From 31539cd0969f6edeb95b540785ddd106c71b9770 Mon Sep 17 00:00:00 2001
From: ChUrl
Date: Wed, 24 May 2023 20:25:08 +0200
Subject: [PATCH] Add virtualisation lib
---
 lib/default.nix | 1 +
 lib/virtualisation.nix | 52 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 lib/virtualisation.nix
diff --git a/lib/default.nix b/lib/default.nix
index d093b6ca..665dabea 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -7,4 +7,5 @@
 nixos = import ./nixos.nix {inherit inputs pkgs lib;};
 modules = import ./modules.nix {inherit inputs pkgs lib;};
 networking = import ./networking.nix {inherit inputs pkgs lib;};
+ virtualisation = import ./virtualisation.nix {inherit inputs pkgs lib;};
 }
diff --git a/lib/virtualisation.nix b/lib/virtualisation.nix
new file mode 100644
index 00000000..9c40d2ac
--- /dev/null
+++ b/lib/virtualisation.nix
@@ -0,0 +1,52 @@
+{
+ inputs,
+ pkgs,
+ lib,
+ ...
+}: rec {
+ mkOciContainer = {
+ image,
+ autoStart ? false,
+ id-ports ? [],
+ ports ? [],
+ vols ? [],
+ env ? {},
+ opts ? [],
+ netns ? "",
+ netdns ? "",
+ }: let
+ expanded-id-ports = map (port: "${toString port}:${toString port}") id-ports;
+ additional-opts =
+ []
+ ++ (lib.optionals (netns != "") [
+ "--network=ns:/var/run/netns/${netns}"
+ ])
+ ++ (lib.optionals (netdns != "") [
+ "--dns=${netdns}"
+ ]);
+ in {
+ image = image;
+ autoStart = autoStart;
+ ports = ports ++ expanded-id-ports;
+ volumes = vols;
+ environment = lib.mergeAttrs env {
+ PUID = "1000";
+ PGID = "1000";
+ TZ = "Europe/Berlin";
+ };
+ extraOptions = opts ++ additional-opts;
+ };
+
+ # Filter all system service attributes that the user units don't have and add some required attributes
+ # Example: podman-stablediffusion = mkOciUserService config.systemd.services.podman-stablediffusion;
+ # NOTE: This doesn't work, since the cidfile is located in /run, which is not writable for regular users...
+ mkOciUserService = attrs:
+ lib.mergeAttrs (lib.attrsets.filterAttrs (n: v:
+ !((n == "confinement")
+ || (n == "runner")
+ || (n == "environment")))
+ attrs) {
+ startLimitIntervalSec = 1;
+ startLimitBurst = 5;
+ };
+}
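Review bot: In mkOciContainer, `environment = lib.mergeAttrs env { PUID = "1000"; ... }` has the operands the wrong way round: `lib.mergeAttrs x y` is `x // y`, so the hard-coded PUID/PGID/TZ silently override whatever the caller passes in `env`, and a container that must run under a different uid/gid cannot get one through this helper. Reversing the operands fixes it, `environment = { PUID = "1000"; PGID = "1000"; TZ = "Europe/Berlin"; } // env;`, so the literals become defaults the caller can override. Separately, `id-ports` expands to `"port:port"` with no host address, which publishes each port on every host interface; a comment on the `id-ports` parameter such as `# published on all interfaces; use ports with a 127.0.0.1: prefix for local-only access` would make that exposure explicit to callers. Minor style: the `v` parameter in `filterAttrs (n: v: ...)` is unused and could be `_`, and `rec` is not needed since neither attribute refers to the other.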