Add initial nginx container

nixos/boxes/colony/vms/estuary/default.nix

@@ -146,14 +146,26 @@
                   enable = true;
                   externalInterface = "wan";
                 };
-                extraRules = ''
+                extraRules =
+                let
+                  aa = allAssignments;
+                  matchInet = rule: sys: ''
+                    ip daddr ${aa."${sys}".internal.ipv4.address} ${rule}
+                    ip6 daddr ${aa."${sys}".internal.ipv6.address} ${rule}
+                  '';
+                in
+                ''
                   table inet filter {
                     chain routing-tcp {
                       # Safe enough to allow all SSH
                       tcp dport ssh accept
+
+                      ${matchInet "tcp dport { http, https } accept" "middleman"}
+
+                      return
                     }
                     chain routing-udp {
-
+                      return
                     }
                     chain filter-routing {
                       tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp

nixos/boxes/colony/vms/shill/containers/default.nix

@@ -1,5 +1,6 @@
 {
   imports = [
+    ./middleman.nix
     ./vaultwarden.nix
   ];
 }

nixos/boxes/colony/vms/shill/containers/middleman.nix

@@ -0,0 +1,63 @@
+{
+  nixos.systems.middleman = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "middleman-ctr";
+        altNames = [ "http" ];
+        ipv4.address = "10.100.2.2";
+        ipv6 = rec {
+          iid = "::2";
+          address = "2a0e:97c0:4d0:bbb2${iid}";
+        };
+      };
+    };
+
+    configuration = { lib, config, assignments, ... }:
+    let
+      inherit (lib) mkMerge mkIf;
+      inherit (lib.my) networkdAssignment;
+    in
+    {
+      config = mkMerge [
+        {
+          my = {
+            server.enable = true;
+
+            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
+            };
+
+            firewall = {
+              tcp.allowed = [ "http" "https" ];
+            };
+
+            tmproot.persistence.config.directories = [
+            ];
+          };
+
+          systemd = {
+            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+          };
+
+          services = {
+            nginx = {
+              enable = true;
+              enableReload = true;
+            };
+          };
+        }
+        (mkIf config.my.build.isDevVM {
+          virtualisation = {
+            forwardPorts = [
+              { from = "host"; host.port = 8080; guest.port = 80; }
+              { from = "host"; host.port = 8443; guest.port = 443; }
+            ];
+          };
+        })
+      ];
+    };
+  };
+}

nixos/boxes/colony/vms/shill/containers/vaultwarden.nix

@@ -6,9 +6,9 @@
     assignments = {
       internal = {
         name = "vaultwarden-ctr";
-        ipv4.address = "10.100.2.2";
+        ipv4.address = "10.100.2.3";
         ipv6 = rec {
-          iid = "::2";
+          iid = "::3";
           address = "2a0e:97c0:4d0:bbb2${iid}";
         };
       };

nixos/boxes/colony/vms/shill/default.nix

@@ -26,7 +26,8 @@
 
     configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
       let
-        inherit (lib) mkIf mkMerge mkForce;
+        inherit (builtins) mapAttrs;
+        inherit (lib) mkIf mkMerge mkForce recursiveUpdate;
         inherit (lib.my) networkdAssignment;
       in
       {
@@ -96,10 +97,11 @@
                 trustedInterfaces = [ "vms" "ctrs" ];
               };
 
-              containers = {
+              containers.instances = mapAttrs (_: c: recursiveUpdate c {
-                instances.vaultwarden = {
                 networking.bridge = "ctrs";
-                };
+              }) {
+                middleman = {};
+                vaultwarden = {};
               };
             };
           }

nixos/modules/containers.nix

@@ -216,7 +216,6 @@ in
           reload =
           # `switch-to-configuration test` switches config without trying to update bootloader
           ''
-            # TODO: This still breaks on first deploy over the dummy...
             [ -e "${system}"/bin/switch-to-configuration ] && \
               systemd-run --pipe --machine ${n} -- "${containerSystem}"/bin/switch-to-configuration test
           '';

