networking stuff

2024-05-24 22:30:04 +02:00 · 2024-05-24 22:30:04 +02:00 · 3f21fc215d
commit 3f21fc215d
parent b4533a3def
9 changed files with 138 additions and 52 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
 cafe.qcow2
--- a/build-vm.sh
+++ b/build-vm.sh
@ -1,5 +1,7 @@
 #!/bin/sh -e
-nixos-rebuild build-vm --flake .#cafe-virt
+nixos-rebuild build-vm --flake .#cafe-virt "$@"
-rm -f nixos.qcow2
+rm -f cafe.qcow2
-./result/bin/run-*-vm
+echo "[STARTING VM]"
-rm -f nixos.qcow2 result
+./result/bin/run-*-vm -nographic
 echo "[STOPPING VM]"
 rm -f cafe.qcow2 result
--- a/flake.nix
+++ b/flake.nix
@ -12,13 +12,15 @@
          nix.registry.nixpkgs.flake = nixpkgs;
          system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
        };
-        # 8888 on host is 80 on guest
+        # 8080 on host is 80 on guest
        # 2222 on host is 22 on guest
        virt-module = {
          virtualisation.vmVariant = {
            virtualisation.cores = 4;
            virtualisation.memorySize = 4096;
            virtualisation.forwardPorts = [
              { from = "host"; host.port = 8080; guest.port = 80; }
              { from = "host"; host.port = 2222;  guest.port = 22; }
            ];
          };
        };
--- a/host.nix
+++ b/host.nix
@ -1,34 +1,48 @@
 state-version: { pkgs, ... }:
-let secrets = import ./secrets/secrets.nix;
+let services = with builtins;
-    services = with builtins;
+      let services_no_ip =
-      map (s: import (./services + "/${s}") { inherit pkgs; })
+        map (s: import (./services + "/${s}") { inherit pkgs; })
-          (filter (s: ! isNull (match ".*\.nix" s)) 
+            (filter (s: ! isNull (match ".*\.nix" s)) 
-                  (attrNames (readDir ./services)));
+                    (attrNames (readDir ./services)));
      in genList (i: elemAt services_no_ip i // { ip = "10.10.0.${toString (i+2)}"; }) (length services_no_ip);
    lib = import ./lib.nix;
    secrets = import ./secrets/secrets.nix;
    hostIp = "10.10.0.1";
 in
-lib.foldMap ({ name, ip, config, ports, ... }: 
+{ 
  containers = 
 lib.foldMap ({ name, config, ip, ports, ... }: 
 {
-  containers.${name} = {
+  ${name} = {
-    autoStart = true;
+      autoStart = true;
-    ephemeral = true;
+      ephemeral = true;
-    privateNetwork = true;
+      privateNetwork = true;
-    hostAddress = ip.host;
+      hostAddress = hostIp;
-    localAddress = ip.local;
+      localAddress = ip;
-    config = config // {
+      config = config // {
-      boot.isContainer = true;
+        boot.isContainer = true;
      networking.hostName = "${name}";
      networking.useDHCP = false;
-      networking.firewall.enable = true;
+        networking = {
-      networking.firewall.allowedTCPPorts = ports.tcp;
+          hostName = "${name}";
      networking.firewall.allowedUDPPorts = ports.udp;
-      system.stateVersion = state-version;
+          hosts = lib.foldMap ({ name, ip, ...}:
            { "${ip}" = [ "${name}.containers" "${name}" ]; }
          ) services;
          firewall.enable = true;
          firewall.allowedTCPPorts = ports.tcp;
          firewall.allowedUDPPorts = ports.udp;
        };
        system.stateVersion = state-version;
      };
    };
  };
 }
-) services
+) services;
 }
 //
@ -38,29 +52,75 @@ lib.foldMap ({ name, ip, config, ports, ... }:
    enable = true;
    recommendedProxySettings = true;
    virtualHosts =
-      lib.foldMap ({ ip, ports, hosts, ... }: 
+      lib.foldMap ({ ports, hosts, ip, ... }: 
        lib.foldMap (host: 
-        {
+          if (builtins.isNull ports.http) 
