dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos: Initial jackflix container

Browse Source
This commit is contained in:
Jack O'Sullivan 2022-06-11 19:13:20 +01:00
parent d2deabc6b2
commit 7dc6b5df8c
14 changed files with 246 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
nixos/boxes/colony/vms/default.nix
View File

@ -75,7 +75,19 @@
(vmLVM "shill" "esp")
(vmLVM "shill" "nix")
(vmLVM "shill" "persist")
{ esp.frontendOpts.bootindex = 0; }
{
esp.frontendOpts.bootindex = 0;
media = {
backend = {
driver = "host_device";
filename = "/dev/hdds/media";
};
format.driver = "raw";
frontend = "virtio-blk";
};
}
]));
};
};

1
nixos/boxes/colony/vms/shill/containers/default.nix
View File

@ -4,5 +4,6 @@
./vaultwarden.nix
./colony-psql.nix
./chatterbox.nix
./jackflix
];
}

46
nixos/boxes/colony/vms/shill/containers/jackflix/default.nix Normal file
View File

@ -0,0 +1,46 @@
{ lib, ... }: {
nixos.systems.jackflix = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
internal = {
name = "jackflix-ctr";
domain = lib.my.colony.domain;
ipv4.address = "${lib.my.colony.start.ctrs.v4}6";
ipv6 = {
iid = "::6";
address = "${lib.my.colony.start.ctrs.v6}6";
};
};
};
configuration = { lib, pkgs, config, ... }:
let
inherit (lib) mkMerge mkIf;
in
{
imports = [ ./networking.nix ];
config = mkMerge [
{
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU";
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
{ from = "host"; host.port = 8080; guest.port = 80; }
];
};
})
];
};
};
}

109
nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix Normal file
View File

@ -0,0 +1,109 @@
{ lib, pkgs, config, assignments, ... }:
let
inherit (lib) mkMerge;
inherit (lib.my) networkdAssignment;
wg = {
keyFile = "jackflix-wg-privkey.txt";
fwMark = 42;
routeTable = 51820;
};
in
{
config = {
my = {
secrets = {
files."${wg.keyFile}" = {
group = "systemd-network";
mode = "440";
};
};
firewall = {
tcp.allowed = [ ];
};
};
environment.systemPackages = with pkgs; [
wireguard-tools
];
systemd = {
network = {
netdevs."30-vpn" = with wg; {
netdevConfig = {
Name = "vpn";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."${keyFile}".path;
FirewallMark = fwMark;
RouteTable = routeTable;
};
wireguardPeers = [
{
# mlvd-de32
wireguardPeerConfig = {
Endpoint = "146.70.107.194:51820";
PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc=";
AllowedIPs = [ "0.0.0.0/0" "::/0" ];
};
}
];
};
networks = {
"80-container-host0" = mkMerge [
(networkdAssignment "host0" assignments.internal)
{
networkConfig.DNSDefaultRoute = false;
}
];
"90-vpn" = with wg; {
matchConfig.Name = "vpn";
address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ];
dns = [ "10.64.0.1" ];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
Family = "both";
InvertRule = true;
FirewallMark = fwMark;
Table = routeTable;
Priority = 110;
}
];
};
};
};
};
};
}

34
nixos/boxes/colony/vms/shill/default.nix
View File

@ -30,7 +30,7 @@
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
let
inherit (builtins) mapAttrs;
inherit (lib) mkIf mkMerge mkForce recursiveUpdate;
inherit (lib) mkIf mkMerge mkForce;
inherit (lib.my) networkdAssignment;
in
{
@ -53,6 +53,10 @@
fsType = "ext4";
neededForBoot = true;
};
"/mnt/media" = {
device = "/dev/disk/by-label/media";
fsType = "ext4";
};
};
systemd.network = {
@ -98,14 +102,26 @@
trustedInterfaces = [ "vms" "ctrs" ];
};
containers.instances = mapAttrs (_: c: recursiveUpdate c {
networking.bridge = "ctrs";
}) {
middleman = {};
vaultwarden = {};
colony-psql = {};
chatterbox = {};
};
containers.instances =
let
instances = {
middleman = {};
vaultwarden = {};
colony-psql = {};
chatterbox = {};
jackflix = {
bindMounts = {
"/mnt/media".readOnly = false;
};
};
};
in
mkMerge [
instances
(mapAttrs (n: i: {
networking.bridge = "ctrs";
}) instances)
];
};
}
];

7
nixos/modules/containers.nix
View File

@ -60,12 +60,13 @@ let
bindMountOpts = with lib.types; { name, ... }: {
options = {
mountPoint = mkOption {
default = name;
example = "/mnt/usb";
type = str;
description = "Mount point on the container file system.";
};
hostPath = mkOption {
default = null;
default = name;
example = "/home/alice";
type = nullOr str;
description = "Location of the host path to be mounted.";
@ -76,10 +77,6 @@ let
description = "Determine whether the mounted path will be accessed in read-only mode.";
};
};
config = {
mountPoint = mkDefault name;
};
};
containerOpts = with lib.types; { name, ... }: {

8
nixos/modules/tmproot.nix
View File

@ -259,6 +259,14 @@ in
}
];
})
(mkIf config.services.jackett.enable {
my.tmproot.persistence.config.directories = [
{
directory = "/var/lib/jackett";
inherit (config.services.jackett) user group;
}
];
})
(mkIf config.my.build.isDevVM {
fileSystems = mkVMOverride {
# Hijack the "root" device for persistence in the VM

BIN
secrets/cloudflare-credentials.conf.age
View File

Binary file not shown.

