steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions
infra/nix/os/devices/sj-srv1/system.nix
Stefan Junker 1533077234 sj-srv1,containers: debug and streamline networking config; update and track forgejo here 
after an update to nixpkgs on sj-srv1 the networking for the `webserver`
container wasn't working. this caused me to debug the situation and
changing lots of things around. the culprit was most likely some impure
state file on the server that caused the `ve-webserver` interface not to
persist its IP. after renaming the webserver container the problem went
away.

i reverted all the IP changes and am keeping the other changes as opporunistic
improvements
2024-07-26 18:02:52 +02:00

131 lines
3.1 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
pkgs,
lib,
config,
repoFlake,
nodeFlake,
nodeName,
...
}: {
imports = [
../../snippets/systemd-resolved.nix
];
networking.firewall.enable = true;
networking.nftables.enable = true;
networking.nftables.flushRuleset = true;
networking.firewall.allowedTCPPorts = [
# iperf3
5201
];
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
networking.useNetworkd = true;
networking.useDHCP = true;
networking.nat = {
enable = true;
internalInterfaces = ["ve-*"];
externalInterface = "eth0";
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
};
# virtualization
virtualisation = {docker.enable = false;};
nix.gc = {automatic = true;};
sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
services.restic.backups.${nodeName} = let
btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
in {
initialize = true;
repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
paths = [
"/backup"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 2"
];
timerConfig = {
OnCalendar = lib.mkDefault "daily";
Persistent = true;
};
passwordFile = config.sops.secrets.restic-password.path;
backupPrepareCommand = ''
${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
'';
backupCleanupCommand = ''
${btrfs} su delete /backup/container-volumes
'';
};
containers = {
mailserver = import ../../containers/mailserver.nix {
specialArgs = {
inherit repoFlake nodeFlake;
};
autoStart = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
imapsPort = 993;
sievePort = 4190;
};
web =
import ../../containers/webserver.nix
{
specialArgs = {
inherit repoFlake nodeFlake;
};
autoStart = true;
hostAddress = "192.168.100.12";
localAddress = "192.168.100.13";
httpPort = 80;
httpsPort = 443;
forgejoSshPort = 2222;
};
syncthing = import ../../containers/syncthing.nix {
specialArgs = {
inherit repoFlake nodeFlake;
};
autoStart = true;
hostAddress = "192.168.100.14";
localAddress = "192.168.100.15";
syncthingPort = 22000;
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}
Reference in a new issue View git blame Copy permalink