From d3a40bd942537c35e3eb6cf9282798d704720290 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Sun, 11 Feb 2024 00:28:56 +0100
Subject: [PATCH] Configure nginx and containers / virtualisation for zoldene
---
 deploy/flake.lock | 12 ++++----
 flake.lock | 4 +--
 flakes/flake.lock | 2 +-
 systems/zoldene/base.nix | 10 ++++++-
 systems/zoldene/certificates.nix | 23 +++++++++++++++
 systems/zoldene/flake.nix | 3 ++
 systems/zoldene/virtualisation.nix | 46 ++++++++++++++++++++++++++++++
 7 files changed, 90 insertions(+), 10 deletions(-)
 create mode 100644 systems/zoldene/certificates.nix
 create mode 100644 systems/zoldene/virtualisation.nix
diff --git a/deploy/flake.lock b/deploy/flake.lock
index 74f3cb3..711f7ea 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-JZAb5V2upUFe8gDKiHtA0iksciLTuZgtLikxZpE2ZkY=", + "narHash": "sha256-On+vOgbdQGNAUM9YxLHmju3ci2yvD5Us4pVLGMAIUw4=", "path": "../flakes", "type": "path" },
@@ -3974,7 +3974,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=", + "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=", "path": "../systems/zoldene", "type": "path" },
@@ -8888,11 +8888,11 @@ "nixpkgs": "nixpkgs_106" }, "locked": { - "lastModified": 1700953172, - "narHash": "sha256-KcFb43yLFsVOMevka1G2ddTE5JFsS72h+6XfjO7ivAs=", + "lastModified": 1708773401, + "narHash": "sha256-5UeCrBFAypxoiJ3TkmtXw40g1durDVV6AiPmzaumeQk=", "ref": "master", - "rev": "4518b25634f2274d2a65bf5bfc4c78c4ab450787", - "revCount": 715, + "rev": "890a76ab7f560b8a8d547d2066fe5e10083b0689", + "revCount": 721, "type": "git", "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets" },
diff --git a/flake.lock b/flake.lock
index 19de0cb..2b6bd18 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-JZAb5V2upUFe8gDKiHtA0iksciLTuZgtLikxZpE2ZkY=", + "narHash": "sha256-On+vOgbdQGNAUM9YxLHmju3ci2yvD5Us4pVLGMAIUw4=", "path": "./flakes", "type": "path" },
@@ -3990,7 +3990,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=", + "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=", "path": "../systems/zoldene", "type": "path" },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 051086e..f4e88e4 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3895,7 +3895,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=", + "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=", "path": "../systems/zoldene", "type": "path" },
diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix
index 8ca5d52..2c0a461 100644
--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -1,4 +1,4 @@
-{ name, config, lib, pkgs, secrets, ... }:
+{ name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
 let
 # udev rules to be able to boot from qemu in a rescue
 udev-qemu-rules =
@@ -9,6 +9,12 @@ let
 '') (builtins.attrNames disks));
 in
 {
+ imports = [
+ secrets.nixosModules.users-config-zoldene
+ ./virtualisation.nix
+ ./certificates.nix
+ ];
+
 services.openssh = {
 settings.KbdInteractiveAuthentication = false;
 hostKeys = [
@@ -119,4 +125,6 @@ in
 secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
 # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
 secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
+
+
 }
diff --git a/systems/zoldene/certificates.nix b/systems/zoldene/certificates.nix
new file mode 100644
index 0000000..d6ffd12
--- /dev/null
+++ b/systems/zoldene/certificates.nix
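Review bot: The two empty lines added just before the closing `}` at the end of base.nix (third hunk of this file) are stray whitespace left over from the edit and should be dropped; the `imports` list in the second hunk is the only substantive change to this file. The first hunk also adds `pkgs-no-overlay` to the module's argument set, yet none of the visible lines of base.nix use it — if it is only consumed by `./virtualisation.nix`, it can be left out here, since the trailing `...` already tolerates the extra argument being passed. The rest of base.nix lies outside these hunks, so a use may exist that is not visible here.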
@@ -0,0 +1,23 @@
+{ ... }:
+{
+ disko.devices.zpool.zfast.datasets."root/persist/var/lib/acme" =
+ { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/acme"; options.mountpoint = "legacy"; };
+
+ environment.persistence."/persist/zfast".directories = [
+ {
+ directory = "/var/lib/acme";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ ];
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ services.nginx = {
+ enable = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+
+}
diff --git a/systems/zoldene/flake.nix b/systems/zoldene/flake.nix
index 42466e8..7b7b4b7 100644
--- a/systems/zoldene/flake.nix
+++ b/systems/zoldene/flake.nix
@@ -14,6 +14,9 @@
 system = "x86_64-linux";
 targetHost = "88.198.39.152";
 targetUser = "root";
+ moduleArgs = {
+ pkgs-no-overlay = inputs.nixpkgs.legacyPackages.x86_64-linux;
+ };
 nixosModules = with inputs; {
 impermanence = impermanence.nixosModule;
 base = ./base.nix;
diff --git a/systems/zoldene/virtualisation.nix b/systems/zoldene/virtualisation.nix
new file mode 100644
index 0000000..d2212fe
--- /dev/null
+++ b/systems/zoldene/virtualisation.nix
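Review bot: The `services.nginx` block turns on `recommendedOptimisation`, `recommendedGzipSettings` and `recommendedProxySettings` but not `recommendedTlsSettings`; since this module exists to hand nginx the ACME certificates, `recommendedTlsSettings = true;` belongs in the same block so the TLS protocol and cipher defaults are hardened along with the rest. Nothing in the hunk configures `security.acme` itself (terms acceptance, contact address, certificate definitions) — presumably that lives elsewhere or in a later commit, and a comment saying where would help the reader. The `users.users.nginx.extraGroups = [ "acme" ];` line also deserves a why-comment, e.g. `# nginx reads the certificate files under /var/lib/acme, which the ACME module makes available to the acme group`. The persisted `/var/lib/acme` directory is created `0755 root:root`; that is only the top-level directory, but it is worth confirming that the per-certificate subdirectories keep their own tighter permissions across the impermanence bind.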
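Review bot: `pkgs-no-overlay` is introduced in `moduleArgs` without saying why a module needs a package set that bypasses the repository overlays; the only visible consumer is `qemu.package = pkgs-no-overlay.qemu;` in virtualisation.nix, and a reader cannot tell whether the overlaid qemu is broken, too costly to build, or deliberately avoided. A one-line comment above the attribute, e.g. `# nixpkgs without this repo's overlays; virtualisation.nix takes libvirtd's qemu from here because <reason>`, would record the intent. The system string is also repeated from the `system = "x86_64-linux";` line three lines above; if `system` is bound in scope here (the enclosing set's header is outside the hunk), `legacyPackages.${system}` would avoid the duplication.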
@@ -0,0 +1,46 @@
+{ pkgs-no-overlay, ... }:
+{
+ boot.kernelModules = [ "nf_nat_ftp" ];
+
+ ### Enable Docker
+ virtualisation.docker.enable = true;
+ disko.devices.zpool.zfast.datasets."root/persist/var/lib/docker" =
+ { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/docker"; options.mountpoint = "legacy"; };
+
+ ### Enable LXC
+ disko.devices.zpool.zfast.datasets."root/persist/var/lib/lxc" =
+ { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/lxc"; options.mountpoint = "legacy"; };
+ virtualisation.lxc = {
+ enable = true;
+ lxcfs.enable = true;
+ };
+
+ ### Enable libvirtd
+ virtualisation.libvirtd = {
+ enable = true;
+ qemu.package = pkgs-no-overlay.qemu;
+ };
+
+ ### Persistence for LXC / Docker
+ environment.persistence."/persist/zfast".directories = [
+ {
+ directory = "/var/lib/lxc";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ {
+ directory = "/var/lib/docker";
+ user = "root";
+ group = "root";
+ mode = "0750";
+ }
+ ];
+
+ # ip forwarding is needed for NAT'ing to work in containers/VMs.
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ };
+}
+
-- 
2.41.0
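Review bot: Forwarding is switched on for every interface (`net.ipv4.conf.all.forwarding` and `default.forwarding`), which makes the host route between all of its interfaces and not only the Docker/LXC/libvirt bridges, and nothing in this file restricts forwarded traffic; whether a FORWARD policy exists depends on the host firewall configuration, which is not visible here. Docker additionally installs its own nat/FORWARD rules for published container ports, so that traffic never reaches the INPUT-chain rules where the NixOS firewall filters — worth recording next to the existing comment, e.g. `# Note: forwarded and Docker-published traffic bypasses the host's INPUT firewall rules; restrict it in the FORWARD chain if needed.`. `boot.kernelModules = [ "nf_nat_ftp" ];` is also unexplained: on current kernels conntrack helpers are not auto-assigned (`nf_conntrack_helper` defaults to off), so loading the module alone likely has no effect until a CT helper rule attaches it, and a comment naming the service that needs FTP NAT (and where the helper rule is set) would make the intent checkable. Only IPv4 forwarding is enabled; if containers or VMs are expected to have IPv6 reachability, the corresponding `net.ipv6.conf.*.forwarding` keys are missing, otherwise a short comment stating that IPv6 is intentionally not forwarded would pre-empt the question.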