-          "${host}" = {
+            then {}
-            locations."/".proxyPass = "http://${ip.local}:${builtins.toString ports.http}";
+            else {
-          };
+              "${host}" = {
-        }
+                locations."/".proxyPass = 
                  "http://${ip}:${builtins.toString ports.http}";
              };
            }
        ) hosts
      ) services;
  };
-  # [NETWORK]
+  # [SSHD]
-  networking.firewall.allowedTCPPorts = [ 80 ];
+  services.openssh = {
-  networking.firewall.allowedUDPPorts = [ ];
+    enable = true;
-  networking.hostName = "cafe";
+    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };
-  # VM test user
+  # [NETWORK]
-  users.users.admin.isNormalUser = true;
+  networking = {
-  users.users.admin.hashedPassword = pkgs.lib.removeSuffix "\n" 
+    hostName = "cafe";
-    (builtins.readFile ./secrets/admin_password);
+
-  users.users.admin.group = "admin";
+    firewall.allowedTCPPorts = [ 22 80 443 ];
    firewall.allowedUDPPorts = [ ];
    nat = {
      enable = true;
      internalInterfaces = ["ve-+"];
      externalInterface = "lo";
    };
  };
  # [USER]
  users.users.admin = {
    isNormalUser = true;
    group = "admin";
    extraGroups = [ "wheel" ];
    hashedPassword = pkgs.lib.removeSuffix "\n" 
      (builtins.readFile ./secrets/admin_password);
    openssh.authorizedKeys.keyFiles = [ ./secrets/id_ed25519.pub ];
  };
  users.groups.admin = {};
  # [SOFTWARE]
  programs.bash.interactiveShellInit = ''
    set -o vi
  '';
  # [NIX]
  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
    };
    gc = {
      automatic = true;
      dates = "monthly";
      options = "--delete-older-than 30d";
    };
  };
  security.sudo.enable = false;
  security.doas.enable = true;
  system.stateVersion = state-version;
 }
--- a/secrets/gitea_postgres_pass
+++ b/secrets/gitea_postgres_pass
--- a/secrets/id_ed25519.pub
+++ b/secrets/id_ed25519.pub
--- a/services/gitea.nix
+++ b/services/gitea.nix
@ -1,15 +1,16 @@
 { pkgs, ... }: {
  name = "gitea";
  ip = {
    host = "10.10.0.1";
    local = "10.10.0.2";
  };
  config = {
    services.gitea = {
      enable = true;
      appName = "My awesome Gitea server"; # Give the site a name
      database = {
-        type = "sqlite3";
+        type = "postgres";
        host = "postgres.containers";
        port = 3306;
        name = "gitea";
        user = "gitea";
        passwordFile = ../secrets/gitea_postgres_pass;
      };
      settings.server = {
        DOMAIN = "localhost";
--- a/services/postgres.nix
+++ b/services/postgres.nix
@ -0,0 +1,25 @@
 { pkgs, ... }: {
  name = "postgres";
  config = {
    services.postgresql = {
      enable = true;
      enableTCPIP = true;
      port = 3306;
      ensureDatabases = [ "gitea" ];
      initialScript = pkgs.writeText "backend-initScript" ''
        CREATE USER gitea WITH LOGIN PASSWORD '${pkgs.lib.strings.fileContents ../secrets/gitea_postgres_pass}' CREATEDB;
        CREATE DATABASE gitea;
        GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
      '';
      authentication = pkgs.lib.mkOverride 10 ''
        host  all      all     10.10.0.0/16   trust
      '';
    };
  };
  ports = {
    tcp = [ 3306 ];
    udp = [];
    http = null;
  };
  hosts = [ ];
 }
--- a/services/readme.md
+++ b/services/readme.md
@ -8,10 +8,6 @@ Services are of the form:
 ```nix
 { pkgs, ... }: {
  name = "name";
  ip = {
    host = "ip";
    local = "ip";
  };
  config = { ... };
  ports = {
    tcp = [ 80 ];
@ -21,4 +17,3 @@ Services are of the form:
  hosts = [ "myservice.domain.mjau" ];
 }
 ```