dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Add initial nginx container

Browse Source
This commit is contained in:
Jack O'Sullivan
2022-05-31 21:25:51 +01:00
parent e79fd4234c
commit 11dbc01ba0
11 changed files with 111 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
nixos/boxes/colony/vms/estuary/default.nix
View File

@@ -146,14 +146,26 @@
enable = true;
externalInterface = "wan";
};
extraRules = ''
extraRules =
let
aa = allAssignments;
matchInet = rule: sys: ''
ip daddr ${aa."${sys}".internal.ipv4.address} ${rule}
ip6 daddr ${aa."${sys}".internal.ipv6.address} ${rule}
'';
in
''
table inet filter {
chain routing-tcp {
# Safe enough to allow all SSH
tcp dport ssh accept
${matchInet "tcp dport { http, https } accept" "middleman"}
return
}
chain routing-udp {
return
}
chain filter-routing {
tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp

1
nixos/boxes/colony/vms/shill/containers/default.nix
View File

@@ -1,5 +1,6 @@
{
imports = [
./middleman.nix
./vaultwarden.nix
];
}

63
nixos/boxes/colony/vms/shill/containers/middleman.nix Normal file
View File

@@ -0,0 +1,63 @@
{
nixos.systems.middleman = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
internal = {
name = "middleman-ctr";
altNames = [ "http" ];
ipv4.address = "10.100.2.2";
ipv6 = rec {
iid = "::2";
address = "2a0e:97c0:4d0:bbb2${iid}";
};
};
};
configuration = { lib, config, assignments, ... }:
let
inherit (lib) mkMerge mkIf;
inherit (lib.my) networkdAssignment;
in
{
config = mkMerge [
{
my = {
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
};
firewall = {
tcp.allowed = [ "http" "https" ];
};
tmproot.persistence.config.directories = [
];
};
systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
};
services = {
nginx = {
enable = true;
enableReload = true;
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
{ from = "host"; host.port = 8080; guest.port = 80; }
{ from = "host"; host.port = 8443; guest.port = 443; }
];
};
})
];
};
};
}

4
nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
View File

@@ -6,9 +6,9 @@
assignments = {
internal = {
name = "vaultwarden-ctr";
ipv4.address = "10.100.2.2";
ipv4.address = "10.100.2.3";
ipv6 = rec {
iid = "::2";
iid = "::3";
address = "2a0e:97c0:4d0:bbb2${iid}";
};
};

12
nixos/boxes/colony/vms/shill/default.nix
View File

@@ -26,7 +26,8 @@
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
let
inherit (lib) mkIf mkMerge mkForce;
inherit (builtins) mapAttrs;
inherit (lib) mkIf mkMerge mkForce recursiveUpdate;
inherit (lib.my) networkdAssignment;
in
{
@@ -96,10 +97,11 @@
trustedInterfaces = [ "vms" "ctrs" ];
};
containers = {
instances.vaultwarden = {
networking.bridge = "ctrs";
};
containers.instances = mapAttrs (_: c: recursiveUpdate c {
networking.bridge = "ctrs";
}) {
middleman = {};
vaultwarden = {};
};
};
}

1
nixos/modules/containers.nix
View File

@@ -216,7 +216,6 @@ in
reload =
# `switch-to-configuration test` switches config without trying to update bootloader
''
# TODO: This still breaks on first deploy over the dummy...
[ -e "${system}"/bin/switch-to-configuration ] && \
systemd-run --pipe --machine ${n} -- "${containerSystem}"/bin/switch-to-configuration test
'';

12
nixos/modules/deploy-rs.nix
View File

@@ -27,9 +27,15 @@ let
name = "container-${n}";
value = {
path = pkgs.deploy-rs.lib.activate.custom ctrConfig.my.buildAs.container
''
systemctl ${if c.hotReload then "reload" else "restart"} systemd-nspawn@${n}
'';
(if c.hotReload then ''
if systemctl show -p StatusText systemd-nspawn@${n} | grep -q "Dummy container"; then
action=restart
else
action=reload
fi
systemctl "$action" systemd-nspawn@${n}
'' else "systemctl restart systemd-nspawn@${n}");
profilePath = "/nix/var/nix/profiles/per-container/${n}/system";
user = "root";

2
nixos/modules/firewall.nix
View File

@@ -83,9 +83,11 @@ in
table inet filter {
chain wan-tcp {
${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") openTCP}
return
}
chain wan-udp {
${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") openUDP}
return
}
chain wan {

8
nixos/modules/tmproot.nix
View File

@@ -113,6 +113,8 @@ in
# Auto-generated (on activation?)
"/root/.nix-channels"
"/root/.nix-defexpr"
"/var/lib/logrotate.status"
];
persistence.config = {
# In impermanence the key in `environment.persistence.*` (aka name passed the attrsOf submodule) sets the
@@ -166,6 +168,9 @@ in
(mkIf config.security.doas.enable {
my.tmproot.unsaved.ignore = [ "/etc/doas.conf" ];
})
(mkIf config.services.resolved.enable {
my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ];
})
(mkIf config.my.build.isDevVM {
my.tmproot.unsaved.ignore = [ "/nix" ];
@@ -220,9 +225,6 @@ in
my.tmproot.persistence.config.files =
concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys;
})
(mkIf config.services.logrotate.enable {
my.tmproot.persistence.config.files = [ "/var/lib/logrotate.status" ];
})
(mkIf config.my.build.isDevVM {
fileSystems = mkVMOverride {
# Hijack the "root" device for persistence in the VM