networking stuff

2024-05-24 22:30:04 +02:00 · 2024-05-24 22:30:04 +02:00 · 3f21fc215d
commit 3f21fc215d
parent b4533a3def
9 changed files with 138 additions and 52 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+cafe.qcow2
--- a/build-vm.sh
+++ b/build-vm.sh
@ -1,5 +1,7 @@
 #!/bin/sh -e
-nixos-rebuild build-vm --flake .#cafe-virt
-rm -f nixos.qcow2
-./result/bin/run-*-vm
-rm -f nixos.qcow2 result
+nixos-rebuild build-vm --flake .#cafe-virt "$@"
+rm -f cafe.qcow2
+echo "[STARTING VM]"
+./result/bin/run-*-vm -nographic
+echo "[STOPPING VM]"
+rm -f cafe.qcow2 result
--- a/flake.nix
+++ b/flake.nix
@ -12,13 +12,15 @@
          nix.registry.nixpkgs.flake = nixpkgs;
          system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
        };
-        # 8888 on host is 80 on guest
+        # 8080 on host is 80 on guest
+        # 2222 on host is 22 on guest
        virt-module = {
          virtualisation.vmVariant = {
            virtualisation.cores = 4;
            virtualisation.memorySize = 4096;
            virtualisation.forwardPorts = [
              { from = "host"; host.port = 8080; guest.port = 80; }
+              { from = "host"; host.port = 2222;  guest.port = 22; }
            ];
          };
        };
--- a/host.nix
+++ b/host.nix
@ -1,34 +1,48 @@
 state-version: { pkgs, ... }:
-let secrets = import ./secrets/secrets.nix;
-    services = with builtins;
-      map (s: import (./services + "/${s}") { inherit pkgs; })
-          (filter (s: ! isNull (match ".*\.nix" s)) 
-                  (attrNames (readDir ./services)));
+let services = with builtins;
+      let services_no_ip =
+        map (s: import (./services + "/${s}") { inherit pkgs; })
+            (filter (s: ! isNull (match ".*\.nix" s)) 
+                    (attrNames (readDir ./services)));
+      in genList (i: elemAt services_no_ip i // { ip = "10.10.0.${toString (i+2)}"; }) (length services_no_ip);
+
    lib = import ./lib.nix;
+    secrets = import ./secrets/secrets.nix;
+
+    hostIp = "10.10.0.1";
 in

-lib.foldMap ({ name, ip, config, ports, ... }: 
 { 
-  containers.${name} = {
-    autoStart = true;
-    ephemeral = true;
-    privateNetwork = true;
-    hostAddress = ip.host;
-    localAddress = ip.local;
-    config = config // {
-      boot.isContainer = true;
-      networking.hostName = "${name}";
-      networking.useDHCP = false;
+  containers = 
+lib.foldMap ({ name, config, ip, ports, ... }: 
+{
+  ${name} = {
+      autoStart = true;
+      ephemeral = true;
+      privateNetwork = true;
+      hostAddress = hostIp;
+      localAddress = ip;
+      config = config // {
+        boot.isContainer = true;

-      networking.firewall.enable = true;
-      networking.firewall.allowedTCPPorts = ports.tcp;
-      networking.firewall.allowedUDPPorts = ports.udp;
+        networking = {
+          hostName = "${name}";

-      system.stateVersion = state-version;
+          hosts = lib.foldMap ({ name, ip, ...}:
+            { "${ip}" = [ "${name}.containers" "${name}" ]; }
+          ) services;
+
+          firewall.enable = true;
+          firewall.allowedTCPPorts = ports.tcp;
+          firewall.allowedUDPPorts = ports.udp;
+        };
+
+        system.stateVersion = state-version;
+      };
    };
-  };
 }
-) services
+) services;
+}

 //

@ -38,29 +52,75 @@ lib.foldMap ({ name, ip, config, ports, ... }:
    enable = true;
    recommendedProxySettings = true;
    virtualHosts =
-      lib.foldMap ({ ip, ports, hosts, ... }: 
+      lib.foldMap ({ ports, hosts, ip, ... }: 
        lib.foldMap (host: 
-        {
-          "${host}" = {
-            locations."/".proxyPass = "http://${ip.local}:${builtins.toString ports.http}";
-          };
-        }
+          if (builtins.isNull ports.http) 
+            then {}
+            else {
+              "${host}" = {
+                locations."/".proxyPass = 
+                  "http://${ip}:${builtins.toString ports.http}";
+              };
+            }
        ) hosts
      ) services;
  };

