From d3a40bd942537c35e3eb6cf9282798d704720290 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sun, 11 Feb 2024 00:28:56 +0100
Subject: Configure nginx and containers / virtualisation for zoldene

---
 systems/zoldene/base.nix | 10 ++++++++-
 systems/zoldene/certificates.nix | 23 +++++++++++++++++++
 systems/zoldene/flake.nix | 3 +++
 systems/zoldene/virtualisation.nix | 46 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 systems/zoldene/certificates.nix
 create mode 100644 systems/zoldene/virtualisation.nix
(limited to 'systems')

diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix
index 8ca5d52..2c0a461 100644
--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -1,4 +1,4 @@
-{ name, config, lib, pkgs, secrets, ... }:
+{ name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
 let
   # udev rules to be able to boot from qemu in a rescue
   udev-qemu-rules =
@@ -9,6 +9,12 @@ let
     '') (builtins.attrNames disks));
 in
 {
+  imports = [
+    secrets.nixosModules.users-config-zoldene
+    ./virtualisation.nix
+    ./certificates.nix
+  ];
+
   services.openssh = {
     settings.KbdInteractiveAuthentication = false;
     hostKeys = [
@@ -119,4 +125,6 @@ in
   secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
   # ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
   secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
+
+
 }
diff --git a/systems/zoldene/certificates.nix b/systems/zoldene/certificates.nix
new file mode 100644
index 0000000..d6ffd12
--- /dev/null
+++ b/systems/zoldene/certificates.nix
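Review bot: `pkgs-no-overlay` is added to base.nix's argument set in the first hunk, but none of the visible base.nix hunks reference it; the binding is consumed by virtualisation.nix, which receives it from the module system on its own. Because the argument set already ends in `...`, base.nix accepts the extra module argument without naming it, so unless the rest of base.nix (outside these hunks) uses the name, the change to the signature is dead and could be reverted to `{ name, config, lib, pkgs, secrets, ... }:`. If it is used further down the file, a short comment on what distinguishes `pkgs-no-overlay` from `pkgs` would help the next reader.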
@@ -0,0 +1,23 @@
+{ ... }:
+{
+  disko.devices.zpool.zfast.datasets."root/persist/var/lib/acme" =
+    { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/acme"; options.mountpoint = "legacy"; };
+
+  environment.persistence."/persist/zfast".directories = [
+    {
+      directory = "/var/lib/acme";
+      user = "root";
+      group = "root";
+      mode = "0755";
+    }
+  ];
+
+  users.users.nginx.extraGroups = [ "acme" ];
+  services.nginx = {
+    enable = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+  };
+
+}
diff --git a/systems/zoldene/flake.nix b/systems/zoldene/flake.nix
index 42466e8..7b7b4b7 100644
--- a/systems/zoldene/flake.nix
+++ b/systems/zoldene/flake.nix
@@ -14,6 +14,9 @@
       system = "x86_64-linux";
       targetHost = "88.198.39.152";
       targetUser = "root";
+      moduleArgs = {
+        pkgs-no-overlay = inputs.nixpkgs.legacyPackages.x86_64-linux;
+      };
       nixosModules = with inputs; {
         impermanence = impermanence.nixosModule;
         base = ./base.nix;
diff --git a/systems/zoldene/virtualisation.nix b/systems/zoldene/virtualisation.nix
new file mode 100644
index 0000000..d2212fe
--- /dev/null
+++ b/systems/zoldene/virtualisation.nix
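Review bot: `services.nginx` is enabled with the optimisation, gzip and proxy presets but not `recommendedTlsSettings`, which is the preset a module named certificates.nix most needs; consider adding `recommendedTlsSettings = true;` next to the other three so the ACME-issued certificates are served with the module's hardened TLS defaults. Nothing in this file declares `security.acme` itself (acceptTerms, defaults.email, certificate entries); if that lives in another module this is fine, otherwise the `acme` group that nginx is added to may not exist. The persistence entry declares `/var/lib/acme` as root:root 0755, while the ACME module manages ownership of its own tree (I believe as the acme user/group) — confirm the bind-mounted directory matches what the module expects so renewals do not fail on permissions.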
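Review bot: The flake.nix hunk hard-codes the system string a second time in `legacyPackages.x86_64-linux` while `system = "x86_64-linux";` sits three lines above; the enclosing attrset starts outside the hunk, so if it is (or can be made) a `rec` or `let`-bound value, `inputs.nixpkgs.legacyPackages.${system}` keeps the two from drifting. The purpose of `pkgs-no-overlay` is also undocumented; a one-line comment such as `# plain nixpkgs without this repository's overlays (used by virtualisation.nix for qemu)` would tell the next reader why a second package set is threaded through moduleArgs.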
@@ -0,0 +1,46 @@
+{ pkgs-no-overlay, ... }:
+{
+  boot.kernelModules = [ "nf_nat_ftp" ];
+
+  ### Enable Docker
+  virtualisation.docker.enable = true;
+  disko.devices.zpool.zfast.datasets."root/persist/var/lib/docker" =
+    { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/docker"; options.mountpoint = "legacy"; };
+
+  ### Enable LXC
+  disko.devices.zpool.zfast.datasets."root/persist/var/lib/lxc" =
+    { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/lxc"; options.mountpoint = "legacy"; };
+  virtualisation.lxc = {
+    enable = true;
+    lxcfs.enable = true;
+  };
+
+  ### Enable libvirtd
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu.package = pkgs-no-overlay.qemu;
+  };
+
+  ### Persistence for LXC / Docker
+  environment.persistence."/persist/zfast".directories = [
+    {
+      directory = "/var/lib/lxc";
+      user = "root";
+      group = "root";
+      mode = "0755";
+    }
+    {
+      directory = "/var/lib/docker";
+      user = "root";
+      group = "root";
+      mode = "0750";
+    }
+  ];
+
+  # ip forwarding is needed for NAT'ing to work in containers/VMs.
+  boot.kernel.sysctl = {
+    "net.ipv4.conf.all.forwarding" = true;
+    "net.ipv4.conf.default.forwarding" = true;
+  };
+}
+
-- 
cgit v1.2.3
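Review bot: `"net.ipv4.conf.all.forwarding" = true` makes the host (which flake.nix deploys to a public address) a router, and with `virtualisation.docker.enable = true` Docker installs its own nat/FORWARD rules ahead of the NixOS firewall, so container ports published by Docker are reachable from the network regardless of `networking.firewall` unless forwarding is restricted separately. That expectation deserves a comment next to the sysctl, e.g. `# NOTE: Docker manages its own NAT/FORWARD rules; ports it publishes bypass networking.firewall`. `boot.kernelModules = [ "nf_nat_ftp" ]` loads the FTP NAT helper with no note on which workload needs it; on current kernels it stays inert unless conntrack helper assignment is enabled or a CT rule selects it, so a one-line comment naming the consumer would help. Finally, `/var/lib/docker` is backed by a ZFS dataset but no `virtualisation.docker.storageDriver` is set; Docker's default overlay2 driver only works on ZFS with overlay support, so confirm the ZFS version here provides it or set the driver explicitly.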