tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 9 Pull requests Releases Activity

Compare commits

base: tlaternet:dca90a59f68215fdb8368b255ba18e9526add0be
Branches Tags
tlaternet:master
tlaternet:tlater/with-minecraft
tlaternet:tlater/nixpkgs-formatting
tlaternet:tlater/authelia
...
compare: tlaternet:91a6a66e298219282b9d45deebe461985446ff67
Branches Tags
tlaternet:tlater/with-minecraft
tlaternet:master
tlaternet:tlater/nixpkgs-formatting
tlaternet:tlater/authelia

5 commits
dca90a59f6 ... 91a6a66e29

Author SHA1 Message Date
Tristan Daniël Maat 91a6a66e29
webserver: Use a hardened systemd unit instead of a container 2022-10-12 23:23:44 +01:00
Tristan Daniël Maat 7ec50d2680
gitea: Use a hardened systemd unit instead of a container 2022-10-12 23:23:42 +01:00
Tristan Daniël Maat 67eab498ff
nextcloud: Use a hardened systemd unit instead of a container 2022-10-12 23:23:38 +01:00
Tristan Daniël Maat 6a81ce4c1d
sops: Improve secrets provisioning to split out staging 2022-10-12 23:22:50 +01:00
Tristan Daniël Maat ab3aa19481
treewide: Perform another nitpicking sweep 2022-10-12 23:22:42 +01:00
18 changed files with 573 additions and 679 deletions
Show stats Expand all files Collapse all files

9
.sops.yaml
View file

@ -1,9 +1,16 @@
keys:
- &tlater 535B61015823443941C744DD12264F6BBDFABA89
- &server_tlaternet 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
- &server_staging 7762ec55a5727cabada621d961e53f94caa314e4
creation_rules:
- key_groups:
- path_regex: keys/production.yaml
key_groups:
- pgp:
- *tlater
- *server_tlaternet
- path_regex: keys/staging.yaml
key_groups:
- pgp:
- *tlater
- *server_staging

36
configuration/default.nix
View file

@ -1,5 +1,4 @@
{
config,
pkgs,
lib,
...
@ -9,11 +8,11 @@
./services/nextcloud.nix
./services/webserver.nix
./services/starbound.nix
./ids.nix
./services/postgres.nix
./sops.nix
];
nix = {
# Enable flakes
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
@ -26,11 +25,8 @@
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) ["steam-runtime" "steamcmd"];
sops = {
defaultSopsFile = ../keys/external.yaml;
secrets.steam = {};
};
# Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518
boot.kernelParams = ["highres=off" "nohz=off"];
networking = {
@ -40,7 +36,7 @@
useDHCP = false;
interfaces.eth0.useDHCP = true;
firewall.allowedTCPPorts = [80 443 2222 2221 21025];
firewall.allowedTCPPorts = [80 443 2222 21025];
};
time.timeZone = "Europe/London";
@ -69,32 +65,12 @@
recommendedProxySettings = true;
clientMaxBodySize = "10G";
domain = "tlater.net";
virtualHosts = let
host = port: extra:
lib.recursiveUpdate {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
'';
}
extra;
domain = config.services.nginx.domain;
in {
"${domain}" = host 3002 {serverAliases = ["www.${domain}"];};
"gitea.${domain}" = host 3000 {};
"nextcloud.${domain}" = host 3001 {};
};
};
security.acme = {
email = "tm@tlater.net";
defaults.email = "tm@tlater.net";
acceptTerms = true;
};
virtualisation.oci-containers.backend = "podman";
system.stateVersion = "20.09";
}

11
configuration/ids.nix
View file

@ -1,11 +0,0 @@
{...}: {
ids.uids = {
# System user ids start at 400 (see nixos/modules/programs/shadow.nix)
webserver = 400;
# The limit is 999
};
ids.gids = {
webserver = 400;
};
}

5
configuration/linode.nix
View file

@ -1,9 +1,4 @@
{
config,
lib,
pkgs,
...
}: {
# Required for the lish console
boot.kernelParams = ["console=ttyS0,19200n8"];

167
configuration/services/configs/nginx-nextcloud.conf
View file

@ -1,167 +0,0 @@
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
upstream php-handler {
server localhost:9000;
}
server {
listen 80;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
}

69
configuration/services/gitea.nix
View file

@ -1,48 +1,31 @@
{config, ...}: {
users = {
extraUsers.gitea = {
uid = config.ids.uids.git;
isSystemUser = true;
description = "Gitea Service";
group = config.users.extraGroups.gitea.name;
};
extraGroups.gitea = {gid = config.ids.gids.git;};
{config, ...}: let
domain = "gitea.${config.services.nginx.domain}";
in {
services.gitea = {
inherit domain;
enable = true;
httpAddress = "127.0.0.1";
database.type = "postgres";
ssh.clonePort = 2222;
rootUrl = "https://${domain}/";
cookieSecure = true;
appName = "Gitea: Git with a cup of tea";
disableRegistration = true;
};
virtualisation.pods.gitea = {
hostname = "gitea.tlater.net";
publish = ["3000:3000" "2221:2221"];
network = "slirp4netns";
# Set up SSL
services.nginx.virtualHosts."${domain}" = let
inherit (config.services.gitea) httpAddress httpPort;
in {
forceSSL = true;
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'';
containers = {
gitea = {
image = "gitea/gitea:latest";
volumes = ["gitea:/data:Z" "/etc/localtime:/etc/localtime:ro"];
dependsOn = ["postgres"];
environment = {
DB_TYPE = "postgres";
DB_HOST = "localhost:5432";
DB_NAME = "gitea";
DB_USER = "gitea";
USER_UID = toString config.users.extraUsers.gitea.uid;
USER_GID = toString config.users.extraGroups.gitea.gid;
RUN_MODE = "prod";
DOMAIN = "gitea.tlater.net";
SSH_PORT = "2221";
};
};
postgres = {
image = "postgres:alpine";
environment = {
POSTGRES_DB = "gitea";
POSTGRES_USER = "gitea";
};
volumes = ["gitea-postgres-14:/var/lib/postgresql/data"];
};
};
locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
};
}

