
{ config, lib, pkgs, serverCfg }:
let
# Build a podman container definition (NixOS `virtualisation.oci-containers`-style
# attrset) from a few high-level knobs, then let `overrides` patch anything.
#
#   image / imageStream / imageFile  one of them selects the image
#   secret                          name of a sops secret used as an env file
#   subdomain / subpath / port      Traefik exposure; no subdomain = not routed
#   extraEnv / extraLabels / extraOptions  merged on top of the generated values
#   overrides                       applied last via lib.recursiveUpdate
contBuilder =
  { image ? null, imageStream ? null, imageFile ? null
  , secret ? null
  , subdomain ? null, subpath ? null, port ? null
  , extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
  , overrides ? { }
  }:
  let
    # Prefer a streamed image, then an image file, then a plain image reference.
    imageRef =
      if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}"
      else if imageFile != null then "${imageFile.imageName}:${imageFile.imageTag}"
      else image;
    hasSubpath = subpath != null;
    # Traefik router/service name; the sub-path is sanitised so it is usable in a label key.
    routerName =
      if hasSubpath then "${subdomain}-${lib.strings.sanitizeDerivationName subpath}"
      else subdomain;
    fqdn = "${subdomain}.${serverCfg.domain}";
    # NOTE: subdomain and subpath are interpolated verbatim into the Traefik rule.
    # They come from host configuration, not from runtime input, so nothing is escaped here.
    routerRule =
      if hasSubpath then "Host(`${fqdn}`) && PathPrefix(`/${subpath}`)"
      else "Host(`${fqdn}`)";
    traefikLabels =
      {
        "traefik.enable" = "true";
        "traefik.http.routers.${routerName}.entrypoints" = "web-secure";
        "traefik.http.routers.${routerName}.rule" = routerRule;
        "traefik.http.routers.${routerName}.tls" = "true";
      }
      // lib.optionalAttrs (port != null) {
        "traefik.http.services.${routerName}.loadbalancer.server.port" = toString port;
      };
    base = {
      image = imageRef;
      inherit imageStream imageFile;
      # The env file is the sops-managed secret; its key is the upper-cased secret name.
      environmentFiles =
        lib.optional (secret != null) config.sops.secrets."${lib.toUpper secret}".path;
      environment = { TZ = config.time.timeZone; } // extraEnv;
      # Without a subdomain the container is explicitly hidden from Traefik.
      labels =
        (if subdomain != null then traefikLabels else { "traefik.enable" = "false"; })
        // extraLabels;
      # Every container gets a name for the host gateway, so anything the host binds on
      # that address is reachable from inside the container.
      extraOptions = [ "--add-host=host.containers.internal:host-gateway" ] ++ extraOptions;
    };
  in
  lib.recursiveUpdate base overrides;
# Evaluate a NixOS configuration for a QEMU guest and return its runnable VM script.
#
#   name  guest hostname
#   vm    attrset with `cfg` (a NixOS module) and optional `memory`, `cores`,
#         `portForward` (list of port numbers forwarded host -> guest, same number on both sides)
vmBuilder = { name, vm }:
  let
    # A bare port number becomes a qemu-vm `forwardPorts` entry. The host address is left at
    # qemu-vm.nix's default; check there which host interface the forward binds to.
    forwardPort = port: {
      from = "host";
      host.port = port;
      guest.port = port;
    };
    forwarded =
      if vm ? portForward && vm.portForward != null
      then map forwardPort vm.portForward
      else [ ];
    # Guest-side settings layered on top of the app's own `vm.cfg` module.
    guestModule = { modulesPath, ... }: {
      imports = [
        "${modulesPath}/profiles/qemu-guest.nix"
        "${modulesPath}/virtualisation/qemu-vm.nix"
      ];
      networking.hostName = name;
      networking.useDHCP = true;
      # The guest firewall is off. With qemu-vm.nix's default user-mode networking the guest is
      # only reachable through `forwardPorts`; confirm this still holds if vm.cfg changes networking.
      networking.firewall.enable = false;
      services.qemuGuest.enable = true;
      system.stateVersion = "26.05";
      virtualisation = {
        memorySize = vm.memory or 2048;
        cores = vm.cores or 2;
        forwardPorts = forwarded;
      };
    };
    # Guest architecture is fixed to x86_64 regardless of the evaluating host.
    evaluated = import "${pkgs.path}/nixos/lib/eval-config.nix" {
      system = "x86_64-linux";
      modules = [ vm.cfg guestModule ];
    };
  in
  evaluated.config.system.build.vm;
in {
mkContainer = contBuilder;
mkVm = vmBuilder;
# Normalise an app module into the fixed shape the server modules consume:
# `{ name, requires, exports, runtime }`. Old-style modules that keep fields at the
# top level (`paths`, `containers`, `sops = true`, ...) are still accepted.
mkApp = name: app:
  let
    # True when `set` has every attribute along `path` (a list of attribute names).
    hasPath = path: set:
      path == [ ]
      || (set ? ${builtins.head path}
        && hasPath (builtins.tail path) set.${builtins.head path});
    # The value at `path` inside `app`, or `fallback` when any step of it is missing.
    fromApp = path: fallback:
      if hasPath path app
      then builtins.foldl' (acc: key: acc.${key}) app path
      else fallback;
    # Newer modules nest runtime fields under `runtime`; older ones keep them top-level.
    fromRuntime = key: fallback: fromApp [ "runtime" key ] (fromApp [ key ] fallback);
    # Legacy boolean flags (`sops`, `db`) mean "a secret / database named after the app".
    selfIfFlag = flag: if fromApp [ flag ] false then [ name ] else [ ];
    # Legacy top-level `setup` attrset, merged over the defaults below.
    legacySetup =
      let s = fromApp [ "setup" ] null;
      in if s == null then { } else s;
  in
  {
    inherit name;
    # What the host must provision before the app can run.
    requires = {
      secrets = fromApp [ "requires" "secrets" ] (selfIfFlag "sops");
      databases = fromApp [ "requires" "databases" ] (selfIfFlag "db");
    };
    # What the app contributes to other services.
    exports.authentik.blueprints = fromApp [ "exports" "authentik" "blueprints" ] [ ];
    # How the app is run; each field falls back to its legacy top-level name.
    runtime = {
      paths = fromRuntime "paths" [ ];
      containers = fromRuntime "containers" { };
      vm = fromRuntime "vm" null;
      cron = fromRuntime "cron" [ ];
      setup = fromApp [ "runtime" "setup" ] ({
        trigger = "";
        script = null;
        envFile = [ ];
      } // legacySetup);
    };
  };
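# Copy `./data/<dir>` into a store path and replace every `@NAME@` placeholder in
# the copied files with the matching value from `vars`.
#
# `vars` is also handed to runCommand as derivation attributes, so every value is
# written into the (world-readable) Nix store: do not pass secrets through here.
# Values are shell-escaped before being spliced into the build script, so quotes,
# `$` and whitespace in a value no longer break or alter the script.
mkData = { name, dir, vars ? { } }:
  let
    # One substituteInPlace call per placeholder, both arguments quoted for the shell.
    # `--replace` is kept (rather than --replace-fail) because a given file usually
    # contains only some of the placeholders.
    substitutions = lib.concatStringsSep "\n" (lib.mapAttrsToList
      (n: v: ''substituteInPlace "$file" --replace ${lib.escapeShellArg "@${n}@"} ${lib.escapeShellArg (toString v)}'')
      vars);
  in
  pkgs.runCommand name vars ''
    mkdir -p "$out"
    cp -r ${./data + "/${dir}"}/. "$out/"
    # NUL-delimited so file names with spaces or newlines survive; -r keeps backslashes.
    find "$out" -type f -print0 | while IFS= read -r -d "" file; do
      ${substitutions}
    done
  '';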
# Name under which containers reach the host (matches the --add-host entry mkContainer adds).
host = "host.containers.internal";
# Gateway address of podman's default network, i.e. the host as seen from containers.
# Falls back to the address podman's stock default network uses when no subnets are configured.
hostIp =
  let
    netSettings = config.virtualisation.podman.defaultNetwork.settings;
  in
  if netSettings ? subnets
  then (lib.head netSettings.subnets).gateway
  else "10.88.0.1";
}