feat(167.233.1.14): migrate all containers here

2023-03-08 19:13:59 +01:00 · 2023-03-08 19:13:59 +01:00 · 7a10782170
commit 7a10782170
parent 855c463a93
28 changed files with 310 additions and 1022 deletions
--- a/nix/os/containers/ipxe.nix
+++ b/nix/os/containers/ipxe.nix
@ -1,170 +0,0 @@
-{
-  hostAddress,
-  localAddress,
-  httpPort ? 80,
-  httpsPort ? 443,
-}: let
-  passwords = import ../../variables/passwords.crypt.nix;
-in {
-  config = {
-    config,
-    pkgs,
-    lib,
-    ...
-  }: {
-    imports = [../profiles/containers/configuration.nix];
-
-    networking.firewall.enable = false;
-
-    services.ddclientovh = {
-      enable = true;
-      domain = "www.stefanjunker.de";
-    };
-
-    security.acme = {
-      acceptTerms = true;
-      certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
-      preliminarySelfsigned = true;
-
-      # can be used for debugging
-      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
-    };
-
-    services.nginx.enable = true;
-    services.nginx.recommendedProxySettings = true;
-    services.nginx.virtualHosts."www.stefanjunker.de" = {
-      default = true;
-      addSSL = true;
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = httpPort;
-          ssl = false;
-        }
-        {
-          addr = "0.0.0.0";
-          port = httpsPort;
-          ssl = true;
-        }
-      ];
-
-      root = "/var/www/stefanjunker.de/htdocs";
-
-      enableACME = true;
-      # serverAliases = [
-      #   "www.stefanjunker.de"
-      # ];
-      # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
-      # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
-
-      locations."/fi" = {index = "index.php";};
-
-      locations."~ ^(.+.php)(.*)$".extraConfig = ''
-        fastcgi_split_path_info  ^(.+\.php)(.*)$;
-
-        fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
-        fastcgi_index index.php;
-      '';
-
-      locations."/hedgedoc/" = {proxyPass = "http://127.0.0.1:3000/";};
-
-      locations."/hedgedoc/socket.io/" = {
-        proxyPass = "http://127.0.0.1:3000/socket.io/";
-        proxyWebsockets = true;
-      };
-    };
-
-    services.phpfpm.pools.mypool = {
-      user = "nobody";
-      phpPackage = pkgs.php5;
-      settings = {
-        "listen.owner" = config.services.nginx.user;
-        "pm" = "dynamic";
-        "pm.max_children" = 5;
-        "pm.start_servers" = 2;
-        "pm.min_spare_servers" = 1;
-        "pm.max_spare_servers" = 3;
-        "pm.max_requests" = 500;
-
-        "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
-      };
-    };
-
-    # the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
-    systemd.services."phpfpm-mypool" = {
-      serviceConfig = {Type = lib.mkForce "simple";};
-    };
-
-    services.mysql = {
-      enable = true;
-      package = pkgs.mariadb;
-    };
-
-    services.hedgedoc = {
-      enable = true;
-      configuration = {
-        domain = "www.stefanjunker.de";
-        urlPath = "hedgedoc";
-        protocolUseSSL = true;
-        db = {
-          dialect = "sqlite";
-          storage = "/var/lib/codimd/db.codimd.sqlite";
-        };
-
-        allowAnonymous = false;
-        allowAnonymousEdits = false;
-        allowGravatar = false;
-        allowFreeURL = false;
-        defaultPermission = "private";
-        allowEmailRegister = false;
-
-        # oauth2 provider config
-        inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
-
-        uploadsPath = "/var/lib/codimd/uploads";
-      };
-    };
-  };
-
-  autoStart = true;
-
-  bindMounts = {
-    "/etc/secrets/" = {
-      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
-      isReadOnly = true;
-    };
-
-    "/var/www" = {
-      hostPath = "/var/lib/container-volumes/webserver/var-www";
-      isReadOnly = false;
-    };
-
-    "/var/lib/mysql" = {
-      hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
-      isReadOnly = false;
-    };
-
-    "/var/lib/codimd" = {
-      hostPath = "/var/lib/container-volumes/webserver/var-lib-codimd";
-      isReadOnly = false;
-    };
-  };
-
-  privateNetwork = true;
-  forwardPorts = [
-    {
-      # http
-      containerPort = 80;
-      hostPort = httpPort;
-      protocol = "tcp";
-    }
-    {
-      # https
-      containerPort = 443;
-      hostPort = httpsPort;
-      protocol = "tcp";
-    }
-  ];
-
-  inherit hostAddress localAddress;
-}
--- a/nix/os/containers/syncthing.nix
+++ b/nix/os/containers/syncthing.nix
@ -1,31 +1,31 @@
-{
-  hostAddress,
-  localAddress,
-  syncthingPort ? 22000,
-  syncthingLocalAnnouncePort ? 21027,
-  autoStart ? false,
+{ hostAddress
+, localAddress
+, syncthingPort ? 22000
+, syncthingLocalAnnouncePort ? 21027
+, autoStart ? false
+,
 }: {
-  config = {
-    config,
-    pkgs,
-    ...
-  }: {
-    system.stateVersion = "20.05"; # Did you read the comment?
+  config =
+    { config
+    , pkgs
+    , ...
+    }: {
+      system.stateVersion = "20.05"; # Did you read the comment?