80
configuration/services/nextcloud.nix
View file

@ -1,53 +1,43 @@
{config, ...}: {
virtualisation.pods.nextcloud = {
hostname = "nextcloud.tlater.net";
publish = ["3001:80"];
network = "slirp4netns";
{
pkgs,
config,
...
}: let
inherit (pkgs) fetchNextcloudApp;
nextcloud = pkgs.nextcloud23;
hostName = "nextcloud.${config.services.nginx.domain}";
in {
services.nextcloud = {
inherit hostName;
containers = {
nextcloud = {
image = "nextcloud:fpm-alpine";
dependsOn = ["postgres"];
volumes = [
"nextcloud-root:/var/www/html"
"nextcloud-apps:/var/www/html/custom_apps"
"nextcloud-config:/var/www/html/config"
"nextcloud-data:/var/www/html/data"
];
environment = {
POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud";
POSTGRES_HOST = "localhost";
OVERWRITEPROTOCOL = "https";
TRUSTED_PROXIES = "127.0.0.1";
};
package = nextcloud;
enable = true;
maxUploadSize = "2G";
https = true;
config = {
overwriteProtocol = "https";
dbtype = "pgsql";
dbhost = "/run/postgresql";
adminuser = "tlater";
adminpassFile = config.sops.secrets."nextcloud/tlater".path;
defaultPhoneRegion = "AT";
};
cron = {
image = "nextcloud:fpm-alpine";
entrypoint = "/cron.sh";
dependsOn = ["postgres" "nextcloud"];
extraOptions = ["--volumes-from=nextcloud-nextcloud"];
# TODO(tlater): Add redis config. This will be much easier
# starting with 22.11, since this will add an `extraOptions` where
# the necessary redis config can go.
};
nginx = {
image = "nginx:alpine";
dependsOn = ["nextcloud"];
volumes = [
"nextcloud-root:/var/www/html:ro"
"${./configs/nginx-nextcloud.conf}:/etc/nginx/nginx.conf:ro"
];
extraOptions = ["--volumes-from=nextcloud-nextcloud"];
};
# Ensure that this service doesn't start before postgres is ready
systemd.services.nextcloud-setup.after = ["postgresql.service"];
postgres = {
image = "postgres:alpine";
environment = {
POSTGRES_DB = "nextcloud";
POSTGRES_USER = "nextcloud";
};
volumes = ["nextcloud-postgres-14:/var/lib/postgresql/data"];
};
};
# Set up SSL
services.nginx.virtualHosts."${hostName}" = {
forceSSL = true;
enableACME = true;
};
}

30
configuration/services/postgres.nix Normal file
View file

@ -0,0 +1,30 @@
{
services.postgresql = {
enable = true;
# Only enable connections via the unix socket, and check with the
# OS to make sure the user matches the database name.
#
# See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
authentication = ''
local sameuser all peer
'';
# Note: The following options with ensure.* are set-only; i.e.,
# when permissions/users/databases are removed from these lists,
# that operation needs to be performed manually on the system as
# well.
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = {
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [
"nextcloud"
];
};
}

2
configuration/services/starbound.nix
View file

@ -16,7 +16,7 @@ in {
# Credential loading for steam auth (if necessary; prefer
# anonymous login wherever possible).
LoadCredential = "steam:/run/secrets/steam";
LoadCredential = "steam:/run/secrets/steam/tlater";
# Security settings
DynamicUser = true;

61
configuration/services/webserver.nix
View file

@ -1,47 +1,26 @@
{
config,
pkgs,
...
}: {
users = {
extraUsers.webserver = {
uid = config.ids.uids.webserver;
group = config.users.extraGroups.webserver.name;
isSystemUser = true;
description = "tlater.net web server user";
};
extraGroups.webserver = {gid = config.ids.gids.webserver;};
};
virtualisation.oci-containers.containers.webserver = {
image = "tlaternet/webserver";
imageFile = pkgs.dockerTools.buildImage {
name = "tlaternet/webserver";
tag = "latest";
contents = pkgs.tlaternet-webserver.webserver;
config = let
uid = toString config.users.extraUsers.webserver.uid;
gid = toString config.users.extraGroups.webserver.gid;
{config, ...}: let
domain = config.services.nginx.domain;
in {
Cmd = ["tlaternet-webserver"];
Volumes = {"/srv/mail" = {};};
Env = [
"ROCKET_PORT=3002"
"ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
];
ExposedPorts = {"3002" = {};};
User = "${uid}:${gid}";
services.tlaternet-webserver = {
enable = true;
listen = {
addr = "127.0.0.1";
port = 8000;
};
};
ports = ["3002:3002"];
volumes = ["tlaternet-mail:/srv/mail"];
extraOptions = [
"--hostname=tlater.net"
# Rocket 0.4 doesn't support SIGTERM anyway, so SIGKILL is the cleanest exit possible.
"--stop-signal=SIGKILL"
];
# Set up SSL
services.nginx.virtualHosts."${domain}" = let
inherit (config.services.tlaternet-webserver.listen) addr port;
in {
serverAliases = ["www.${domain}"];
forceSSL = true;
enableACME = true;
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'';
locations."/".proxyPass = "http://${addr}:${toString port}";
};
}

