From 11dbc01ba011a5b0b31b82041493ce0ce098fbc1 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Tue, 31 May 2022 21:25:51 +0100
Subject: [PATCH] Add initial nginx container
---
 nixos/boxes/colony/vms/estuary/default.nix | 16 ++++-
 .../colony/vms/shill/containers/default.nix | 1 +
 .../colony/vms/shill/containers/middleman.nix | 63 ++++++++++++++++++
 .../vms/shill/containers/vaultwarden.nix | 4 +-
 nixos/boxes/colony/vms/shill/default.nix | 12 ++--
 nixos/modules/containers.nix | 1 -
 nixos/modules/deploy-rs.nix | 12 +++-
 nixos/modules/firewall.nix | 2 +
 nixos/modules/tmproot.nix | 8 ++-
 secrets/user-passwd.txt.age | Bin 843 -> 987 bytes
 secrets/vaultwarden.env.age | 16 ++--
 11 files changed, 111 insertions(+), 24 deletions(-)
 create mode 100644 nixos/boxes/colony/vms/shill/containers/middleman.nix
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index ff23344..bed7d76 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -146,14 +146,26 @@
 enable = true;
 externalInterface = "wan";
 };
- extraRules = ''
+ extraRules =
+ let
+ aa = allAssignments;
+ matchInet = rule: sys: ''
+ ip daddr ${aa."${sys}".internal.ipv4.address} ${rule}
+ ip6 daddr ${aa."${sys}".internal.ipv6.address} ${rule}
+ '';
+ in
+ ''
 table inet filter {
 chain routing-tcp {
 # Safe enough to allow all SSH
 tcp dport ssh accept
+
+ ${matchInet "tcp dport { http, https } accept" "middleman"}
+
+ return
 }
 chain routing-udp {
-
+ return
 }
 chain filter-routing {
 tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
diff --git a/nixos/boxes/colony/vms/shill/containers/default.nix b/nixos/boxes/colony/vms/shill/containers/default.nix
index 67600d5..1f91f77 100644
--- a/nixos/boxes/colony/vms/shill/containers/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
+ ./middleman.nix
 ./vaultwarden.nix
 ];
 }
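Review bot: `matchInet` in the new `extraRules` let-block carries no comment saying what it emits — a pair of `ip`/`ip6 daddr` rules aimed at the named system's internal v4/v6 addresses taken from `allAssignments` — so a reader has to reconstruct that from the interpolations; a line such as `# matchInet rule sys: emit <rule> for both the v4 and v6 internal address of assignment <sys>` above it would help. The new http/https rules match only on destination address and port; any restriction on ingress interface or source must come from `filter-routing` and the remainder of the `extraRules` string, which continue past the end of the hunk, so it is worth confirming that only WAN-originated traffic is steered into `routing-tcp` and that the now-empty `routing-udp` chain falling through to `return` yields the intended verdict. The `extraRules` assignment itself continues outside the hunk.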
diff --git a/nixos/boxes/colony/vms/shill/containers/middleman.nix b/nixos/boxes/colony/vms/shill/containers/middleman.nix
new file mode 100644
index 0000000..1a015a7
--- /dev/null
+++ b/nixos/boxes/colony/vms/shill/containers/middleman.nix
@@ -0,0 +1,63 @@
+{
+ nixos.systems.middleman = {
+ system = "x86_64-linux";
+ nixpkgs = "mine";
+
+ assignments = {
+ internal = {
+ name = "middleman-ctr";
+ altNames = [ "http" ];
+ ipv4.address = "10.100.2.2";
+ ipv6 = rec {
+ iid = "::2";
+ address = "2a0e:97c0:4d0:bbb2${iid}";
+ };
+ };
+ };
+
+ configuration = { lib, config, assignments, ... }:
+ let
+ inherit (lib) mkMerge mkIf;
+ inherit (lib.my) networkdAssignment;
+ in
+ {
+ config = mkMerge [
+ {
+ my = {
+ server.enable = true;
+
+ secrets = {
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
+ };
+
+ firewall = {
+ tcp.allowed = [ "http" "https" ];
+ };
+
+ tmproot.persistence.config.directories = [
+ ];
+ };
+
+ systemd = {
+ network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+ enableReload = true;
+ };
+ };
+ }
+ (mkIf config.my.build.isDevVM {
+ virtualisation = {
+ forwardPorts = [
+ { from = "host"; host.port = 8080; guest.port = 80; }
+ { from = "host"; host.port = 8443; guest.port = 443; }
+ ];
+ };
+ })
+ ];
+ };
+ };
+}
diff --git a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
index 6e66aff..4360907 100644
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -6,9 +6,9 @@
 assignments = {
 internal = {
 name = "vaultwarden-ctr";
- ipv4.address = "10.100.2.2";
+ ipv4.address = "10.100.2.3";
 ipv6 = rec {
- iid = "::2";
+ iid = "::3";
 address = "2a0e:97c0:4d0:bbb2${iid}";
 };
 };
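Review bot: `my.firewall.tcp.allowed` opens `https` on the container (and the estuary change forwards it from the WAN), but the `services.nginx` block sets nothing beyond `enable`/`enableReload` — no virtual hosts, no TLS — so 443 is opened ahead of any listener that would need it; either defer `"https"` until TLS is configured or add a comment marking it deliberate, e.g. `# https opened ahead of the TLS vhosts that will follow`. The empty `tmproot.persistence.config.directories = [ ];` also deserves a comment on why nothing is persisted yet, since state added later (certificate material, for instance) would otherwise not survive a reboot under tmproot — I am inferring that from the module name, so confirm. `altNames = [ "http" ]` suggests this container is meant to be the canonical HTTP entry point; a one-line header comment describing its role as the front proxy for the other containers would make the file self-explaining.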
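Review bot: Vaultwarden moves from `10.100.2.2`/`::2` to `10.100.2.3`/`::3` and the vacated addresses are reused in the same commit by the new middleman container, so anything outside this repo that still holds the old address by literal value — DNS records, client configuration — would now reach the nginx container instead of failing closed. Within the repo the estuary rules derive addresses from `allAssignments`, which is fine; it is references I cannot see from here that are worth a check. A comment beside the new value, `# .2/::2 now belong to middleman (nginx); vaultwarden renumbered to .3/::3`, would record why the address changed.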
diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix
index 5e0c506..ddb57e3 100644
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -26,7 +26,8 @@
 configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
 let
- inherit (lib) mkIf mkMerge mkForce;
+ inherit (builtins) mapAttrs;
+ inherit (lib) mkIf mkMerge mkForce recursiveUpdate;
 inherit (lib.my) networkdAssignment;
 in
 {
@@ -96,10 +97,11 @@
 trustedInterfaces = [ "vms" "ctrs" ];
 };
- containers = {
- instances.vaultwarden = {
- networking.bridge = "ctrs";
- };
+ containers.instances = mapAttrs (_: c: recursiveUpdate c {
+ networking.bridge = "ctrs";
+ }) {
+ middleman = {};
+ vaultwarden = {};
 };
 };
 }
diff --git a/nixos/modules/containers.nix b/nixos/modules/containers.nix
index 9455c36..bf340e2 100644
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -216,7 +216,6 @@ in
 reload =
 # `switch-to-configuration test` switches config without trying to update bootloader
 ''
- # TODO: This still breaks on first deploy over the dummy...
 [ -e "${system}"/bin/switch-to-configuration ] && \
 systemd-run --pipe --machine ${n} -- "${containerSystem}"/bin/switch-to-configuration test
 '';
diff --git a/nixos/modules/deploy-rs.nix b/nixos/modules/deploy-rs.nix
index 8c227d9..d40a24e 100644
--- a/nixos/modules/deploy-rs.nix
+++ b/nixos/modules/deploy-rs.nix
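Review bot: Both `middleman` and `vaultwarden` are now placed on the same `ctrs` bridge by the `mapAttrs`/`recursiveUpdate` wrapper, and the context line `trustedInterfaces = [ "vms" "ctrs" ]` means the host firewall trusts that bridge entirely, so the WAN-reachable nginx container and the vaultwarden container share a segment with no host-side filtering between them as far as this file shows. If the intent is for nginx to reach vaultwarden only on its HTTP port, that restriction has to live in each container's own `my.firewall` settings or a separate bridge, which I cannot confirm from here. A comment on the wrapper, `# Every container instance is attached to the ctrs bridge; per-container overrides go in the inner attrset`, would make the `mapAttrs` intent clear without reading the lambda.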
@@ -27,9 +27,15 @@ let
 name = "container-${n}";
 value = {
 path = pkgs.deploy-rs.lib.activate.custom ctrConfig.my.buildAs.container
- ''
- systemctl ${if c.hotReload then "reload" else "restart"} systemd-nspawn@${n}
- '';
+ (if c.hotReload then ''
+ if systemctl show -p StatusText systemd-nspawn@${n} | grep -q "Dummy container"; then
+ action=restart
+ else
+ action=reload
+ fi
+
+ systemctl "$action" systemd-nspawn@${n}
+ '' else "systemctl restart systemd-nspawn@${n}");
 profilePath = "/nix/var/nix/profiles/per-container/${n}/system";
 user = "root";
diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix
index 4c2cca7..1f1ca66 100644
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@@ -83,9 +83,11 @@ in
 table inet filter {
 chain wan-tcp {
 ${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") openTCP}
+ return
 }
 chain wan-udp {
 ${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") openUDP}
+ return
 }
 chain wan {
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index 70b9e84..b0d6b93 100644
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -113,6 +113,8 @@ in
 # Auto-generated (on activation?)
 "/root/.nix-channels"
 "/root/.nix-defexpr"
+
+ "/var/lib/logrotate.status"
 ];
 persistence.config = {
 # In impermanence the key in `environment.persistence.*` (aka name passed the attrsOf submodule) sets the
@@ -166,6 +168,9 @@ in
 (mkIf config.security.doas.enable {
 my.tmproot.unsaved.ignore = [ "/etc/doas.conf" ];
 })
+ (mkIf config.services.resolved.enable {
+ my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ];
+ })
 (mkIf config.my.build.isDevVM {
 my.tmproot.unsaved.ignore = [ "/nix" ];
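Review bot: The dummy-container check in the `hotReload` branch keys on `grep -q "Dummy container"` against the free-form `StatusText` of `systemd-nspawn@${n}`, which is a fragile string contract with whatever sets that status, and because the pipeline's exit status is grep's, a failing `systemctl show` (unit absent, for instance) silently selects `reload`. A comment naming where that text comes from would document the coupling, e.g. `# "Dummy container" in StatusText marks the placeholder unit from a first deploy; it cannot be reloaded into the real system, so restart instead` — I am inferring the placeholder's purpose from the TODO removed in containers.nix, so adjust the wording. Consider `systemctl show -p StatusText --value systemd-nspawn@${n} | grep -qF "Dummy container"` so the match is literal and the `StatusText=` prefix is excluded from what is searched. The enclosing `value` attrset continues outside the hunk.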
@@ -220,9 +225,6 @@ in my.tmproot.persistence.config.files = concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys; }) - (mkIf config.services.logrotate.enable { - my.tmproot.persistence.config.files = [ "/var/lib/logrotate.status" ]; - }) (mkIf config.my.build.isDevVM { fileSystems = mkVMOverride { # Hijack the "root" device for persistence in the VM diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age index c1d89ce69807b1c304bf5a07021c682518dd5d2c..17e090938230cc874de63e5dd4fd539b64ff74c4 100644 GIT binary patch literal 987 zcmZ9~&CA<#0Kjn%JLMoEA`XQGHkcavq)GGAA}DEI+B8X%w8_)7&tN8LnwO^erAeAJ z(Tjq(iwHXi>cAHmySUqfm-!C}qM~d}WH86niyoYyUKAbPp1a++! zasVP0p8~y{ZAP*@q*se_loJvFTm24ZOlet5(4k^+?!&2Of z(0aNb4?w>xK!K^MHccx>4C~!Gi2@_YmQzPl#lgyIShRgobEvtp^vLUZcBgJhqLoyOm9onHa=`!MU{2)mp9Bn!c*~ z>L}qj%s;8g+oV0O;5r(ojxmK|)VRz=Yo|X>3z!(TWGdY|D(; zutb7tXFLAF#=Yq*oy0zbIN`wI%W!|l1su;ZXu~LVY>(NTR4T4$FBIQT1%sL#iVp?n z)wA)-otIjE=GnOiH%D-|8nf`TA%H_Q7&KFBhQLdQ5wv;^=mvff*r$ zlFfG4lQ}QC)V>qeYcW&+0=P&*j8$I|HsKtKG?nI?RU)bGpkOmtOx_45X*tD`v#>v3KvO*FU;;<@l>h*lTB= fyk)-i#;N-kZ$J3t{FQol_4;3reDmj{=J|gC9W+?p literal 843 zcmZ9}%j??&0KjpCF(l$endsc1sK~I^rft$BFbDlLk2a6y)#h~=OY>@)=KX4N5EPFx zVJLd?heriL-25TpK?JXY14Z!jGfp;>_z; z1E6=YljobBV-I0?fOTX>qgQoDEr}807ev6;n&#VN12eLp?T68f&N#Um<^!>?RSlI% z5$JBjATb>z!O^L0Tb9}<0?pLJ2yl9bimf6Fas=l7^uodKk|M ztbklNMPSlz>^Okz9a(Xkl><#!(A&j;vIrxV;~Ier9aECA<+O6ZEy>1w&hcB)j|iz< zPxUpdtWIj{vCgGlCu_A*H4re#3$nrnf`w&7tBqSR77(H(*QS!PZP7Y7;Q^#;=c%h^ z>PAV%m=2Bu&ZgPGhh)Rbm#*j~RKP1JPpJAyjZGs^uRHY!DnK=xWphx&birrJw3zfg zC|bj1ms?5joZIZpJqA$|AP&)8xSN{D8n(&h%v-8~OM$ewixHVB{|RJNrE4?>kH`ON z+W*V?cvr_4=B#YD_8@gv3MIE()u%#dWFdqbO(e&t{p})~tpF}XEqFXQAh*IIaVlNk z8?m_4nleyhx=*GvuJI&gZldgeub3yfo|idh?f_PLkn$X(RC_SMP1k3bk>9RGez>Jo zya26w&?5eP#}8+sg*RCf7W1I?SC#?d(RRwC07wb_hSvCf-3omc=>ol8uY)TB=zQ6F%(}$0rVy+!uJ$3$vyWhSvJ&QNLKl04O=iWQI z^C$PjA1|CfI`h?AkG=cA>~NWXR$jR&AAfS~P3Y_EhaX;givIDH8!vxJ+Gn19^p{(& cJ|Cj*f8KuZ>!)uB@7#XvzUb1`*Nt0$0|>G!F#rGn 
diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age index ddc5a5f..e729478 100644 --- a/secrets/vaultwarden.env.age +++ b/secrets/vaultwarden.env.age @@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 Lqn0Yw VmwYgZn0wfCPNmwMot88E5HIt5KQDOQI6ylzQ5WJeg0 -qxaprd2nOEmNjq5uMfN/SG3VYOANsl1mgB0o/7T+2Ek --> X25519 8JIr+LQxrTRS4E9EyLFKSB/0J207foeHRDhWjLVOZEw -evAK6VTgfMucDrQL2zRu4CI52gIK/TNXH2Tx0iYEMVM --> <"8l}KO-grease -Rd7ooeg76wEs9x+a5HhTFlS5Y+RK7wZK1SUdI4SknztHMjMwO/FC/w ---- 7c/+kShXCtzYStmGvEF/XzrLiE/LpSHX4g1whtZEBYk - ~O,4H&b9]-SK-l^DJ6aÂ-ɠ) X:NԬ#~&i{pU+ϷUw>b:N/R \ No newline at end of file +-> ssh-ed25519 Lqn0Yw 8O/4DNOBVj9N2QBh4iAcpQPFYKK884dVYBGii6QvMFs +enBLaFlBILu61uFQwV6v8PyWG0M0JkmSfpk/tztrLls +-> X25519 6X2M/VOMrMTIdgg9dRlVQmF2LWq5W53rNLzZ8UAJWVM +xFEKeZD+w68RyK+jlyFB82oQ6a6+FCBmYcjvc/8Wg9M +-> uVBC-grease +70cjnfhD0khuuiGtBG7MwE2CSEgmClW9/wQeZhAdOQ4 +--- hykfNiGB0dkhlbOabguSHtVFYtAtlFK6ld7GU8E3+WI +L;s5M%u ӆ3#%5#1gujtc79r^OȸߥɗbcobvÊN郑`R ;6?ʱ!' \ No newline at end of file