diff --git a/machines/solis/modules.nix b/machines/solis/modules.nix index 2eef00c..0c9e32e 100644 --- a/machines/solis/modules.nix +++ b/machines/solis/modules.nix @@ -1,6 +1,4 @@ -{config, ...}: let - username = config.horseman.username; -in { +{...}: { imports = [ ../../modules ]; @@ -8,15 +6,6 @@ in { config.horseman = { users.default.enable = true; - containers = { - enable = true; - backupDir = "/home/${username}/backups"; - - nginx.enable = true; - vaultwarden.enable = true; - forgejo.enable = true; - }; - base = { nix.enable = true; locale.enable = true; diff --git a/modules/containers/default.nix b/modules/containers/default.nix index 4bc2f02..841dcdb 100644 --- a/modules/containers/default.nix +++ b/modules/containers/default.nix @@ -1,10 +1,5 @@ -{ - config, - lib, - ... -}: let - inherit (lib) mkIf mkEnableOption mkOption types; - cfg = config.horseman.containers; +{lib, ...}: let + inherit (lib) mkOption types; in { imports = [ ./nginx.nix @@ -13,20 +8,17 @@ in { ]; options = { - horseman.containers = { - enable = mkEnableOption "Containers"; - backupDir = mkOption { - type = types.str; - }; + backupDir = mkOption { + type = types.str; }; }; - config = mkIf cfg.enable { + config = { networking.nat = { enable = true; # Use "ve-*" when using nftables instead of iptables internalInterfaces = ["ve-+"]; - externalInterface = "enp2s0"; + externalInterface = "eno1"; # Lazy IPv6 connectivity for the container enableIPv6 = true; }; diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix index 00984df..f8e7a8e 100644 --- a/modules/containers/forgejo.nix +++ b/modules/containers/forgejo.nix @@ -57,8 +57,8 @@ in { containers.forgejoRunner = { autoStart = true; privateNetwork = true; - hostAddress = "172.168.100.2"; - localAddress = "192.168.100.102"; + hostAddress = "172.16.0.2"; + localAddress = "192.168.100.2"; bindMounts = { "/var/lib/secrets" = { 
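Review bot: In the `options = {` block of modules/containers/default.nix, `backupDir` is now declared at the top level of the option tree (`options.backupDir`) instead of under `horseman.containers`, it has no default, and the only assignment visible in this commit (`backupDir = "/home/${username}/backups"` in machines/solis/modules.nix) is removed, so anything that reads the option will fail to evaluate unless it is set elsewhere. Keeping it namespaced, `horseman.containers.backupDir = mkOption { type = types.str; };`, also avoids placing a project-specific name into the global NixOS option namespace. Dropping `mkIf cfg.enable` means that merely importing ../../modules now unconditionally enables `networking.nat` with the hard-coded `externalInterface = "eno1"` on every machine; if that is intended, a comment such as `# NAT for the ve-* container bridge; always on, interface name is host-specific` would make it explicit, otherwise the enable switch is worth keeping.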
@@ -91,7 +91,7 @@ in { systemd.services.startup = { script = '' cd ${config.users.users.runner.home} - ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance ${cfg.url} --secret $(cat /var/lib/secrets/secret) --name runner + ${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner sleep 10 ${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile} ''; @@ -106,8 +106,8 @@ in { containers.forgejo = { autoStart = true; privateNetwork = true; - hostAddress = "192.168.100.3"; - localAddress = "192.168.100.103"; + hostAddress = "172.16.0.3"; + localAddress = "192.168.100.3"; bindMounts = { "/var/lib/forgejo" = { @@ -127,18 +127,6 @@ in { ... }: { environment.systemPackages = [pkgs.forgejo]; - - services.openssh = { - enable = true; - ports = [cfg.sshPort]; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - # AllowUsers = ["git"]; - }; - }; - services.forgejo = { enable = true; @@ -151,7 +139,7 @@ in { ROOT_URL = cfg.url; }; session = { - COOKIE_SECURE = true; + COOKIE_SECURE = false; # TODO Set to true }; service = { DISABLE_REGISTRATION = true; diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index 6526eae..348447d 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -8,6 +8,7 @@ }: let inherit (lib) mkEnableOption mkIf mkOption types; cfg = config.horseman.containers.nginx; + osConfig = config; in { options = { horseman.containers.nginx = { 
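Review bot: The runner registration in modules/containers/forgejo.nix now hard-codes `--instance http://192.168.100.3:3000`, duplicating the `localAddress = "192.168.100.3"` set on `containers.forgejo` further down the same file and the `horseman.containers.forgejo.port` option that nginx.nix proxies to; the two will drift silently if either is renumbered. nginx.nix in this same commit introduces an `osConfig = config;` alias for exactly this situation, so the same pattern here would allow `--instance http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}` — assuming the `config` in scope is the container's own, which the `config.users.users.runner.home` reference suggests. The registration secret is still expanded into the command line via `$(cat /var/lib/secrets/secret)`, where it is readable from the process list inside the container and may be captured in the journal; it is worth checking whether the runner can take it from a file or stdin instead so it never appears in argv. The enclosing `containers.forgejoRunner` block starts and ends outside this hunk.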
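Review bot: `COOKIE_SECURE = false; # TODO Set to true` in the forgejo `session` settings removes the Secure attribute from the session cookie, so a browser will also send it on a plain-HTTP request to the git host; that is a session-theft exposure the previous `true` prevented. TLS is terminated by the nginx container added in this commit (`git.${cfg.domain}` has `forceSSL = true`), and the Secure attribute concerns only the browser-facing scheme, so the plain-HTTP hop between nginx and the container is not a reason to turn it off. If the motivation is the runner reaching Forgejo directly at `http://192.168.100.3:3000`, that path uses a token rather than a browser session and is unaffected by this setting. Suggest restoring `COOKIE_SECURE = true;`, or if it must stay off temporarily, replacing the bare TODO with a comment naming the concrete blocker. The surrounding `services.forgejo.settings` block continues outside this hunk.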
@@ -25,61 +26,81 @@ in { acceptTerms = true; defaults.email = "koen.de.ruiter@hotmail.com"; }; + + containers.nginx = { + autoStart = true; + privateNetwork = true; + hostAddress = "172.16.0.1"; + localAddress = "192.168.100.1"; - services.fail2ban.enable = true; - services.nginx = { - enable = true; - - streamConfig = '' - server { - listen ${toString config.horseman.containers.forgejo.sshPort}; - proxy_pass ${config.containers.forgejo.localAddress}:${toString config.horseman.containers.forgejo.sshPort}; - } - ''; - - virtualHosts = { - "${cfg.domain}" = { - forceSSL = true; - enableACME = true; - - root = "/var/www/portfolio"; - default = true; - extraConfig = '' - error_page 404 /404.html; - ''; + bindMounts = { + "/var/www/portfolio" = { + hostPath = "/var/www/portfolio"; + isReadOnly = true; }; - - "public.${cfg.domain}" = { - forceSSL = true; - enableACME = true; - - root = "/var/www/public"; - }; - - "git.${cfg.domain}" = { - forceSSL = true; - enableACME = true; - - locations."/" = { - proxyPass = "http://${config.containers.forgejo.localAddress}:${toString config.horseman.containers.forgejo.port}"; - }; - }; - - "vault.${cfg.domain}" = { - forceSSL = true; - enableACME = true; - - locations."/" = { - proxyPass = "http://${config.containers.vaultwarden.localAddress}:${toString config.horseman.containers.vaultwarden.port}"; - }; + "/var/www/public" = { + hostPath = "/var/www/public"; + isReadOnly = true; }; }; - }; - networking = { - firewall = { - enable = true; - allowedTCPPorts = [80 443 config.horseman.containers.forgejo.sshPort]; + config = { + config, + pkgs, + lib, + ... 
+ }: { + services.nginx = { + enable = true; + + virtualHosts = { + "${cfg.domain}" = { + forceSSL = true; + enableACME = true; + + root = "/var/www/portfolio"; + default = true; + extraConfig = '' + error_page 404 /404.html; + ''; + }; + + "public.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + + root = "/var/www/public"; + }; + + "git.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}"; + }; + }; + + "vault.${cfg.domain}" = { + forceSSL = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}"; + }; + }; + }; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [80 443]; + }; + useHostResolvConf = lib.mkForce false; + }; + services.resolved.enable = true; + system.stateVersion = "23.11"; }; }; }; diff --git a/modules/containers/vaultwarden.nix b/modules/containers/vaultwarden.nix index 02707c3..6d748dc 100644 --- a/modules/containers/vaultwarden.nix +++ b/modules/containers/vaultwarden.nix @@ -52,14 +52,14 @@ in { containers.vaultwarden = { autoStart = true; privateNetwork = true; - hostAddress = "192.168.100.4"; - localAddress = "192.168.100.104"; + hostAddress = "172.16.0.4"; + localAddress = "192.168.100.4"; bindMounts = { - "/var/lib/bitwarden_rs" = { + "/var/lib/vaultwarden" = { hostPath = DATA_DIR; isReadOnly = false; - }; + }; # TODO set correct }; config = {
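Review bot: The ACME-enabled virtual hosts (`enableACME = true` on `${cfg.domain}`, `public.`, `git.` and `vault.`) now live inside `containers.nginx.config`, but the `acceptTerms = true;` / `defaults.email` lines shown as context at the top of the hunk — presumably the host's `security.acme` block — stay on the host; the container evaluates its own `security.acme` namespace, so these hosts will trip the ACME module's accept-terms assertion unless that block is moved or duplicated into the container config. Two host-side protections removed here are not re-established inside the container: `services.fail2ban.enable = true;`, and the host firewall entry `allowedTCPPorts = [80 443 ...]`; with `privateNetwork = true` and no `forwardPorts` visible in this diff, external 80/443 traffic has no path to `localAddress = "192.168.100.1"` unless it is configured elsewhere. The `proxyPass` targets correctly use `osConfig.containers.*.localAddress` because `config` inside the container config refers to the container; a one-line comment above `osConfig = config;` saying `# host-level config; the container's own config shadows `config` below` would save the next reader from that trap.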
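Review bot: The bind-mount target in modules/containers/vaultwarden.nix is renamed from `/var/lib/bitwarden_rs` to `/var/lib/vaultwarden` with a `# TODO set correct` marker, so the commit itself records that the path is unverified. If the service inside the container still writes to a differently named default state directory, the vault database will silently land in the container's own /var/lib rather than in `DATA_DIR` on the host, and fall outside whatever backup covers that directory — an easy-to-miss data-loss risk for a password store. Whichever path is right, consider deriving both sides from one value, e.g. `let dataDir = "/var/lib/vaultwarden"; in` and `"${dataDir}" = { hostPath = DATA_DIR; isReadOnly = false; };`, and setting vaultwarden's `DATA_FOLDER` in the container config to the same value explicitly instead of relying on the default. The `containers.vaultwarden.config` block continues outside this hunk.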