10
configuration/sops.nix Normal file
View file

@ -0,0 +1,10 @@
{
sops = {
defaultSopsFile = ../keys/production.yaml;
secrets."nextcloud/tlater" = {
owner = "nextcloud";
group = "nextcloud";
};
secrets."steam/tlater" = {};
};
}

395
flake.lock
View file

@ -1,63 +1,202 @@
{
"nodes": {
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"naersk": {
"alejandra": {
"inputs": {
"fenix": "fenix",
"flakeCompat": "flakeCompat",
"nixpkgs": [
"tlaternet-webserver",
"dream2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1632266297,
"narHash": "sha256-J1yeJk6Gud9ef2pEf6aKQemrfg1pVngYDSh+SAY94xk=",
"owner": "nmattia",
"repo": "naersk",
"rev": "ee7edec50b49ab6d69b06d62f1de554efccb1ccd",
"lastModified": 1658427149,
"narHash": "sha256-ToD/1z/q5VHsLMrS2h96vjJoLho59eNRtknOUd19ey8=",
"owner": "kamadorueda",
"repo": "alejandra",
"rev": "f5a22afd2adfb249b4e68e0b33aa1f0fb73fb1be",
"type": "github"
},
"original": {
"owner": "nmattia",
"repo": "naersk",
"owner": "kamadorueda",
"repo": "alejandra",
"type": "github"
}
},
"crane": {
"flake": false,
"locked": {
"lastModified": 1661875961,
"narHash": "sha256-f1h/2c6Teeu1ofAHWzrS8TwBPcnN+EEu+z1sRVmMQTk=",
"owner": "ipetkov",
"repo": "crane",
"rev": "d9f394e4e20e97c2a60c3ad82c2b6ef99be19e24",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"devshell": {
"flake": false,
"locked": {
"lastModified": 1653917170,
"narHash": "sha256-FyxOnEE/V4PNEcMU62ikY4FfYPo349MOhMM97HS0XEo=",
"owner": "numtide",
"repo": "devshell",
"rev": "fc7a3e3adde9bbcab68af6d1e3c6eb738e296a92",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"dream2nix": {
"inputs": {
"alejandra": "alejandra",
"crane": "crane",
"devshell": "devshell",
"flake-utils-pre-commit": "flake-utils-pre-commit",
"gomod2nix": "gomod2nix",
"mach-nix": "mach-nix",
"nixpkgs": "nixpkgs_2",
"poetry2nix": "poetry2nix",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1663323895,
"narHash": "sha256-ZmI9C8HNVz2w3OnB79WR/LIgVEY8tDnR8tEPi3hMiJk=",
"owner": "nix-community",
"repo": "dream2nix",
"rev": "25be741ec92c77b8308ca6a7ab89593fe37b6542",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "dream2nix",
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"tlaternet-webserver",
"dream2nix",
"alejandra",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1657607339,
"narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"fenix_2": {
"inputs": {
"nixpkgs": [
"tlaternet-webserver",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src_2"
},
"locked": {
"lastModified": 1663396212,
"narHash": "sha256-dlK10QPTDYNpJ/vl2QPKOTrqEbQwAR/v2f4+xsetTkw=",
"owner": "nix-community",
"repo": "fenix",
"rev": "263cd7f991c07a9592a6e825bfc37b23b00eb244",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-utils-pre-commit": {
"locked": {
"lastModified": 1644229661,
"narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakeCompat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"gomod2nix": {
"flake": false,
"locked": {
"lastModified": 1627572165,
"narHash": "sha256-MFpwnkvQpauj799b4QTBJQFEddbD02+Ln5k92QyHOSk=",
"owner": "tweag",
"repo": "gomod2nix",
"rev": "67f22dd738d092c6ba88e420350ada0ed4992ae8",
"type": "github"
},
"original": {
"owner": "tweag",
"repo": "gomod2nix",
"type": "github"
}
},
"mach-nix": {
"flake": false,
"locked": {
"lastModified": 1634711045,
"narHash": "sha256-m5A2Ty88NChLyFhXucECj6+AuiMZPHXNbw+9Kcs7F6Y=",
"owner": "DavHau",
"repo": "mach-nix",
"rev": "4433f74a97b94b596fa6cd9b9c0402104aceef5d",
"type": "github"
},
"original": {
"id": "mach-nix",
"type": "indirect"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1650522846,
"narHash": "sha256-SxWHXRI3qJwswyXAtzsi6PKVY3KLNNnb072KaJthII8=",
"lastModified": 1665321371,
"narHash": "sha256-0SO6MTW0bX6lxZmz1AZW/Xmk+hnTd7/hp1vF7Tp7jg0=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "6b4ebea9093c997c5f275c820e679108de4871ab",
"rev": "236ba4df714131059945d7754c0aa3fbe9d2f74c",
"type": "github"
},
"original": {
@ -69,51 +208,134 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1650501692,
"narHash": "sha256-ApKf0/dc0SyB7zZ6yiiOQgcXAhCXxbSDyihHfRDIzx0=",
