authorIsmaël Bouya <ismael.bouya@normalesup.org>2024-02-11 00:28:56 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2024-02-24 12:22:45 +0100
commitd3a40bd942537c35e3eb6cf9282798d704720290 (patch)
treeecee4d3a7d8bd48706ff79f98c2da3994bc48e56
parentce983e8b05d17adbf6b8228b990e5a512835ca56 (diff)
Configure nginx and containers / virtualisation for zoldene
-rw-r--r--deploy/flake.lock12
-rw-r--r--flake.lock4
-rw-r--r--flakes/flake.lock2
-rw-r--r--systems/zoldene/base.nix10
-rw-r--r--systems/zoldene/certificates.nix23
-rw-r--r--systems/zoldene/flake.nix3
-rw-r--r--systems/zoldene/virtualisation.nix46
7 files changed, 90 insertions, 10 deletions
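--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-JZAb5V2upUFe8gDKiHtA0iksciLTuZgtLikxZpE2ZkY=",
+        "narHash": "sha256-On+vOgbdQGNAUM9YxLHmju3ci2yvD5Us4pVLGMAIUw4=",
         "path": "../flakes",
         "type": "path"
       },
@@ -3974,7 +3974,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=",
+        "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
         "path": "../systems/zoldene",
         "type": "path"
       },
@@ -8888,11 +8888,11 @@
         "nixpkgs": "nixpkgs_106"
       },
       "locked": {
-        "lastModified": 1700953172,
-        "narHash": "sha256-KcFb43yLFsVOMevka1G2ddTE5JFsS72h+6XfjO7ivAs=",
+        "lastModified": 1708773401,
+        "narHash": "sha256-5UeCrBFAypxoiJ3TkmtXw40g1durDVV6AiPmzaumeQk=",
         "ref": "master",
-        "rev": "4518b25634f2274d2a65bf5bfc4c78c4ab450787",
-        "revCount": 715,
+        "rev": "890a76ab7f560b8a8d547d2066fe5e10083b0689",
+        "revCount": 721,
         "type": "git",
         "url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
       },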
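--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-JZAb5V2upUFe8gDKiHtA0iksciLTuZgtLikxZpE2ZkY=",
+        "narHash": "sha256-On+vOgbdQGNAUM9YxLHmju3ci2yvD5Us4pVLGMAIUw4=",
         "path": "./flakes",
         "type": "path"
       },
@@ -3990,7 +3990,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=",
+        "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
         "path": "../systems/zoldene",
         "type": "path"
       },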
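--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3895,7 +3895,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=",
+        "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
         "path": "../systems/zoldene",
         "type": "path"
       },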
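--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -1,4 +1,4 @@
-{ name, config, lib, pkgs, secrets, ... }:
+{ name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
 let
   # udev rules to be able to boot from qemu in a rescue
   udev-qemu-rules =
@@ -9,6 +9,12 @@ let
   '') (builtins.attrNames disks));
 in
 {
+  imports = [
+    secrets.nixosModules.users-config-zoldene
+    ./virtualisation.nix
+    ./certificates.nix
+  ];
+
   services.openssh = {
     settings.KbdInteractiveAuthentication = false;
     hostKeys = [
@@ -119,4 +125,6 @@ in
   secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
   # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
   secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
+
+
 }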
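Review bot: The `imports` list added at lines 12–16 also pulls in `secrets.nixosModules.users-config-zoldene`, which the commit message (nginx and virtualisation) does not mention; if that module defines the host's user accounts, as its name suggests, it is the most security-relevant line of the change and deserves a comment such as `# user accounts and keys for this host come from the private secrets flake`. `pkgs-no-overlay` is added to the argument set on line 1 but is not used in any hunk of this file that I can see; if only virtualisation.nix needs it, the extra argument here may be dead. The two blank lines added at 128–129 before the closing brace look like stray whitespace.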
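--- /dev/null
+++ b/systems/zoldene/certificates.nix
@@ -0,0 +1,23 @@
+{ ... }:
+{
+  disko.devices.zpool.zfast.datasets."root/persist/var/lib/acme" =
+    { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/acme"; options.mountpoint = "legacy"; };
+
+  environment.persistence."/persist/zfast".directories = [
+    {
+      directory = "/var/lib/acme";
+      user = "root";
+      group = "root";
+      mode = "0755";
+    }
+  ];
+
+  users.users.nginx.extraGroups = [ "acme" ];
+  services.nginx = {
+    enable = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+  };
+
+}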
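Review bot: `services.nginx` at lines 16–21 turns on the optimisation, gzip and proxy presets but not `recommendedTlsSettings`, which is the one a file named certificates.nix most needs: without it the TLS protocol and cipher configuration falls back to the nginx package defaults instead of the module's hardened set, so I'd add `recommendedTlsSettings = true;` next to the others. Nothing in this file actually configures `security.acme` (no certificates, email or accepted terms), yet nginx is put in the `acme` group at line 15; presumably that lives elsewhere, in which case a comment pointing to it would help the next reader. The `/var/lib/acme` persistence entry is created `root:root` with mode `0755`; as far as I recall the ACME module manages the ownership and modes of the per-certificate directories underneath, but it is worth confirming that the bind-mounted top directory matches what that module expects.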
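--- a/systems/zoldene/flake.nix
+++ b/systems/zoldene/flake.nix
@@ -14,6 +14,9 @@
     system = "x86_64-linux";
     targetHost = "88.198.39.152";
     targetUser = "root";
+    moduleArgs = {
+      pkgs-no-overlay = inputs.nixpkgs.legacyPackages.x86_64-linux;
+    };
     nixosModules = with inputs; {
       impermanence = impermanence.nixosModule;
       base = ./base.nix;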
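Review bot: The new `moduleArgs.pkgs-no-overlay` at lines 17–19 hard-codes `x86_64-linux` a second time even though `system` is already set on line 14; deriving it from that value (or a shared `let`-bound system) keeps the two from drifting apart. It also deserves a short comment on why an un-overlaid package set is threaded into the modules, e.g. `# nixpkgs without this repo's overlays, for modules that need the upstream package (see virtualisation.nix)`. The enclosing attribute set starts and ends outside the hunk.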
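--- /dev/null
+++ b/systems/zoldene/virtualisation.nix
@@ -0,0 +1,46 @@
+{ pkgs-no-overlay, ... }:
+{
+  boot.kernelModules = [ "nf_nat_ftp" ];
+
+  ### Enable Docker
+  virtualisation.docker.enable = true;
+  disko.devices.zpool.zfast.datasets."root/persist/var/lib/docker" =
+    { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/docker"; options.mountpoint = "legacy"; };
+
+  ### Enable LXC
+  disko.devices.zpool.zfast.datasets."root/persist/var/lib/lxc" =
+    { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/lxc"; options.mountpoint = "legacy"; };
+  virtualisation.lxc = {
+    enable = true;
+    lxcfs.enable = true;
+  };
+
+  ### Enable libvirtd
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu.package = pkgs-no-overlay.qemu;
+  };
+
+  ### Persistence for LXC / Docker
+  environment.persistence."/persist/zfast".directories = [
+    {
+      directory = "/var/lib/lxc";
+      user = "root";
+      group = "root";
+      mode = "0755";
+    }
+    {
+      directory = "/var/lib/docker";
+      user = "root";
+      group = "root";
+      mode = "0750";
+    }
+  ];
+
+  # ip forwarding is needed for NAT'ing to work in containers/VMs.
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.ipv4.conf.default.forwarding" = true;
+  };
+}
+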
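Review bot: Enabling `net.ipv4.conf.all.forwarding` at lines 41–44 makes this host route packets between all of its interfaces, and nothing in the file constrains what gets forwarded; as far as I recall the NixOS firewall only filters INPUT, so the effective policy for forwarded traffic ends up being whatever the Docker and libvirt daemons insert at runtime, and Docker by default also publishes container ports through its own chains ahead of the host firewall rules. On a host with a public address that is worth stating in the comment and, ideally, backing with an explicit rule set for the FORWARD path rather than relying on the daemons' defaults. The `nf_nat_ftp` module at line 3 also deserves a why-comment: it pulls in the FTP connection-tracking helper, which should only be attached to the FTP control traffic it is actually meant for. Lastly, the persisted `/var/lib/docker` gets mode `0750` while `/var/lib/lxc` gets `0755` although both hold container root filesystems; if the difference is intentional, a one-line comment would stop it being "fixed" later.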