nixos: Initial jackflix container

2022-06-11 19:13:20 +01:00
parent d2deabc6b2
commit 7dc6b5df8c
14 changed files with 246 additions and 44 deletions
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@@ -75,7 +75,19 @@
              (vmLVM "shill" "esp")
              (vmLVM "shill" "nix")
              (vmLVM "shill" "persist")
-              { esp.frontendOpts.bootindex = 0; }
+
+              {
+                esp.frontendOpts.bootindex = 0;
+
+                media = {
+                  backend = {
+                    driver = "host_device";
+                    filename = "/dev/hdds/media";
+                  };
+                  format.driver = "raw";
+                  frontend = "virtio-blk";
+                };
+              }
            ]));
          };
        };
--- a/nixos/boxes/colony/vms/shill/containers/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/default.nix
@@ -4,5 +4,6 @@
    ./vaultwarden.nix
    ./colony-psql.nix
    ./chatterbox.nix
+    ./jackflix
  ];
 }
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -0,0 +1,46 @@
+{ lib, ... }: {
+  nixos.systems.jackflix = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "jackflix-ctr";
+        domain = lib.my.colony.domain;
+        ipv4.address = "${lib.my.colony.start.ctrs.v4}6";
+        ipv6 = {
+          iid = "::6";
+          address = "${lib.my.colony.start.ctrs.v6}6";
+        };
+      };
+    };
+
+    configuration = { lib, pkgs, config, ... }:
+    let
+      inherit (lib) mkMerge mkIf;
+    in
+    {
+      imports = [ ./networking.nix ];
+
+      config = mkMerge [
+        {
+          my = {
+            deploy.enable = false;
+            server.enable = true;
+
+            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU";
+            };
+          };
+        }
+        (mkIf config.my.build.isDevVM {
+          virtualisation = {
+            forwardPorts = [
+              { from = "host"; host.port = 8080; guest.port = 80; }
+            ];
+          };
+        })
+      ];
+    };
+  };
+}
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
@@ -0,0 +1,109 @@
+{ lib, pkgs, config, assignments, ... }:
+let
+  inherit (lib) mkMerge;
+  inherit (lib.my) networkdAssignment;
+
+  wg = {
+    keyFile = "jackflix-wg-privkey.txt";
+    fwMark = 42;
+    routeTable = 51820;
+  };
+in
+{
+  config = {
+    my = {
+      secrets = {
+        files."${wg.keyFile}" = {
+          group = "systemd-network";
+          mode = "440";
+        };
+      };
+
+      firewall = {
+        tcp.allowed = [ ];
+      };
+    };
+
+    environment.systemPackages = with pkgs; [
+      wireguard-tools
+    ];
+
+    systemd = {
+      network = {
+        netdevs."30-vpn" = with wg; {
+          netdevConfig = {
+            Name = "vpn";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = config.age.secrets."${keyFile}".path;
+            FirewallMark = fwMark;
+            RouteTable = routeTable;
+          };
+          wireguardPeers = [
+            {
+              # mlvd-de32
+              wireguardPeerConfig = {
+                Endpoint = "146.70.107.194:51820";
+                PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc=";
+                AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+              };
+            }
+          ];
+        };
+
+        networks = {
+          "80-container-host0" = mkMerge [
+            (networkdAssignment "host0" assignments.internal)
+            {
+              networkConfig.DNSDefaultRoute = false;
+            }
+          ];
+          "90-vpn" = with wg; {
+            matchConfig.Name = "vpn";
+            address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ];
+            dns = [ "10.64.0.1" ];
+            routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
+              {
+                Family = "both";
+                SuppressPrefixLength = 0;
+                Table = "main";
+                Priority = 100;
+              }
+
+              {
+                From = lib.my.colony.prefixes.all.v4;
+                Table = "main";
+                Priority = 100;
+              }
+              {
+                To = lib.my.colony.prefixes.all.v4;
+                Table = "main";
+                Priority = 100;
+              }
+
+              {
+                From = lib.my.colony.prefixes.all.v6;
+                Table = "main";
+                Priority = 100;
+              }
+              {
+                To = lib.my.colony.prefixes.all.v6;
+                Table = "main";
+                Priority = 100;
+              }
+
+              {
+                Family = "both";
+                InvertRule = true;
+                FirewallMark = fwMark;
+                Table = routeTable;
+                Priority = 110;
+              }
+            ];
+          };
+        };
+      };
+    };
+  };
+}
--- a/nixos/boxes/colony/vms/shill/default.nix
+++ b/nixos/boxes/colony/vms/shill/default.nix
@@ -30,7 +30,7 @@
    configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
      let
        inherit (builtins) mapAttrs;
-        inherit (lib) mkIf mkMerge mkForce recursiveUpdate;
+        inherit (lib) mkIf mkMerge mkForce;
        inherit (lib.my) networkdAssignment;
      in
      {
@@ -53,6 +53,10 @@
                fsType = "ext4";
                neededForBoot = true;
              };
+              "/mnt/media" = {
+                device = "/dev/disk/by-label/media";
+                fsType = "ext4";
+              };
            };

            systemd.network = {
@@ -98,14 +102,26 @@
                trustedInterfaces = [ "vms" "ctrs" ];
              };

-              containers.instances = mapAttrs (_: c: recursiveUpdate c {
-                networking.bridge = "ctrs";
-              }) {
-                middleman = {};
-                vaultwarden = {};
-                colony-psql = {};
-                chatterbox = {};
-              };
+              containers.instances =
+              let
+                instances = {
+                  middleman = {};
+                  vaultwarden = {};
+                  colony-psql = {};
+                  chatterbox = {};
+                  jackflix = {
+                    bindMounts = {
+                      "/mnt/media".readOnly = false;
+                    };
+                  };
+                };
+              in
+              mkMerge [
+                instances
+                (mapAttrs (n: i: {
+                  networking.bridge = "ctrs";
+                }) instances)
+              ];
            };
          }
        ];