172.20.0.0/24
 '';
+ containers.concourse = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.101.0";
+ localAddress = "192.168.107.0";
+ hostAddress6 = "fc00::1";
+ localAddress6 = "fc00::7";
+
+ bindMounts = {
+ "/var/lib/postgresql/14" = {
+ hostPath = "/data/concourse/db";
+ isReadOnly = false;
+ };
+
+ "${config.age.secrets.keycloak-database-password.path}" = {
+ hostPath = "${config.age.secrets.keycloak-database-password.path}";
+ isReadOnly = true;
+ };
+ };
+
+ config = {
+ networking.nameservers = ["1.1.1.1"];
+
 virtualisation.oci-containers = {
 containers."concourse-db" = {
 image = "postgres:14";
diff --git a/hosts/nougat-2/configuration.nix b/hosts/nougat-2/configuration.nix
index f163d1cc..22050617 100644
--- a/hosts/nougat-2/configuration.nix
+++ b/hosts/nougat-2/configuration.nix
@@ -66,10 +66,10 @@ in {
 networking.defaultGateway = "135.181.179.65";
 networking.interfaces."enp0s31f6".ipv6.addresses = [
- #{
- # address = "2a01:4f9:3a:2170::1";
- # prefixLength = 64;
- #}
+ {
+ address = "2a01:4f9:3a:2170::1";
+ prefixLength = 64;
+ }
 ];
 networking.defaultGateway6 = {
 address = "fe80::1";
diff --git a/hosts/nougat-2/nougat-2.nix b/hosts/nougat-2/nougat-2.nix
index cda9fab0..f23982e6 100644
--- a/hosts/nougat-2/nougat-2.nix
+++ b/hosts/nougat-2/nougat-2.nix
@@ -3,6 +3,7 @@
 pkgs,
 lib,
 self,
+ fix-atomic-container-restartsModulesPath,
 ...
 }:
 with lib; let
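Review bot: `containers.concourse = {` and its inner `config = {` are opened in this hunk but never closed: the diffstat reports 24 insertions for concourse.nix and all 24 are visible across the two hunks, so the file is left with unbalanced braces and cannot be evaluated, which is presumably why the same commit comments out `./concourse.nix` in nougat-2.nix. As written, the existing `virtualisation.oci-containers` block that follows is being pulled inside the container's `config`, which moves concourse-db from the host into the NixOS container; if that is the intent, the closing `};` for `config` and `containers.concourse` still have to land after that block, and a comment such as `# concourse-db now runs inside the concourse container; /data/concourse/db is bind-mounted at /var/lib/postgresql/14` would make the move explicit. The read-only bind mount of `config.age.secrets.keycloak-database-password.path` looks copied from the Keycloak host module; it gives the Concourse container Keycloak's database password, so confirm that is the credential Concourse actually needs rather than its own. The enclosing module body extends beyond both hunks.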
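Review bot: Enabling `2a01:4f9:3a:2170::1` on enp0s31f6 makes every service bound to `[::]` reachable from the public internet over IPv6, which is unrelated to the commit's stated subject and deserves its own mention in the message. The NixOS firewall applies its port allow-lists to IPv6 as well, but any host-specific nftables/iptables rules or service `listenAddress` values written for IPv4 only (none are visible in this hunk) should be checked before this is deployed. The block was commented out before; a short comment on why it is now safe to enable, e.g. `# re-enabled together with defaultGateway6 below; <PLACEHOLDER: reason it was disabled>`, would keep the history from being lost.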
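Review bot: `fix-atomic-container-restartsModulesPath` is added as a required argument of this module, but nothing in the patch supplies it (no `specialArgs` or `_module.args` change is visible), and its only use, in the second hunk of this file, is commented out together with `./concourse.nix`; if the argument is not provided elsewhere, evaluating the host fails with a missing-argument error, and if it is, the line is dead code either way. Either drop the argument and the commented import line until the container module is actually wired in, or note on the argument where it comes from and why it is kept, e.g. `# provided by <PLACEHOLDER: where the module arg is set>; needed once ./concourse.nix is re-enabled`. The new `fix-atomic-container-restarts` flake input is likewise fetched and locked but unused until then. The module's argument list begins before the hunk.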
@@ -16,6 +17,7 @@ in {
 ./caddy.nix
 ./keycloak.nix
 ./gitea.nix
- ./concourse.nix
+ # ./concourse.nix
+ # "${fix-atomic-container-restartsModulesPath}/virtualisation/nixos-containers.nix"
 ];
 }
diff --git a/overlays/overrides.nix b/overlays/overrides.nix
index 7ab1237a..faf8c5d4 100644
--- a/overlays/overrides.nix
+++ b/overlays/overrides.nix
@@ -6,7 +6,7 @@ channels: final: prev: {
 ;
 inherit
- (channels.pub-solar)
+ (channels.fix-yubikey-agent)
 yubikey-agent
 ;