-    imports = [../profiles/containers/configuration.nix];
+      imports = [ ../profiles/containers/configuration.nix ];

-    networking.firewall.enable = true;
-    networking.firewall.allowedTCPPorts = [
-      # syncthing gui
-      8384
-    ];
+      networking.firewall.enable = true;
+      networking.firewall.allowedTCPPorts = [
+        # syncthing gui
+        8384
+      ];

-    services.syncthing = {
-      enable = true;
-      openDefaultPorts = true;
-      guiAddress = "0.0.0.0:8384";
+      services.syncthing = {
+        enable = true;
+        openDefaultPorts = true;
+        guiAddress = "0.0.0.0:8384";
+      };
    };
-  };

  inherit autoStart;

@ -36,7 +36,7 @@
    };
  };

-  extraFlags = ["--resolv-conf=bind-host"];
+  extraFlags = [ "--resolv-conf=bind-host" ];

  privateNetwork = true;
  forwardPorts = [
@ -45,10 +45,15 @@
      hostPort = syncthingPort;
      protocol = "tcp";
    }
+    {
+      containerPort = 22000;
+      hostPort = syncthingPort;
+      protocol = "udp";
+    }
    {
      containerPort = 21027;
      hostPort = syncthingLocalAnnouncePort;
-      protocol = "tcp";
+      protocol = "udp";
    }
  ];

--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -1,133 +1,95 @@
-{
-  hostAddress,
-  localAddress,
-  httpPort ? 80,
-  httpsPort ? 443,
-  autoStart ? false,
-}: let
+{ hostAddress
+, localAddress
+, httpPort ? 80
+, httpsPort ? 443
+, autoStart ? false
+,
+}:
+let
  passwords = import ../../variables/passwords.crypt.nix;
-in {
-  config = {
-    config,
-    pkgs,
-    lib,
-    ...
-  }: {
-    system.stateVersion = "22.05"; # Did you read the comment?
+in
+{
+  config =
+    { config
+    , pkgs
+    , lib
+    , ...
+    }: {
+      system.stateVersion = "22.05"; # Did you read the comment?

-    imports = [../profiles/containers/configuration.nix];
+      imports = [ ../profiles/containers/configuration.nix ];

-    networking.firewall.enable = false;
+      networking.firewall.enable = false;

