infra/nix/os/devices/sj-srv1/system.nix

{
  pkgs,
  lib,
  config,
  repoFlake,
  nodeFlake,
  nodeName,
  ...
}: let
  hostBridgeAddress = "192.168.101.1";
in {
  imports = [
    ../../snippets/systemd-resolved.nix
  ];

  networking.firewall.enable = true;
  networking.nftables.enable = true;
  networking.nftables.flushRuleset = true;

  networking.firewall.allowedTCPPorts = [
    # iperf3
    5201
  ];

  networking.firewall.logRefusedConnections = false;

  networking.usePredictableInterfaceNames = false;

  networking.useNetworkd = true;
  networking.useDHCP = false;

  networking.nat = {
    enable = true;
    internalInterfaces = ["br0"];
    externalInterface = "dmz0";
  };

  networking.bridges = {
    br0 = {
      interfaces = [];
    };
  };
  networking.interfaces = {
    br0 = {
      ipv4.addresses = [
        {
          address = hostBridgeAddress;
          prefixLength = 24;
        }
      ];
    };
  };

  systemd.network.netdevs."10-dmz0" = {
    enable = true;
    netdevConfig = {
      Name = "dmz0";
      Kind = "macvlan";
      MACAddress = "1c:69:7a:07:08:6f";
    };

    macvlanConfig = {
      Mode = "bridge";
    };
  };

  systemd.network.networks."20-eth0" = {
    enable = true;
    matchConfig.Name = "eth0";

    linkConfig.RequiredForOnline = "carrier";
    networkConfig.LinkLocalAddressing = "no";

    # TODO: i'm not sure if and if so why this is required
    macvlan = [
      "dmz0"
    ];

    DHCP = "no";
  };

  systemd.network.networks."30-dmz0" = {
    enable = true;
    matchConfig.Name = "dmz0";
    DHCP = "yes";
  };

  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.ip_forward" = 1;
  };

  # virtualization
  virtualisation = {docker.enable = false;};

  nix.gc = {automatic = true;};

  sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;

  # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
  services.restic.backups.${nodeName} = let
    btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
  in {
    initialize = true;
    repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";

    paths = [
      "/backup"
    ];

    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 2"
    ];

    timerConfig = {
      OnCalendar = lib.mkDefault "daily";
      Persistent = true;
    };

    passwordFile = config.sops.secrets.restic-password.path;

    backupPrepareCommand = ''
      ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
    '';
    backupCleanupCommand = ''
      ${btrfs} su delete /backup/container-volumes
    '';
  };

  containers = {
    mailserver = import ../../containers/mailserver.nix {
      specialArgs = {
        inherit repoFlake nodeFlake;
      };

      autoStart = true;

      hostBridge = "br0";
      hostAddress = hostBridgeAddress;
      localAddress = "192.168.101.10/24";

      imapsPort = 993;
      sievePort = 4190;
    };

    webserver =
      import ../../containers/webserver.nix
      {
        specialArgs = {
          inherit repoFlake nodeFlake;
        };

        autoStart = true;

        hostBridge = "br0";
        hostAddress = hostBridgeAddress;
        localAddress = "192.168.101.11/24";

        httpPort = 80;
        httpsPort = 443;
        forgejoSshPort = 2222;
      };

    syncthing = import ../../containers/syncthing.nix {
      specialArgs = {
        inherit repoFlake nodeFlake;
      };
      autoStart = true;

      hostBridge = "br0";
      hostAddress = hostBridgeAddress;
      localAddress = "192.168.101.12/24";

      syncthingPort = 22000;
    };
  };

  virtualisation.libvirtd = {
    enable = true;
    onShutdown = "shutdown";
    parallelShutdown = 3;
  };

  fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D";

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "22.11"; # Did you read the comment?
}
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
+								{
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								  pkgs,
 								  lib,
 								  config,
 								  repoFlake,
-												fix(*): adapt to nixos-24.05 changes

											
										
										
											2024-06-01 21:46:09 +02:00
+								  nodeFlake,
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								  nodeName,
 								  ...
-												fix(sj-srv1): DRY hostAddress and eth0 link status

											
										
