From a7dfb93f42b761857f053269f289c196810a0c12 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Thu, 28 Mar 2024 18:20:08 -0400 Subject: [PATCH 01/14] Setting up nginx via microvm --- flake.lock | 104 +++++++++++++++--- flake.nix | 26 ++++- .../nixos/microvms/nginx-proxy/default.nix | 27 +++++ modules/hosts/nixos/nixnuc/default.nix | 25 ++++- modules/system/common/all-nixos.nix | 8 +- 5 files changed, 170 insertions(+), 20 deletions(-) create mode 100644 modules/hosts/nixos/microvms/nginx-proxy/default.nix diff --git a/flake.lock b/flake.lock index b9edaee..4bfd185 100644 --- a/flake.lock +++ b/flake.lock @@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1710906792, - "narHash": "sha256-kFzpfZcInLhBFWHy452NlvFuzNr0BDEkz3w9Sgg2ypo=", + "lastModified": 1711006105, + "narHash": "sha256-pvjqjx4L2Hx/NP3RWcwLjk+ABtMODAJ9+rgreU6fP6I=", "owner": "nix-community", "repo": "disko", - "rev": "e9875b969086a53dff5ec4677575ad3156fc875d", + "rev": "a8c966ee117c278a5aabc6f00b00ef62eb7e28f6", "type": "github" }, "original": { @@ -96,6 +96,24 @@ "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1687709756, "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", 
@@ -120,11 +138,11 @@ "sqlite3pp": "sqlite3pp" }, "locked": { - "lastModified": 1710948909, - "narHash": "sha256-kESddzTIzBUGToPgBcM2kFiKt1Njyo2wYwPb8GqAhIM=", + "lastModified": 1711144337, + "narHash": "sha256-7nExp0SsiOcKvn+12W1Vp56F5mxmFiPZqctf5JWLB7w=", "owner": "flox", "repo": "flox", - "rev": "21e1a2929eeadfb6e128d6f991f82ae029bf7e07", + "rev": "aaaac2e75eb84a3e3838d31b8db4d01ab834e852", "type": "github" }, "original": { @@ -195,11 +213,11 @@ ] }, "locked": { - "lastModified": 1706981411, - "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", + "lastModified": 1710888565, + "narHash": "sha256-s9Hi4RHhc6yut4EcYD50sZWRDKsugBJHSbON8KFwoTw=", "owner": "nix-community", "repo": "home-manager", - "rev": "652fda4ca6dafeb090943422c34ae9145787af37", + "rev": "f33900124c23c4eca5831b9b5eb32ea5894375ce", "type": "github" }, "original": { @@ -209,6 +227,28 @@ "type": "github" } }, + "microvm": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs" + ], + "spectrum": "spectrum" + }, + "locked": { + "lastModified": 1711159783, + "narHash": "sha256-nwl2Cygq7NrV9QcebJE/T/vXv7w+zLERD7ygHz0F5g8=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "d31f7c7d3194c51372134832a3a2a256773c161a", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, "nix-darwin": { "inputs": { "nixpkgs": [ @@ -265,7 +305,7 @@ "nix-homebrew": { "inputs": { "brew-src": "brew-src", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nix-darwin": "nix-darwin_2", "nixpkgs": "nixpkgs_3" }, 
@@ -349,11 +389,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1710889954, - "narHash": "sha256-Pr6F5Pmd7JnNEMHHmspZ0qVqIBVxyZ13ik1pJtm2QXk=", + "lastModified": 1711106783, + "narHash": "sha256-PDwAcHahc6hEimyrgGmFdft75gmLrJOZ0txX7lFqq+I=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7872526e9c5332274ea5932a0c3270d6e4724f3b", + "rev": "a3ed7406349a9335cb4c2a71369b697cecd9d351", "type": "github" }, "original": { @@ -394,11 +434,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1710951922, - "narHash": "sha256-FOOBJ3DQenLpTNdxMHR2CpGZmYuctb92gF0lpiirZ30=", + "lastModified": 1711156376, + "narHash": "sha256-gZDInkcCv3lmo578cIOyWpJ7mNgVcI6v2aodMF87oSo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f091af045dff8347d66d186a62d42aceff159456", + "rev": "b94075d5e741439f255799453be7ead01930caf0", "type": "github" }, "original": { @@ -439,6 +479,7 @@ "flox-flake": "flox-flake", "genebean-omp-themes": "genebean-omp-themes", "home-manager": "home-manager", + "microvm": "microvm", "nix-darwin": "nix-darwin", "nix-flatpak": "nix-flatpak", "nix-homebrew": "nix-homebrew", @@ -468,6 +509,22 @@ "type": "github" } }, + "spectrum": { + "flake": false, + "locked": { + "lastModified": 1708358594, + "narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=", + "ref": "refs/heads/main", + "rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c", + "revCount": 614, + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + }, + "original": { + "type": "git", + "url": "https://spectrum-os.org/git/spectrum" + } + }, "sqlite3pp": { "inputs": { "nixpkgs": [ 
@@ -518,6 +575,21 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index ac86e3e..e5ffdab 100644 --- a/flake.nix +++ b/flake.nix @@ -48,8 +48,13 @@ flake = false; }; + microvm = { + url = "github:astro/microvm.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; # end inputs - outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, nix-darwin, home-manager, nix-homebrew, nix-flatpak, disko, sops-nix, flox-flake, genebean-omp-themes, ... }: let + outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, nix-darwin, home-manager, nix-homebrew, nix-flatpak, disko, sops-nix, flox-flake, microvm, genebean-omp-themes, ... }: let # creates a macOS system config darwinHostConfig = system: hostname: username: nix-darwin.lib.darwinSystem { @@ -127,6 +132,22 @@ ]; }; # end nixosSystem + nixosMicrovmConfig = system: hostname: username: nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + microvm.nixosModules.microvm + { + networking.hostName = "${hostname}"; + users.users.${username} = { + initialHashedPassword = "$6$FH6xo/OzM9mIAXqx$GTqSEDahPGyxLiDOEY77uxaApdd3xJKOkvddV6X4wplTCxsbuoyXwuOuQjMODS7dhfRs.HwL3VQgUjmok3QM60"; + isNormalUser = true; + }; + } + ./modules/hosts/nixos/microvms/${hostname} # host specific stuff + ]; + + }; # end nixosMicrovmConfig + linuxHomeConfig = system: hostname: username: home-manager.lib.homeManagerConfiguration { extraSpecialArgs = { inherit genebean-omp-themes hostname username; pkgs = import nixpkgs { 
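Review bot: `initialHashedPassword` in the new `nixosMicrovmConfig` embeds a `$6$` (sha512crypt) hash of a real user password directly in flake.nix, so from this commit on it lives in the repository history and is exposed to offline guessing by anyone who can read the repo. The flake already takes `sops-nix` as an input (it is in the `outputs` argument list), so the value could be kept out of the tree by pointing `users.users.${username}.hashedPasswordFile` at a sops-managed secret instead; even though a later patch in this series deletes the line, the password behind this hash should be treated as disclosed and rotated. `initialHashedPassword` also only applies when the account is first created, so later edits to the value will not reach an existing VM. The `let` block enclosing `nixosMicrovmConfig` starts and ends outside the hunk.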
@@ -167,6 +188,9 @@
 hetznix01 = nixosHostConfig "aarch64-linux" "hetznix01" "gene";
 nixnuc = nixosHostConfig "x86_64-linux" "nixnuc" "gene";
 rainbow-planet = nixosHostConfig "x86_64-linux" "rainbow-planet" "gene";
+
+ # VMs
+ nginx-proxy = nixosMicrovmConfig "x86_64-linux" "nginx-proxy" "gene";
 };
 homeConfigurations = {
diff --git a/modules/hosts/nixos/microvms/nginx-proxy/default.nix b/modules/hosts/nixos/microvms/nginx-proxy/default.nix
new file mode 100644
index 0000000..3b38306
--- /dev/null
+++ b/modules/hosts/nixos/microvms/nginx-proxy/default.nix
@@ -0,0 +1,27 @@
+{ inputs, config, hostname, microvm, pkgs, sops-nix, username, ... }: {
+ microvm = {
+ hypervisor = "qemu";
+ socket = "control.socket";
+ vcpu = 1;
+ volumes = [
+ {
+ #image = "/persist/microvm/${config.networking.hostName}-var.img";
+ image = "/tmp/${config.networking.hostName}-var.img";
+ mountPoint = "/var";
+ size = 1024;
+ }
+ ];
+ shares = [
+ {
+ # use "virtiofs" for MicroVMs that are started by systemd
+ proto = "9p";
+ tag = "ro-store";
+ # a host's /nix/store will be picked up so that no
+ # squashfs/erofs will be built for it.
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ ];
+ };
+}
+
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 5b90a09..db7324a 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -1,5 +1,6 @@
-{ inputs, config, hostname, pkgs, sops-nix, username, ... }: {
+{ inputs, config, hostname, microvm, pkgs, sops-nix, username, ... }: {
 imports = [
+ microvm.nixosModules.host
 ./hardware-configuration.nix
 ./audiobookshelf.nix
 ];
@@ -40,6 +41,10 @@
 ];
 };
+ microvm.autostart = [
+ #"nginx-proxy"
+ ];
+
 networking = {
 # Open ports in the firewall.
 firewall.allowedTCPPorts = [ 22 80 ];
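Review bot: The VM's `/var` volume is backed by `image = "/tmp/${config.networking.hostName}-var.img"`, a predictable path in a world-writable and typically non-persistent directory, while the commented-out `/persist/microvm/...` path is the one that would survive reboots; as committed, whatever the proxy writes under /var is presumably lost on reboot, and the image is created at a name any local user could pre-create or replace. Unless /tmp is deliberate for a throwaway test, restore the root-owned location and say why, e.g. `image = "/persist/microvm/${config.networking.hostName}-var.img"; # persistent VM state; keep out of /tmp`. The module also declares `inputs`, `hostname`, `microvm`, `pkgs`, `sops-nix` and `username` as arguments but uses none of them.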
@@ -50,6 +55,24 @@
 hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4
 networkmanager.enable = true;
+ enableIPv6 = true;
+ useDHCP = true;
+ vlans = {
+ vlan23 = { id = 23; interface = "eno1-23"; };
+ };
+ bridges = {
+ br1-23 = { interfaces = [ "vlan23" ]; };
+ };
+ interfaces = {
+ eno1.ipv4.addresses = [{
+ address = "192.168.20.190";
+ prefixLength = 24;
+ }];
+ br1-23.ipv4.addresses = [{
+ address = "192.168.23.21";
+ prefixLength = 24;
+ }];
+ };
 };
 # Hardware Transcoding for Jellyfin
diff --git a/modules/system/common/all-nixos.nix b/modules/system/common/all-nixos.nix
index c1df1e3..3aff185 100644
--- a/modules/system/common/all-nixos.nix
+++ b/modules/system/common/all-nixos.nix
@@ -41,10 +41,14 @@
 "flakes"
 "nix-command"
 ];
- extra-trusted-public-keys = [
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 "flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs="
 ];
- extra-trusted-substituters = [
+ substituters = [
+ "https://cache.nixos.org"
+ ];
+ trusted-substituters = [
 "https://cache.flox.dev"
 ];
 trusted-users = [ "${username}" ];
From 710a5c5c1633c23e0233d08b0ebef7004f589c19 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Sat, 30 Mar 2024 12:48:20 -0400
Subject: [PATCH 02/14] More progress, not working though
---
 flake.nix | 1 +
 .../nixos/microvms/nginx-proxy/default.nix | 5 ++++
 modules/hosts/nixos/nixnuc/default.nix | 23 +++++++++++--------
 3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/flake.nix b/flake.nix
index e5ffdab..799a497 100644
--- a/flake.nix
+++ b/flake.nix
@@ -112,6 +112,7 @@
 };
 modules = [
 disko.nixosModules.disko
+ microvm.nixosModules.host
 home-manager.nixosModules.home-manager
 {
 home-manager = {
diff --git a/modules/hosts/nixos/microvms/nginx-proxy/default.nix b/modules/hosts/nixos/microvms/nginx-proxy/default.nix
index 3b38306..afb04a8 100644
--- a/modules/hosts/nixos/microvms/nginx-proxy/default.nix
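Review bot: `vlans.vlan23` names `eno1-23` as its parent interface, but nothing in the hunk defines an interface of that name (the static address goes on `eno1`), so the VLAN and the `br1-23` bridge stacked on it presumably never come up; `vlan23 = { id = 23; interface = "eno1"; };` looks like the intended line. The hunk also adds declarative `vlans`, `bridges` and static `interfaces` addresses next to the existing `networkmanager.enable = true`, and the two stacks can contend for the same links, so either list these links in `networking.networkmanager.unmanaged` or leave them to one of the two mechanisms, with a comment saying which. The enclosing `networking = {` attribute set starts before the hunk.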
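Review bot: Replacing `extra-trusted-public-keys` and `extra-trusted-substituters` with the bare `trusted-public-keys`, `substituters` and `trusted-substituters` turns the lists from additions into full replacements of Nix's defaults, which is why `cache.nixos.org` and its key now have to be spelled out by hand; any default the hand-written list misses is silently gone, and a typo in the `cache.nixos.org-1:...` key would make every path from the official cache fail signature verification. If the goal is only to add the flox cache, the previous `extra-*` form keeps the defaults intact; if the replacement is intentional, a comment such as `# full replacement of the Nix defaults, not an addition: keep cache.nixos.org and its key listed` would stop a later edit from dropping them. Note also that `https://cache.flox.dev` is placed under `trusted-substituters`, which only permits users to request it, while `substituters` is what is used by default, so the flox cache is not consulted unless a user asks for it, which may be the intent.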
+++ b/modules/hosts/nixos/microvms/nginx-proxy/default.nix @@ -22,6 +22,11 @@ mountPoint = "/nix/.ro-store"; } ]; + interfaces = [{ + type = "tap"; + id = "vm-nginx-proxy"; + mac = "02:00:00:00:00:01"; + }]; }; } diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix index db7324a..8efa2d9 100644 --- a/modules/hosts/nixos/nixnuc/default.nix +++ b/modules/hosts/nixos/nixnuc/default.nix @@ -1,8 +1,9 @@ { inputs, config, hostname, microvm, pkgs, sops-nix, username, ... }: { imports = [ - microvm.nixosModules.host ./hardware-configuration.nix ./audiobookshelf.nix + #microvm.nixosModules.host + #../microvms/nginx-proxy ]; system.stateVersion = "23.11"; @@ -41,9 +42,9 @@ ]; }; - microvm.autostart = [ + #microvm.autostart = [ #"nginx-proxy" - ]; + #]; networking = { # Open ports in the firewall. @@ -55,24 +56,25 @@ hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4 networkmanager.enable = true; - enableIPv6 = true; - useDHCP = true; vlans = { - vlan23 = { id = 23; interface = "eno1-23"; }; + vlan23 = { id = 23; interface = "eno1"; }; }; bridges = { br1-23 = { interfaces = [ "vlan23" ]; }; }; + useDHCP = false; interfaces = { eno1.ipv4.addresses = [{ address = "192.168.20.190"; prefixLength = 24; }]; - br1-23.ipv4.addresses = [{ - address = "192.168.23.21"; - prefixLength = 24; - }]; + #br1-23.ipv4.addresses = [{ + #address = "192.168.23.21"; + #prefixLength = 24; + #}]; }; + defaultGateway = "192.168.20.1"; + nameservers = [ "192.168.20.1" ]; }; # Hardware Transcoding for Jellyfin @@ -106,6 +108,7 @@ enable = true; openFirewall = true; }; + lldpd.enable = true; nginx = { enable = true; virtualHosts."jellyfin" = { From 48f74e7c6af69c3d66f6b37828715125e630038a Mon Sep 17 00:00:00 2001 
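Review bot: `lldpd.enable = true` in the last hunk starts an LLDP daemon that, by default, advertises the host's name, system description and management addresses on every link, which now includes the `vlan23`/`br1-23` segment intended for the proxy; if the advertisement is only wanted toward the upstream switch, restrict it (lldpd takes an interface pattern via `services.lldpd.extraArgs`) or add a comment stating that LAN-wide advertisement is acceptable here. The `services = {` block enclosing this hunk starts before it.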
From: Gene Liverman
Date: Tue, 2 Apr 2024 23:12:27 -0400
Subject: [PATCH 03/14] Working NixOS Container (systemd-nspawn) w/ Nginx
Using https://nixos.wiki/wiki/NixOS_Containers and https://nixos.wiki/wiki/Nginx I can now get to the default Nginx web page from another host on my network.
---
 flake.nix | 2 +-
 modules/hosts/nixos/nixnuc/default.nix | 49 +++++++++++++++---------
 2 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/flake.nix b/flake.nix
index 799a497..d8618f8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -112,7 +112,7 @@
 };
 modules = [
 disko.nixosModules.disko
- microvm.nixosModules.host
+ #microvm.nixosModules.host
 home-manager.nixosModules.home-manager
 {
 home-manager = {
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 8efa2d9..f1429b4 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -2,7 +2,6 @@
 imports = [
 ./hardware-configuration.nix
 ./audiobookshelf.nix
- #microvm.nixosModules.host
 #../microvms/nginx-proxy
 ];
@@ -21,6 +20,36 @@
 };
 };
+ containers.nginx-proxy = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br1-23";
+ localAddress = "192.168.23.21/24";
+ config = { config, pkgs, lib, ... }: {
+ system.stateVersion = "23.11";
+ services.nginx = {
+ enable = true;
+ virtualHosts.default.listen = [{
+ port = 80;
+ addr = "0.0.0.0";
+ }];
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 ];
+ };
+ defaultGateway = "192.168.23.1";
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+ };
+ };
+
 environment.systemPackages = with pkgs; [
 intel-gpu-tools
 jellyfin
@@ -42,10 +71,6 @@
 ];
 };
- #microvm.autostart = [
- #"nginx-proxy"
- #];
-
 networking = {
 # Open ports in the firewall.
 firewall.allowedTCPPorts = [ 22 80 ];
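Review bot: `containers.nginx-proxy` puts the network-facing proxy in a systemd-nspawn NixOS container, and the NixOS manual is explicit that these containers are not a hardened isolation boundary (root inside the container can affect the host), so the block should say that it exists for configuration separation rather than containment, e.g. `# NixOS (nspawn) containers share the host kernel and are not a security boundary; this isolates config, not an untrusted workload.`; the same block moves verbatim into the new file in patch 04 and should carry the note there too. The inner `config = { config, pkgs, lib, ... }:` shadows the outer module's `config` argument and only `lib` is used, so `{ lib, ... }:` would be clearer. With `addr = "0.0.0.0"` as the only listen entry the container serves IPv4 only, which is fine if deliberate but worth a word.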
@@ -55,6 +80,7 @@ hostId = "c5826b45"; # head -c4 /dev/urandom | od -A none -t x4 + useDHCP = false; networkmanager.enable = true; vlans = { vlan23 = { id = 23; interface = "eno1"; }; @@ -62,19 +88,10 @@ bridges = { br1-23 = { interfaces = [ "vlan23" ]; }; }; - useDHCP = false; interfaces = { - eno1.ipv4.addresses = [{ - address = "192.168.20.190"; - prefixLength = 24; - }]; - #br1-23.ipv4.addresses = [{ - #address = "192.168.23.21"; - #prefixLength = 24; - #}]; + eno1.useDHCP = true; + br1-23.useDHCP = false; }; - defaultGateway = "192.168.20.1"; - nameservers = [ "192.168.20.1" ]; }; # Hardware Transcoding for Jellyfin From 891be5631ca908b413758037cb04575bca97fb10 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Tue, 2 Apr 2024 23:28:56 -0400 Subject: [PATCH 04/14] Clean up microvm bits --- flake.lock | 104 +++--------------- flake.nix | 27 +---- .../hosts/nixos/containers/nginx-proxy.nix | 31 ++++++ .../nixos/microvms/nginx-proxy/default.nix | 32 ------ modules/hosts/nixos/nixnuc/default.nix | 34 +----- 5 files changed, 50 insertions(+), 178 deletions(-) create mode 100644 modules/hosts/nixos/containers/nginx-proxy.nix delete mode 100644 modules/hosts/nixos/microvms/nginx-proxy/default.nix diff --git a/flake.lock b/flake.lock index 4bfd185..b9edaee 100644 --- a/flake.lock +++ b/flake.lock @@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1711006105, - "narHash": "sha256-pvjqjx4L2Hx/NP3RWcwLjk+ABtMODAJ9+rgreU6fP6I=", + "lastModified": 1710906792, + "narHash": "sha256-kFzpfZcInLhBFWHy452NlvFuzNr0BDEkz3w9Sgg2ypo=", "owner": "nix-community", "repo": "disko", - "rev": "a8c966ee117c278a5aabc6f00b00ef62eb7e28f6", + "rev": "e9875b969086a53dff5ec4677575ad3156fc875d", "type": "github" }, "original": { 
@@ -96,24 +96,6 @@ "inputs": { "systems": "systems_2" }, - "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_3" - }, "locked": { "lastModified": 1687709756, "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", @@ -138,11 +120,11 @@ "sqlite3pp": "sqlite3pp" }, "locked": { - "lastModified": 1711144337, - "narHash": "sha256-7nExp0SsiOcKvn+12W1Vp56F5mxmFiPZqctf5JWLB7w=", + "lastModified": 1710948909, + "narHash": "sha256-kESddzTIzBUGToPgBcM2kFiKt1Njyo2wYwPb8GqAhIM=", "owner": "flox", "repo": "flox", - "rev": "aaaac2e75eb84a3e3838d31b8db4d01ab834e852", + "rev": "21e1a2929eeadfb6e128d6f991f82ae029bf7e07", "type": "github" }, "original": { @@ -213,11 +195,11 @@ ] }, "locked": { - "lastModified": 1710888565, - "narHash": "sha256-s9Hi4RHhc6yut4EcYD50sZWRDKsugBJHSbON8KFwoTw=", + "lastModified": 1706981411, + "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "f33900124c23c4eca5831b9b5eb32ea5894375ce", + "rev": "652fda4ca6dafeb090943422c34ae9145787af37", "type": "github" }, "original": { @@ -227,28 +209,6 @@ "type": "github" } }, - "microvm": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ], - "spectrum": "spectrum" - }, - "locked": { - "lastModified": 1711159783, - "narHash": "sha256-nwl2Cygq7NrV9QcebJE/T/vXv7w+zLERD7ygHz0F5g8=", - "owner": "astro", - "repo": "microvm.nix", - "rev": "d31f7c7d3194c51372134832a3a2a256773c161a", - "type": "github" - }, - "original": { - "owner": "astro", - "repo": "microvm.nix", - "type": "github" - } - }, "nix-darwin": { "inputs": { "nixpkgs": [ 
@@ -305,7 +265,7 @@ "nix-homebrew": { "inputs": { "brew-src": "brew-src", - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nix-darwin": "nix-darwin_2", "nixpkgs": "nixpkgs_3" }, @@ -389,11 +349,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1711106783, - "narHash": "sha256-PDwAcHahc6hEimyrgGmFdft75gmLrJOZ0txX7lFqq+I=", + "lastModified": 1710889954, + "narHash": "sha256-Pr6F5Pmd7JnNEMHHmspZ0qVqIBVxyZ13ik1pJtm2QXk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a3ed7406349a9335cb4c2a71369b697cecd9d351", + "rev": "7872526e9c5332274ea5932a0c3270d6e4724f3b", "type": "github" }, "original": { @@ -434,11 +394,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1711156376, - "narHash": "sha256-gZDInkcCv3lmo578cIOyWpJ7mNgVcI6v2aodMF87oSo=", + "lastModified": 1710951922, + "narHash": "sha256-FOOBJ3DQenLpTNdxMHR2CpGZmYuctb92gF0lpiirZ30=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b94075d5e741439f255799453be7ead01930caf0", + "rev": "f091af045dff8347d66d186a62d42aceff159456", "type": "github" }, "original": { @@ -479,7 +439,6 @@ "flox-flake": "flox-flake", "genebean-omp-themes": "genebean-omp-themes", "home-manager": "home-manager", - "microvm": "microvm", "nix-darwin": "nix-darwin", "nix-flatpak": "nix-flatpak", "nix-homebrew": "nix-homebrew", @@ -509,22 +468,6 @@ "type": "github" } }, - "spectrum": { - "flake": false, - "locked": { - "lastModified": 1708358594, - "narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=", - "ref": "refs/heads/main", - "rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c", - "revCount": 614, - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - }, - "original": { - "type": "git", - "url": "https://spectrum-os.org/git/spectrum" - } - }, "sqlite3pp": { "inputs": { "nixpkgs": [ 
@@ -575,21 +518,6 @@ "repo": "default", "type": "github" } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index d8618f8..ac86e3e 100644 --- a/flake.nix +++ b/flake.nix @@ -48,13 +48,8 @@ flake = false; }; - microvm = { - url = "github:astro/microvm.nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; # end inputs - outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, nix-darwin, home-manager, nix-homebrew, nix-flatpak, disko, sops-nix, flox-flake, microvm, genebean-omp-themes, ... }: let + outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, nix-darwin, home-manager, nix-homebrew, nix-flatpak, disko, sops-nix, flox-flake, genebean-omp-themes, ... }: let # creates a macOS system config darwinHostConfig = system: hostname: username: nix-darwin.lib.darwinSystem { @@ -112,7 +107,6 @@ }; modules = [ disko.nixosModules.disko - #microvm.nixosModules.host home-manager.nixosModules.home-manager { home-manager = { @@ -133,22 +127,6 @@ ]; }; # end nixosSystem - nixosMicrovmConfig = system: hostname: username: nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - microvm.nixosModules.microvm - { - networking.hostName = "${hostname}"; - users.users.${username} = { - initialHashedPassword = "$6$FH6xo/OzM9mIAXqx$GTqSEDahPGyxLiDOEY77uxaApdd3xJKOkvddV6X4wplTCxsbuoyXwuOuQjMODS7dhfRs.HwL3VQgUjmok3QM60"; - isNormalUser = true; - }; - } - ./modules/hosts/nixos/microvms/${hostname} # host specific stuff - ]; - - }; # end nixosMicrovmConfig - linuxHomeConfig = system: hostname: username: home-manager.lib.homeManagerConfiguration { extraSpecialArgs = { inherit genebean-omp-themes hostname username; pkgs = import nixpkgs { 
@@ -189,9 +167,6 @@
 hetznix01 = nixosHostConfig "aarch64-linux" "hetznix01" "gene";
 nixnuc = nixosHostConfig "x86_64-linux" "nixnuc" "gene";
 rainbow-planet = nixosHostConfig "x86_64-linux" "rainbow-planet" "gene";
-
- # VMs
- nginx-proxy = nixosMicrovmConfig "x86_64-linux" "nginx-proxy" "gene";
 };
 homeConfigurations = {
diff --git a/modules/hosts/nixos/containers/nginx-proxy.nix b/modules/hosts/nixos/containers/nginx-proxy.nix
new file mode 100644
index 0000000..a46ba8f
--- /dev/null
+++ b/modules/hosts/nixos/containers/nginx-proxy.nix
@@ -0,0 +1,31 @@
+{ ... }: {
+ containers.nginx-proxy = {
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br1-23";
+ localAddress = "192.168.23.21/24";
+ config = { config, pkgs, lib, ... }: {
+ system.stateVersion = "23.11";
+ services.nginx = {
+ enable = true;
+ virtualHosts.default.listen = [{
+ port = 80;
+ addr = "0.0.0.0";
+ }];
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 ];
+ };
+ defaultGateway = "192.168.23.1";
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+ };
+ };
+}
diff --git a/modules/hosts/nixos/microvms/nginx-proxy/default.nix b/modules/hosts/nixos/microvms/nginx-proxy/default.nix
deleted file mode 100644
index afb04a8..0000000
--- a/modules/hosts/nixos/microvms/nginx-proxy/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@ -{ inputs, config, hostname, microvm, pkgs, sops-nix, username, ... }: { - microvm = { - hypervisor = "qemu"; - socket = "control.socket"; - vcpu = 1; - volumes = [ - { - #image = "/persist/microvm/${config.networking.hostName}-var.img"; - image = "/tmp/${config.networking.hostName}-var.img"; - mountPoint = "/var"; - size = 1024; - } - ]; - shares = [ - { - # use "virtiofs" for MicroVMs that are started by systemd - proto = "9p"; - tag = "ro-store"; - # a host's /nix/store will be picked up so that no - # squashfs/erofs will be built for it. - source = "/nix/store"; - mountPoint = "/nix/.ro-store"; - } - ]; - interfaces = [{ - type = "tap"; - id = "vm-nginx-proxy"; - mac = "02:00:00:00:00:01"; - }]; - }; -} - diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix index f1429b4..a11c263 100644 --- a/modules/hosts/nixos/nixnuc/default.nix +++ b/modules/hosts/nixos/nixnuc/default.nix @@ -1,8 +1,8 @@ -{ inputs, config, hostname, microvm, pkgs, sops-nix, username, ... }: { +{ inputs, config, hostname, pkgs, sops-nix, username, ... }: { imports = [ ./hardware-configuration.nix ./audiobookshelf.nix - #../microvms/nginx-proxy + ../containers/nginx-proxy.nix ]; system.stateVersion = "23.11"; 
@@ -20,36 +20,6 @@ }; }; - containers.nginx-proxy = { - autoStart = true; - privateNetwork = true; - hostBridge = "br1-23"; - localAddress = "192.168.23.21/24"; - config = { config, pkgs, lib, ... }: { - system.stateVersion = "23.11"; - services.nginx = { - enable = true; - virtualHosts.default.listen = [{ - port = 80; - addr = "0.0.0.0"; - }]; - }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ 80 ]; - }; - defaultGateway = "192.168.23.1"; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - - services.resolved.enable = true; - }; - }; - environment.systemPackages = with pkgs; [ intel-gpu-tools jellyfin From e282662919dcb9a777ce5bffa3c7c11de4286592 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Tue, 2 Apr 2024 23:33:07 -0400 Subject: [PATCH 05/14] Reorganize --- modules/hosts/nixos/{ => nixnuc}/containers/nginx-proxy.nix | 0 modules/hosts/nixos/nixnuc/default.nix | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename modules/hosts/nixos/{ => nixnuc}/containers/nginx-proxy.nix (100%) diff --git a/modules/hosts/nixos/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix similarity index 100% rename from modules/hosts/nixos/containers/nginx-proxy.nix rename to modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix index a11c263..1bffce6 100644 --- a/modules/hosts/nixos/nixnuc/default.nix +++ b/modules/hosts/nixos/nixnuc/default.nix @@ -2,7 +2,7 @@ imports = [ ./hardware-configuration.nix ./audiobookshelf.nix - ../containers/nginx-proxy.nix + ./containers/nginx-proxy.nix ]; system.stateVersion = "23.11"; From f149ed3b1b112bd379290c8153de29f9d1baa8f8 Mon Sep 17 00:00:00 2001 
From: Gene Liverman
Date: Thu, 4 Apr 2024 18:19:08 -0400
Subject: [PATCH 06/14] More nginx settings
---
 .../nixos/nixnuc/containers/nginx-proxy.nix | 32 +++++++++++++++----
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index a46ba8f..bd07530 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -1,4 +1,7 @@
-{ ... }: {
+{ ... }: let
+ http_port = 8080;
+ https_port = 8444;
+in {
 containers.nginx-proxy = {
 autoStart = true;
 privateNetwork = true;
@@ -8,16 +11,33 @@
 system.stateVersion = "23.11";
 services.nginx = {
 enable = true;
- virtualHosts.default.listen = [{
- port = 80;
- addr = "0.0.0.0";
- }];
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "nix-tester.home.technicalissues.us" = {
+ default = true;
+ listen = [
+ { port = http_port; addr = "0.0.0.0"; }
+ { port = https_port; addr = "0.0.0.0"; }
+ ];
+ enableACME = true;
+ forceSSL = false;
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "lets-encrypt@technicalissues.us";
 };
 networking = {
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 ];
+ allowedTCPPorts = [ http_port https_port ];
 };
 defaultGateway = "192.168.23.1";
 # Use systemd-resolved inside the container
From e9793beb7b58f97eede0a1ca170151b0d89d7c9d Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Thu, 4 Apr 2024 23:41:46 -0400
Subject: [PATCH 07/14] Got dns-01 based certs
---
 .../nixos/nixnuc/containers/nginx-proxy.nix | 31 +++++++-
 modules/hosts/nixos/nixnuc/default.nix | 2 +-
 modules/system/common/secrets.yaml | 76 +++++++++++++++++++
 3 files changed, 105 insertions(+), 4 deletions(-)
 create mode 100644 modules/system/common/secrets.yaml
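Review bot: The explicit `listen` list marks neither entry `ssl = true` and the vhost sets `forceSSL = false` with no `addSSL`, so although `enableACME = true` obtains a certificate, the module presumably emits two plain-HTTP listeners (8080 and 8444) and never references the certificate; `recommendedTlsSettings` has no effect until a TLS listener exists. Change the second entry to `{ port = https_port; addr = "0.0.0.0"; ssl = true; }` and replace `forceSSL = false;` with `addSSL = true;` (or `forceSSL = true;` if the HTTP port should only redirect). Because `listen` is given explicitly, the module's default `[::]` entries are also gone, so this vhost is IPv4-only; say so in a comment if that is intended. The `containers.nginx-proxy` block continues past the hunk.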
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index bd07530..d1c22cd 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -1,8 +1,25 @@
-{ ... }: let
+{ config, ... }: let
 http_port = 8080;
 https_port = 8444;
+ gandi_api = "${config.sops.secrets.gandi_api.path}";
+ #gandi_dns_pat = "${config.sops.secrets.gandi_dns_pat.path}";
 in {
+ sops.secrets.gandi_api = {
+ sopsFile = ../../../../system/common/secrets.yaml;
+ restartUnits = [
+ "container@nginx-proxy.service"
+ ];
+ };
+ #sops.secrets.gandi_dns_pat = {
+ # sopsFile = ../../../../system/common/secrets.yaml;
+ # restartUnits = [
+ # "container@nginx-proxy.service"
+ # ];
+ #};
+
 containers.nginx-proxy = {
+ bindMounts."${gandi_api}".isReadOnly = true;
+ #bindMounts."${gandi_dns_pat}".isReadOnly = true;
 autoStart = true;
 privateNetwork = true;
 hostBridge = "br1-23";
@@ -17,13 +34,14 @@ in {
 recommendedTlsSettings = true;
 virtualHosts = {
- "nix-tester.home.technicalissues.us" = {
+ "nix-tester.h.technicalissues.us" = {
 default = true;
 listen = [
 { port = http_port; addr = "0.0.0.0"; }
 { port = https_port; addr = "0.0.0.0"; }
 ];
 enableACME = true;
+ acmeRoot = null;
 forceSSL = false;
 };
 };
@@ -31,7 +49,14 @@ in {
 security.acme = {
 acceptTerms = true;
- defaults.email = "lets-encrypt@technicalissues.us";
+ defaults = {
+ email = "lets-encrypt@technicalissues.us";
+ credentialFiles = { "GANDIV5_API_KEY_FILE" = gandi_api; };
+ #credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; };
+ dnsProvider = "gandiv5";
+ };
+ # uncomment below for testing
+ defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 };
 networking = {
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 1bffce6..82e73ba 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
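Review bot: In the last hunk `defaults.server` points at the Let's Encrypt staging directory while the comment directly above it reads `# uncomment below for testing`, so as committed the container requests staging certificates that no browser trusts; either comment the line back out or make the toggle self-describing, e.g. `# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging CA, untrusted certs: enable only while testing`. The DNS-01 credential bind-mounted into the container (`bindMounts."${gandi_api}".isReadOnly = true`) is an account-level Gandi API key, whereas the commented `GANDIV5_PERSONAL_ACCESS_TOKEN_FILE` variant is presumably the scoped token, so it is worth a comment on why the broader key is the one in use and a plan to switch once the PAT path works; `restartUnits = [ "container@nginx-proxy.service" ]` correctly bounces the container when the secret changes. The `containers.nginx-proxy` block continues past the first hunk.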
+++ b/modules/hosts/nixos/nixnuc/default.nix @@ -1,4 +1,4 @@ -{ inputs, config, hostname, pkgs, sops-nix, username, ... }: { +{ config, pkgs, username, ... }: { imports = [ ./hardware-configuration.nix ./audiobookshelf.nix diff --git a/modules/system/common/secrets.yaml b/modules/system/common/secrets.yaml new file mode 100644 index 0000000..8064289 --- /dev/null +++ b/modules/system/common/secrets.yaml 
@@ -0,0 +1,76 @@ +gandi_dns_pat: ENC[AES256_GCM,data:81tlAE6e655+RgKZVJgwYg6V59VtMmuVk5spkGZq1U6AgxYXO3wvsA==,iv:Dp5csrqHIAYloi5XkrBgDMqeIX/W+JFJ1avKbTnEU/Y=,tag:QjhdX4gv9OmWtQp7r06+RA==,type:str] +gandi_api: ENC[AES256_GCM,data:YsdDMk75miIKO4LkCZjfwJw6gxfrmsTL,iv:BOPRxB661sPJnUH1AUKEALIJfBeyAHZpkWJEDbY+7i8=,tag:TvtW7qhPbOqi9kKDcIe28w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1a652ev7gekx4aj589s8fd27ul9j5ugpdwg7pxhmqcwdjwwq9gf2qv38um9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBseHFTeDZoMElxVUZpWFVa + dmxvWEFkS0p6aTFraUNyNmtITTQ4bFdLNFVZCnlsTlE3TUVvMWdXS0psb0FOQVdP + UGtTVVQ3ZExQVUdvekFEa0lYZmRxdEkKLS0tIEEyMXdkZ0JyV0orSnVwL3hMWVpy + TTAvb09FUE1JaXpNSm80Mmx3Z292eVUKjJ8Q9y2PhU9NpgCjKYne7zY+I+fXvIhs + BB/lskZG/AVuGdBDHRf0yIVFd/j6inTWbP1u3wJ+Mf+dBnPAlS9rXg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1g24zhwvgenpc4wqejt63thvgd4rn5x9n7nnwwme7dm83nfqpp93se2vmq4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYWWVCd0ZjMzkxZVdIR1JC + Q1plamZveGg1Z1FaK2VPb29CUVVia0Q4aFZ3CkNKUjl0S090SUMwU1dJenRONEpJ + WnZ6aEFwV2lrelBZV0p0UUQvaWdmS0kKLS0tIGh2OE5iTTRObFEraUpxN0YyTVpx + Mk5Sb0VCN1VjMnNNdzBBZWY3Q2FsUFkK7d9MAUNRL7GSF6diz/5X21BmMsyE5Cu3 + 18ycNiMLtUwGHsfxh+aLliFDBO32LwMI64/tKHDtx4sHQSBGoppsfQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UEc1M2UwTkduWnEyMG8x + TGVYaUpsSlNVcnBxdHZRWU8ydUJvMnZXTTNZCmtIenlWeDdvM0xQemI3Y1dXNlox + SUhNcG5iZE44WGhWL0NwUTZjSzhPNFkKLS0tIHIyaU1DOUxSV0VWVTRaQmhBbXVP + dGVWRnhIek1mV2FJemF1dzVwMjZqWUUKNvkzOwi6OR369S5e5y6TSfGA4/EH09WK + MWlH3fzABkCN+IeRmOmtU/L3MdHIiWanDWp6KdWCJJ3OnBO8cjMEig== + -----END AGE ENCRYPTED FILE----- + - recipient: age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- 
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLOE5pYXFDdXQzblI1N01i + eFROYzVvK3cxN1pJMHlScW0rZjBScG9SMzBnCko4VDllS0pQMU5NdU5NbndWQWpq + NmhWK1RJSHpITktFWTZIN2JHRklqS2cKLS0tIFFjRE9Ia3Z0TzIyd2MrS2RRWU9k + d3FIL3dqTHRtQVJiS255aVVWZ1p3UjQKb+65IgxbWXtkidmlb5w5Cu11izXh5QgR + I1YAckCX6RlR3Mlcs/5cTyLakpc3ibm/g4+N9+EhlIQz4wIxmxAtHQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2hxZElESWd4eTFycFI1 + YWpKS1ZpWmtYcy9JK2ZPQ1QzSXFjWXM5VzFjCk1CcmJmdE5yL0J1Q2RBN3Npa2hn + WWxZTHkwTnhZaXBYanpZTkRTRUdTcWcKLS0tIFA3SkVuVFFVT2NsbVBlNUdFRlUx + UE9sMXVVOW1ib3JBYUR5LzVFRFp3ZWcK2hwlxaEUexjqHcg86dSpJU37b8bkWO6r + mSygDEjU71u20G6sdMeoSyxepPtWJsVhnAMukFsnKZf6LyfiiCseAQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZndiK3FMOUptbDRGOVQ0 + QnNSSEtlVHZtaUlRQlRySzJNUmdqbzRQRFZFCnNyOHRtNFhsWGEvTFRkNTRUbit6 + OWh6cVRRTXhlQmxpY3JpNVFRdStuWkkKLS0tIElYZGRVVWVSTlBhRHhVYWRFSFhC + NERwYVhzTjRZUDBmbTM2QzEyay9vT2MK9QIINuuaagTz2wyF9NiNzE0aiwoAHquH + GK203V5jVnLXftOV09NIg3027m8KCRc7yEWOtcbH5UkGZxZCqESv9Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNY2xrM1BFRDdtckRGZkIz + Mkc5VzNHQzV5aC9xTzU4US80czFMcHNpbXpzCnlqUWliUjlra1U0Y0dJTDByMGFQ + MlRTd2FaT1QzMXFWZ3piVjZsZ1ZDemsKLS0tIENRdlVvNE5VT3VOc2hqM2ZnVUVY + ZlBVMUJmWml3dkQ3OTN1ZmF1N0hXNHcKnLOSViooQmhU5yE754VHIBYNRVikgptc + 3bXDiOlkjBbxGru3bnn+vUUJ3n+QdZoAnCgdL7D2/Me3HVrAW5M5LA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-05T03:17:40Z" + mac: 
ENC[AES256_GCM,data:4u2rpoc20qDv3W6s3lgtYU+35cfaK1tOmMySuji07s7IxqXqmkAn/giynH7y+PQRLACV6XvKnysLwuTPanekmXqQx/cOPOIPPrXOwz4oDLncFILI+7H/ShFuRN3KKUq9+OZElO4lLO0PDL+6flo3Mq6oSbzzeqxqVXUvt5gG8So=,iv:WEoiZzIWxAsxr3+nUY7b/jewYn6YRraU+zIPBhin8JI=,tag:BN5zLe8jdrvvCFU0BbfiaQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
From 8e1b2bb05e42158de71be66fa32e718cd420f042 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Fri, 5 Apr 2024 09:30:41 -0400
Subject: [PATCH 08/14] Working nginx with tls
---
 modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index d1c22cd..d1d4367 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -38,10 +38,11 @@ in {
 default = true;
 listen = [
 { port = http_port; addr = "0.0.0.0"; }
- { port = https_port; addr = "0.0.0.0"; }
+ { port = https_port; addr = "0.0.0.0"; ssl = true; }
 ];
 enableACME = true;
 acmeRoot = null;
+ addSSL = true;
 forceSSL = false;
 };
 };
@@ -54,9 +55,9 @@ in {
 credentialFiles = { "GANDIV5_API_KEY_FILE" = gandi_api; };
 #credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; };
 dnsProvider = "gandiv5";
+ # uncomment below for testing
+ #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 };
- # uncomment below for testing
- defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 };
 networking = {
From 28f2b32c20789da54a00c29b83e8a97d6ce6e20b Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Fri, 5 Apr 2024 14:46:18 -0400
Subject: [PATCH 09/14] ddclient and real domain
---
 .../nixos/nixnuc/containers/nginx-proxy.nix | 28 ++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index d1d4367..f395eda 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -3,6 +3,7 @@
 https_port = 8444;
 gandi_api = "${config.sops.secrets.gandi_api.path}";
 #gandi_dns_pat = "${config.sops.secrets.gandi_dns_pat.path}";
+ home_domain = "home.technicalissues.us";
 in {
 sops.secrets.gandi_api = {
 sopsFile = ../../../../system/common/secrets.yaml;
@@ -17,6 +18,31 @@ in {
 # ];
 #};
+ ##
+ ## Gandi (gandi.net)
+ ##
+ ## Single host update
+ # protocol=gandi
+ # zone=example.com
+ # password=my-gandi-access-token
+ # use-personal-access-token=yes
+ # ttl=10800 # optional
+ # myhost.example.com
+ services.ddclient = {
+ enable = true;
+ protocol = "gandi";
+ zone = "technicalissues.us";
+ domains = [ home_domain ];
+ username = "unused";
+ extraConfig = ''
+ #usev4=webv4,webv4=ipify-ipv4
+ usev4=webv4
+ usev6=webv6
+ #use-personal-access-token=yes
+ ttl=300
+ '';
+ passwordFile = gandi_api;
 };
+ containers.nginx-proxy = {
 bindMounts."${gandi_api}".isReadOnly = true;
 #bindMounts."${gandi_dns_pat}".isReadOnly = true;
@@ -34,7 +60,7 @@ in {
 recommendedTlsSettings = true;
 virtualHosts = {
- "nix-tester.h.technicalissues.us" = {
+ "nix-tester.${home_domain}" = {
 default = true;
 listen = [
 { port = http_port; addr = "0.0.0.0"; }
From aeb15468790f5ffa89fcd88df3b235a31965133c Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Fri, 5 Apr 2024 15:07:42 -0400
Subject: [PATCH 10/14] Just use IPv4 for now
---
 modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index f395eda..ecb15aa 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
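Review bot: `passwordFile = gandi_api;` makes `services.ddclient` a second consumer of the `gandi_api` secret, but `sops.secrets.gandi_api.restartUnits` (declared near the top of this file, outside the hunk) still names only `container@nginx-proxy.service`, so a rotated key is not propagated to ddclient until something else restarts it; add `"ddclient.service"` to that list. Whether the ddclient unit can read the file at all depends on the secret's owner and mode, which this hunk does not set — sops-nix defaults to a root-owned 0400 file, so confirm that matches the user the ddclient unit runs as on this host. Leaving `#use-personal-access-token=yes` commented is consistent with the `GANDIV5_API_KEY_FILE` credential used for ACME, so both consumers rely on the same kind of key.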
@@ -35,9 +35,8 @@ in {
 domains = [ home_domain ];
 username = "unused";
 extraConfig = ''
- #usev4=webv4,webv4=ipify-ipv4
 usev4=webv4
- usev6=webv6
+ #usev6=webv6
 #use-personal-access-token=yes
 ttl=300
 '';
From 2396277028efc6762d20ad7b1edf9a154999b2d4 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Fri, 5 Apr 2024 21:18:06 -0400
Subject: [PATCH 11/14] Setup virtualhosts back by mini-watcher
---
 .../nixos/nixnuc/containers/nginx-proxy.nix | 76 ++++++++++++++++++-
 1 file changed, 75 insertions(+), 1 deletion(-)
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index ecb15aa..b26c530 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -4,6 +4,8 @@
 gandi_api = "${config.sops.secrets.gandi_api.path}";
 #gandi_dns_pat = "${config.sops.secrets.gandi_dns_pat.path}";
 home_domain = "home.technicalissues.us";
+ backend_ip = "192.168.20.190";
+ mini_watcher = "192.168.23.20";
 in {
 sops.secrets.gandi_api = {
 sopsFile = ../../../../system/common/secrets.yaml;
@@ -57,9 +59,18 @@ in {
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ appendHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000 always;";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ '';
 virtualHosts = {
- "nix-tester.${home_domain}" = {
+ "${home_domain}" = {
+ serverAliases = [ "nix-tester.${home_domain}" ];
 default = true;
 listen = [
 { port = http_port; addr = "0.0.0.0"; }
@@ -69,6 +80,69 @@ in {
 acmeRoot = null;
 addSSL = true;
 forceSSL = false;
+ locations."/" = {
+ return = "200 '
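Review bot: `backend_ip = "192.168.20.190";` is added to the `let` block but no hunk on this page refers to it — the new virtual hosts only use `mini_watcher` — so it reads as leftover scaffolding; drop it or add a one-line comment naming the host it is reserved for, e.g. `backend_ip = "192.168.20.190"; # <intended consumer>`. The `let` block this hunk edits starts before the hunk.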
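Review bot: The map value `https "max-age=31536000 always;";` puts nginx's `always` flag and a trailing `;` inside the header value, so clients receive `Strict-Transport-Security: max-age=31536000 always;`, where `always` is not an HSTS directive and the malformed `max-age` token is likely to make browsers discard the header. The flag belongs on the directive, not in the value: `https "max-age=31536000";` in the map and `add_header Strict-Transport-Security $hsts_header always;` below it. The comment says "with preloading" but the value carries no `includeSubDomains; preload`, so either the comment or the value should change. Note also that an http-level `add_header` is only inherited by locations that define no `add_header` of their own, which the next hunk's `locations."/"` blocks do.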

Hello world ;)

'";
+ extraConfig = ''
+ add_header Content-Type text/html;
+ '';
+ };
+ };
+ "ab.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://${mini_watcher}:13378";
+ };
+ "atuin.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${mini_watcher}:9999";
+ };
+ "nc.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ extraConfig = ''
+ client_max_body_size 0;
+ underscores_in_headers on;
+ '';
+ locations."/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://${mini_watcher}:8081";
+ locations."/".extraConfig = ''
+ # these are added per https://www.nicemicro.com/tutorials/debian-snap-nextcloud.html
+ add_header Front-End-Https on;
+ proxy_headers_hash_max_size 512;
+ proxy_headers_hash_bucket_size 64;
+ proxy_buffering off;
+ proxy_max_temp_file_size 0;
+ '';
+ };
+ "onlyoffice.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyWebsockets = true;
+ locations."/".proxyPass = "http://${mini_watcher}:8888";
+ };
+ "readit.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${mini_watcher}:8090";
+ };
+ "tandoor.${home_domain}" = {
+ listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${mini_watcher}:8080";
 };
 };
 };
From 0d49a28dc2167fbf4dfddade4c639db5917536c3 Mon Sep 17 00:00:00 2001
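Review bot: `add_header Content-Type text/html;` in the `locations."/"` of the `${home_domain}` vhost and `add_header Front-End-Https on;` in the `nc.${home_domain}` location each switch off inheritance of the http-level `add_header Strict-Transport-Security` set in `appendHttpConfig`, so exactly those two locations answer without HSTS while every other vhost sends it. For the hello-world location, `default_type text/html;` sets the response type for a `return` without touching the header set; for the Nextcloud location, repeat the `add_header Strict-Transport-Security $hsts_header;` line next to `Front-End-Https`. `client_max_body_size 0;` on the `nc` vhost removes the upload size cap entirely, which is the usual Nextcloud advice but worth a short comment so it is not mistaken for an oversight. The `virtualHosts` set this hunk extends begins before the hunk.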
From: Gene Liverman
Date: Fri, 5 Apr 2024 21:19:03 -0400
Subject: [PATCH 12/14] Use Gandi's name server as acme resolver
---
 modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index b26c530..28d954c 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -154,6 +154,7 @@ in {
 credentialFiles = { "GANDIV5_API_KEY_FILE" = gandi_api; };
 #credentialFiles = { "GANDIV5_PERSONAL_ACCESS_TOKEN_FILE" = gandi_dns_pat; };
 dnsProvider = "gandiv5";
+ dnsResolver = "ns1.gandi.net";
 # uncomment below for testing
 #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 };
From 080790dfee48ea1f1746f5bd001fe2deb3d5acc5 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Fri, 5 Apr 2024 21:19:47 -0400
Subject: [PATCH 13/14] Give the container enough time to actually get started

When dealing with a bunch of new certs, it takes more than 1 minute to start
---
 modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index 28d954c..7e02110 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -48,6 +48,7 @@ in {
 bindMounts."${gandi_api}".isReadOnly = true;
 #bindMounts."${gandi_dns_pat}".isReadOnly = true;
 autoStart = true;
+ timeoutStartSec = "5min";
 privateNetwork = true;
 hostBridge = "br1-23";
 localAddress = "192.168.23.21/24";
From 15fdeb66ea97f362db3dcd5fdca9afa5469ff2e2 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Fri, 5 Apr 2024 21:20:09 -0400
Subject: [PATCH 14/14] Cut over to "production" ports :)
---
 modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
index 7e02110..13e93d1 100644
--- a/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
+++ b/modules/hosts/nixos/nixnuc/containers/nginx-proxy.nix
@@ -1,6 +1,6 @@
 { config, ... }: let
- http_port = 8080;
- https_port = 8444;
+ http_port = 80;
+ https_port = 443;
 gandi_api = "${config.sops.secrets.gandi_api.path}";
 #gandi_dns_pat = "${config.sops.secrets.gandi_dns_pat.path}";
 home_domain = "home.technicalissues.us";