sj-srv1,containers: debug and streamline networking config; update and track forgejo here

after an update to nixpkgs on sj-srv1 the networking for the `webserver`
container wasn't working. this caused me to debug the situation and
change lots of things around. the culprit was most likely some impure
state file on the server that caused the `ve-webserver` interface not to
persist its IP. after renaming the webserver container the problem went
away.

i reverted all the IP changes and am keeping the other changes as opportunistic
improvements
This commit is contained in:
steveej 2024-07-26 18:02:15 +02:00
parent 1a177053ff
commit 1533077234
8 changed files with 53 additions and 30 deletions


@ -14,7 +14,7 @@
repoFlake, repoFlake,
... ...
}: { }: {
system.stateVersion = "21.11"; # Did you read the comment? system.stateVersion = "22.05"; # Did you read the comment?
imports = [ imports = [
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
@ -23,7 +23,6 @@
../profiles/common/user.nix ../profiles/common/user.nix
]; ];
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
imapsPort imapsPort
sievePort sievePort
@ -211,8 +210,6 @@
}; };
}; };
# extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
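Review bot: `system.stateVersion` goes from "21.11" to "22.05" in the first hunk, and the commit message does not mention it; NixOS uses that value as a record of the release the system was first installed with, and raising it on an existing container can change stateful defaults for the services it runs, so it should stay at "21.11" unless this container is being recreated from scratch. The removal of `networking.firewall.enable = true;` here, and the same removal in the next two file sections, appears to rely on the shared containers profile now enabling the firewall (the penultimate file section adds that line); this container does import `../profiles/containers/configuration.nix`, so that holds provided that is the file changed there. The enclosing module attribute set starts and ends outside the hunks.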


@ -16,7 +16,6 @@
imports = [../profiles/containers/configuration.nix]; imports = [../profiles/containers/configuration.nix];
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# syncthing gui # syncthing gui
8384 8384
@ -38,8 +37,6 @@
}; };
}; };
extraFlags = ["--resolv-conf=bind-host"];
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {


@ -15,6 +15,7 @@ in {
pkgs, pkgs,
lib, lib,
repoFlake, repoFlake,
nodeFlake,
... ...
}: { }: {
system.stateVersion = "22.05"; # Did you read the comment? system.stateVersion = "22.05"; # Did you read the comment?
@ -24,7 +25,7 @@ in {
]; ];
imports = [ imports = [
"${repoFlake.inputs.nixpkgs_forgejo}/nixos/modules/services/misc/forgejo.nix" "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
@ -33,7 +34,6 @@ in {
sops.defaultSopsFile = ./webserver_secrets.yaml; sops.defaultSopsFile = ./webserver_secrets.yaml;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
httpPort httpPort
httpsPort httpsPort
@ -48,11 +48,11 @@ in {
services.caddy = { services.caddy = {
enable = true; enable = true;
logFormat = ''
level ERROR
'';
virtualHosts."${domain}" = { virtualHosts."${domain}" = {
extraConfig = let extraConfig = ''
port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
path = "${config.services.authelia.instances.default.settings.server.path}";
in ''
redir /hedgedoc* https://hedgedoc.${domain} redir /hedgedoc* https://hedgedoc.${domain}
file_server /*/* { file_server /*/* {
@ -245,7 +245,7 @@ in {
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = repoFlake.inputs.nixpkgs_forgejo.legacyPackages.${pkgs.system}.forgejo; package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
settings = { settings = {
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
server.HTTP_ADDR = "127.0.0.1"; server.HTTP_ADDR = "127.0.0.1";
@ -307,9 +307,6 @@ in {
}; };
}; };
# extraFlags = ["--resolv-conf=bind-host"];
# networking.useHostResolvConf = true;
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
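Review bot: The forgejo module is now imported from `nodeFlake.inputs.nixpkgs-unstable` while the container's own nixpkgs also ships `nixos/modules/services/misc/forgejo.nix`; unless the in-tree copy is excluded with `disabledModules` somewhere outside the hunk (as must already have been the case for the previous `nixpkgs_forgejo` import), both declare the same `services.forgejo` options and evaluation fails, so the import line deserves a comment such as `# module and package both come from nixpkgs-unstable so they stay in sync; the in-tree forgejo module must be disabled`. Dropping the `let port = …; path = …; in` binding around `extraConfig` is only safe if nothing in the rest of the Caddy config, which continues outside the hunk, still interpolates `${port}` or `${path}`. Removing the `logFormat` with `level ERROR` returns Caddy to its default log level, which helps when investigating access problems but is a behaviour change the message does not describe. The `services.caddy` and `services.forgejo` blocks both extend beyond the hunks.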


@ -23,11 +23,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1721821769, "lastModified": 1721949857,
"narHash": "sha256-PhmkdTJs2SfqKzSyDB74rDKp1MH4mGk0pG/+WqrnGEw=", "narHash": "sha256-DID446r8KsmJhbCzx4el8d9SnPiE8qa6+eEQOJ40vR0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d0907b75146a0ccc1ec0d6c3db287ec287588ef6", "rev": "a1cc729dcbc31d9b0d11d86dc7436163548a9665",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -39,11 +39,11 @@
}, },
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1721994782, "lastModified": 1722006690,
"narHash": "sha256-wgKA32fOqeIb9FmgnDGVarcu9kBzNpa8XSwITLhCaMk=", "narHash": "sha256-Y84/ZDxUvJhRDaqM67VjHyAbZ26j9/XRKH/zN9fGRBU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8b41014ce0ba673e74049db2da7c030cb27f720c", "rev": "bb7d08ac86ae13fad7166d6082a2d8d0582c6ef3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -69,12 +69,29 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_forgejo": {
"locked": {
"lastModified": 1717596097,
"narHash": "sha256-ozSU3HYgTbUgyXfGEIdYzGNfCRtuV/Xw7O4ECsLigtk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "af4ac075a3e97cb239078e187112afdf380cd47b",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "af4ac075a3e97cb239078e187112afdf380cd47b",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-master": "nixpkgs-master", "nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable",
"nixpkgs_forgejo": "nixpkgs_forgejo"
} }
} }
}, },


@ -8,5 +8,9 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# remove when https://github.com/NixOS/nixpkgs/pull/312523 is merged and backported
inputs.nixpkgs_forgejo.url = "github:NixOS/nixpkgs/af4ac075a3e97cb239078e187112afdf380cd47b";
# nixpkgs_forgejo.url = "github:steveej-forks/nixpkgs/9c3519ab3beb11b8d997281f8922330f707df419";
outputs = _: {}; outputs = _: {};
} }


@ -13,6 +13,7 @@
networking.firewall.enable = true; networking.firewall.enable = true;
networking.nftables.enable = true; networking.nftables.enable = true;
networking.nftables.flushRuleset = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# iperf3 # iperf3
@ -31,6 +32,9 @@
internalInterfaces = ["ve-*"]; internalInterfaces = ["ve-*"];
externalInterface = "eth0"; externalInterface = "eth0";
}; };
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
# virtualization # virtualization
virtualisation = {docker.enable = false;}; virtualisation = {docker.enable = false;};
@ -87,7 +91,7 @@
sievePort = 4190; sievePort = 4190;
}; };
webserver = web =
import ../../containers/webserver.nix import ../../containers/webserver.nix
{ {
specialArgs = { specialArgs = {
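Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` is added in the second hunk without a comment, and the `networking.nat` settings directly above it (`internalInterfaces`, `externalInterface`) suggest NAT is enabled, which already turns on IPv4 forwarding; if the explicit sysctl is what made the `ve-*` traffic flow during the debugging, that is worth recording, e.g. `# host-wide IPv4 forwarding for the ve-* container NAT; TODO confirm networking.nat does not already set this`. `networking.nftables.flushRuleset = true;` in the first hunk wipes every nftables table, including any installed by services other than the NixOS firewall, each time the firewall unit restarts, so a comment naming that intent would help the next reader. Renaming the container from `webserver` to `web` in the third hunk changes the `ve-*` interface name and the per-container state directory, so data and secrets under the old name are left behind rather than migrated; the description explains the rename as the fix, and a note about the old state would complete it. The host module continues outside all three hunks.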


@ -1,6 +1,14 @@
{...}: { {pkgs, ...}: {
networking.useHostResolvConf = false; networking.useHostResolvConf = false;
networking.firewall.enable = true;
networking.nftables.enable = true;
networking.nftables.flushRuleset = true;
environment.systemPackages = [
pkgs.dnsutils
];
imports = [ imports = [
../../snippets/systemd-resolved.nix ../../snippets/systemd-resolved.nix
../../snippets/nix-settings.nix ../../snippets/nix-settings.nix
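Review bot: `pkgs.dnsutils` is added to `environment.systemPackages` of every container that imports this profile with no comment; it is a debugging aid rather than part of any service, so either a comment such as `# dig/nslookup for debugging container DNS` or a separate debug profile would keep the shared profile's purpose clear and the container footprint minimal. `networking.nftables.flushRuleset = true;` here likewise deserves a one-line comment, since it clears any nftables rules inside the container that were not installed by the NixOS firewall whenever the firewall unit restarts. The `imports` list and the enclosing module continue outside the hunk.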


@ -13,9 +13,8 @@
enable = true; enable = true;
dnssec = "true"; dnssec = "true";
domains = ["~."]; domains = ["~."];
extraConfig = ''
# TODO: figure out why "true" doesn't work # TODO: figure out why "true" doesn't work
DNSOverTLS=opportunistic dnsovertls = "opportunistic";
'';
}; };
} }
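Review bot: The move to `dnsovertls = "opportunistic";` keeps the TODO about `"true"` without saying what fails, and opportunistic mode in systemd-resolved performs no server authentication and offers no downgrade protection (it silently falls back to plaintext when TLS is not available), so the `dnssec = "true"` setting above is the only guarantee that is actually enforced. Suggest making that explicit in the comment, e.g. `# TODO: "true" (strict DoT) currently fails; "opportunistic" falls back to plaintext and does not authenticate the server, so only dnssec is enforced here`. The `services.resolved` attribute set starts outside the hunk.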