diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index ff23344..bed7d76 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -146,14 +146,26 @@
 enable = true;
 externalInterface = "wan";
 };
- extraRules = ''
+ extraRules =
+ let
+ aa = allAssignments;
+ matchInet = rule: sys: ''
+ ip daddr ${aa."${sys}".internal.ipv4.address} ${rule}
+ ip6 daddr ${aa."${sys}".internal.ipv6.address} ${rule}
+ '';
+ in
+ ''
 table inet filter {
 chain routing-tcp {
 # Safe enough to allow all SSH
 tcp dport ssh accept
+
+ ${matchInet "tcp dport { http, https } accept" "middleman"}
+
+ return
 }
 chain routing-udp {
-
+ return
 }
 chain filter-routing {
 tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
diff --git a/nixos/boxes/colony/vms/shill/containers/default.nix b/nixos/boxes/colony/vms/shill/containers/default.nix
index 67600d5..1f91f77 100644
--- a/nixos/boxes/colony/vms/shill/containers/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
+ ./middleman.nix
 ./vaultwarden.nix
 ];
 }
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman.nix b/nixos/boxes/colony/vms/shill/containers/middleman.nix
new file mode 100644
index 0000000..1a015a7
--- /dev/null
+++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix
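Review bot: The `return` added at the end of `routing-tcp` and `routing-udp` is a no-op in nftables: a regular chain entered via `jump` hands control back to the caller once its rules are exhausted, so the line changes nothing, and the same applies to the `return` lines added to `wan-tcp` and `wan-udp` in nixos/modules/firewall.nix. If it is meant to document where a non-matching packet goes, a comment says it better: `# no match here: evaluation continues after the jump in filter-routing`. `matchInet` also deserves a one-liner such as `# one accept rule per address family for the named system's internal address`, and it is worth noting that it dereferences `internal.ipv6.address` unconditionally, so naming a system without an IPv6 assignment would abort evaluation rather than simply skip that rule. As far as this hunk shows the http/https accept is keyed on destination only, not on the ingress interface; that is fine if `filter-routing` is only reached for WAN-originated traffic, which the chain definitions outside the hunk would confirm.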
@@ -0,0 +1,63 @@
+{
+ nixos.systems.middleman = {
+ system = "x86_64-linux";
+ nixpkgs = "mine";
+
+ assignments = {
+ internal = {
+ name = "middleman-ctr";
+ altNames = [ "http" ];
+ ipv4.address = "10.100.2.2";
+ ipv6 = rec {
+ iid = "::2";
+ address = "2a0e:97c0:4d0:bbb2${iid}";
+ };
+ };
+ };
+
+ configuration = { lib, config, assignments, ... }:
+ let
+ inherit (lib) mkMerge mkIf;
+ inherit (lib.my) networkdAssignment;
+ in
+ {
+ config = mkMerge [
+ {
+ my = {
+ server.enable = true;
+
+ secrets = {
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
+ };
+
+ firewall = {
+ tcp.allowed = [ "http" "https" ];
+ };
+
+ tmproot.persistence.config.directories = [
+ ];
+ };
+
+ systemd = {
+ network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+ enableReload = true;
+ };
+ };
+ }
+ (mkIf config.my.build.isDevVM {
+ virtualisation = {
+ forwardPorts = [
+ { from = "host"; host.port = 8080; guest.port = 80; }
+ { from = "host"; host.port = 8443; guest.port = 443; }
+ ];
+ };
+ })
+ ];
+ };
+ };
+}
diff --git a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
index 6e66aff..4360907 100644
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -6,9 +6,9 @@
 assignments = {
 internal = {
 name = "vaultwarden-ctr";
- ipv4.address = "10.100.2.2";
+ ipv4.address = "10.100.2.3";
 ipv6 = rec {
- iid = "::2";
+ iid = "::3";
 address = "2a0e:97c0:4d0:bbb2${iid}";
 };
 };
diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix
index 5e0c506..ddb57e3 100644
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
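Review bot: `tmproot.persistence.config.directories = [ ];` is an empty list with no comment saying what is expected to stay transient, while the same file opens `https` in `firewall.tcp.allowed` and the nginx block configures neither virtual hosts nor TLS; if certificate material (ACME or otherwise) is added later it will live under the throwaway root unless its directory is listed here. Either drop the empty list or annotate the intent, e.g. `# nothing persisted yet: nginx config is fully declarative; add cert/ACME state dirs here if TLS is enabled`. The `secrets.key` value is an ssh-ed25519 public key, which is fine to commit, but a short comment naming what the secrets module uses it for would spare the next reader a trip into that module. The 8080/8443 `forwardPorts` are correctly gated on `isDevVM` and need no change.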
@@ -26,7 +26,8 @@ configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }: let - inherit (lib) mkIf mkMerge mkForce; + inherit (builtins) mapAttrs; + inherit (lib) mkIf mkMerge mkForce recursiveUpdate; inherit (lib.my) networkdAssignment; in {
@@ -96,10 +97,11 @@ trustedInterfaces = [ "vms" "ctrs" ]; }; - containers = { - instances.vaultwarden = { - networking.bridge = "ctrs"; - }; + containers.instances = mapAttrs (_: c: recursiveUpdate c { + networking.bridge = "ctrs"; + }) { + middleman = {}; + vaultwarden = {}; }; }; }
diff --git a/nixos/modules/containers.nix b/nixos/modules/containers.nix
index 9455c36..bf340e2 100644
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -216,7 +216,6 @@ in
 reload =
 # `switch-to-configuration test` switches config without trying to update bootloader
 ''
- # TODO: This still breaks on first deploy over the dummy...
 [ -e "${system}"/bin/switch-to-configuration ] && \
 systemd-run --pipe --machine ${n} -- "${containerSystem}"/bin/switch-to-configuration test
 '';
diff --git a/nixos/modules/deploy-rs.nix b/nixos/modules/deploy-rs.nix
index 8c227d9..d40a24e 100644
--- a/nixos/modules/deploy-rs.nix
+++ b/nixos/modules/deploy-rs.nix
@@ -27,9 +27,15 @@ let name = "container-${n}"; value = { path = pkgs.deploy-rs.lib.activate.custom ctrConfig.my.buildAs.container - '' - systemctl ${if c.hotReload then "reload" else "restart"} systemd-nspawn@${n} - ''; + (if c.hotReload then '' + if systemctl show -p StatusText systemd-nspawn@${n} | grep -q "Dummy container"; then + action=restart + else + action=reload + fi + + systemctl "$action" systemd-nspawn@${n} + '' else "systemctl restart systemd-nspawn@${n}"); profilePath = "/nix/var/nix/profiles/per-container/${n}/system"; user = "root";
diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix
index 4c2cca7..1f1ca66 100644
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
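Review bot: In the `containers.instances` hunk of nixos/boxes/colony/vms/shill/default.nix, `recursiveUpdate c { networking.bridge = "ctrs"; }` puts the per-instance attrset on the left, so the shared literal wins: a `networking.bridge` (or any other overlapping key) later set inside `middleman = {}` or `vaultwarden = {}` would be silently overridden instead of overriding the default. Flipping the arguments, `recursiveUpdate { networking.bridge = "ctrs"; } c`, lets instance-specific settings take precedence, which is presumably the point of keeping a per-instance map; with both instances empty today the change is behaviour-neutral. A comment such as `# shared container defaults; per-instance attrs override them` would pin the intended direction for the next addition.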
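Review bot: The hot-reload branch in nixos/modules/deploy-rs.nix still runs `systemctl reload systemd-nspawn@${n}` when the unit is not running at all: `systemctl show -p StatusText` on an inactive unit prints an empty StatusText, `grep -q "Dummy container"` fails, `action=reload` is chosen, and systemd refuses to reload an inactive service, so a first deploy onto a stopped container fails. Folding a liveness check into the same condition, `if ! systemctl is-active --quiet systemd-nspawn@${n} || systemctl show -p StatusText systemd-nspawn@${n} | grep -q "Dummy container"; then`, restarts (and thereby starts) in that case while keeping reload for the live-container path. The literal `"Dummy container"` couples this script to whatever sets StatusText in the container unit, which is outside this diff; a comment above the test, e.g. `# StatusText is set by the placeholder container unit — keep the string in sync`, would make that dependency visible. Note also that a failure of `systemctl show` itself (permissions, dbus down) lands in the reload branch, which is the less safe default; the enclosing `value = { ... }` attrset continues past the hunk.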
@@ -83,9 +83,11 @@ in table inet filter { chain wan-tcp { ${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") openTCP} + return } chain wan-udp { ${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") openUDP} + return } chain wan {
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index 70b9e84..b0d6b93 100644
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -113,6 +113,8 @@ in
 # Auto-generated (on activation?)
 "/root/.nix-channels"
 "/root/.nix-defexpr"
+
+ "/var/lib/logrotate.status"
 ];
 persistence.config = {
 # In impermanence the key in `environment.persistence.*` (aka name passed the attrsOf submodule) sets the
@@ -166,6 +168,9 @@ in (mkIf config.security.doas.enable { my.tmproot.unsaved.ignore = [ "/etc/doas.conf" ]; }) + (mkIf config.services.resolved.enable { + my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ]; + }) (mkIf config.my.build.isDevVM { my.tmproot.unsaved.ignore = [ "/nix" ];
@@ -220,9 +225,6 @@ in my.tmproot.persistence.config.files = concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys; }) - (mkIf config.services.logrotate.enable { - my.tmproot.persistence.config.files = [ "/var/lib/logrotate.status" ]; - }) (mkIf config.my.build.isDevVM { fileSystems = mkVMOverride { # Hijack the "root" device for persistence in the VM
diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age
index c1d89ce..17e0909 100644
Binary files a/secrets/user-passwd.txt.age and b/secrets/user-passwd.txt.age differ
diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age
index ddc5a5f..e729478 100644
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age
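Review bot: In nixos/modules/tmproot.nix, moving `"/var/lib/logrotate.status"` out of the conditional `persistence.config.files` entry and into the list at line 113 changes what happens to logrotate state across reboots, and the hunk shows neither which option that list feeds nor why; the neighbouring `# Auto-generated (on activation?)` comment does not obviously describe a logrotate state file. If the list is the unsaved-ignore default, the effect is that logrotate's rotation schedule restarts from its first run after each boot, which may well be acceptable but deserves a line of its own, e.g. `# logrotate state: deliberately not persisted, the schedule simply restarts after boot`. The `/etc/resolv.conf` ignore for resolved follows the existing doas entry's shape and reads fine.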
@@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 Lqn0Yw VmwYgZn0wfCPNmwMot88E5HIt5KQDOQI6ylzQ5WJeg0 -qxaprd2nOEmNjq5uMfN/SG3VYOANsl1mgB0o/7T+2Ek --> X25519 8JIr+LQxrTRS4E9EyLFKSB/0J207foeHRDhWjLVOZEw -evAK6VTgfMucDrQL2zRu4CI52gIK/TNXH2Tx0iYEMVM --> <"8l}KO-grease -Rd7ooeg76wEs9x+a5HhTFlS5Y+RK7wZK1SUdI4SknztHMjMwO/FC/w ---- 7c/+kShXCtzYStmGvEF/XzrLiE/LpSHX4g1whtZEBYk - ~O,4H&b9]-SK-l^DJ6aÂ-ɠ) X:NԬ#~&i{pU+ϷUw>b:N/R \ No newline at end of file +-> ssh-ed25519 Lqn0Yw 8O/4DNOBVj9N2QBh4iAcpQPFYKK884dVYBGii6QvMFs +enBLaFlBILu61uFQwV6v8PyWG0M0JkmSfpk/tztrLls +-> X25519 6X2M/VOMrMTIdgg9dRlVQmF2LWq5W53rNLzZ8UAJWVM +xFEKeZD+w68RyK+jlyFB82oQ6a6+FCBmYcjvc/8Wg9M +-> uVBC-grease +70cjnfhD0khuuiGtBG7MwE2CSEgmClW9/wQeZhAdOQ4 +--- hykfNiGB0dkhlbOabguSHtVFYtAtlFK6ld7GU8E3+WI +L;s5M%u ӆ3#%5#1gujtc79r^OȸߥɗbcobvÊN郑`R ;6?ʱ!' \ No newline at end of file