-  # [NETWORK]
-  networking.firewall.allowedTCPPorts = [ 80 ];
-  networking.firewall.allowedUDPPorts = [ ];
-  networking.hostName = "cafe";
+  # [SSHD]
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+    };
+  };

-  # VM test user
-  users.users.admin.isNormalUser = true;
-  users.users.admin.hashedPassword = pkgs.lib.removeSuffix "\n" 
-    (builtins.readFile ./secrets/admin_password);
-  users.users.admin.group = "admin";
+  # [NETWORK]
+  networking = {
+    hostName = "cafe";
+
+    firewall.allowedTCPPorts = [ 22 80 443 ];
+    firewall.allowedUDPPorts = [ ];
+
+    nat = {
+      enable = true;
+      internalInterfaces = ["ve-+"];
+      externalInterface = "lo";
+    };
+  };
+
+  # [USER]
+  users.users.admin = {
+    isNormalUser = true;
+    group = "admin";
+    extraGroups = [ "wheel" ];
+    hashedPassword = pkgs.lib.removeSuffix "\n" 
+      (builtins.readFile ./secrets/admin_password);
+    openssh.authorizedKeys.keyFiles = [ ./secrets/id_ed25519.pub ];
+  };
  users.groups.admin = {};

+  # [SOFTWARE]
+  programs.bash.interactiveShellInit = ''
+    set -o vi
+  '';
+
+  # [NIX]
+  nix = {
+    settings = {
+      experimental-features = [ "nix-command" "flakes" ];
+      auto-optimise-store = true;
+    };
+    gc = {
+      automatic = true;
+      dates = "monthly";
+      options = "--delete-older-than 30d";
+    };
+  };
+
+  security.sudo.enable = false;
+  security.doas.enable = true;
+
  system.stateVersion = state-version;

 }
--- a/secrets/gitea_postgres_pass
+++ b/secrets/gitea_postgres_pass
--- a/secrets/id_ed25519.pub
+++ b/secrets/id_ed25519.pub
--- a/services/gitea.nix
+++ b/services/gitea.nix
@ -1,15 +1,16 @@
 { pkgs, ... }: {
  name = "gitea";
-  ip = {
-    host = "10.10.0.1";
-    local = "10.10.0.2";
-  };
  config = {
    services.gitea = {
      enable = true;
      appName = "My awesome Gitea server"; # Give the site a name
      database = {
-        type = "sqlite3";
+        type = "postgres";
+        host = "postgres.containers";
+        port = 3306;
+        name = "gitea";
+        user = "gitea";
+        passwordFile = ../secrets/gitea_postgres_pass;
      };
      settings.server = {
        DOMAIN = "localhost";
--- a/services/postgres.nix
+++ b/services/postgres.nix
@ -0,0 +1,25 @@
+{ pkgs, ... }: {
+  name = "postgres";
+  config = {
+    services.postgresql = {
+      enable = true;
+      enableTCPIP = true;
+      port = 3306;
+      ensureDatabases = [ "gitea" ];
+      initialScript = pkgs.writeText "backend-initScript" ''
+        CREATE USER gitea WITH LOGIN PASSWORD '${pkgs.lib.strings.fileContents ../secrets/gitea_postgres_pass}' CREATEDB;
+        CREATE DATABASE gitea;
+        GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+      '';
+      authentication = pkgs.lib.mkOverride 10 ''
+        host  all      all     10.10.0.0/16   trust
+      '';
+    };
+  };
+  ports = {
+    tcp = [ 3306 ];
+    udp = [];
+    http = null;
+  };
+  hosts = [ ];
+}
--- a/services/readme.md
+++ b/services/readme.md
@ -8,10 +8,6 @@ Services are of the form:
 ```nix
 { pkgs, ... }: {
  name = "name";
-  ip = {
-    host = "ip";
-    local = "ip";
-  };
  config = { ... };
  ports = {
    tcp = [ 80 ];
@ -21,4 +17,3 @@ Services are of the form:
  hosts = [ "myservice.domain.mjau" ];
 }
 ```
-