"lastModified": 1665466769,
"narHash": "sha256-L+qcHpb4Ac3PipMXJY/Ktbu1+KXy23WCZ8pXWmsf7zY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9887f024766aa27704d1f89f623efd1d063da92a",
"rev": "0b20bf89e0035b6d62ad58f9db8fdbc99c2b01e8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-21.11",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-22_05": {
"locked": {
"lastModified": 1665279158,
"narHash": "sha256-TpbWNzoJ5RaZ302dzvjY2o//WxtOJuYT3CnDj5N69Hs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b3783bcfb8ec54e0de26feccfc6cc36b8e202ed5",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1657638268,
"narHash": "sha256-blBNtQSslAFkg0Gym9fWNJk+bPxGSZib4SOcPrmTPi4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d80993b5f885515254746ba6d1917276ee386149",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"poetry2nix": {
"flake": false,
"locked": {
"lastModified": 1632969109,
"narHash": "sha256-jPDclkkiAy5m2gGLBlKgH+lQtbF7tL4XxBrbSzw+Ioc=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "aee8f04296c39d88155e05d25cfc59dfdd41cc77",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "1.21.0",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-utils": [
"tlaternet-webserver",
"dream2nix",
"flake-utils-pre-commit"
],
"nixpkgs": [
"tlaternet-webserver",
"dream2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1646153636,
"narHash": "sha256-AlWHMzK+xJ1mG267FdT8dCq/HvLCA6jwmx2ZUy5O8tY=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "b6bc0b21e1617e2b07d8205e7fae7224036dfa4b",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix",
"tlaternet-templates": "tlaternet-templates",
"tlaternet-webserver": "tlaternet-webserver"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"tlaternet-webserver",
"flake-utils"
],
"nixpkgs": [
"tlaternet-webserver",
"nixpkgs"
]
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1633400100,
"narHash": "sha256-kHQV7jZ2vVHVI9sfda1mUROVBbQbdfKcbIpKG9WdqGo=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "9c2fc6a62ccbc6f420d71ecac6bf0b84dbbee64f",
"lastModified": 1657557289,
"narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "caf23f29144b371035b864a1017dbc32573ad56d",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"rust-analyzer-src_2": {
"flake": false,
"locked": {
"lastModified": 1662896065,
"narHash": "sha256-1LkSsXzI1JTAmP/GMTz4fTJd8y/tw8R79l96q+h7mu8=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "2e9f1204ca01c3e20898d4a67c8b84899d394a88",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
@ -121,14 +343,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {
"lastModified": 1649756291,
"narHash": "sha256-KTll8bCINAzIUGaaMrbn9wb5nfhkXRLgmFrWGR/Dku0=",
"lastModified": 1665289655,
"narHash": "sha256-j1Q9mNBhbzeJykhObiXwEGres9qvP4vH7gxdJ+ihkLI=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c2614c4fe61943b3d280ac1892fcebe6e8eaf8c8",
"rev": "0ce0449e6404c4ff9d1b7bd657794ae5ca54deb3",
"type": "github"
},
"original": {
@ -137,42 +360,20 @@
"type": "github"
}
},
"tlaternet-templates": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1633432574,
"narHash": "sha256-IjGaJAQuFIJ1Is9gtHXsryPOnTDE6tlA61PUKuS8dzw=",
"ref": "master",
"rev": "555a2949bdf643c74b535bd0c623d98f99d33628",
"revCount": 61,
"type": "git",
"url": "https://gitea.tlater.net/tlaternet/tlaternet-templates.git"
},
"original": {
"type": "git",
"url": "https://gitea.tlater.net/tlaternet/tlaternet-templates.git"
}
},
"tlaternet-webserver": {
"inputs": {
"flake-utils": "flake-utils_2",
"naersk": "naersk",
"dream2nix": "dream2nix",
"fenix": "fenix_2",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay"
]
},
"locked": {
"lastModified": 1633433130,
"narHash": "sha256-jkW+HV8cJvE86gppOEXQl2ke+bDHJ7SAp8eJp8pJ0N8=",
"lastModified": 1665402451,
"narHash": "sha256-zWaEzUJh0WFVoaLQsMoIj2D+QFhUBJw+f+XzoYqw3es=",
"ref": "master",
"rev": "1232950c06ae16bf17fb16ac1f5f2231e971936b",
"revCount": 16,
"rev": "6c29bc5db001e75f5ca06fec726369b87d007a03",
"revCount": 47,
"type": "git",
"url": "https://gitea.tlater.net/tlaternet/tlaternet.git"
},