										
											2024-08-24 01:02:59 +02:00
+								}: let
 								  hostBridgeAddress = "192.168.101.1";
 								in {
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
+								  imports = [
 								    ../../snippets/systemd-resolved.nix
 								  ];
 								  networking.firewall.enable = true;
 								  networking.nftables.enable = true;
-												sj-srv1,containers: debug and streamline networking config; update and track forgejo here

after an update to nixpkgs on sj-srv1 the networking for the `webserver`
container wasn't working. this caused me to debug the situation and
changing lots of things around. the culprit was most likely some impure
state file on the server that caused the `ve-webserver` interface not to
persist its IP. after renaming the webserver container the problem went
away.

i reverted all the IP changes and am keeping the other changes as opporunistic
improvements

											
										
										
											2024-07-26 18:02:15 +02:00
+								  networking.nftables.flushRuleset = true;
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								  networking.firewall.allowedTCPPorts = [
 								    # iperf3
 
 								  ];
 								  networking.firewall.logRefusedConnections = false;
 								  networking.usePredictableInterfaceNames = false;
 								  networking.useNetworkd = true;
-												feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface

this allows guest VMs to communicate with the host via their macvtap
connection.

											
										
										
											2024-08-24 00:18:17 +02:00
+								  networking.useDHCP = false;
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								  networking.nat = {
 								    enable = true;
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								    internalInterfaces = ["br0"];
-												feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface

this allows guest VMs to communicate with the host via their macvtap
connection.

											
										
										
											2024-08-24 00:18:17 +02:00
+								    externalInterface = "dmz0";
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
+								  };
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
 								  networking.bridges = {
 								    br0 = {
 								      interfaces = [];
 								    };
 								  };
 								  networking.interfaces = {
 								    br0 = {
 								      ipv4.addresses = [
 								        {
-												fix(sj-srv1): DRY hostAddress and eth0 link status

											
										
										
											2024-08-24 01:02:59 +02:00
+								          address = hostBridgeAddress;
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								          prefixLength = 24;
 								        }
 								      ];
 								    };
 								  };
-												feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface

this allows guest VMs to communicate with the host via their macvtap
connection.

											
										
										
											2024-08-24 00:18:17 +02:00
+								  systemd.network.netdevs."10-dmz0" = {
 								    enable = true;
 								    netdevConfig = {
 								      Name = "dmz0";
 								      Kind = "macvlan";
 								      MACAddress = "1c:69:7a:07:08:6f";
 								    };
 								    macvlanConfig = {
 								      Mode = "bridge";
 								    };
 								  };
 								  systemd.network.networks."20-eth0" = {
 								    enable = true;
 								    matchConfig.Name = "eth0";
-												fix(sj-srv1): DRY hostAddress and eth0 link status

											
										
										
											2024-08-24 01:02:59 +02:00
+								    linkConfig.RequiredForOnline = "carrier";
 								    networkConfig.LinkLocalAddressing = "no";
-												feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface

this allows guest VMs to communicate with the host via their macvtap
connection.

											
										
										
											2024-08-24 00:18:17 +02:00
+								    # TODO: i'm not sure if and if so why this is required
 								    macvlan = [
 								      "dmz0"
 								    ];
 								    DHCP = "no";
 								  };
 								  systemd.network.networks."30-dmz0" = {
 								    enable = true;
 								    matchConfig.Name = "dmz0";
 								    DHCP = "yes";
 								  };
-												sj-srv1,containers: debug and streamline networking config; update and track forgejo here

after an update to nixpkgs on sj-srv1 the networking for the `webserver`
container wasn't working. this caused me to debug the situation and
changing lots of things around. the culprit was most likely some impure
state file on the server that caused the `ve-webserver` interface not to
persist its IP. after renaming the webserver container the problem went
away.

i reverted all the IP changes and am keeping the other changes as opporunistic
improvements

											
										
										
											2024-07-26 18:02:15 +02:00
+								  boot.kernel.sysctl = {
 								    "net.ipv4.ip_forward" = 1;
-												feat(router0-dmz0,sj-srv1): use bridged macvlan as main dmz interface

this allows guest VMs to communicate with the host via their macvtap
connection.