-    services.ddclientovh = {
-      enable = true;
-      domain = "www.stefanjunker.de";
-    };
-
-    security.acme = {
-      acceptTerms = true;
-      certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
-      preliminarySelfsigned = true;
-
-      # can be used for debugging
-      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
-    };
-
-    services.nginx.enable = true;
-    services.nginx.recommendedProxySettings = true;
-    services.nginx.virtualHosts."www.stefanjunker.de" = {
-      default = true;
-      addSSL = true;
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = httpPort;
-          ssl = false;
-        }
-        {
-          addr = "0.0.0.0";
-          port = httpsPort;
-          ssl = true;
-        }
-      ];
-
-      root = "/var/www/stefanjunker.de/htdocs";
-
-      enableACME = true;
-      # serverAliases = [
-      #   "www.stefanjunker.de"
-      # ];
-      # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
-      # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
-
-      locations."/fi" = {index = "index.php";};
-
-      locations."~ ^(.+.php)(.*)$".extraConfig = ''
-        fastcgi_split_path_info  ^(.+\.php)(.*)$;
-
-        fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
-        fastcgi_index index.php;
-      '';
-
-      locations."/hedgedoc/" = {proxyPass = "http://127.0.0.1:3000/";};
-
-      locations."/hedgedoc/socket.io/" = {
-        proxyPass = "http://127.0.0.1:3000/socket.io/";
-        proxyWebsockets = true;
-      };
-    };
-
-    services.phpfpm.pools.mypool = {
-      user = "nobody";
-      phpPackage = pkgs.php5;
-      settings = {
-        "listen.owner" = config.services.nginx.user;
-        "pm" = "dynamic";
-        "pm.max_children" = 5;
-        "pm.start_servers" = 2;
-        "pm.min_spare_servers" = 1;
-        "pm.max_spare_servers" = 3;
-        "pm.max_requests" = 500;
-
-        "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
-      };
-    };
-
-    # the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work
-    systemd.services."phpfpm-mypool" = {
-      serviceConfig = {Type = lib.mkForce "simple";};
-    };
-
-    services.mysql = {
-      enable = true;
-      package = pkgs.mariadb_104;
-    };
-
-    services.hedgedoc = {
-      enable = true;
-      configuration = {
+      services.ddclientovh = {
+        enable = true;
        domain = "www.stefanjunker.de";
-        urlPath = "hedgedoc";
-        protocolUseSSL = true;
-        db = {
-          dialect = "sqlite";
-          storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
+      };
+
+      security.acme = {
+        acceptTerms = true;
+        certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
+        preliminarySelfsigned = true;
+
+        # can be used for debugging
+        # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      };
+
+      services.nginx.enable = true;
+      services.nginx.recommendedProxySettings = true;
+      services.nginx.virtualHosts."www.stefanjunker.de" = {
+        default = true;
+        addSSL = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = httpPort;
+            ssl = false;
+          }
+          {
+            addr = "0.0.0.0";
+            port = httpsPort;
+            ssl = true;
+          }
+        ];
+
+        root = "/var/www/stefanjunker.de/htdocs";
+
+        enableACME = true;
+
+        locations."/hedgedoc/" = { proxyPass = "http://[::1]:3000/"; };
+
+        locations."/hedgedoc/socket.io/" = {
+          proxyPass = "http://[::1]:3000/socket.io/";
+          proxyWebsockets = true;
        };
+      };

-        allowAnonymous = false;
-        allowAnonymousEdits = false;
-        allowGravatar = false;
-        allowFreeURL = false;
-        defaultPermission = "private";
-        allowEmailRegister = false;
+      services.hedgedoc = {
+        enable = true;
+        settings = {
+          domain = "www.stefanjunker.de";
+          urlPath = "hedgedoc";
+          protocolUseSSL = true;
+          db = {
+            dialect = "sqlite";
+            storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
+          };

-        # oauth2 provider config
-        inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
+          allowAnonymous = false;
+          allowAnonymousEdits = false;
+          allowGravatar = false;
+          allowFreeURL = false;
+          defaultPermission = "private";
+          allowEmailRegister = false;

-        uploadsPath = "/var/lib/codimd/uploads";
+          # oauth2 provider config
+          inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
+
+          uploadsPath = "/var/lib/hedgedoc/uploads";
+        };
      };
    };
-  };

  inherit autoStart;

@ -153,7 +115,7 @@ in {
    };
  };

-  extraFlags = ["--resolv-conf=bind-host"];
+  extraFlags = [ "--resolv-conf=bind-host" ];

  privateNetwork = true;
  forwardPorts = [