dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/kelder: Move nginx to separate container

Browse Source
This commit is contained in:
Jack O'Sullivan
2023-05-27 23:45:53 +01:00
parent 44c5a9ded9
commit a6db08acda
39 changed files with 607 additions and 491 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
nixos/boxes/kelder/containers/default.nix
View File

@@ -1,5 +1,6 @@
{
imports = [
./acquisition
./spoder
];
}

91
nixos/boxes/kelder/containers/spoder/default.nix Normal file
View File

@@ -0,0 +1,91 @@
{ lib, ... }:
let
inherit (lib) mkForce mkMerge;
inherit (lib.my) net;
inherit (lib.my.kelder) domain prefixes;
in
{
nixos.systems.kelder-spoder = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
internal = {
name = "spoder-ctr";
inherit domain;
ipv4.address = net.cidr.host 3 prefixes.ctrs.v4;
};
};
configuration = { lib, pkgs, config, assignments, ... }:
let
inherit (lib.my) networkdAssignment;
in
{
imports = [ ./nginx.nix ];
config = {
my = {
deploy.enable = false;
server.enable = true;
user.config.name = "kontent";
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdYyebQv/bBLbat1Csnr1/VMPKsi99PiLOXyKeQb7oX";
files = {
"kelder/cloudflare-credentials.conf" = {
owner = "acme";
group = "acme";
};
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "dev@nul.ie";
server = "https://acme-v02.api.letsencrypt.org/directory";
reloadServices = [ "nginx" ];
dnsResolver = "8.8.8.8";
};
certs = {
"${lib.my.kelder.domain}" = {
extraDomainNames = [
"*.${lib.my.kelder.domain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
};
};
};
users = {
groups.storage.gid = lib.my.kelder.groups.storage;
users = {
nginx.extraGroups = [ "acme" ];
"${config.my.user.config.name}".extraGroups = [ "storage" ];
};
};
systemd = {
network.networks."80-container-host0" = mkMerge [
(networkdAssignment "host0" assignments.internal)
{
linkConfig.MTUBytes = "1420";
}
];
services = {
radarr.serviceConfig.UMask = "0002";
sonarr.serviceConfig.UMask = "0002";
};
};
services = {
resolved.extraConfig = mkForce "";
};
};
};
};
}

40
nixos/boxes/kelder/nginx.nix → nixos/boxes/kelder/containers/spoder/nginx.nix
View File

@@ -16,11 +16,6 @@ in
group = "acme";
mode = "440";
};
"kelder/cloudflare-credentials.conf" = {
owner = "acme";
group = "acme";
};
"kelder/ddclient-cloudflare.key" = {};
};
firewall = {
@@ -28,42 +23,7 @@ in
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "dev@nul.ie";
server = "https://acme-v02.api.letsencrypt.org/directory";
reloadServices = [ "nginx" ];
dnsResolver = "8.8.8.8";
};
certs = {
"${lib.my.kelder.domain}" = {
extraDomainNames = [
"*.${lib.my.kelder.domain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
};
};
};
users = {
users = {
nginx.extraGroups = [ "acme" ];
};
};
services = {
ddclient = {
enable = true;
use = "if, if=et1g0";
protocol = "cloudflare";
zone = lib.my.kelder.domain;
domains = [ "kelder-local.${lib.my.kelder.domain}" ];
username = "token";
passwordFile = config.age.secrets."kelder/ddclient-cloudflare.key".path;
};
nginx = {
package = pkgs.openresty;
enable = true;

55
nixos/boxes/kelder/default.nix
View File

@@ -36,9 +36,10 @@ in
inherit (lib.my) networkdAssignment;
vpnTable = 51820;
dnatMark = 123;
in
{
imports = [ ./boot.nix ./nginx.nix ];
imports = [ ./boot.nix ];
config = {
hardware = {
@@ -109,6 +110,17 @@ in
greetingLine = ''Welcome to ${config.system.nixos.distroName} ${config.system.nixos.label} (\m) - \l'';
helpLine = "\nCall Jack for help.";
};
ddclient = {
enable = true;
use = "if, if=et1g0";
protocol = "cloudflare";
zone = lib.my.kelder.domain;
domains = [ "kelder-local.${lib.my.kelder.domain}" ];
username = "token";
passwordFile = config.age.secrets."kelder/ddclient-cloudflare.key".path;
};
};
networking = {
@@ -169,11 +181,23 @@ in
(with ipv4; "${address}/${toString mask}")
];
routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 100;
}
{
From = assignments.estuary.ipv4.address;
Table = vpnTable;
Priority = 100;
}
{
FirewallMark = dnatMark;
Table = vpnTable;
Priority = 100;
}
];
};
};
@@ -201,6 +225,7 @@ in
"kelder/estuary-wg.key" = {
owner = "systemd-network";
};
"kelder/ddclient-cloudflare.key" = {};
};
};
@@ -208,9 +233,30 @@ in
trustedInterfaces = [ "ctrs" ];
nat = {
enable = true;
externalInterface = "et1g0";
externalInterface = "{ et1g0, estuary }";
forwardPorts = [
{
port = "http";
dst = allAssignments.kelder-spoder.internal.ipv4.address;
}
{
port = "https";
dst = allAssignments.kelder-spoder.internal.ipv4.address;
}
];
};
extraRules = ''
table inet raw {
chain prerouting {
type filter hook prerouting priority mangle; policy accept;
ip daddr ${assignments.estuary.ipv4.address} ct state new ct mark set ${toString dnatMark}
ip saddr ${lib.my.kelder.prefixes.all.v4} ct mark != 0 meta mark set ct mark log
}
chain output {
type filter hook output priority mangle; policy accept;
ct mark != 0 meta mark set ct mark
}
}
table inet nat {
chain postrouting {
ip saddr ${lib.my.kelder.prefixes.all.v4} oifname et1g0 masquerade
@@ -231,6 +277,11 @@ in
};
};
};
kelder-spoder = {
bindMounts = {
"/mnt/storage".readOnly = false;
};
};
};
in
mkMerge [

2
nixos/modules/firewall.nix
View File

@@ -200,7 +200,7 @@ in
chain prerouting {
${optionalString
(cfg.nat.externalInterface != null)
"${optionalString (cfg.nat.externalIP != null) "ip daddr ${cfg.nat.externalIP} "}jump port-forward"}
"${if (cfg.nat.externalIP != null) then "ip daddr ${cfg.nat.externalIP}" else "iifname ${cfg.nat.externalInterface}"} jump port-forward"}
}
}
'';