diff --git a/nixos/boxes/colony/vms/default.nix b/nixos/boxes/colony/vms/default.nix
index e2c3685..720961b 100644
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@@ -75,7 +75,19 @@
 (vmLVM "shill" "esp")
 (vmLVM "shill" "nix")
 (vmLVM "shill" "persist")
- { esp.frontendOpts.bootindex = 0; }
+
+ {
+ esp.frontendOpts.bootindex = 0;
+
+ media = {
+ backend = {
+ driver = "host_device";
+ filename = "/dev/hdds/media";
+ };
+ format.driver = "raw";
+ frontend = "virtio-blk";
+ };
+ }
 ]));
 };
 };
diff --git a/nixos/boxes/colony/vms/shill/containers/default.nix b/nixos/boxes/colony/vms/shill/containers/default.nix
index 3fe62eb..34376df 100644
--- a/nixos/boxes/colony/vms/shill/containers/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/default.nix
@@ -4,5 +4,6 @@
 ./vaultwarden.nix
 ./colony-psql.nix
 ./chatterbox.nix
+ ./jackflix
 ];
 }
diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
new file mode 100644
index 0000000..fed08cc
--- /dev/null
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -0,0 +1,46 @@
+{ lib, ... }: {
+ nixos.systems.jackflix = {
+ system = "x86_64-linux";
+ nixpkgs = "mine";
+
+ assignments = {
+ internal = {
+ name = "jackflix-ctr";
+ domain = lib.my.colony.domain;
+ ipv4.address = "${lib.my.colony.start.ctrs.v4}6";
+ ipv6 = {
+ iid = "::6";
+ address = "${lib.my.colony.start.ctrs.v6}6";
+ };
+ };
+ };
+
+ configuration = { lib, pkgs, config, ... }:
+ let
+ inherit (lib) mkMerge mkIf;
+ in
+ {
+ imports = [ ./networking.nix ];
+
+ config = mkMerge [
+ {
+ my = {
+ deploy.enable = false;
+ server.enable = true;
+
+ secrets = {
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU";
+ };
+ };
+ }
+ (mkIf config.my.build.isDevVM {
+ virtualisation = {
+ forwardPorts = [
+ { from = "host"; host.port = 8080; guest.port = 80; }
+ ];
+ };
+ })
+ ];
+ };
+ };
+}
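Review bot: The new `media` entry hands the raw host volume `/dev/hdds/media` to the shill VM without saying what consumes it, and this is the first of three places in the commit that touch that volume (shill/default.nix mounts it by label at `/mnt/media` and bind-mounts that path into the jackflix container). A comment on the `media = {` line tying these together would save the next reader a search, e.g. `# Raw passthrough of the media volume: shill mounts it by label at /mnt/media and bind-mounts it writable into the jackflix container`. Whether `vmLVM` could express this disk instead of the hand-written backend block depends on that helper, which is outside the diff.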
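Review bot: `pkgs` in `configuration = { lib, pkgs, config, ... }:` is bound but never used in the body, so the pattern can be `configuration = { lib, config, ... }:`. The dev-VM `forwardPorts` entry maps host 8080 to guest port 80, yet nothing in this commit configures a listener on port 80 inside the container, so the forward presumably anticipates a service added later; a comment naming it, e.g. `# dev VM: reach <service> on http://localhost:8080`, or adding the entry together with that service, would document the intent.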
diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
new file mode 100644
index 0000000..0fb640e
--- /dev/null
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
@@ -0,0 +1,109 @@
+{ lib, pkgs, config, assignments, ... }:
+let
+ inherit (lib) mkMerge;
+ inherit (lib.my) networkdAssignment;
+
+ wg = {
+ keyFile = "jackflix-wg-privkey.txt";
+ fwMark = 42;
+ routeTable = 51820;
+ };
+in
+{
+ config = {
+ my = {
+ secrets = {
+ files."${wg.keyFile}" = {
+ group = "systemd-network";
+ mode = "440";
+ };
+ };
+
+ firewall = {
+ tcp.allowed = [ ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+
+ systemd = {
+ network = {
+ netdevs."30-vpn" = with wg; {
+ netdevConfig = {
+ Name = "vpn";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets."${keyFile}".path;
+ FirewallMark = fwMark;
+ RouteTable = routeTable;
+ };
+ wireguardPeers = [
+ {
+ # mlvd-de32
+ wireguardPeerConfig = {
+ Endpoint = "146.70.107.194:51820";
+ PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc=";
+ AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+ };
+ }
+ ];
+ };
+
+ networks = {
+ "80-container-host0" = mkMerge [
+ (networkdAssignment "host0" assignments.internal)
+ {
+ networkConfig.DNSDefaultRoute = false;
+ }
+ ];
+ "90-vpn" = with wg; {
+ matchConfig.Name = "vpn";
+ address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ];
+ dns = [ "10.64.0.1" ];
+ routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
+ {
+ Family = "both";
+ SuppressPrefixLength = 0;
+ Table = "main";
+ Priority = 100;
+ }
+
+ {
+ From = lib.my.colony.prefixes.all.v4;
+ Table = "main";
+ Priority = 100;
+ }
+ {
+ To = lib.my.colony.prefixes.all.v4;
+ Table = "main";
+ Priority = 100;
+ }
+
+ {
+ From = lib.my.colony.prefixes.all.v6;
+ Table = "main";
+ Priority = 100;
+ }
+ {
+ To = lib.my.colony.prefixes.all.v6;
+ Table = "main";
+ Priority = 100;
+ }
+
+ {
+ Family = "both";
+ InvertRule = true;
+ FirewallMark = fwMark;
+ Table = routeTable;
+ Priority = 110;
+ }
+ ];
+ };
+ };
+ };
+ };
+ };
+}
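Review bot: The priority-110 rule sends every unmarked packet to table 51820, but nothing stops that traffic from leaving via host0 when the tunnel is down: once the `vpn` link is gone the table is empty, the lookup falls through to the main table's default route, and the container's traffic goes out unprotected (name resolution should fail because DNS is pinned to 10.64.0.1 on the vpn link with `DNSDefaultRoute = false` on host0, but anything addressed by IP would not). A routing-level guard is one more entry after the priority-110 rule, `{ Family = "both"; InvertRule = true; FirewallMark = fwMark; Type = "unreachable"; Priority = 120; }`, so unmarked packets that found no VPN route are rejected rather than falling through; if the `my.firewall` module (outside this diff) can express output rules, a packet-level drop of unmarked traffic that is neither destined for `lib.my.colony.prefixes.all` nor leaving on `vpn` gives the same guarantee independently of routing state. A short comment above the `routingPolicyRules` list stating the intended order (more-specific main routes and colony prefixes first, then everything unmarked into the VPN table) would also make the design reviewable.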
diff --git a/nixos/boxes/colony/vms/shill/default.nix b/nixos/boxes/colony/vms/shill/default.nix
index 364b6af..a8bb84f 100644
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -30,7 +30,7 @@
 configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
 let
 inherit (builtins) mapAttrs;
- inherit (lib) mkIf mkMerge mkForce recursiveUpdate;
+ inherit (lib) mkIf mkMerge mkForce;
 inherit (lib.my) networkdAssignment;
 in
 {
@@ -53,6 +53,10 @@
 fsType = "ext4";
 neededForBoot = true;
 };
+ "/mnt/media" = {
+ device = "/dev/disk/by-label/media";
+ fsType = "ext4";
+ };
 };
 
 systemd.network = {
@@ -98,14 +102,26 @@
 trustedInterfaces = [ "vms" "ctrs" ];
 };
 
- containers.instances = mapAttrs (_: c: recursiveUpdate c {
- networking.bridge = "ctrs";
- }) {
- middleman = {};
- vaultwarden = {};
- colony-psql = {};
- chatterbox = {};
- };
+ containers.instances =
+ let
+ instances = {
+ middleman = {};
+ vaultwarden = {};
+ colony-psql = {};
+ chatterbox = {};
+ jackflix = {
+ bindMounts = {
+ "/mnt/media".readOnly = false;
+ };
+ };
+ };
+ in
+ mkMerge [
+ instances
+ (mapAttrs (n: i: {
+ networking.bridge = "ctrs";
+ }) instances)
+ ];
 };
 }
 ];
diff --git a/nixos/modules/containers.nix b/nixos/modules/containers.nix
index 3c766a9..d26b1ff 100644
--- a/nixos/modules/containers.nix
+++ b/nixos/modules/containers.nix
@@ -60,12 +60,13 @@ let
 bindMountOpts = with lib.types; { name, ... }: {
 options = {
 mountPoint = mkOption {
+ default = name;
 example = "/mnt/usb";
 type = str;
 description = "Mount point on the container file system.";
 };
 hostPath = mkOption {
- default = null;
+ default = name;
 example = "/home/alice";
 type = nullOr str;
 description = "Location of the host path to be mounted.";
@@ -76,10 +77,6 @@ let
 description = "Determine whether the mounted path will be accessed in read-only mode.";
 };
 };
-
- config = {
- mountPoint = mkDefault name;
- };
 };
 
 containerOpts = with lib.types; { name, ... }: {
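Review bot: The lambda in `(mapAttrs (n: i: { networking.bridge = "ctrs"; }) instances)` ignores both of its arguments, so the binders should be `_: _:` to make that explicit, as the removed code already did for the name. The jackflix `bindMounts` entry gives that container write access to the whole media volume through `"/mnt/media".readOnly = false;`, and since jackflix is also the container whose egress goes through the external WireGuard peer configured in networking.nix, a comment on that line stating why write access is required (`# write access: <reason>`) keeps the decision visible to the next reviewer. The enclosing `configuration` function starts and ends outside this hunk.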
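Review bot: `hostPath` now defaults to `name`, but its `type = nullOr str` and description still describe the old nullable contract, and whatever consumes a `null` hostPath (outside this diff) may have relied on that default meaning something other than "same path as the mount point"; that consumer should be checked. Both descriptions should state the new defaults, e.g. `description = "Location of the host path to be mounted. Defaults to the mount point (the attribute name).";` and, in the first hunk, `description = "Mount point on the container file system. Defaults to the attribute name.";`. With the `config = { mountPoint = mkDefault name; }` block removed, `mkDefault` may now be an unused binding in this module; its `inherit` is outside both hunks.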
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index af68fc6..5644962 100644
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -259,6 +259,14 @@ in
 }
 ];
 })
+ (mkIf config.services.jackett.enable {
+ my.tmproot.persistence.config.directories = [
+ {
+ directory = "/var/lib/jackett";
+ inherit (config.services.jackett) user group;
+ }
+ ];
+ })
 (mkIf config.my.build.isDevVM {
 fileSystems = mkVMOverride {
 # Hijack the "root" device for persistence in the VM
diff --git a/secrets/cloudflare-credentials.conf.age b/secrets/cloudflare-credentials.conf.age
index ff62f69..f117731 100644
Binary files a/secrets/cloudflare-credentials.conf.age and b/secrets/cloudflare-credentials.conf.age differ
diff --git a/secrets/dhparams.pem.age b/secrets/dhparams.pem.age
index 459f729..d302214 100644
Binary files a/secrets/dhparams.pem.age and b/secrets/dhparams.pem.age differ
diff --git a/secrets/jackflix-wg-privkey.txt.age b/secrets/jackflix-wg-privkey.txt.age
new file mode 100644
index 0000000..03dbb6e
--- /dev/null
+++ b/secrets/jackflix-wg-privkey.txt.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 vf+WVg urUmX8GQaZ9N5s4im5LjHdrqF7G1cUmOhRwJ4C6QiDo
+rgzuokfwMMjYtbPBCBNa+9Jg4QHbdd4ynqrsVX5LSWM
+-> X25519 Kr0gKsPYyLt3PFVZlv6m1NlLedJJYxSNKvmKx9canyc
+1Ki72qamPIaor+FCYy0SLVSm0GVCVsjFiRteSNv5hCA
+-> MT&kccY-grease k k>D#= -/DFm:' ufBE\
+1HfnD0ef5OnLrhBZL+pyaMVLjCadk+vLszSORTxyarFPKD5wqor5nPn/mMLotY79
+mpKSMQq8ehwB+Ruv6fjys3q/1A
+--- J8tifBtzNpEgeFqTxpfq+Md0vdmzU23rizI3C39gkc4
+29A7JȔ،\r=Jwx xlՕAddԬQ#rɚ}ay0Pl&
+dF|-
\ No newline at end of file
diff --git a/secrets/pdns-file-records.key.age b/secrets/pdns-file-records.key.age
index 47e4152..e35409f 100644
Binary files a/secrets/pdns-file-records.key.age and b/secrets/pdns-file-records.key.age differ
diff --git a/secrets/synapse.yaml.age b/secrets/synapse.yaml.age
index 30e3317..03dd300 100644
Binary files a/secrets/synapse.yaml.age and b/secrets/synapse.yaml.age differ
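Review bot: `/var/lib/jackett` is Jackett's state directory and presumably holds its configuration, including its API key and any indexer credentials, so the new persistence entry carries secrets across reboots; the `inherit (config.services.jackett) user group;` line gets ownership right, but the entry sets no permission mode, so whether the persisted copy ends up owner-only depends on what `my.tmproot.persistence.config.directories` does by default (its schema is outside this hunk). If the entry type accepts a mode, set it to owner-only here; either way a comment such as `# holds Jackett's API key and indexer credentials` marks the directory as sensitive. The enclosing `mkMerge` list starts and ends outside the hunk.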
diff --git a/secrets/user-passwd.txt.age b/secrets/user-passwd.txt.age
index ea1ed56..33ab7cf 100644
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
@@ -1,21 +1,23 @@ age-encryption.org/v1 --> ssh-ed25519 FAIX7A PkWyLLijQZgNyFSvjEcWkYTYIyOpbxsu69hczCKx1g4 -qGruVJb5SjTNm6EhRMbaO+aZc8hXQdU9jcfRN4CVAC8 --> ssh-ed25519 SKXJUw JIFQcXOdHl/9uLcvmriKLBmtXEHKrKUII99KgOkqPFI -ODO2TuI3VYWcPJnwAmpQi38a8CXV0C6pAFwd5otrh+w --> ssh-ed25519 wbGjmA rZm8T6+N1cw3vpXrtrAIufUdjTpzu8wXLsERZAjVwHQ -MdfU6LwTZpiBEJwVvsY+BPUmN+955Ty1Xc6c0PfwH+o --> ssh-ed25519 B9K/XQ XQiWYiYiEcVrrcjkel5TDwZSxIommrxk1cVNvDoiFSo -EE7VDprouGZ/MpNFPjhh7TSr1jzr0ZeIOmmO3G6JAeU --> ssh-ed25519 H162lQ ce5lAulJBRSzeCKnJBNuSy1HE1R5TG20Wdx5kavPNTg -BPXI69PEmSP0BmO3f8MAPqGyBR29hts798DbevMUATg --> ssh-ed25519 b6YMqg w0JygLSUv/Y5j1zWlUY5zoeTwX3s+URX1yJxc99rg1Y -01VfQiWgldlCBNPTBoudyKVpXXfVbrXhaVMq+MBFhVM --> ssh-ed25519 Lqn0Yw TWRasWvKcfxukcFX95KJ6QnRwNfJSF/RCz40IrsfSGY -/CSufoexTjNSVK225VjCD3pm/z2gK6Moud7fST9tjuc --> X25519 bFnUlqUCBjMxEPrBiMpOeQTqR4qpmBQhMzIvtLKuHUk -PEYj+yEbPfUWDKRTsYMUPUcM+i3KZ0Zu0YQ4JE3zFEE --> T-grease NFmx4 ssh-ed25519 FAIX7A 9lwGzxHbaj59re00D+VBn31xh6lXBdqlocUWbuGl0lk +WWXUSz//VWPGWwNRNDOY9rNZHEMj74gJDPyPzntmONk +-> ssh-ed25519 SKXJUw 9espI6g1Y0xAOf8RZaYTnw6Y7YSTN5Wv/9JqHMOe5Wo +ZaujblPPK14BYY67ffHCmRg33xljYwl/4YygG9efKQc +-> ssh-ed25519 wbGjmA U6GrN0iOmz77kOwa1VQ/0Cn7v/EiAJh1ZUOhJuqloVA +xB8Uu6+tVXNbAqCSkHYMvBla/oJA0nOHayrHtN4yCGQ +-> ssh-ed25519 B9K/XQ gMQEYYshD9fFvI0vrUER/2OWZYRICGem5bX7ZIP16kQ +9QwTY23a5C8TZ+1wUeqYWLWM4zSQNNzUoaqhkhQLxG4 +-> ssh-ed25519 vf+WVg 3MU9AIwghf/IDoMuAZEX3GuFz1w7vYtSso5I5BDY/hM +b1U0PexxCj4DTQB41bDi6bKktoOiA+xDDMLZYPHCMlA +-> ssh-ed25519 H162lQ 99SwlUFFeKMu8VH2264WyjJVugRKYcAFHF2aHtCGyE8 +LL2cJEdKtqrylLZWQVCoZQ9bGkCD6xPeY0K5C+sMrm0 +-> ssh-ed25519 b6YMqg ME2+OkaFz7ZkAy4izG26lmYMl47AF5NZFojEhawj0nU +FsMXB4ymF0e/FyySdEjE3LAJw3q0Ax5BQk9m0Zsu4cg +-> ssh-ed25519 Lqn0Yw CwGVxMt//mUhJp2Dv1juO8oWFVNML0Q+zTqsqncEo0U +/YzScABKV/949EQnf8ztFzNQGzjGOWPj9iXHy2uFDYM +-> X25519 I0lKCScunZXPMiHBpGhFa7nAGFg3NeAslOdutKkyuFo +csAlkN1jWUbUxlWRF/mAX1TT95ZU7iTDUa7uGi3Gtjk +-> Q?#-grease @c: 
+CXkWEsR63Q4TflQd95UiFCazSFterOzSMmqRaCR/uQBhUEkyPc0 +--- aOjcucJdwzcZQ2eT5PBsU7P0o1xlCgCMqPDWczEWY28 +7B"t G6B?`-ra^Jlcl5g[9M#Fj&Mn]Sevo޹}_n5;ܺ/1|cLCf!=*At{ \ No newline at end of file diff --git a/secrets/vaultwarden.env.age b/secrets/vaultwarden.env.age index 227c6d1..b60971d 100644 --- a/secrets/vaultwarden.env.age +++ b/secrets/vaultwarden.env.age @@ -1,10 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 Lqn0Yw COtpnkiIOsiZ6sI7GpZW6DSrMdP+V8SFm+G6VSx6Tlg -foNXyNZ/u5RVNdijDQr0mGn5BQaPDhOqLhD9gxEP5e4 --> X25519 xbW4hHBb8lJ9fIwnRsfBpTmLGO74ZBkwmdXpWQ1H9CA -ucFk4TvPIxiQNyuNgQ/dHKy+p9LvePmwWLYd2e60AT0 --> "d-grease -7zl7veXnoG49diEebRbI1ok+U0CMgjo7AQK8rsCsOa4tDR8L460m4CfSOSEMEqzK -QjEjuxC9NY0liwnNsRLNWccKxa3V1LQLL68RhA ---- exAOdELiQNGSJcweG5qVkiX4SLNMq8x9uNyp77pCrWA -B; iAo,ULb(Gea?H؋Ɖfhz+^ij0%ΫKā3azsU]L!YD>v|'W!!K' \ No newline at end of file +-> ssh-ed25519 Lqn0Yw r7XhdzWjjBP5HLeX+RwIek+vTZP1wZhhO5sr0LppdwI +4HH91EuAKYOQ5E37/dH7fgFKShxE1aX7v/njbL4cNMU +-> X25519 itbc3rl6K9BmbhNsMo/FaeOynrtrpZj5Zt0VF3McYmw +Cc0jPYLqyp5X4+KPfpy821mpCVSDke+z+Al/8Hp7vc0 +-> WQA%nPY-grease n&Oc2@ sf 05 +aC3qV0yeKogkc/OdfKhxW2rv4GDlT4mMlPA5FoqMA/2lq6yCoeMjGffwzXVEsauq +IRyYz3R/53ZrFtfefkBS5P4d4d/OmI6lsA +--- KYxAUYn/NHyfCJO+WqH0JKJKQZMCQYSeMryS/Kw3n8s +;i7K,T&{1^]WVzLKs Y\|@z`b'-lkP'aT''mZk76iK*-t 1:mUIqNчމst)# \ No newline at end of file
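Review bot: The rekey adds `-> ssh-ed25519 vf+WVg` as a recipient of user-passwd.txt.age; that tag is the only ssh recipient of the new jackflix-wg-privkey.txt.age, so it is presumably the jackflix container's host key, and that container can now decrypt the user password secret. Unless jackflix actually consumes it (the secrets recipient list and its consumer are outside this diff), this widens access to a credential it has no visible need for; if it does need it, a comment next to that recipient in the secrets config saying why would help reviewers. The files shown only as `Binary files ... differ` (cloudflare-credentials.conf.age, dhparams.pem.age, pdns-file-records.key.age, synapse.yaml.age) hide their recipient lists, so the same least-privilege check applies to them.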