sj-srv1,containers: debug and streamline networking config; update and track forgejo here

after an update to nixpkgs on sj-srv1 the networking for the `webserver` container wasn't working. this caused me to debug the situation and changing lots of things around. the culprit was most likely some impure state file on the server that caused the `ve-webserver` interface not to persist its IP. after renaming the webserver container the problem went away. i reverted all the IP changes and am keeping the other changes as opporunistic improvements
2024-07-26 18:02:15 +02:00 · 2024-07-26 18:02:15 +02:00 · 1533077234
commit 1533077234
parent 1a177053ff
8 changed files with 53 additions and 30 deletions
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@ -14,7 +14,7 @@
    repoFlake,
    ...
  }: {
-    system.stateVersion = "21.11"; # Did you read the comment?
+    system.stateVersion = "22.05"; # Did you read the comment?

    imports = [
      ../profiles/containers/configuration.nix
@ -23,7 +23,6 @@
      ../profiles/common/user.nix
    ];

-    networking.firewall.enable = true;
    networking.firewall.allowedTCPPorts = [
      imapsPort
      sievePort
@ -211,8 +210,6 @@
    };
  };

-  # extraFlags = ["--resolv-conf=bind-host"];
-
  privateNetwork = true;
  forwardPorts = [
    {
--- a/nix/os/containers/syncthing.nix
+++ b/nix/os/containers/syncthing.nix
@ -16,7 +16,6 @@

    imports = [../profiles/containers/configuration.nix];

-    networking.firewall.enable = true;
    networking.firewall.allowedTCPPorts = [
      # syncthing gui
      8384
@ -38,8 +37,6 @@
    };
  };

-  extraFlags = ["--resolv-conf=bind-host"];
-
  privateNetwork = true;
  forwardPorts = [
    {
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -15,6 +15,7 @@ in {
    pkgs,
    lib,
    repoFlake,
+    nodeFlake,
    ...
  }: {
    system.stateVersion = "22.05"; # Did you read the comment?
@ -24,7 +25,7 @@ in {
    ];

    imports = [
-      "${repoFlake.inputs.nixpkgs_forgejo}/nixos/modules/services/misc/forgejo.nix"
+      "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"

      ../profiles/containers/configuration.nix

@ -33,7 +34,6 @@ in {

    sops.defaultSopsFile = ./webserver_secrets.yaml;

-    networking.firewall.enable = true;
    networking.firewall.allowedTCPPorts = [
      httpPort
      httpsPort
@ -48,11 +48,11 @@ in {

    services.caddy = {
      enable = true;
+      logFormat = ''
+        level ERROR
+      '';
      virtualHosts."${domain}" = {
-        extraConfig = let
-          port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
-          path = "${config.services.authelia.instances.default.settings.server.path}";
-        in ''
+        extraConfig = ''
          redir /hedgedoc* https://hedgedoc.${domain}

          file_server /*/* {
@ -245,7 +245,7 @@ in {

    services.forgejo = {
      enable = true;
-      package = repoFlake.inputs.nixpkgs_forgejo.legacyPackages.${pkgs.system}.forgejo;
+      package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
      settings = {
        service.DISABLE_REGISTRATION = true;
        server.HTTP_ADDR = "127.0.0.1";
@ -307,9 +307,6 @@ in {
    };
  };

-  # extraFlags = ["--resolv-conf=bind-host"];
-  # networking.useHostResolvConf = true;
-
  privateNetwork = true;
  forwardPorts = [
    {
--- a/nix/os/devices/sj-srv1/flake.lock
+++ b/nix/os/devices/sj-srv1/flake.lock
@ -23,11 +23,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1721821769,
-        "narHash": "sha256-PhmkdTJs2SfqKzSyDB74rDKp1MH4mGk0pG/+WqrnGEw=",
+        "lastModified": 1721949857,
+        "narHash": "sha256-DID446r8KsmJhbCzx4el8d9SnPiE8qa6+eEQOJ40vR0=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d0907b75146a0ccc1ec0d6c3db287ec287588ef6",
+        "rev": "a1cc729dcbc31d9b0d11d86dc7436163548a9665",
        "type": "github"
      },
      "original": {
@ -39,11 +39,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1721994782,
-        "narHash": "sha256-wgKA32fOqeIb9FmgnDGVarcu9kBzNpa8XSwITLhCaMk=",
+        "lastModified": 1722006690,
+        "narHash": "sha256-Y84/ZDxUvJhRDaqM67VjHyAbZ26j9/XRKH/zN9fGRBU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8b41014ce0ba673e74049db2da7c030cb27f720c",
+        "rev": "bb7d08ac86ae13fad7166d6082a2d8d0582c6ef3",
        "type": "github"
      },
      "original": {
@ -69,12 +69,29 @@
        "type": "github"
      }
    },
+    "nixpkgs_forgejo": {
+      "locked": {
+        "lastModified": 1717596097,
+        "narHash": "sha256-ozSU3HYgTbUgyXfGEIdYzGNfCRtuV/Xw7O4ECsLigtk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "af4ac075a3e97cb239078e187112afdf380cd47b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "af4ac075a3e97cb239078e187112afdf380cd47b",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "nixpkgs-master": "nixpkgs-master",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "nixpkgs_forgejo": "nixpkgs_forgejo"
      }
    }
  },
--- a/nix/os/devices/sj-srv1/flake.nix
+++ b/nix/os/devices/sj-srv1/flake.nix
@ -8,5 +8,9 @@
    inputs.nixpkgs.follows = "nixpkgs";
  };

+  # remove when https://github.com/NixOS/nixpkgs/pull/312523 is merged and backported
+  inputs.nixpkgs_forgejo.url = "github:NixOS/nixpkgs/af4ac075a3e97cb239078e187112afdf380cd47b";
+  # nixpkgs_forgejo.url = "github:steveej-forks/nixpkgs/9c3519ab3beb11b8d997281f8922330f707df419";
+
  outputs = _: {};
 }
--- a/nix/os/devices/sj-srv1/system.nix
+++ b/nix/os/devices/sj-srv1/system.nix
@ -13,6 +13,7 @@

  networking.firewall.enable = true;
  networking.nftables.enable = true;
+  networking.nftables.flushRuleset = true;

  networking.firewall.allowedTCPPorts = [
    # iperf3
@ -31,6 +32,9 @@
    internalInterfaces = ["ve-*"];
    externalInterface = "eth0";
  };
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };

  # virtualization
  virtualisation = {docker.enable = false;};
@ -87,7 +91,7 @@
      sievePort = 4190;
    };

-    webserver =
+    web =
      import ../../containers/webserver.nix
      {
        specialArgs = {
--- a/nix/os/profiles/containers/configuration.nix
+++ b/nix/os/profiles/containers/configuration.nix
@ -1,6 +1,14 @@
-{...}: {
+{pkgs, ...}: {
  networking.useHostResolvConf = false;

+  networking.firewall.enable = true;
+  networking.nftables.enable = true;
+  networking.nftables.flushRuleset = true;
+
+  environment.systemPackages = [
+    pkgs.dnsutils
+  ];
+
  imports = [
    ../../snippets/systemd-resolved.nix
    ../../snippets/nix-settings.nix
--- a/nix/os/snippets/systemd-resolved.nix
+++ b/nix/os/snippets/systemd-resolved.nix
@ -13,9 +13,8 @@
    enable = true;
    dnssec = "true";
    domains = ["~."];
-    extraConfig = ''
+
    # TODO: figure out why "true" doesn't work
-      DNSOverTLS=opportunistic
-    '';
+    dnsovertls = "opportunistic";
  };
 }