16
flake.nix
View file

@ -2,7 +2,7 @@
description = "tlater.net host configuration";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-21.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
nixos-hardware.url = "github:nixos/nixos-hardware/master";
sops-nix = {
url = "github:Mic92/sops-nix";
@ -13,10 +13,6 @@
url = "git+https://gitea.tlater.net/tlaternet/tlaternet.git";
inputs.nixpkgs.follows = "nixpkgs";
};
tlaternet-templates = {
url = "git+https://gitea.tlater.net/tlaternet/tlaternet-templates.git";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
@ -25,16 +21,11 @@
nixos-hardware,
sops-nix,
tlaternet-webserver,
tlaternet-templates,
}: let
system = "x86_64-linux";
overlays = [
(final: prev: {
tlaternet-webserver =
tlaternet-webserver.legacyPackages.${prev.system}.packages;
tlaternet-templates =
tlaternet-templates.legacyPackages.${prev.system}.packages;
local = import ./pkgs {
pkgs = prev;
};
@ -59,6 +50,7 @@
(import ./configuration/linode.nix)
(import ./configuration/hardware-configuration.nix)
sops-nix.nixosModules.sops
tlaternet-webserver.nixosModules.default
];
};
@ -74,6 +66,7 @@
(import ./configuration)
sops-nix.nixosModules.sops
tlaternet-webserver.nixosModules.default
({lib, ...}: {
users.users.tlater.password = "insecure";
@ -84,6 +77,9 @@
# can easily test locally with the VM.
services.nginx.domain = lib.mkOverride 99 "localhost";
# Use the staging secrets
sops.defaultSopsFile = lib.mkOverride 99 ./keys/staging.yaml;
# # Set up VM settings to match real VPS
# virtualisation.memorySize = 3941;
# virtualisation.cores = 2;

28
keys/hosts/staging.asc Normal file
View file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEAC32/CXnt4LDPdPZppQ0GcJAxVFHFu8SCl5WnU/PVPEnwgRkV8V
ZeyQN4qgT5LPWgPYyDyAqUHBUwRxvVcguw0fOlDBZ3nECKQxZ53OVlay7xfhgXO1
luNu657u5VYtxfLqx7lVHfY/TWp5DBOOEpOtoKfz031Zbg11+kdxW5eEg2ypCTvn
+MVQgRH9AQI+0+jegQ9On3X9UaVdc8etuY/F8BAEwLCCbYpLUEUXwOo4YLB36Kg3
P27q15Nl6g5P/oFEdS3fhHbh9636lJnxJcTTjAfJaDoQJ5rGDASiT8HJnkNWfrf/
yzLMOiy6fRRIz8HTXKeZNeRvCPu1uHaWYi0RprWMu1HZ0cLzr5N2lHKcWgL8En5b
fPyqldFfJBlY36L59F7hTk10QBgqFhibcXB44iK96jnYw6LgSuFkbfrJr7fx67JN
lM2Xi4WXvzkp3gboDxd2Xy3ChQrQXmXcVAl8XNs78f5AQh5MJP6iC7ayiIsHq4aH
rGVLhbncfKpw4OL9jVNTyRinwpvl5qibLAJbDA7arn8XqT6FT0KjeLa91jTFLHGn
9IkJol+L0/zYrpyiid5ZKNJMousxJoXymzRkeYllr+nLjKNLv0L3MCnsiPEZ23iL
y2/UZ6Vcjrs50L46VuiewCEaVbBp1H9Ps5eUa2YoJ65sfe7wnscXI8oOpQARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQYeU/lMqjFOQCGw8CGQEAAEKvEABZo9JRHnwrKr7UGmynctmF
aR+1KApeWrqahhobgfvMjJLfnUV7UDSeiuf3juoZC+L1d8LqEp0czcqU1YuGtjTT
Yk/4WDwc7G9MjHDgVXPZlQ/qxSYBFwowbUkfhj49UA4Np2PW3yLtoZnBHLz6tmaD
mTtdNjzEw+L0GQ9Wi2pQYSUV4I9URF/NH7NGmurNl8Y5SHb3rqFQ4CPGXk5UQYL5
s0ZdArwgWNH+ceC1Kq0baKu5WJINFfCIJbJajATBqgPy6FPEmhUdgt8awOp01oEc
zs2930sc6YY5GJVEGnxR/qBLTA5lANS1mpqHd9s4YF7jj8h/q8SV4iegTeKHrLox
v1bP+QzHquCn7BpO9V6GD/eaqBKfx6k6+HDb5YmKnBvBV/c3yJ6wiv1H32nauWs1
CgiJNYV+A/+YnWf0uPRqelAzT06JUtnSBZ0ppKLR68X3IKisXVNzW/3pM/ZWWfFM
uKHCoppH2iuStn2wPkdjJD4UHduAFyF1oj1jFwP9r+EuhhPH1qr40405jRdOR98P
RuPhrSkLBdWiUlNintDOyFzNbKXMZlreZeATeT5y/H+IF3CDvgAhBo7KqhfBfgUK
6P/1xk8DozTmlsKY/cOsK0aL47CJcg8LU6tHrxa8uP6qV2HbUD31WbCRr1eL8k2G
xszxEVPuKG8ckw58WpT4vA==
=kJ/7
-----END PGP PUBLIC KEY BLOCK-----

