Add podman-service unit

This enables the service for binding to podman over a socket which is in
turn used by Tealok for managing the services on the server.

quinn/etc/nixos/configuration.nix

@@ -10,6 +10,12 @@
       ./hardware-configuration.nix
     ];
 
+  # Enable forwarding for containers
+  # I have not yet confirmed that this is necessary.
+  boot.kernel.sysctl = {
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
@@ -58,6 +64,7 @@
   # Enable touchpad support (enabled default in most desktopManager).
   # services.libinput.enable = true;
 
+  users.groups.podman-service = {};
   users.groups.scanner = {};
   users.groups.step = {};
 
@@ -71,6 +78,12 @@
   #     tree
   #   ];
    };
+  users.users.podman-service = {
+    group = "podman-service";
+    isNormalUser = false;
+    isSystemUser = true;
+    description = "User for podman daemon";
+  };
   users.users.scanner = {
     group = "scanner";
     isNormalUser = false;
@@ -93,7 +106,7 @@
     git
     htop
     lsof
-    #mongodb
+    ndisc6
     neovim
     nginx
     poetry
@@ -101,11 +114,9 @@
     step-ca
     step-cli
     tmux
-    #unifi8
     wget
   ];
 
-
   networking.hostName = "quinn";
   # Allow specific unfree packages
   nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
@@ -113,6 +124,19 @@
     "unifi-controller"
   ];
 
+  # Enable the helpful "command-not-found" that tells which packages may have the command in question.
+  # This makes system configuration troubleshooting much faster since I can attempt a basic command 'foo'
+  # and if 'foo' isn't installed it suggests an installation target.
+  # If you run 'command-not-found' and it complains about
+  #  DBI connect('dbname=/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite','',...) failed: unable to open database file at /run/current-system/sw/bin/command-not-found line 13.
+  #  cannot open database `/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite' at /run/current-system/sw/bin/command-not-found line 13.
+  #
+  # Then you can recreate the SQLite DB with 'sudo nix-channel --list' and making sure a channel like 'nixos https://nixos.org/channels/nixos-24.05' is present.
+  # Anything that ends in 'nixos-...' should work.
+  # Then run 'sudo nix-channel --update'
+  # See https://discourse.nixos.org/t/command-not-found-unable-to-open-database/3807/7
+  programs.command-not-found.enable = true;
+
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
   # programs.mtr.enable = true;
@@ -183,7 +207,7 @@
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
 
-  # Disable the resolved stub listener, let Pihole do it
+  # Disable the resolved stub listener, let Pihole bind port 53 on all interfaces.
   services.resolved = {
     extraConfig = ''
       DNSStubListener=no
@@ -222,10 +246,10 @@
   '';
   # Open ports in the firewall.
   networking.firewall = {
-    enable = true;
+    enable = false;
     allowPing = true;
-    allowedTCPPorts = [ 80 443 ];
+    allowedTCPPorts = [ 80 443 5353 ];
-    allowedUDPPortRanges = [
+    allowedUDPPortRanges = [ 5353
       #{ from = 4000; to = 4007; }
       #{ from = 8000; to = 8010; }
     ];
@@ -263,28 +287,49 @@
   systemd.network.enable = true;
   systemd.network.networks."10-wan" = {
     matchConfig.Name = "enp2s0";
+    dhcpV6Config = {
+      PrefixDelegationHint = "::/60";
+    };
     networkConfig = {
       # start a DHCP Client for IPv4 Addressing/Routing
       DHCP = "ipv4";
       # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
       IPv6AcceptRA = true;
+      # Allow mDNS .local address resolution
+      MulticastDNS = true;
     };
     addresses = [{
       addressConfig = {
         Address="fd00::2/64";
       };
-    } {
-      addressConfig = {
-        Address="::/0";
-	Scope="global";
-      };
     }];
+    ipv6PrefixDelegationConfig = {
+      Managed = true;
+    };
+    ipv6AcceptRAConfig = {
+      DHCPv6Client="always";
+      Token="prefixstable";
+    };
 
 
     # make routing on this interface a dependency for network-online.target
     linkConfig.RequiredForOnline = "routable";
   };
 
+  # Useful for debugging systemd networkd
+  systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
+
+  systemd.services.podman-api = {
+    enable = true;
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    description = "Daemon for handling podman requests from Tealok";
+    serviceConfig = {
+      User = "root";
+      WorkingDirectory = "/tmp";
+      ExecStart = "${pkgs.podman}/bin/podman system service -t 0";
+    };
+  };
   systemd.services.scan-uploader = {
     enable = true;
     wantedBy = [ "multi-user.target" ];
@@ -303,41 +348,6 @@
   ];
   # Enable podman since we are on NixOS 21.05
   virtualisation.docker.enable = false;
-  virtualisation.oci-containers.backend = "podman";
-  virtualisation.oci-containers.containers = {
-    pihole = {
-      autoStart = true;
-      environment = {
-        TZ = "America/Phoenix";
-        DNSMASQ_LISTENING = "all";
-      };
-      extraOptions = ["--network=bridge"];
-      image = "docker.io/pihole/pihole:2024.07.0";
-      ports = [
-        "53:53/tcp"
-        "53:53/udp"
-        "67:67"
-        "127.0.0.1:10000:80"
-      ];
-      volumes = [
-        "/etc/pihole/config:/etc/pihole"
-        "/etc/pihole/dnsmasq.d:/etc/dnsmasq.d"
-      ];
-    };
-  };
   virtualisation.podman.enable = true;
-  virtualisation.podman.dockerSocket.enable = true;
-  virtualisation.podman.defaultNetwork.settings = {
-    dns_enabled = false;
-    ipv6_enabled = true;
-    subnets = [{
-      gateway = "10.88.0.1";
-      subnet = "10.88.0.0/16";
-    }
-    {
-      gateway = "fd00::1:8:1";
-      subnet = "fd00::1:8:0/122";
-    }];
-  };
 }