networking stuff
This commit is contained in:
parent
b4533a3def
commit
3f21fc215d
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
cafe.qcow2
|
10
build-vm.sh
10
build-vm.sh
|
@ -1,5 +1,7 @@
|
||||||
#!/bin/sh -e
|
#!/bin/sh -e
|
||||||
nixos-rebuild build-vm --flake .#cafe-virt
|
nixos-rebuild build-vm --flake .#cafe-virt "$@"
|
||||||
rm -f nixos.qcow2
|
rm -f cafe.qcow2
|
||||||
./result/bin/run-*-vm
|
echo "[STARTING VM]"
|
||||||
rm -f nixos.qcow2 result
|
./result/bin/run-*-vm -nographic
|
||||||
|
echo "[STOPPING VM]"
|
||||||
|
rm -f cafe.qcow2 result
|
||||||
|
|
|
@ -12,13 +12,15 @@
|
||||||
nix.registry.nixpkgs.flake = nixpkgs;
|
nix.registry.nixpkgs.flake = nixpkgs;
|
||||||
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
|
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||||
};
|
};
|
||||||
# 8888 on host is 80 on guest
|
# 8080 on host is 80 on guest
|
||||||
|
# 2222 on host is 22 on guest
|
||||||
virt-module = {
|
virt-module = {
|
||||||
virtualisation.vmVariant = {
|
virtualisation.vmVariant = {
|
||||||
virtualisation.cores = 4;
|
virtualisation.cores = 4;
|
||||||
virtualisation.memorySize = 4096;
|
virtualisation.memorySize = 4096;
|
||||||
virtualisation.forwardPorts = [
|
virtualisation.forwardPorts = [
|
||||||
{ from = "host"; host.port = 8080; guest.port = 80; }
|
{ from = "host"; host.port = 8080; guest.port = 80; }
|
||||||
|
{ from = "host"; host.port = 2222; guest.port = 22; }
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
134
host.nix
134
host.nix
|
@ -1,34 +1,48 @@
|
||||||
state-version: { pkgs, ... }:
|
state-version: { pkgs, ... }:
|
||||||
let secrets = import ./secrets/secrets.nix;
|
let services = with builtins;
|
||||||
services = with builtins;
|
let services_no_ip =
|
||||||
map (s: import (./services + "/${s}") { inherit pkgs; })
|
map (s: import (./services + "/${s}") { inherit pkgs; })
|
||||||
(filter (s: ! isNull (match ".*\.nix" s))
|
(filter (s: ! isNull (match ".*\.nix" s))
|
||||||
(attrNames (readDir ./services)));
|
(attrNames (readDir ./services)));
|
||||||
|
in genList (i: elemAt services_no_ip i // { ip = "10.10.0.${toString (i+2)}"; }) (length services_no_ip);
|
||||||
|
|
||||||
lib = import ./lib.nix;
|
lib = import ./lib.nix;
|
||||||
|
secrets = import ./secrets/secrets.nix;
|
||||||
|
|
||||||
|
hostIp = "10.10.0.1";
|
||||||
in
|
in
|
||||||
|
|
||||||
lib.foldMap ({ name, ip, config, ports, ... }:
|
{
|
||||||
|
containers =
|
||||||
|
lib.foldMap ({ name, config, ip, ports, ... }:
|
||||||
{
|
{
|
||||||
containers.${name} = {
|
${name} = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
ephemeral = true;
|
ephemeral = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostAddress = ip.host;
|
hostAddress = hostIp;
|
||||||
localAddress = ip.local;
|
localAddress = ip;
|
||||||
config = config // {
|
config = config // {
|
||||||
boot.isContainer = true;
|
boot.isContainer = true;
|
||||||
networking.hostName = "${name}";
|
|
||||||
networking.useDHCP = false;
|
|
||||||
|
|
||||||
networking.firewall.enable = true;
|
networking = {
|
||||||
networking.firewall.allowedTCPPorts = ports.tcp;
|
hostName = "${name}";
|
||||||
networking.firewall.allowedUDPPorts = ports.udp;
|
|
||||||
|
|
||||||
system.stateVersion = state-version;
|
hosts = lib.foldMap ({ name, ip, ...}:
|
||||||
|
{ "${ip}" = [ "${name}.containers" "${name}" ]; }
|
||||||
|
) services;
|
||||||
|
|
||||||
|
firewall.enable = true;
|
||||||
|
firewall.allowedTCPPorts = ports.tcp;
|
||||||
|
firewall.allowedUDPPorts = ports.udp;
|
||||||
|
};
|
||||||
|
|
||||||
|
system.stateVersion = state-version;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
}
|
}
|
||||||
) services
|
) services;
|
||||||
|
}
|
||||||
|
|
||||||
//
|
//
|
||||||
|
|
||||||
|
@ -38,29 +52,75 @@ lib.foldMap ({ name, ip, config, ports, ... }:
|
||||||
enable = true;
|
enable = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
virtualHosts =
|
virtualHosts =
|
||||||
lib.foldMap ({ ip, ports, hosts, ... }:
|
lib.foldMap ({ ports, hosts, ip, ... }:
|
||||||
lib.foldMap (host:
|
lib.foldMap (host:
|
||||||
{
|
if (builtins.isNull ports.http)
|
||||||
"${host}" = {
|
then {}
|
||||||
locations."/".proxyPass = "http://${ip.local}:${builtins.toString ports.http}";
|
else {
|
||||||
};
|
"${host}" = {
|
||||||
}
|
locations."/".proxyPass =
|
||||||
|
"http://${ip}:${builtins.toString ports.http}";
|
||||||
|
};
|
||||||
|
}
|
||||||
) hosts
|
) hosts
|
||||||
) services;
|
) services;
|
||||||