50
keys/production.yaml Normal file
View file

@ -0,0 +1,50 @@
nextcloud:
tlater: ENC[AES256_GCM,data:zNsPm4uFaIRe3LjcwmayRg==,iv:5wam6bP5zP708jC9UrLV0s8qspl3Pm4fPzbMFYBUyPQ=,tag:apnJUMeJwMn9q0NhO4ptmA==,type:str]
steam:
tlater: ENC[AES256_GCM,data:HNsve/Wid40ftclO9n09yXg=,iv:VQxAz4eR9lfxEvM0zl1FpJpbKrEFxjIYLyCqL9Aool0=,tag:LHcpHCXAHe8p2kOvOnKXyw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-10-12T13:13:37Z"
mac: ENC[AES256_GCM,data:+EuA0rblxZYk+0tZs3vUFtr1cVKhdrLi4Ww0QjeITZn2k+SL8Y2gRl3gNVQOe00WHUgSKN53QKhxDj4q6Rd0LfwASxRRjz78Mk8yHDRDIfdDS960EasgKON4HPW/eMd2Fp4+flv57KYywQQWp3AlD8JqxIf5wNhyywn5LlW3PCQ=,iv:YFIk0LrRjV8417QJ5cp5EuIm7bezyG8ZulKcu1xhIF4=,tag:vtq5hCuLEXOvRjE2D/5cCQ==,type:str]
pgp:
- created_at: "2022-10-12T00:46:51Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA7x7stsXx45CAQf9Hivg5x2NEKp3icdAIXKoBVTp5jnqJ2S5xDpK4cbCUwRd
Z2VyNjxAXdTgKsviXseWbtsEbqo41oqjtpZwXK36gT/miKSPYyBSLb689L70RpWR
aC4QzOHbYr1Trr1whkTVaQG1vd2u9ZEyxsi13ItiYVylu7tgMqaDqzE4Y47RPZtz
FWFY4chO5Tq/DL0blP8oCTLFx4LSL82JbZswCfqrSHX44HGZ/OELHqNhYNF6hkCr
DgYYh7l7s08farE+PnTbWt808Kd3kP8fCRaLm9nt1X1c5QQElaWBjGIscK9fOsV4
iVFQfPBdwBi8aawCmwvXOcg6sX050Ow3NeYQBJVICtJeAeHyetxxEYip6CrADsiq
UG1Np+p6Pcbq/k6E1vT6bsRrhUWPYC4yuh6Edg5p/jxa4DAlsq/OgDI9pquE9aIt
F8cQMHfIkNP8/HiM/KwmdHoTJiy8YCwqP/UalSJdVw==
=lnlW
-----END PGP MESSAGE-----
fp: 535B61015823443941C744DD12264F6BBDFABA89
- created_at: "2022-10-12T00:46:51Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA9ahl2ynTH87AQ/+ID/6Dcbat+YRvT8VpfKpZf2O6EFbI3dlPDkZ+f4yFW0R
uGKkLR69utM8FoEn1XUkPG3klDk5t/gQikS/d1lPZ6cPOsVzY4P2Te6LizP25vCE
cHkztZG/IuBCBfLp8xsEjF1OXEDnb7Klqd3aJuYrvJNm3SreNydRAGyM1E94+iQL
zLrHF0WbD+dVdVG+ZoHKouGHVVmcxTkfi8Ce63pHKxOiMgqJLnImC357mle4DlJV
1My0CPV9Y1ElY+W5s+a7sRgursR0AVOkuvWYT39VW+RmFpUZyRCgyW+L6ilCEcOV
VXJHf0IFylkqevh11BssIetHAtT8anqZ+wo3ON4gEHjcahufc1h8rOxEEsWe/qUC
XZzfwilOsY/vKJ+GTz5Cp8XAviozQL5o2O5H9PiHxQl019QHZgprJclGMlukCBkR
Uo3h1Rl2na8JqcolAlFGQ1/QxsOnJ/KAmOpUZ7fZqG2qnsXnFjXcuqo+0e58odaT
sZLIspvsEHBHKzsvUa6BT8bTc+GlsB3hFolBVdX4y9kTWuzxy0K6bKA9HMTf4FPW
w2hIlvYhlgEx9MVqKLbemN3ye2rC3GRUBXxVXmlXBmb7nXPZCOGqL6nrvtsQ1E4h
D9+sN+cvYh5lYPByjXYinT8TqFVpqX++qnpgHC+5c6WtDHlhRAyfIQK51wCyiZbS
UAG6iDEbCWwD7uHZjDmVycC2R/0HnO+o9xMBI6teKYziFhvn8m7R9gzr7zn/0x3t
dVMXtojhfbMPzYK0gT6xOn8SbYGH0MV7ddOm7+Kl3Z8Y
=zDer
-----END PGP MESSAGE-----
fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
unencrypted_suffix: _unencrypted
version: 3.7.2

