
+++ title="Containers" +++

# Containers

https://cola-gang.industries/containerize-the-nixos-way

## AI Suggestions


Here’s how to implement network namespace isolation with Tailscale exit nodes in NixOS:

```nix
{ config, pkgs, ... }: {
  # netns@<name>.service creates the named namespace /var/run/netns/<name>.
  # `ip netns add` leaves the new namespace's loopback down, so it is brought
  # up here; otherwise connections to 127.0.0.1 inside the namespace fail.
  # The nixpkgs attribute is iproute2 (the old `iproute` alias is gone).
  systemd.services."netns@" = {
    description = "%I network namespace";
    before = [ "network.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = [
        "${pkgs.iproute2}/bin/ip netns add %I"
        "${pkgs.iproute2}/bin/ip -n %I link set lo up"
      ];
      ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
    };
  };

  services.tailscale = {
    enable = true;
    useRoutingFeatures = "both";
    interfaceName = "tailscale-ns";
  };

  systemd.services.deluge-ns = {
    description = "Deluge in network namespace";
    bindsTo = [ "netns@deluge.service" ];
    after = [ "netns@deluge.service" "tailscale.service" ];
    wantedBy = [ "multi-user.target" ]; # without this the unit is never started at boot

    # Enter the *named* namespace created above. JoinsNamespaceOf= only shares a
    # network namespace with a unit that itself has PrivateNetwork= enabled, and
    # netns@ does not, so PrivateNetwork=true + JoinsNamespaceOf would have given
    # deluged a fresh empty namespace rather than `deluge`. NetworkNamespacePath=
    # applies to ExecStartPre/ExecStart/ExecStopPost alike.
    serviceConfig = {
      NetworkNamespacePath = "/var/run/netns/deluge";
      ExecStartPre = let
        tsCmd = pkgs.writeScript "ts-up" ''
          #!${pkgs.bash}/bin/bash
          # NOTE: the `tailscale` CLI only talks to a running tailscaled over its
          # control socket. The daemon started by services.tailscale lives in the
          # root namespace, so `up --exit-node` here reconfigures the host's
          # tailscaled; the tunnel interface itself is not moved into `deluge`.
          ${pkgs.iproute2}/bin/ip netns exec deluge \
          ${pkgs.tailscale}/bin/tailscale up \
            --exit-node= \
            --authkey=tskey-auth-XXXXXXX
        '';
      in "${tsCmd}";

      ExecStart = "${pkgs.deluge}/bin/deluged -d";

      # Same caveat: this acts on the host's tailscaled, i.e. it takes the whole
      # host off the tailnet when deluged stops.
      ExecStopPost = "${pkgs.tailscale}/bin/tailscale down";
    };
  };

  # The NixOS firewall runs in the root namespace; these rules do not reach
  # interfaces that live inside `deluge`.
  networking.firewall = {
    checkReversePath = "loose";
    allowedUDPPorts = [ 41641 ]; # Tailscale port
    interfaces.tailscale-ns.allowedTCPPorts = [ 8112 58846 ]; # Deluge ports
  };
}
```

Key Components:

  1. Namespace Creation:
     - Uses parameterized netns@ service for namespace management[6][7]
     - Creates isolated deluge namespace with ip netns[5][9]

  2. Tailscale Integration:
     - Runs Tailscale within namespace using ip netns exec[4][8]
     - Configures exit node with --exit-node flag[4][8]
     - Uses userspace networking mode for container compatibility[4]

  3. Service Isolation:
     - PrivateNetwork=true restricts network access[6][9]
     - JoinsNamespaceOf binds Deluge to namespace[6][7]
     - Separate firewall rules for Tailscale interface[4][9]

  4. DNS Configuration: Add to prevent leaks:

     ```nix
     services.resolved = {
       enable = true;
       fallbackDns = [ "100.100.100.100" ]; # Tailscale MagicDNS; the option takes a list of strings
     };
     ```

Verification:

```sh
sudo nsenter --net=/var/run/netns/deluge curl -s https://ifconfig.me/ip
# Should show exit node IP

sudo ip netns exec deluge tailscale status
# Verify exit node connection
```
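The two commands above each check one symptom by eye. The helpers below are an added example, not part of the Perplexity answer nor of any NixOS or Tailscale project, that turn the same idea into a scripted leak audit for a namespace: which interface the kernel would actually use for a public IPv4/IPv6 destination (via `ip route get`, which consults policy rules and so also sees the separate routing table Tailscale installs for exit-node traffic), which resolvers the namespace sees, whether `tailscale status` reports an exit node in use rather than merely offered, and whether the namespace's public address differs from the host's. The `check_*` functions take command output as text, so the embedded samples (constructed, approximating real output with documentation-range addresses) exercise them offline. `audit_netns`, the namespace name `deluge`, the interface `tailscale-ns` and the resolver `100.100.100.100` are assumptions carried over from the configuration above; the live audit needs root.

```shell
#!/usr/bin/env sh
# Added example: leak-audit helpers for a network namespace. Not part of the
# page's configuration or of Tailscale/NixOS; the namespace, interface and
# resolver names used in the usage line are assumptions from the config above.

# Interface a packet to the queried address would leave through, parsed from
# `ip route get` output. `ip route get` consults policy rules, so it also sees
# the routes Tailscale keeps in its own table for exit-node traffic.
egress_dev() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# 0 iff the route-get output leaves via the expected tunnel interface
# (empty output, e.g. "Network is unreachable", also fails: fail closed).
check_egress_dev() {
  [ "$(egress_dev "$1")" = "$2" ]
}

# 0 iff resolv.conf names at least one resolver and every one is the expected one.
check_resolvers() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "nameserver" { n++; if ($2 != want) bad++ }
    END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# 0 iff `tailscale status` lists a peer currently in use as exit node. The CLI
# marks that peer "exit node"; peers that merely advertise one read "offers exit node".
check_exit_node_active() {
  printf '%s\n' "$1" | grep -v 'offers exit node' | grep -q '; exit node'
}

# 0 iff both public addresses were obtained and differ.
check_egress_ip_differs() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Live audit (needs root): audit_netns <netns> <tunnel-if> <resolver>
# Prints one LEAK/WARN line per failed check and returns non-zero if any failed.
audit_netns() {
  ns=$1; tun=$2; dns=$3; rc=0
  v4=$(ip -n "$ns" route get 1.1.1.1 2>/dev/null)
  check_egress_dev "$v4" "$tun" \
    || { echo "LEAK: IPv4 egress via '$(egress_dev "$v4")', expected $tun"; rc=1; }
  v6=$(ip -n "$ns" -6 route get 2606:4700:4700::1111 2>/dev/null)
  check_egress_dev "$v6" "$tun" \
    || { echo "LEAK: IPv6 egress via '$(egress_dev "$v6")', expected $tun (empty = no IPv6 route)"; rc=1; }
  check_resolvers "$(ip netns exec "$ns" cat /etc/resolv.conf)" "$dns" \
    || { echo "LEAK: resolvers inside $ns are not only $dns"; rc=1; }
  check_exit_node_active "$(ip netns exec "$ns" tailscale status 2>/dev/null)" \
    || { echo "WARN: tailscale status shows no exit node in use"; rc=1; }
  check_egress_ip_differs "$(curl -s https://ifconfig.me/ip)" \
                          "$(ip netns exec "$ns" curl -s https://ifconfig.me/ip)" \
    || { echo "LEAK: host and $ns present the same public IP"; rc=1; }
  return $rc
}

# Constructed samples approximating real `ip route get`, resolv.conf and
# `tailscale status` output; addresses are from CGNAT/documentation ranges.
SAMPLE_ROUTE_OK='1.1.1.1 dev tailscale-ns table 52 src 100.101.102.103 uid 0
    cache'
SAMPLE_ROUTE_LEAK='1.1.1.1 via 192.168.1.1 dev veth-deluge src 192.168.1.50 uid 0
    cache'
SAMPLE_RESOLV_OK='nameserver 100.100.100.100'
SAMPLE_RESOLV_LEAK='nameserver 192.168.1.1
nameserver 100.100.100.100'
SAMPLE_STATUS_OK='100.101.102.103 deluge-ns   user@ linux   -
100.64.0.5      exit-host   user@ linux   active; exit node; direct 203.0.113.7:41641'
SAMPLE_STATUS_OFFERED='100.64.0.5      exit-host   user@ linux   idle; offers exit node'
```

Run `audit_netns deluge tailscale-ns 100.100.100.100` as root once the deluge-ns unit is up; a non-zero exit means at least one LEAK or WARN line was printed. The IPv6 check is deliberately strict: a namespace with no IPv6 route at all is reported as well, since that is a fail-closed state worth knowing about even though it is not a leak.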

Implementation Notes:

  - Replace the exit-node placeholder with the actual exit node IP from `tailscale status`
  - Generate ephemeral auth key in Tailscale admin console[4][8]
  - Use `networkd-dispatcher` for dynamic namespace routing if needed[2][7]

This configuration isolates Deluge’s network stack while maintaining NixOS declarative style, using techniques from multiple WireGuard/Tailscale namespace implementations[1][3][7].

Citations:

[1] https://discourse.nixos.org/t/understanding-wireguard-network-namespaces-and-running-services-in-them/2829
[2] https://github.com/NixOS/nixpkgs/issues/52411
[3] https://samasaur1.github.io/blog/multiple-vpns-on-nixos
[4] https://nixos.wiki/wiki/Tailscale
[5] https://learn-docker.it-sziget.hu/en/latest/pages/advanced/kernel-namespaces-network.html
[6] https://discourse.nixos.org/t/run-systemd-service-in-network-namespace/3179
[7] https://discourse.nixos.org/t/setting-up-wireguard-in-a-network-namespace-for-selectively-routing-traffic-through-vpn/10252
[8] https://martin.baillie.id/wrote/tailscale-support-for-nixos/
[9] https://github.com/fort-nix/nix-bitcoin/blob/master/modules/netns-isolation.nix
[10] https://vtimofeenko.com/posts/wireguard-namespace-flake/
[11] https://nixos.wiki/wiki/Networking
[12] https://github.com/NixOS/nixpkgs/issues/372414
[13] https://mth.st/blog/nixos-wireguard-netns/
[14] https://lantian.pub/en/article/modify-website/nixos-why.lantian/
[15] https://unix.stackexchange.com/questions/633919/how-to-assign-a-name-to-the-existing-anonymous-network-namespace
[16] https://discourse.nixos.org/t/syncthing-network-namespace/26657
[17] https://gist.github.com/c0deaddict/53aedbb69c8cbfebfec8f4428dc03102
[18] https://nlewo.github.io/nixos-manual-sphinx/administration/declarative-containers.xml.html
[19] https://www.reddit.com/r/Tailscale/comments/1fmu8gl/packet_filetered_while_using_exit_nodes_on_nixos/
[20] https://www.joshuamlee.com/nixos-proxmox-tailscale/
[21] https://samasaur1.github.io/blog/multiple-vpns-on-nixos
[22] https://tailscale.com/kb/1408/quick-guide-exit-nodes
[23] https://tailscale.com/blog/nixos-minecraft
[24] https://peter.demin.dev/12_articles/25-tailscale.html
[25] https://tailscale.com/kb/1103/exit-nodes
[26] https://github.com/NixOS/nixpkgs/issues/209119
[27] https://discourse.nixos.org/t/setting-up-wireguard-in-a-network-namespace-for-selectively-routing-traffic-through-vpn/10252
[28] https://github.com/tailscale/tailscale/issues/4432
[29] https://discourse.nixos.org/t/tailscale-and-immich-on-new-system-port-not-responding/59648
[30] https://search.nixos.org/options?channel=unstable&show=services.tailscale.useRoutingFeatures&size=50&sort=relevance&type=packages&query=tailscale
[31] https://discourse.nixos.org/t/port-forwading-of-a-network-namespaced-container/54926
[32] https://www.ljlapierre.com/books/linux-documentation/page/docker-inside-nixos-containers
[33] https://www.reddit.com/r/NixOS/comments/18rex0p/should_i_containerize_my_nixos_server/
[34] https://discourse.nixos.org/t/no-internet-through-docker/25073
[35] http://sandervanderburg.blogspot.com/2020/07/on-using-nix-and-docker-as-deployment.html
[36] https://discourse.nixos.org/t/deploying-docker-containers-declaratively/693
[37] https://wiki.nixos.org/wiki/Docker
[38] https://github.com/NixOS/nixpkgs/issues/69414
[39] https://mirosval.sk/blog/2023/nix-macvlan-networking/
[40] https://github.com/NixOS/nixpkgs/issues/298165
[41] https://nixcademy.com/posts/nixos-nspawn/
[42] https://www.reddit.com/r/NixOS/comments/1e4gvh1/wireguard_in_network_namespace_connected_to/
[43] https://pavluk.org/blog/2022/01/26/nixos_router.html
[44] https://www.reddit.com/r/NixOS/comments/1box9ij/tailscale_and_systemd_on_nixos/
[45] https://github.com/NixOS/nixpkgs/issues/247377
[46] https://carlosvaz.com/posts/setting-up-headscale-on-nixos/
[47] https://discourse.nixos.org/t/tailscale-exit-node-not-working-on-nixos/39897
[48] https://maulana.id/soft-dev/2023-01-30-00-using-tailscale-with-nix/
[49] https://discourse.nixos.org/t/understanding-wireguard-network-namespaces-and-running-services-in-them/2829
[50] https://discourse.nixos.org/t/how-to-create-docker-network-in-nixos-configuration-correctly/16945
[51] https://www.reddit.com/r/NixOS/comments/1jc2zvx/help_for_config_with_container_and_network_wg/
[52] https://stackoverflow.com/questions/46100966/how-to-make-nixos-container-visible-to-the-external-network
[53] https://github.com/NixOS/nixpkgs/issues/52411
[54] https://www.reddit.com/r/NixOS/comments/118utfi/docker_workflow_under_nixos/


Answer from Perplexity: pplx.ai/share