networking stuff

This commit is contained in:
Rachel Lambda Samuelsson 2024-05-24 22:30:04 +02:00
parent b4533a3def
commit 3f21fc215d
9 changed files with 138 additions and 52 deletions

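--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+cafe.qcow2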


@ -1,5 +1,7 @@
#!/bin/sh -e #!/bin/sh -e
nixos-rebuild build-vm --flake .#cafe-virt nixos-rebuild build-vm --flake .#cafe-virt "$@"
rm -f nixos.qcow2 rm -f cafe.qcow2
./result/bin/run-*-vm echo "[STARTING VM]"
rm -f nixos.qcow2 result ./result/bin/run-*-vm -nographic
echo "[STOPPING VM]"
rm -f cafe.qcow2 result
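Review bot: Under `#!/bin/sh -e` the two trailing lines are skipped whenever the VM runner exits non-zero, so `cafe.qcow2` and `result` are left behind until the next run; the rendered section does not show this script's path. Registering the cleanup as an exit trap before the VM starts keeps the current behaviour on success and also covers the failure path, e.g. `trap 'echo "[STOPPING VM]"; rm -f cafe.qcow2 result' EXIT` placed before the `./result/bin/run-*-vm -nographic` line, replacing the last two lines.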


@ -12,13 +12,15 @@
nix.registry.nixpkgs.flake = nixpkgs; nix.registry.nixpkgs.flake = nixpkgs;
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
}; };
# 8888 on host is 80 on guest # 8080 on host is 80 on guest
# 2222 on host is 22 on guest
virt-module = { virt-module = {
virtualisation.vmVariant = { virtualisation.vmVariant = {
virtualisation.cores = 4; virtualisation.cores = 4;
virtualisation.memorySize = 4096; virtualisation.memorySize = 4096;
virtualisation.forwardPorts = [ virtualisation.forwardPorts = [
{ from = "host"; host.port = 8080; guest.port = 80; } { from = "host"; host.port = 8080; guest.port = 80; }
{ from = "host"; host.port = 2222; guest.port = 22; }
]; ];
}; };
}; };
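Review bot: The new forward of host port 2222 to guest port 22 (and the existing 8080 one) sets no `host.address`, and as far as I recall QEMU's hostfwd then listens on every host interface, so the VM's sshd becomes reachable from the whole LAN rather than only from the workstation running the VM. If these forwards are for local testing, pin them to loopback: `{ from = "host"; host.address = "127.0.0.1"; host.port = 2222; guest.port = 22; }` and likewise for 8080. The corrected comment now matches the 8080 value, which is good.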

host.nix

@ -1,34 +1,48 @@
state-version: { pkgs, ... }: state-version: { pkgs, ... }:
let secrets = import ./secrets/secrets.nix; let services = with builtins;
services = with builtins; let services_no_ip =
map (s: import (./services + "/${s}") { inherit pkgs; }) map (s: import (./services + "/${s}") { inherit pkgs; })
(filter (s: ! isNull (match ".*\.nix" s)) (filter (s: ! isNull (match ".*\.nix" s))
(attrNames (readDir ./services))); (attrNames (readDir ./services)));
in genList (i: elemAt services_no_ip i // { ip = "10.10.0.${toString (i+2)}"; }) (length services_no_ip);
lib = import ./lib.nix; lib = import ./lib.nix;
secrets = import ./secrets/secrets.nix;
hostIp = "10.10.0.1";
in in
lib.foldMap ({ name, ip, config, ports, ... }: {
containers =
lib.foldMap ({ name, config, ip, ports, ... }:
{ {
containers.${name} = { ${name} = {
autoStart = true; autoStart = true;
ephemeral = true; ephemeral = true;
privateNetwork = true; privateNetwork = true;
hostAddress = ip.host; hostAddress = hostIp;
localAddress = ip.local; localAddress = ip;
config = config // { config = config // {
boot.isContainer = true; boot.isContainer = true;
networking.hostName = "${name}";
networking.useDHCP = false;
networking.firewall.enable = true; networking = {
networking.firewall.allowedTCPPorts = ports.tcp; hostName = "${name}";
networking.firewall.allowedUDPPorts = ports.udp;
system.stateVersion = state-version; hosts = lib.foldMap ({ name, ip, ...}:
{ "${ip}" = [ "${name}.containers" "${name}" ]; }
) services;
firewall.enable = true;
firewall.allowedTCPPorts = ports.tcp;
firewall.allowedUDPPorts = ports.udp;
};
system.stateVersion = state-version;
};
}; };
};
} }
) services ) services;
}
// //
@ -38,29 +52,75 @@ lib.foldMap ({ name, ip, config, ports, ... }:
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;
virtualHosts = virtualHosts =
lib.foldMap ({ ip, ports, hosts, ... }: lib.foldMap ({ ports, hosts, ip, ... }:
lib.foldMap (host: lib.foldMap (host:
{ if (builtins.isNull ports.http)
"${host}" = { then {}
locations."/".proxyPass = "http://${ip.local}:${builtins.toString ports.http}"; else {
}; "${host}" = {
} locations."/".proxyPass =
"http://${ip}:${builtins.toString ports.http}";
};
}
) hosts ) hosts
) services; ) services;
}; };
# [NETWORK] # [SSHD]
networking.firewall.allowedTCPPorts = [ 80 ]; services.openssh = {
networking.firewall.allowedUDPPorts = [ ]; enable = true;
networking.hostName = "cafe"; settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
# VM test user # [NETWORK]
users.users.admin.isNormalUser = true; networking = {
users.users.admin.hashedPassword = pkgs.lib.removeSuffix "\n" hostName = "cafe";
(builtins.readFile ./secrets/admin_password);
users.users.admin.group = "admin"; firewall.allowedTCPPorts = [ 22 80 443 ];
firewall.allowedUDPPorts = [ ];
nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "lo";
};
};
# [USER]
users.users.admin = {
isNormalUser = true;
group = "admin";
extraGroups = [ "wheel" ];
hashedPassword = pkgs.lib.removeSuffix "\n"
(builtins.readFile ./secrets/admin_password);
openssh.authorizedKeys.keyFiles = [ ./secrets/id_ed25519.pub ];
};
users.groups.admin = {}; users.groups.admin = {};
# [SOFTWARE]
programs.bash.interactiveShellInit = ''
set -o vi
'';
# [NIX]
nix = {
settings = {
experimental-features = [ "nix-command" "flakes" ];
auto-optimise-store = true;
};
gc = {
automatic = true;
dates = "monthly";
options = "--delete-older-than 30d";
};
};
security.sudo.enable = false;
security.doas.enable = true;
system.stateVersion = state-version; system.stateVersion = state-version;
} }
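Review bot: `networking.nat.externalInterface = "lo"` in the second hunk masquerades container traffic out of the loopback device, which I would not expect to give the `ve-+` containers any route beyond the host; if they need outbound access the VM's uplink interface is the usual value, and if they are meant to stay isolated the `nat` block can be dropped rather than left pointing at `lo`. In the first hunk, the inner `lib.foldMap ({ name, ip, ...}: ...)` that builds `networking.hosts` rebinds `name` and `ip` inside a lambda whose outer scope already binds the same names for the container being defined, which reads as if the container's own values were used; `lib.foldMap (peer: { "${peer.ip}" = [ "${peer.name}.containers" "${peer.name}" ]; }) services` removes the ambiguity. The host firewall also opens 443 while the visible nginx config only has plain-HTTP `proxyPass` entries, so either a TLS listener is configured elsewhere or the port can stay closed until one exists.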

BIN
secrets/gitea_postgres_pass Normal file

Binary file not shown.

BIN
secrets/id_ed25519.pub Normal file

Binary file not shown.


@ -1,15 +1,16 @@
{ pkgs, ... }: { { pkgs, ... }: {
name = "gitea"; name = "gitea";
ip = {
host = "10.10.0.1";
local = "10.10.0.2";
};
config = { config = {
services.gitea = { services.gitea = {
enable = true; enable = true;
appName = "My awesome Gitea server"; # Give the site a name appName = "My awesome Gitea server"; # Give the site a name
database = { database = {
type = "sqlite3"; type = "postgres";
host = "postgres.containers";
port = 3306;
name = "gitea";
user = "gitea";
passwordFile = ../secrets/gitea_postgres_pass;
}; };
settings.server = { settings.server = {
DOMAIN = "localhost"; DOMAIN = "localhost";
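Review bot: `passwordFile = ../secrets/gitea_postgres_pass;` is a Nix path literal, so the secret is copied into /nix/store at evaluation time and gitea's config ends up pointing at a store path readable by every local user; the same happens in services/postgres.nix, where `pkgs.lib.strings.fileContents` on that file embeds the password in the `initialScript` store file. The option expects a string path to a file provisioned outside the store at deploy time, e.g. `passwordFile = "/path/outside/store/gitea_postgres_pass";` (placeholder path), and since this commit also adds `secrets/gitea_postgres_pass` to the repository, the secret is now in git history as well. `port = 3306` is the MySQL default; it is consistent with services/postgres.nix, but a reader will expect 5432 for postgres. The attrset being edited begins on the hunk's first line and continues past its last.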

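--- a/services/postgres.nix
+++ b/services/postgres.nix
@@ -0,0 +1,25 @@
+{ pkgs, ... }: {
+name = "postgres";
+config = {
+services.postgresql = {
+enable = true;
+enableTCPIP = true;
+port = 3306;
+ensureDatabases = [ "gitea" ];
+initialScript = pkgs.writeText "backend-initScript" ''
+CREATE USER gitea WITH LOGIN PASSWORD '${pkgs.lib.strings.fileContents ../secrets/gitea_postgres_pass}' CREATEDB;
+CREATE DATABASE gitea;
+GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+'';
+authentication = pkgs.lib.mkOverride 10 ''
+host all all 10.10.0.0/16 trust
+'';
+};
+};
+ports = {
+tcp = [ 3306 ];
+udp = [];
+http = null;
+};
+hosts = [ ];
+}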
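Review bot: `host all all 10.10.0.0/16 trust` lets any client in that range connect as any role, including the `postgres` superuser, without presenting a password, so the password set in `initialScript` is never actually required and every container on 10.10.0.0/24 (plus the host) gets full control of the server. Restrict the rule to the one role and database that need it and require authentication: `host gitea gitea 10.10.0.0/24 scram-sha-256` (the /24 matches the addresses host.nix assigns; `md5` if the deployed postgres does not default to scram). `CREATE USER gitea ... CREATEDB` grants more than gitea needs since the database is created and granted on the next two lines, and `CREATE DATABASE gitea` overlaps with `ensureDatabases = [ "gitea" ]`; I believe the ensure step tolerates an existing database, but one of the two is redundant.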


@ -8,10 +8,6 @@ Services are of the form:
```nix ```nix
{ pkgs, ... }: { { pkgs, ... }: {
name = "name"; name = "name";
ip = {
host = "ip";
local = "ip";
};
config = { ... }; config = { ... };
ports = { ports = {
tcp = [ 80 ]; tcp = [ 80 ];
@ -21,4 +17,3 @@ Services are of the form:
hosts = [ "myservice.domain.mjau" ]; hosts = [ "myservice.domain.mjau" ];
} }
``` ```