50
keys/staging.yaml Normal file
View file

@ -0,0 +1,50 @@
nextcloud:
tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str]
steam:
tlater: ENC[AES256_GCM,data:jcW4wacGzOQ=,iv:KstKGHflscSWDFXGbnAZUcsqGN4Ot+w7sRbsAUwZNHQ=,tag:n9sRWvaKSgagpIgV/NF/Og==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-10-12T13:14:20Z"
mac: ENC[AES256_GCM,data:IlU8Jr+HD/ZHHsd7eaaSGp3tRxGy8/yhbSejkWmHFeL1WsvdWsToHM7yah2WzX+uY7s/i7atHQdhbHITCi6gBIFociVVPwziK5YOmTXv1fHlcD60U4ClRbTtgMVMtvc5tXrxdLQGhaX+DJ5xXBhTlCSwwqgYP0I7vJmEUF9mz7g=,iv:IM1ebqQB1UO5EN92kipHL20iGtFTKJhUiN/XR6psWBM=,tag:WweauZ5pA7/YMuUuq8C/xQ==,type:str]
pgp:
- created_at: "2022-10-12T16:48:23Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA7x7stsXx45CAQf/QKXxlgFzUn5ZS02JDiOLds6wjsiTbwQeIy+den+qH9KF
CyfC/8WhxojyhliG0zUzQ7oHtYYkbknF2DyrR7J4+S3SyvMS6MDGTUUn5dIcGwBO
2/Q2bt4ayOJFNTPePA0IfuMYNUiMl5B/0GCFRV9DE+gG/dcsOzM5q1Uya/yJ1966
RndWwbnE4j5yP4Nj2o3OiZFhlNi6W6UffYB0hsTTPmmebIZltDRbmLSSpKcfNEYw
h3st3WaJ0BCuQC5i/kvYTfJyBCoYnvFrb3RmXm3h+MvW0JZwHzfbST3nJCBHh5XJ
fVquF17oDJzn5S7EdWMhUbWwHgZwz2J6sZMgGEQ6WdJeAf2IlCuRYGjQMcB1WhxH
GCgbzUGoOGrxT3euzz9R1J98d1HQqtpFgeg9JgWndUdhoF80+AU7Wpyy6qOg2n/4
wCcb4pcqG1OqFezauEu8+sFdE07vfLoWzxJIark8WA==
=pc2z
-----END PGP MESSAGE-----
fp: 535B61015823443941C744DD12264F6BBDFABA89
- created_at: "2022-10-12T16:48:23Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA2HlP5TKoxTkARAAl+2Y+pd5oraYLgiiJ0CbMFef0zCpFwBwUCyzykMOICGa
TWCYs8K6hChjepe0p8+oZnp0wi8U1qrmgRtFljQfHoXq5EXDYKydkz8XHHDI7/W7
1BmETajv9Mx7j4BFNB3z0XvLJTPeNhygemuHhox5pA8CUt5FkYahpzYR9AlLiAwx
NtU+csrcGUqYllT5WYIKFVIwFk07IvgK/7vj3filO5G2GMiH7lsV6p7W/MYqCFTV
grE383/bGCT18XmHpe3Uu0NcotexiqKSXpnFNntWOgd/KynBn8Oa/DMr8ci/4QSF
rEV4+IGJSmfAzQYaIfzNRGyTQJKBFiXWQv53GWT9Y5EbdEYEBhyqlIaV5fp/61X+
8zhLz3b6QMkNkI6mNVVLK96g2p0dhVoq+R3Wlj/RIVDw/BzH+vJIArQhc8T2NEOX
lmLFTMoTRXPrw/UZKMoO+JSDwt2p3WI0sb/ThS+bd7eymxt5lFW1Ikc4Jgd/iHHu
JtUZ78i8jAV/nBJPaAYXoRxfpcAMFqJCnxTwCoF7vYP6hHeYW9PPqsClPxQ97TrO
/Ei01e9YSfdtIzKcwkOThffRr+7hxwEGQ3EZ+2ShOW9ASfLkIo4MgoLtDAoHCK5E
vc2JGWP+vlylTVnZ46Hp8BMRlSjdkS/qGU0lSTPC3q+PllCF2gkN6ZcdLv5L2DDS
UAFD70TIN2QAiYEZW6jxg2UtO9ULLT5NgrvfHD9aGAk7jIxeY+nH3S7KqFgmA21c
IkNZJSX/J85d13+kJADms3vI7uMOcSUiInaQHy9Cqjrr
=fnOr
-----END PGP MESSAGE-----
fp: 7762ec55a5727cabada621d961e53f94caa314e4
unencrypted_suffix: _unencrypted
version: 3.7.2

11
modules/default.nix
View file

@ -1,9 +1,8 @@
{lib, ...}:
with lib; {
imports = [./virtualisation/pods.nix];
options.services.nginx.domain = mkOption {
type = types.str;
{lib, ...}: let
inherit (lib) mkOption types;
in {
options.services.nginx.domain = lib.mkOption {
type = lib.types.str;
description = "The base domain name to append to virtual domain names";
};
}