nixos/modules/deploy-rs.nix

@@ -27,9 +27,15 @@ let
     name = "container-${n}";
     value = {
       path = pkgs.deploy-rs.lib.activate.custom ctrConfig.my.buildAs.container
-        ''
+        (if c.hotReload then ''
-          systemctl ${if c.hotReload then "reload" else "restart"} systemd-nspawn@${n}
+          if systemctl show -p StatusText systemd-nspawn@${n} | grep -q "Dummy container"; then
-        '';
+            action=restart
+          else
+            action=reload
+          fi
+
+          systemctl "$action" systemd-nspawn@${n}
+        '' else "systemctl restart systemd-nspawn@${n}");
       profilePath = "/nix/var/nix/profiles/per-container/${n}/system";
 
       user = "root";

nixos/modules/firewall.nix

@@ -83,9 +83,11 @@ in
               table inet filter {
                 chain wan-tcp {
                   ${concatMapStringsSep "\n    " (p: "tcp dport ${toString p} accept") openTCP}
+                  return
                 }
                 chain wan-udp {
                   ${concatMapStringsSep "\n    " (p: "udp dport ${toString p} accept") openUDP}
+                  return
                 }
 
                 chain wan {

nixos/modules/tmproot.nix

@@ -113,6 +113,8 @@ in
           # Auto-generated (on activation?)
           "/root/.nix-channels"
           "/root/.nix-defexpr"
+
+          "/var/lib/logrotate.status"
         ];
         persistence.config = {
           # In impermanence the key in `environment.persistence.*` (aka name passed the attrsOf submodule) sets the
@@ -166,6 +168,9 @@ in
     (mkIf config.security.doas.enable {
       my.tmproot.unsaved.ignore = [ "/etc/doas.conf" ];
     })
+    (mkIf config.services.resolved.enable {
+      my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ];
+    })
     (mkIf config.my.build.isDevVM {
       my.tmproot.unsaved.ignore = [ "/nix" ];
 
@@ -220,9 +225,6 @@ in
         my.tmproot.persistence.config.files =
           concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys;
       })
-      (mkIf config.services.logrotate.enable {
-        my.tmproot.persistence.config.files = [ "/var/lib/logrotate.status" ];
-      })
       (mkIf config.my.build.isDevVM {
         fileSystems = mkVMOverride {
           # Hijack the "root" device for persistence in the VM

secrets/vaultwarden.env.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 Lqn0Yw VmwYgZn0wfCPNmwMot88E5HIt5KQDOQI6ylzQ5WJeg0
+-> ssh-ed25519 Lqn0Yw 8O/4DNOBVj9N2QBh4iAcpQPFYKK884dVYBGii6QvMFs
-qxaprd2nOEmNjq5uMfN/SG3VYOANsl1mgB0o/7T+2Ek
+enBLaFlBILu61uFQwV6v8PyWG0M0JkmSfpk/tztrLls
--> X25519 8JIr+LQxrTRS4E9EyLFKSB/0J207foeHRDhWjLVOZEw
+-> X25519 6X2M/VOMrMTIdgg9dRlVQmF2LWq5W53rNLzZ8UAJWVM
-evAK6VTgfMucDrQL2zRu4CI52gIK/TNXH2Tx0iYEMVM
+xFEKeZD+w68RyK+jlyFB82oQ6a6+FCBmYcjvc/8Wg9M
--> <"8l}KO-grease
+-> uVBC-grease
-Rd7ooeg76wEs9x+a5HhTFlS5Y+RK7wZK1SUdI4SknztHMjMwO/FC/w
+70cjnfhD0khuuiGtBG7MwE2CSEgmClW9/wQeZhAdOQ4
---- 7c/+kShXCtzYStmGvEF/XzrLiE/LpSHX4g1whtZEBYk
+--- hykfNiGB0dkhlbOabguSHtVFYtAtlFK6ld7GU8E3+WI
-Ý~O,”œ4 ¾H&b‚9]-ÃSKœ-ÎØãæl²Üá^ôè¤ÍDJž™6aù«Â-ÙÉ )´	ŸšXÒ:N·æÆÌÔ¬‰#Œ<>Ø~ýÍ&‡i{âÛÕõpU+Ï·­U“Ìw>bµà®:N/R
+Låú;sâ‹É5MÄ%²u «Ó††3#%5«#‰1gõuû¡Újt¦ËïÜc“7<E2809C><37>™žì9¬r^­ìªOȸߥ´É—·bcobvÊNæ¼éƒ‘©`½Rù»÷ŠÌ;èƒØ6æ?ʱ!'â<>ªØ