BIN
secrets/dhparams.pem.age
View File

Binary file not shown.

11
secrets/jackflix-wg-privkey.txt.age Normal file
View File

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 vf+WVg urUmX8GQaZ9N5s4im5LjHdrqF7G1cUmOhRwJ4C6QiDo
rgzuokfwMMjYtbPBCBNa+9Jg4QHbdd4ynqrsVX5LSWM
-> X25519 Kr0gKsPYyLt3PFVZlv6m1NlLedJJYxSNKvmKx9canyc
1Ki72qamPIaor+FCYy0SLVSm0GVCVsjFiRteSNv5hCA
-> MT&kccY-grease k k>D#= -/DFm:' ufBE\
1HfnD0ef5OnLrhBZL+pyaMVLjCadk+vLszSORTxyarFPKD5wqor5nPn/mMLotY79
mpKSMQq8ehwB+Ruv6fjys3q/1A
--- J8tifBtzNpEgeFqTxpfq+Md0vdmzU23rizI3C39gkc4
29ÐA7”JȔ،\r=ŒÖÖJw¡êx xlüÕ•Aädd‰<64>Ô¬¼ÓQ¬ïð­ŠÛ#rúÉš™}ay<61>0Põl†Öö&Ñ
dF¹|€-

BIN
secrets/pdns-file-records.key.age
View File

Binary file not shown.

BIN
secrets/synapse.yaml.age
View File

Binary file not shown.

42
secrets/user-passwd.txt.age
View File

@ -1,21 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 FAIX7A PkWyLLijQZgNyFSvjEcWkYTYIyOpbxsu69hczCKx1g4
qGruVJb5SjTNm6EhRMbaO+aZc8hXQdU9jcfRN4CVAC8
-> ssh-ed25519 SKXJUw JIFQcXOdHl/9uLcvmriKLBmtXEHKrKUII99KgOkqPFI
ODO2TuI3VYWcPJnwAmpQi38a8CXV0C6pAFwd5otrh+w
-> ssh-ed25519 wbGjmA rZm8T6+N1cw3vpXrtrAIufUdjTpzu8wXLsERZAjVwHQ
MdfU6LwTZpiBEJwVvsY+BPUmN+955Ty1Xc6c0PfwH+o
-> ssh-ed25519 B9K/XQ XQiWYiYiEcVrrcjkel5TDwZSxIommrxk1cVNvDoiFSo
EE7VDprouGZ/MpNFPjhh7TSr1jzr0ZeIOmmO3G6JAeU
-> ssh-ed25519 H162lQ ce5lAulJBRSzeCKnJBNuSy1HE1R5TG20Wdx5kavPNTg
BPXI69PEmSP0BmO3f8MAPqGyBR29hts798DbevMUATg
-> ssh-ed25519 b6YMqg w0JygLSUv/Y5j1zWlUY5zoeTwX3s+URX1yJxc99rg1Y
01VfQiWgldlCBNPTBoudyKVpXXfVbrXhaVMq+MBFhVM
-> ssh-ed25519 Lqn0Yw TWRasWvKcfxukcFX95KJ6QnRwNfJSF/RCz40IrsfSGY
/CSufoexTjNSVK225VjCD3pm/z2gK6Moud7fST9tjuc
-> X25519 bFnUlqUCBjMxEPrBiMpOeQTqR4qpmBQhMzIvtLKuHUk
PEYj+yEbPfUWDKRTsYMUPUcM+i3KZ0Zu0YQ4JE3zFEE
-> T-grease NFmx4<h Dqu[ eL! o!=j{Ly
+LGjt+Z9HFtj3TJDY1Y41Q
--- 4QYQUgsOOGqXgYQ+PxShmUhezpwPXOEIKcEIfcFAFdk
€sÞÊ=_ØnwzœÏߚ؉+5~¸ëäTãGãË-}R‰hOv˜†[Tr°sH<÷@»£ŠªÄ¨Í²°ì•zÀèW¸QaÝšô§údTŠœØ@vœo BÛ¦¦ÜO•âMÙ“Çd(hX帼¶m÷v᥆X£-Qpä*¤u‰y<E280B0>S⻓c1ˆ3³ÐÆë
-> ssh-ed25519 FAIX7A 9lwGzxHbaj59re00D+VBn31xh6lXBdqlocUWbuGl0lk
WWXUSz//VWPGWwNRNDOY9rNZHEMj74gJDPyPzntmONk
-> ssh-ed25519 SKXJUw 9espI6g1Y0xAOf8RZaYTnw6Y7YSTN5Wv/9JqHMOe5Wo
ZaujblPPK14BYY67ffHCmRg33xljYwl/4YygG9efKQc
-> ssh-ed25519 wbGjmA U6GrN0iOmz77kOwa1VQ/0Cn7v/EiAJh1ZUOhJuqloVA
xB8Uu6+tVXNbAqCSkHYMvBla/oJA0nOHayrHtN4yCGQ
-> ssh-ed25519 B9K/XQ gMQEYYshD9fFvI0vrUER/2OWZYRICGem5bX7ZIP16kQ
9QwTY23a5C8TZ+1wUeqYWLWM4zSQNNzUoaqhkhQLxG4
-> ssh-ed25519 vf+WVg 3MU9AIwghf/IDoMuAZEX3GuFz1w7vYtSso5I5BDY/hM
b1U0PexxCj4DTQB41bDi6bKktoOiA+xDDMLZYPHCMlA
-> ssh-ed25519 H162lQ 99SwlUFFeKMu8VH2264WyjJVugRKYcAFHF2aHtCGyE8
LL2cJEdKtqrylLZWQVCoZQ9bGkCD6xPeY0K5C+sMrm0
-> ssh-ed25519 b6YMqg ME2+OkaFz7ZkAy4izG26lmYMl47AF5NZFojEhawj0nU
FsMXB4ymF0e/FyySdEjE3LAJw3q0Ax5BQk9m0Zsu4cg
-> ssh-ed25519 Lqn0Yw CwGVxMt//mUhJp2Dv1juO8oWFVNML0Q+zTqsqncEo0U
/YzScABKV/949EQnf8ztFzNQGzjGOWPj9iXHy2uFDYM
-> X25519 I0lKCScunZXPMiHBpGhFa7nAGFg3NeAslOdutKkyuFo
csAlkN1jWUbUxlWRF/mAX1TT95ZU7iTDUa7uGi3Gtjk
-> Q?#-grease @c:
CXkWEsR63Q4TflQd95UiFCazSFterOzSMmqRaCR/uQBhUEkyPc0
--- aOjcucJdwzcZQ2eT5PBsU7P0o1xlCgCMqPDWczEWY28
7ÊÞBä"ËûtŠÅÖ šG6þÆÑøÂB?¢`ŽÌ-ÒraÇ^Jlcl5øg<C3B8>àˆŠ–[÷9M#­jÁè&M˜n‰ê]S ÈevúÀoÞ¹}¨_<C2A8>nþ5;ðܺÇ/1„·Ã|º§cêL¯ÂñC¤f<>¾!=ó*A»¶€t{­

