nixos: Initial jackflix container

2022-06-11 19:13:20 +01:00
parent d2deabc6b2
commit 7dc6b5df8c
14 changed files with 246 additions and 44 deletions


@@ -75,7 +75,19 @@
(vmLVM "shill" "esp")
(vmLVM "shill" "nix")
(vmLVM "shill" "persist")
{ esp.frontendOpts.bootindex = 0; }
{
esp.frontendOpts.bootindex = 0;
media = {
backend = {
driver = "host_device";
filename = "/dev/hdds/media";
};
format.driver = "raw";
frontend = "virtio-blk";
};
}
]));
};
};


@@ -4,5 +4,6 @@
./vaultwarden.nix
./colony-psql.nix
./chatterbox.nix
./jackflix
];
}


@@ -0,0 +1,46 @@
{ lib, ... }: {
nixos.systems.jackflix = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
internal = {
name = "jackflix-ctr";
domain = lib.my.colony.domain;
ipv4.address = "${lib.my.colony.start.ctrs.v4}6";
ipv6 = {
iid = "::6";
address = "${lib.my.colony.start.ctrs.v6}6";
};
};
};
configuration = { lib, pkgs, config, ... }:
let
inherit (lib) mkMerge mkIf;
in
{
imports = [ ./networking.nix ];
config = mkMerge [
{
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU";
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [
{ from = "host"; host.port = 8080; guest.port = 80; }
];
};
})
];
};
};
}
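Review bot: The host index "6" is spelled out three times in the new file (`ipv4.address`, `ipv6.iid` and `ipv6.address`), so the v4 and v6 assignments can silently drift apart the next time one of them is edited. Hoisting it once, e.g. `let idx = "6"; in` above the attrset and then `ipv4.address = "${lib.my.colony.start.ctrs.v4}${idx}";`, `ipv6.iid = "::${idx}";`, `ipv6.address = "${lib.my.colony.start.ctrs.v6}${idx}";`, keeps the three in step. A short comment on `deploy.enable = false;` saying why this system is not deployed directly would also help a reader who only sees this file.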


@@ -0,0 +1,109 @@
{ lib, pkgs, config, assignments, ... }:
let
inherit (lib) mkMerge;
inherit (lib.my) networkdAssignment;
wg = {
keyFile = "jackflix-wg-privkey.txt";
fwMark = 42;
routeTable = 51820;
};
in
{
config = {
my = {
secrets = {
files."${wg.keyFile}" = {
group = "systemd-network";
mode = "440";
};
};
firewall = {
tcp.allowed = [ ];
};
};
environment.systemPackages = with pkgs; [
wireguard-tools
];
systemd = {
network = {
netdevs."30-vpn" = with wg; {
netdevConfig = {
Name = "vpn";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."${keyFile}".path;
FirewallMark = fwMark;
RouteTable = routeTable;
};
wireguardPeers = [
{
# mlvd-de32
wireguardPeerConfig = {
Endpoint = "146.70.107.194:51820";
PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc=";
AllowedIPs = [ "0.0.0.0/0" "::/0" ];
};
}
];
};
networks = {
"80-container-host0" = mkMerge [
(networkdAssignment "host0" assignments.internal)
{
networkConfig.DNSDefaultRoute = false;
}
];
"90-vpn" = with wg; {
matchConfig.Name = "vpn";
address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ];
dns = [ "10.64.0.1" ];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v4;
Table = "main";
Priority = 100;
}
{
From = lib.my.colony.prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
To = lib.my.colony.prefixes.all.v6;
Table = "main";
Priority = 100;
}
{
Family = "both";
InvertRule = true;
FirewallMark = fwMark;
Table = routeTable;
Priority = 110;
}
];
};
};
};
};
};
}
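Review bot: The policy rules in "90-vpn" steer unmarked traffic into table 51820 at priority 110, but nothing stops traffic from falling through when that table has no matching route: if the vpn link is down or its AllowedIPs routes are not yet installed, the lookup in 51820 fails and, as far as I can tell, the kernel's implicit "from all lookup main" rule at priority 32766 then sends the packet out via host0's default route. The suppress_prefixlength rule at priority 100 only hides main's default route for the first lookup, it does not provide a kill-switch. If leaking outside the tunnel is not acceptable, a firewall rule on host0 that permits egress only to the colony prefixes and to the WireGuard endpoint (UDP 51820) and drops the rest would close that gap; the `firewall.tcp.allowed = [ ];` block is the natural place for it, although how `my.firewall` exposes egress rules is not visible here. Either way the rule ordering deserves a comment above `routingPolicyRules`, e.g. `# 100: local/colony traffic via main (default route suppressed); 110: everything without fwMark goes through the VPN table`.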


@@ -30,7 +30,7 @@
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
let
inherit (builtins) mapAttrs;
inherit (lib) mkIf mkMerge mkForce recursiveUpdate;
inherit (lib) mkIf mkMerge mkForce;
inherit (lib.my) networkdAssignment;
in
{
@@ -53,6 +53,10 @@
fsType = "ext4";
neededForBoot = true;
};
"/mnt/media" = {
device = "/dev/disk/by-label/media";
fsType = "ext4";
};
};
systemd.network = {
@@ -98,14 +102,26 @@
trustedInterfaces = [ "vms" "ctrs" ];
};
containers.instances = mapAttrs (_: c: recursiveUpdate c {
networking.bridge = "ctrs";
}) {
middleman = {};
vaultwarden = {};
colony-psql = {};
chatterbox = {};
};
containers.instances =
let
instances = {
middleman = {};
vaultwarden = {};
colony-psql = {};
chatterbox = {};
jackflix = {
bindMounts = {
"/mnt/media".readOnly = false;
};
};
};
in
mkMerge [
instances
(mapAttrs (n: i: {
networking.bridge = "ctrs";
}) instances)
];
};
}
];
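Review bot: In the third hunk, `(mapAttrs (n: i: { networking.bridge = "ctrs"; }) instances)` ignores both lambda arguments; writing it as `mapAttrs (_: _: { networking.bridge = "ctrs"; }) instances` makes that intent explicit and matches the `(_: c: ...)` form the removed code used. The jackflix entry gets `"/mnt/media".readOnly = false;`, i.e. write access to the whole media filesystem from inside the container; if only a downloader needs to write, a narrower writable mount plus a read-only one for playback would limit what a compromised service in that container can alter, though whether that split is practical here is not visible in this commit. The `/mnt/media` fileSystems entry in the second hunk has no `options`, so a missing or failed disk will, I believe, block the host's local-fs target rather than just leave the share absent; `options = [ "nofail" ];` is worth considering for a non-boot data disk. The enclosing `configuration` function starts before these hunks.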


@@ -60,12 +60,13 @@ let
bindMountOpts = with lib.types; { name, ... }: {
options = {
mountPoint = mkOption {
default = name;
example = "/mnt/usb";
type = str;
description = "Mount point on the container file system.";
};
hostPath = mkOption {
default = null;
default = name;
example = "/home/alice";
type = nullOr str;
description = "Location of the host path to be mounted.";
@@ -76,10 +77,6 @@ let
description = "Determine whether the mounted path will be accessed in read-only mode.";
};
};
config = {
mountPoint = mkDefault name;
};
};
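Review bot: In the first hunk `hostPath` now defaults to the attribute name while its type stays `nullOr str`, so an explicit `null` is still accepted but the option text does not say what that means after this change; either tighten to `type = str;` if null no longer has a role, or describe it. The description should also mention the new default, e.g. `description = "Location of the host path to be mounted (defaults to the attribute name).";`. Dropping the `config.mountPoint = mkDefault name;` block in the second hunk looks safe since `mountPoint` already declares `default = name;` in the context lines above.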
containerOpts = with lib.types; { name, ... }: {


@@ -259,6 +259,14 @@ in
}
];
})
(mkIf config.services.jackett.enable {
my.tmproot.persistence.config.directories = [
{
directory = "/var/lib/jackett";
inherit (config.services.jackett) user group;
}
];
})
(mkIf config.my.build.isDevVM {
fileSystems = mkVMOverride {
# Hijack the "root" device for persistence in the VM