											
										
										
											2024-08-24 00:18:17 +02:00
+								    "net.ipv6.ip_forward" = 1;
-												sj-srv1,containers: debug and streamline networking config; update and track forgejo here

after an update to nixpkgs on sj-srv1 the networking for the `webserver`
container wasn't working. this caused me to debug the situation and
changing lots of things around. the culprit was most likely some impure
state file on the server that caused the `ve-webserver` interface not to
persist its IP. after renaming the webserver container the problem went
away.

i reverted all the IP changes and am keeping the other changes as opporunistic
improvements

											
										
										
											2024-07-26 18:02:15 +02:00
+								  };
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								  # virtualization
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								  virtualisation = {docker.enable = false;};
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								  nix.gc = {automatic = true;};
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								  sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
 								  # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								  services.restic.backups.${nodeName} = let
 								    btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
 								  in {
 								    initialize = true;
 								    repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
 								    paths = [
 								      "/backup"
 								    ];
 								    pruneOpts = [
 								      "--keep-daily 7"
 								      "--keep-weekly 5"
 								      "--keep-monthly 12"
 								      "--keep-yearly 2"
 								    ];
 								    timerConfig = {
 								      OnCalendar = lib.mkDefault "daily";
 								      Persistent = true;
 								    };
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								    passwordFile = config.sops.secrets.restic-password.path;
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								    backupPrepareCommand = ''
 								      ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
 								    '';
 								    backupCleanupCommand = ''
 								      ${btrfs} su delete /backup/container-volumes
 								    '';
 								  };
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								  containers = {
 								    mailserver = import ../../containers/mailserver.nix {
-												fix(*): adapt to nixos-24.05 changes

											
										
										
											2024-06-01 21:46:09 +02:00
+								      specialArgs = {
 								        inherit repoFlake nodeFlake;
 								      };
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								      autoStart = true;
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								      hostBridge = "br0";
-												fix(sj-srv1): DRY hostAddress and eth0 link status

											
										
										
											2024-08-24 01:02:59 +02:00
+								      hostAddress = hostBridgeAddress;
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								      localAddress = "192.168.101.10/24";
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								      imapsPort = 993;
 								      sievePort = 4190;
 								    };
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								    webserver =
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
+								      import ../../containers/webserver.nix
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								      {
-												fix(*): adapt to nixos-24.05 changes

											
										
										
											2024-06-01 21:46:09 +02:00
+								        specialArgs = {
 								          inherit repoFlake nodeFlake;
 								        };
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								        autoStart = true;
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								        hostBridge = "br0";
-												fix(sj-srv1): DRY hostAddress and eth0 link status

											
										
										
											2024-08-24 01:02:59 +02:00
+								        hostAddress = hostBridgeAddress;
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								        localAddress = "192.168.101.11/24";
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								        httpPort = 80;
 								        httpsPort = 443;
-												feat(webserver/forgejo): set up SSH

											
										
										
											2024-06-12 22:22:46 +02:00
+								        forgejoSshPort = 2222;
-												nix fmt

											
										
										
											2024-02-08 20:53:22 +01:00
+								      };
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								    syncthing = import ../../containers/syncthing.nix {
-												fix(*): adapt to nixos-24.05 changes

											
										
										
											2024-06-01 21:46:09 +02:00
+								      specialArgs = {
 								        inherit repoFlake nodeFlake;
 								      };
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
+								      autoStart = true;
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								      hostBridge = "br0";
-												fix(sj-srv1): DRY hostAddress and eth0 link status

											
										
										
											2024-08-24 01:02:59 +02:00
+								      hostAddress = hostBridgeAddress;
-												feat(sj-srv1): switch to hostBridge set up

the hostside veth interfaces seem to be buggy and this is more efficient
anyway.

											
										
										
											2024-08-24 00:16:29 +02:00
+								      localAddress = "192.168.101.12/24";
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
 								      syncthingPort = 22000;
 								    };
 								  };
-												sj-srv1: configure libvirt and external filesystem

											
										
										
											2024-08-22 14:33:39 +02:00
+								  virtualisation.libvirtd = {
 								    enable = true;
 								    onShutdown = "shutdown";
 								    parallelShutdown = 3;
 								  };
 								  fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D";
-												sj-srv1: init with restic backup

											
										
										
											2024-01-18 21:06:45 +00:00
+								  # This value determines the NixOS release from which the default
 								  # settings for stateful data, like file locations and database versions
 								  # on your system were taken. It‘s perfectly fine and recommended to leave
 								  # this value at the release version of the first install of this system.
 								  # Before changing this value read the documentation for this option
 								  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 								  system.stateVersion = "22.11"; # Did you read the comment?
 								}