From: Ismaël Bouya <ismael.bouya@normalesup.org>
Date: Sun, 7 Apr 2019 10:58:10 +0000 (+0200)
Subject: Add ipv6 to websites
X-Git-Tag: nur_publish~169
X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=commitdiff_plain;h=d68bb46bc6d04b450bb0bd995b4286f3d46b2557

Add ipv6 to websites

This adds ipv6 to websites, and moves the ip address handling to
environment.

Fixes https://git.immae.eu/mantisbt/view.php?id=103
---

diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index 3e346d4..f254a05 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -15,14 +15,20 @@
       myconfig = {
         inherit privateFiles;
         env = import "${privateFiles}/environment.nix";
-        ips = {
-          main = "176.9.151.89";
-          production = "176.9.151.154";
-          integration = "176.9.151.155";
-        };
       };
     };
 
+    networking = {
+      firewall.enable = true;
+      # 176.9.151.89 declared in nixops -> infra / tools
+      interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
+        (n: ips: { address = ips.ip4; prefixLength = 32; })
+        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.eldiron.ips);
+      interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+        (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+        myconfig.env.servers.eldiron.ips);
+    };
+
     imports = [
       ./modules/ssh
       ./modules/certificates.nix
@@ -53,14 +59,13 @@
       MaxLevelStore="warning"
       MaxRetentionSec="1year"
       '';
-    networking.firewall.enable = true;
 
     deployment = {
       targetEnv = "hetzner";
       hetzner = {
         robotUser = myconfig.env.hetzner.user;
         robotPass = myconfig.env.hetzner.pass;
-        mainIPv4 = myconfig.ips.main;
+        mainIPv4 = myconfig.env.servers.eldiron.ips.main.ip4;
         partitions = ''
           clearpart --all --initlabel --drives=sda,sdb
 
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index 14f2116..228966f 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -10,16 +10,14 @@ let
       sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
       sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
       logFormat = "combinedVhost";
-      listen = [
-        { ip = cfg.ip;  port = 443; }
-      ];
+      listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
       hostName = builtins.head vhostConf.hosts;
       serverAliases = builtins.tail vhostConf.hosts or [];
       documentRoot = vhostConf.root;
       extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
     };
     nosslVhost = {
-      listen = [ { ip = cfg.ip; port = 80; } ];
+      listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
       hostName = "nossl.immae.eu";
       enableSSL = false;
       logFormat = "combinedVhost";
@@ -36,7 +34,7 @@ let
         '';
     };
     redirectVhost = { # Should go last, catchall http -> https redirect
-      listen = [ { ip = cfg.ip; port = 80; } ];
+      listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
       hostName = "redirectSSL";
       serverAliases = [ "*" ];
       enableSSL = false;
@@ -59,9 +57,7 @@ let
     };
   in rec {
     enable = true;
-    listen = [
-      { ip = cfg.ip;  port = 443; }
-    ];
+    listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
     stateDir = "/run/httpd_${name}";
     logPerVirtualHost = true;
     multiProcessingModule = "worker";
@@ -74,12 +70,15 @@ let
       ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
       ++ [ redirectVhost ];
   };
-  makeServiceOptions = name: ip: {
+  makeServiceOptions = name: {
     enable = lib.mkEnableOption "enable websites in ${name}";
-    ip = lib.mkOption {
-      type = lib.types.string;
-      default = ip;
-      description = "${name} ip to listen to";
+    ips = lib.mkOption {
+      type = lib.types.listOf lib.types.string;
+      default = let
+        ips = myconfig.env.servers.eldiron.ips.${name};
+      in
+        [ips.ip4] ++ (ips.ip6 or []);
+      description = "${name} ips to listen to";
     };
     modules = lib.mkOption {
       type = lib.types.listOf (lib.types.str);
@@ -143,9 +142,9 @@ in
   ];
 
   options.services.myWebsites = {
-    production = makeServiceOptions "production" myconfig.ips.production;
-    integration = makeServiceOptions "integration" myconfig.ips.integration;
-    tools = makeServiceOptions "tools" myconfig.ips.main;
+    production = makeServiceOptions "production";
+    integration = makeServiceOptions "integration";
+    tools = makeServiceOptions "main";
 
     apacheConfig = lib.mkOption {
       type = lib.types.attrsOf (lib.types.submodule {
@@ -167,17 +166,7 @@ in
   };
 
   config = {
-    networking = {
-      firewall = {
-        enable = true;
-        allowedTCPPorts = [ 80 443 ];
-      };
-      interfaces."eth0".ipv4.addresses = [
-        # 176.9.151.89 declared in nixops -> infra / tools
-        { address = myconfig.ips.production; prefixLength = 32; }
-        { address = myconfig.ips.integration; prefixLength = 32; }
-      ];
-    };
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     nixpkgs.overlays = [ (self: super: rec {
       php = php72;