};
|
};
|
||||||
|
|
||||||
# [NETWORK]
|
# [SSHD]
|
||||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
services.openssh = {
|
||||||
networking.firewall.allowedUDPPorts = [ ];
|
enable = true;
|
||||||
networking.hostName = "cafe";
|
settings = {
|
||||||
|
PermitRootLogin = "no";
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# VM test user
|
# [NETWORK]
|
||||||
users.users.admin.isNormalUser = true;
|
networking = {
|
||||||
users.users.admin.hashedPassword = pkgs.lib.removeSuffix "\n"
|
hostName = "cafe";
|
||||||
(builtins.readFile ./secrets/admin_password);
|
|
||||||
users.users.admin.group = "admin";
|
firewall.allowedTCPPorts = [ 22 80 443 ];
|
||||||
|
firewall.allowedUDPPorts = [ ];
|
||||||
|
|
||||||
|
nat = {
|
||||||
|
enable = true;
|
||||||
|
internalInterfaces = ["ve-+"];
|
||||||
|
externalInterface = "lo";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# [USER]
|
||||||
|
users.users.admin = {
|
||||||
|
isNormalUser = true;
|
||||||
|
group = "admin";
|
||||||
|
extraGroups = [ "wheel" ];
|
||||||
|
hashedPassword = pkgs.lib.removeSuffix "\n"
|
||||||
|
(builtins.readFile ./secrets/admin_password);
|
||||||
|
openssh.authorizedKeys.keyFiles = [ ./secrets/id_ed25519.pub ];
|
||||||
|
};
|
||||||
users.groups.admin = {};
|
users.groups.admin = {};
|
||||||
|
|
||||||
|
# [SOFTWARE]
|
||||||
|
programs.bash.interactiveShellInit = ''
|
||||||
|
set -o vi
|
||||||
|
'';
|
||||||
|
|
||||||
|
# [NIX]
|
||||||
|
nix = {
|
||||||
|
settings = {
|
||||||
|
experimental-features = [ "nix-command" "flakes" ];
|
||||||
|
auto-optimise-store = true;
|
||||||
|
};
|
||||||
|
gc = {
|
||||||
|
automatic = true;
|
||||||
|
dates = "monthly";
|
||||||
|
options = "--delete-older-than 30d";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security.sudo.enable = false;
|
||||||
|
security.doas.enable = true;
|
||||||
|
|
||||||
system.stateVersion = state-version;
|
system.stateVersion = state-version;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
BIN
secrets/gitea_postgres_pass
Normal file
BIN
secrets/gitea_postgres_pass
Normal file
Binary file not shown.
BIN
secrets/id_ed25519.pub
Normal file
BIN
secrets/id_ed25519.pub
Normal file
Binary file not shown.
|
@ -1,15 +1,16 @@
|
||||||
{ pkgs, ... }: {
|
{ pkgs, ... }: {
|
||||||
name = "gitea";
|
name = "gitea";
|
||||||
ip = {
|
|
||||||
host = "10.10.0.1";
|
|
||||||
local = "10.10.0.2";
|
|
||||||
};
|
|
||||||
config = {
|
config = {
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
appName = "My awesome Gitea server"; # Give the site a name
|
appName = "My awesome Gitea server"; # Give the site a name
|
||||||
database = {
|
database = {
|
||||||
type = "sqlite3";
|
type = "postgres";
|
||||||
|
host = "postgres.containers";
|
||||||
|
port = 3306;
|
||||||
|
name = "gitea";
|
||||||
|
user = "gitea";
|
||||||
|
passwordFile = ../secrets/gitea_postgres_pass;
|
||||||
};
|
};
|
||||||
settings.server = {
|
settings.server = {
|
||||||
DOMAIN = "localhost";
|
DOMAIN = "localhost";
|
||||||
|
|
25
services/postgres.nix
Normal file
25
services/postgres.nix
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
{ pkgs, ... }: {
|
||||||
|
name = "postgres";
|
||||||
|
config = {
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
enableTCPIP = true;
|
||||||
|
port = 3306;
|
||||||
|
ensureDatabases = [ "gitea" ];
|
||||||
|
initialScript = pkgs.writeText "backend-initScript" ''
|
||||||
|
CREATE USER gitea WITH LOGIN PASSWORD '${pkgs.lib.strings.fileContents ../secrets/gitea_postgres_pass}' CREATEDB;
|
||||||
|
CREATE DATABASE gitea;
|
||||||
|
GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
|
||||||
|
'';
|
||||||
|
authentication = pkgs.lib.mkOverride 10 ''
|
||||||
|
host all all 10.10.0.0/16 trust
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ports = {
|
||||||
|
tcp = [ 3306 ];
|
||||||
|
udp = [];
|
||||||
|
http = null;
|
||||||
|
};
|
||||||
|
hosts = [ ];
|
||||||
|
}
|
|
@ -8,10 +8,6 @@ Services are of the form:
|
||||||
```nix
|
```nix
|
||||||
{ pkgs, ... }: {
|
{ pkgs, ... }: {
|
||||||
name = "name";
|
name = "name";
|
||||||
ip = {
|
|
||||||
host = "ip";
|
|
||||||
local = "ip";
|
|
||||||
};
|
|
||||||
config = { ... };
|
config = { ... };
|
||||||
ports = {
|
ports = {
|
||||||
tcp = [ 80 ];
|
tcp = [ 80 ];
|
||||||
|
@ -21,4 +17,3 @@ Services are of the form:
|
||||||
hosts = [ "myservice.domain.mjau" ];
|
hosts = [ "myservice.domain.mjau" ];
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user