From 1533077234997c0bc88be77550cbd8dc7ef4b18c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 26 Jul 2024 18:02:15 +0200 Subject: [PATCH] sj-srv1,containers: debug and streamline networking config; update and track forgejo here after an update to nixpkgs on sj-srv1 the networking for the `webserver` container wasn't working. this caused me to debug the situation and changing lots of things around. the culprit was most likely some impure state file on the server that caused the `ve-webserver` interface not to persist its IP. after renaming the webserver container the problem went away. i reverted all the IP changes and am keeping the other changes as opporunistic improvements --- nix/os/containers/mailserver.nix | 5 +--- nix/os/containers/syncthing.nix | 3 -- nix/os/containers/webserver.nix | 17 +++++------ nix/os/devices/sj-srv1/flake.lock | 31 +++++++++++++++----- nix/os/devices/sj-srv1/flake.nix | 4 +++ nix/os/devices/sj-srv1/system.nix | 6 +++- nix/os/profiles/containers/configuration.nix | 10 ++++++- nix/os/snippets/systemd-resolved.nix | 7 ++--- 8 files changed, 53 insertions(+), 30 deletions(-) diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 48483a1..b906d8b 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix @@ -14,7 +14,7 @@ repoFlake, ... }: { - system.stateVersion = "21.11"; # Did you read the comment? + system.stateVersion = "22.05"; # Did you read the comment? imports = [ ../profiles/containers/configuration.nix @@ -23,7 +23,6 @@ ../profiles/common/user.nix ]; - networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ imapsPort sievePort @@ -211,8 +210,6 @@ }; }; - # extraFlags = ["--resolv-conf=bind-host"]; - privateNetwork = true; forwardPorts = [ { diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index d2fc85f..12421c7 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
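Review bot: The first mailserver hunk bumps `system.stateVersion` from "21.11" to "22.05", and that value is meant to stay at the release the container's persistent state was first created under; on an already-deployed container the bump silently switches every stateVersion-dependent default (database and service data formats among them) without migrating the data. The commit message describes debugging networking on a running server, not recreating the mailserver, so unless this container was deliberately rebuilt from scratch the line should stay `system.stateVersion = "21.11"; # Did you read the comment?`. If it was rebuilt, a comment saying so on that line keeps the next reader from reverting it.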
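Review bot: In the last mailserver hunk the collapsed layout makes it ambiguous whether the second `-` removes `privateNetwork = true;` or only a blank line ahead of it, and the same ambiguity exists in the syncthing and webserver hunks that drop `extraFlags`. If `privateNetwork` really goes, that container shares the host's network namespace, and both the firewall/nftables settings the shared profile now enables inside every container and the `forwardPorts` entries that follow stop meaning what they did. The commit message says the IP changes were reverted, so presumably only the commented `extraFlags` line and a blank line are removed; keeping `privateNetwork = true;` as an explicit, visible line in each of the three containers would make that unambiguous to anyone reading the patch.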
@@ -16,7 +16,6 @@ imports = [../profiles/containers/configuration.nix]; - networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # syncthing gui 8384 @@ -38,8 +37,6 @@ }; }; - extraFlags = ["--resolv-conf=bind-host"]; - privateNetwork = true; forwardPorts = [ { diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 31dd49b..c2c166c 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix @@ -15,6 +15,7 @@ in { pkgs, lib, repoFlake, + nodeFlake, ... }: { system.stateVersion = "22.05"; # Did you read the comment? @@ -24,7 +25,7 @@ in { ]; imports = [ - "${repoFlake.inputs.nixpkgs_forgejo}/nixos/modules/services/misc/forgejo.nix" + "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" ../profiles/containers/configuration.nix @@ -33,7 +34,6 @@ in { sops.defaultSopsFile = ./webserver_secrets.yaml; - networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ httpPort httpsPort @@ -48,11 +48,11 @@ in { services.caddy = { enable = true; + logFormat = '' + level ERROR + ''; virtualHosts."${domain}" = { - extraConfig = let - port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}"; - path = "${config.services.authelia.instances.default.settings.server.path}"; - in '' + extraConfig = '' redir /hedgedoc* https://hedgedoc.${domain} file_server /*/* { @@ -245,7 +245,7 @@ in { services.forgejo = { enable = true; - package = repoFlake.inputs.nixpkgs_forgejo.legacyPackages.${pkgs.system}.forgejo; + package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; settings = { service.DISABLE_REGISTRATION = true; server.HTTP_ADDR = "127.0.0.1"; @@ -307,9 +307,6 @@ in { }; }; - # extraFlags = ["--resolv-conf=bind-host"]; - # networking.useHostResolvConf = true; - privateNetwork = true; forwardPorts = [ { diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock index c9a9b7b..5985819 100644 
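Review bot: The forgejo module import and the `package` line in webserver.nix now read `nodeFlake.inputs.nixpkgs-unstable`, while the flake.nix hunk for sj-srv1 adds a pinned `nixpkgs_forgejo` input (and the lock file gains its entry) that nothing in this diff references, so the pin is dead weight and forgejo tracks whatever `nixpkgs-unstable` happens to be locked to. Either both webserver lines should read `nodeFlake.inputs.nixpkgs_forgejo` so the pin is actually used, or the input and its lock entry should be dropped; this assumes `nodeFlake` is passed through `specialArgs` from system.nix, which is outside these hunks. A rev- and narHash-locked input is also easier to audit for an internet-facing forgejo than a moving branch, and the flake.nix comment tying the pin to nixpkgs PR 312523 already records when it can go.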
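Review bot: `logFormat = '' level ERROR '';` in the caddy hunk sets Caddy's global default logger to ERROR, which suppresses the INFO-level request/access logs of the reverse proxy in front of forgejo, hedgedoc and authelia; that removes the one place where failed logins, scanning and abuse of the forwarded ports would be visible afterwards. If the aim is less noise, keep the default level and add a site-level `log` directive inside `extraConfig` so access logs for `${domain}` survive, or at least add a comment stating that access logging is intentionally off. Dropping the `let port = ...; path = ...; in` prefix is fine only if the remainder of `extraConfig` (outside this hunk) no longer interpolates `${port}` or `${path}`; otherwise evaluation fails on the first rebuild.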
--- a/nix/os/devices/sj-srv1/flake.lock
+++ b/nix/os/devices/sj-srv1/flake.lock
@@ -23,11 +23,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1721821769,
- "narHash": "sha256-PhmkdTJs2SfqKzSyDB74rDKp1MH4mGk0pG/+WqrnGEw=",
+ "lastModified": 1721949857,
+ "narHash": "sha256-DID446r8KsmJhbCzx4el8d9SnPiE8qa6+eEQOJ40vR0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "d0907b75146a0ccc1ec0d6c3db287ec287588ef6",
+ "rev": "a1cc729dcbc31d9b0d11d86dc7436163548a9665",
 "type": "github"
 },
 "original": {
@@ -39,11 +39,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1721994782,
- "narHash": "sha256-wgKA32fOqeIb9FmgnDGVarcu9kBzNpa8XSwITLhCaMk=",
+ "lastModified": 1722006690,
+ "narHash": "sha256-Y84/ZDxUvJhRDaqM67VjHyAbZ26j9/XRKH/zN9fGRBU=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "8b41014ce0ba673e74049db2da7c030cb27f720c",
+ "rev": "bb7d08ac86ae13fad7166d6082a2d8d0582c6ef3",
 "type": "github"
 },
 "original": {
@@ -69,12 +69,29 @@
 "type": "github"
 }
 },
+ "nixpkgs_forgejo": {
+ "locked": {
+ "lastModified": 1717596097,
+ "narHash": "sha256-ozSU3HYgTbUgyXfGEIdYzGNfCRtuV/Xw7O4ECsLigtk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "af4ac075a3e97cb239078e187112afdf380cd47b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "af4ac075a3e97cb239078e187112afdf380cd47b",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
 "nixpkgs-master": "nixpkgs-master",
- "nixpkgs-unstable": "nixpkgs-unstable"
+ "nixpkgs-unstable": "nixpkgs-unstable",
+ "nixpkgs_forgejo": "nixpkgs_forgejo"
 }
 }
 },
diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix
index f2af929..5d25964 100644
--- a/nix/os/devices/sj-srv1/flake.nix
+++ b/nix/os/devices/sj-srv1/flake.nix
@@ -8,5 +8,9 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # remove when https://github.com/NixOS/nixpkgs/pull/312523 is merged and backported + inputs.nixpkgs_forgejo.url = "github:NixOS/nixpkgs/af4ac075a3e97cb239078e187112afdf380cd47b"; + # nixpkgs_forgejo.url = "github:steveej-forks/nixpkgs/9c3519ab3beb11b8d997281f8922330f707df419"; + outputs = _: {}; } diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix index 434cf27..dcb3658 100644 --- a/nix/os/devices/sj-srv1/system.nix +++ b/nix/os/devices/sj-srv1/system.nix @@ -13,6 +13,7 @@ networking.firewall.enable = true; networking.nftables.enable = true; + networking.nftables.flushRuleset = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -31,6 +32,9 @@ internalInterfaces = ["ve-*"]; externalInterface = "eth0"; }; + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + }; # virtualization virtualisation = {docker.enable = false;}; @@ -87,7 +91,7 @@ sievePort = 4190; }; - webserver = + web = import ../../containers/webserver.nix { specialArgs = { diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 6c0b092..84f749a 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -1,6 +1,14 @@ -{...}: { +{pkgs, ...}: { networking.useHostResolvConf = false; + networking.firewall.enable = true; + networking.nftables.enable = true; + networking.nftables.flushRuleset = true; + + environment.systemPackages = [ + pkgs.dnsutils + ]; + imports = [ ../../snippets/systemd-resolved.nix ../../snippets/nix-settings.nix diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix index 57dfb86..8ade1e2 100644 --- a/nix/os/snippets/systemd-resolved.nix +++ b/nix/os/snippets/systemd-resolved.nix 
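Review bot: The added `"net.ipv4.ip_forward" = 1` sysctl in system.nix duplicates what the NixOS NAT module already turns on when `networking.nat` is enabled, which the `internalInterfaces`/`externalInterface` context lines suggest it is; the line looks like a leftover from the debugging session the commit message describes. If it is kept on purpose, a comment such as `# NAT module already enables forwarding; kept explicit because ...` stops the next reader from removing it as redundant. With forwarding on and `flushRuleset = true` added in the hunk above, traffic between `ve-*` and `eth0` is governed solely by the NixOS-generated forward chain, which is worth confirming against the exposure intended for the containers.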
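Review bot: Renaming the container attribute from `webserver` to `web` changes more than the `ve-` interface name: the container's systemd unit and, unless migrated by hand, the directory holding its state are keyed on that name, so the renamed container starts with fresh state while the old `webserver` container and its data stay on disk and, if still running, keep the old `forwardPorts`. The commit message says the rename made the networking problem disappear, which fits the stale-state explanation the message itself suspects rather than a configuration fix. A comment next to `web =` recording that this is a rename of the former `webserver` container and where its old state went would help whoever debugs this next.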
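Review bot: `networking.nftables.flushRuleset = true` in the shared container profile makes every container's firewall start with a full ruleset flush, which discards tables that any service inside a container manages on its own; if the mailserver or webserver runs something that keeps its own nftables tables (a ban list, for instance — not visible here), those rules vanish on every firewall restart. Centralising `networking.firewall.enable` here is sound, and since that option defaults to true the per-container removals are behaviour-neutral. A comment on the flush line, `# discards rules not declared in NixOS config; services that manage their own nft tables must re-add them`, would make the trade-off explicit.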
@@ -13,9 +13,8 @@
 enable = true;
 dnssec = "true";
 domains = ["~."];
- extraConfig = ''
- # TODO: figure out why "true" doesn't work
- DNSOverTLS=opportunistic
- '';
+
+ # TODO: figure out why "true" doesn't work
+ dnsovertls = "opportunistic";
 };
 }
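Review bot: The TODO carried over to the `dnsovertls` line still leaves the security property unstated: `"opportunistic"` falls back to plaintext DNS whenever the upstream does not answer on port 853, so it gives no protection against an active downgrade, and `"true"` (strict) most likely "doesn't work" because the resolvers these containers forward to (configured outside this hunk) do not offer DNS-over-TLS. Rewording the comment to `# opportunistic: falls back to plaintext; strict ("true") needs DoT-capable upstream resolvers` records the actual blocker instead of an open question. It is also worth confirming that `dnssec = "true"` is intended alongside an upstream that may not pass DNSSEC records through, since strict validation failures break resolution for the whole container.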