18
secrets/vaultwarden.env.age
View File

@ -1,10 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 Lqn0Yw COtpnkiIOsiZ6sI7GpZW6DSrMdP+V8SFm+G6VSx6Tlg
foNXyNZ/u5RVNdijDQr0mGn5BQaPDhOqLhD9gxEP5e4
-> X25519 xbW4hHBb8lJ9fIwnRsfBpTmLGO74ZBkwmdXpWQ1H9CA
ucFk4TvPIxiQNyuNgQ/dHKy+p9LvePmwWLYd2e60AT0
-> "d-grease
7zl7veXnoG49diEebRbI1ok+U0CMgjo7AQK8rsCsOa4tDR8L460m4CfSOSEMEqzK
QjEjuxC9NY0liwnNsRLNWccKxa3V1LQLL68RhA
--- exAOdELiQNGSJcweG5qVkiX4SLNMq8x9uNyp77pCrWA
B·;Ö ØiAîöo,ULbñ(ÂG«eÛa?HÄØåƉÆ f¸«ÔhzàÛë+«š^¯¿”²°iŒj0Ô%ΫKìÄ<C3AC>¸Íö3<>azsðU]ô§LŒ!Y×ÇD>v|â'W!!¥ÍêKÕ'
-> ssh-ed25519 Lqn0Yw r7XhdzWjjBP5HLeX+RwIek+vTZP1wZhhO5sr0LppdwI
4HH91EuAKYOQ5E37/dH7fgFKShxE1aX7v/njbL4cNMU
-> X25519 itbc3rl6K9BmbhNsMo/FaeOynrtrpZj5Zt0VF3McYmw
Cc0jPYLqyp5X4+KPfpy821mpCVSDke+z+Al/8Hp7vc0
-> WQA%nPY-grease n&Oc2@ sf 05
aC3qV0yeKogkc/OdfKhxW2rv4GDlT4mMlPA5FoqMA/2lq6yCoeMjGffwzXVEsauq
IRyYz3R/53ZrFtfefkBS5P4d4d/OmI6lsA
--- KYxAUYn/NHyfCJO+WqH0JKJKQZMCQYSeMryS/Kw3n8s
;iˆ7KÁ†,T&{1^™]WVñÛðÞzL¸K·s Yóá™é\¤ó|@z`b'„-­Žlk·P'aëT¯'À'mZök7¸iKøÔ*-tŠ  1:ŠmÊUIûÖqNчމsÎt™ì)#¢ô