222
modules/virtualisation/pods.nix
View file

@ -1,222 +0,0 @@
{
lib,
config,
options,
...
}:
with lib; let
cfg = config.virtualisation.pods;
list-to-args = arg: list:
concatStringsSep " " (map (e: "--${arg}=${escapeShellArg e}") list);
possibly-unset-arg = arg: val: (optionalString (val != null) "--${arg}=${escapeShellArg val}");
mkPod = name: pod: rec {
path = [config.virtualisation.podman.package];
wants = ["network.target"];
after = ["network-online.target"];
wantedBy = ["multi-user.target" "default.target"];
environment.PODMAN_SYSTEMD_UNIT = "%n";
preStart = concatStringsSep " " [
"mkdir -p /run/podman/pods/ ;"
"podman pod create"
"--infra-conmon-pidfile=${escapeShellArg "/run/podman/pods/${name}.pid"}"
"--name=${escapeShellArg name}"
"--replace"
(list-to-args "add-host" pod.added-hosts)
(possibly-unset-arg "cgroup-parent" pod.cgroup-parent)
(list-to-args "dns" pod.dns)
(list-to-args "dns-opt" pod.dns-opt)
(list-to-args "dns-search" pod.dns-search)
(possibly-unset-arg "hostname" pod.hostname)
(possibly-unset-arg "infra" pod.infra)
(possibly-unset-arg "infra-command" pod.infra-command)
(possibly-unset-arg "infra-image" pod.infra-image)
(possibly-unset-arg "ip" pod.ip)
(possibly-unset-arg "mac-address" pod.mac-address)
(possibly-unset-arg "network" pod.network)
(possibly-unset-arg "network-alias" pod.network-alias)
(possibly-unset-arg "no-hosts" pod.no-hosts)
(list-to-args "publish" pod.publish)
(list-to-args "share" pod.share)
];
script = "podman pod start ${escapeShellArg name}";
preStop = "podman pod stop ${escapeShellArg name}";
# `podman generate systemd` generates a second stop after the
# first; not sure why but clearly it's recommended.
postStop = preStop;
serviceConfig = rec {
Type = "forking";
TimeoutStopSec = 70;
Restart = "on-failure";
PIDFile = "/run/podman/pods/${name}.pid";
};
};
in {
options.virtualisation.pods = mkOption {
type = with types;
attrsOf (submodule {
options = {
added-hosts = mkOption {
type = listOf str;
default = [];
description = "Additional hosts to add to /etc/hosts for each container.";
example = literalExample ''
[ "database:10.0.0.1" ]
'';
};
cgroup-parent = mkOption {
type = nullOr str;
default = null;
description = "The cgroups path under which the pod cgroup will be created.";
};
dns = mkOption {
type = listOf str;
default = [];
description = "The dns servers to set in /etc/resolv.conf.";
};
dns-opt = mkOption {
type = listOf str;
default = [];
description = "dns options to set in /etc/resolv.conf.";
};
dns-search = mkOption {
type = listOf str;
default = [];
description = "Search domains to set in /etc/resolv.conf.";
};
hostname = mkOption {
type = nullOr str;
default = null;
description = "The pod hostname.";
};
infra = mkOption {
type = nullOr bool;
default = null;
description = "Whether to create the infra container for the pod.";
};
infra-command = mkOption {
type = nullOr str;
default = null;
description = "The command to run in the infra container.";
};
infra-image = mkOption {
type = nullOr str;
default = null;
description = "The image to use for the infra container.";
};
ip = mkOption {
type = nullOr str;
default = null;
description = "A static IP address for the pod network.";
};
# TODO: set up label file stuff.
#
# labels = mkOption {};
mac-address = mkOption {
type = nullOr str;
default = null;
description = "A static mac address for the pod network.";
};
network = mkOption {
type = nullOr str;
default = null;
description = "Network configuration for the pod.";
};
network-alias = mkOption {
type = nullOr str;
default = null;
description = "DNS alias for the pod.";
};
no-hosts = mkOption {
type = nullOr bool;
default = null;
description = "Whether to disable /etc/hosts creation for the pod.";
};
publish = mkOption {
type = listOf str;
default = [];
description = "List of ports to publish from the pod.";
};
share = mkOption {
type = listOf str;
default = [];
description = "List of kernel namespaces to share.";
};
containers = options.virtualisation.oci-containers.containers;
};
});
default = {};
description = "Podman pods to run as systemd services.";
};
config = let
# Merge a list of attribute sets together
#
# TODO: See if there's a generic version for this somewhere in the
# pkgs lib?
mergeAttrs = attrList: foldr (a: b: a // b) {} attrList;
# Create services for all defined pods
pod-services = mapAttrs' (n: v: nameValuePair "pod-${n}" (mkPod n v)) cfg;
# Override the systemd-specific settings of containers defined in
# pods.
#
# I.e., make a systemd unit dependency on the pod service.
pod-container-services = mergeAttrs (mapAttrsToList (pname: pod:
mapAttrs' (cname: container:
nameValuePair "podman-${pname}-${cname}" rec {
after = ["pod-${pname}.service"];
requires = after;
})
pod.containers)
cfg);
# Override the oci-container settings for containers defined in pods.
#
# I.e., set the --pod=podname setting, and update the dependsOn so
# it points to containers in the same pod.
podifyContainer = container: podname:
container
// {
dependsOn =
map (dependency: "${podname}-${dependency}") container.dependsOn;
extraOptions = container.extraOptions ++ ["--pod=${podname}"];
};
in
lib.mkIf (cfg != {}) {
virtualisation.podman.enable = true;
virtualisation.oci-containers.backend = "podman";
systemd.services = pod-services // pod-container-services;
virtualisation.oci-containers.containers = mergeAttrs (mapAttrsToList
(pname: pod:
mapAttrs' (cname: container:
nameValuePair "${pname}-${cname}" (podifyContainer container pname))
pod.containers)
cfg);
};
}