Add newt module

modules/newt.nix

@@ -0,0 +1,72 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+
+  cfg = config.services.newt-docker;
+
+in {
+
+  options.services.newt-docker = {
+    enable = lib.mkEnableOption "Newt, user space tunnel client for Pangolin";
+    pangolinEndpoint = lib.mkOption {
+      description = "External URL of the Pangolin instance";
+      type = lib.types.str;
+    };
+    connectionSecret = lib.mkOption {
+      description = "Secrets for Pangolin authentication.";
+      type = lib.types.anything;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.oci-containers.containers = {
+      newt = {
+        image = "fosrl/newt:1.9.0";
+        autoStart = true;
+        networks = [
+          "pangolin"
+        ];
+        environment = {
+          PANGOLIN_ENDPOINT = cfg.pangolinEndpoint;
+          DOCKER_SOCKET = "/var/run/docker.sock";
+        };
+        environmentFiles = [ cfg.connectionSecret.path ];
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock:ro"
+        ];
+        extraOptions = [
+          "--add-host=host.docker.internal:host-gateway"
+        ];
+      };
+    };
+
+    systemd.services."docker-pangolin" = {
+      after = [
+        "docker-network-pangolin.service"
+      ];
+      requires = [
+        "docker-network-pangolin.service"
+      ];
+    };
+
+    systemd.services."docker-network-pangolin" = {
+      path = [ pkgs.docker ];
+      serviceConfig = {
+        Type = "oneshot";
+      };
+      script = ''
+        docker network inspect pangolin || docker network create pangolin --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
+      '';
+    };
+
+    networking.firewall.extraCommands = ''
+      iptables -A INPUT -p icmp --source 100.89.128.0/24 -j ACCEPT
+      iptables -A INPUT -p tcp --source 172.18.0.0/12 --dport 22 -j ACCEPT
+    '';
+
+  };
+}