diff --git a/container/Change.nix b/container/Change.nix index 2471ef3..c3b4bd8 100644 --- a/container/Change.nix +++ b/container/Change.nix @@ -1,30 +1,24 @@ -{ storage -, domain -, mkContainer -, mkContainerConfig -, mkContainerDir -, ... } @args: let - address = "10.1.0.41"; - path = "${storage}/change"; +{ container, ... } @args: let + cfg = container.config.change; in { - systemd.tmpfiles.rules = map (dir: mkContainerDir "${path}/${dir}") [ + systemd.tmpfiles.rules = container.mkContainerDir cfg [ "data" ]; - containers.change = mkContainer address { + containers.change = container.mkContainer cfg { bindMounts = { "/var/lib/changedetection-io" = { - hostPath = "${path}/data"; + hostPath = "${cfg.storage}/data"; isReadOnly = false; }; }; - config = { ... }: mkContainerConfig { + config = { ... }: container.mkContainerConfig cfg { services.changedetection-io = { enable = true; - baseURL = "https://change.${domain}"; + baseURL = cfg.domain; behindProxy = true; - listenAddress = address; + listenAddress = cfg.address; }; }; }; diff --git a/container/Cloud.nix b/container/Cloud.nix index c4b98c4..9165443 100644 --- a/container/Cloud.nix +++ b/container/Cloud.nix 
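Review bot: `baseURL = cfg.domain;` drops the scheme that the removed line `baseURL = "https://change.${domain}";` carried, because `container.config.change.domain` is defined in container/default.nix as `"change.${domain}"` with no `https://` prefix, so changedetection-io now receives a bare hostname where it previously received a full URL. If the option still expects a URL (the old value suggests it does), links built from it and the `behindProxy` handling will be wrong; either keep the scheme here, `baseURL = "https://${cfg.domain}";`, or store a full URL alongside `domain` in the shared config. The remaining `cfg.*` substitutions in this hunk are one-to-one with the values they replace.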
@@ -1,26 +1,33 @@ -{ storage -, mkContainer -, mkContainerConfig -, mkContainerDir -, ... } @args: let - address = "10.1.0.13"; - path = "${storage}/cloud"; +{ pkgs, container, ... } @args: let + cfg = container.config.cloud; in { - systemd.tmpfiles.rules = map (dir: mkContainerDir "${path}/${dir}") [ + systemd.tmpfiles.rules = container.mkContainerDir cfg [ "data" ]; - containers.postgres = mkContainer address { + containers.cloud = container.mkContainer cfg { bindMounts = { "/var/www/html" = { - hostPath = "${path}/data"; + hostPath = "${cfg.storage}/data"; isReadOnly = false; }; }; - config = { ... }: mkContainerConfig { + config = { ... }: container.mkContainerConfig cfg { services.nextcloud = { enable = true; + hostName = cfg.domain; + config = { + adminuser = "root"; + adminpassFile = "${pkgs.writeText "NextcloudPassword" "root"}"; + dbtype = "pgsql"; + dbhost = "10.1.0.3"; + + }; + settings = { + trusted_domains = [ cfg.address ]; + trusted_proxies = [ container.config.proxy.address ]; + }; }; }; }; diff --git a/container/Paste.nix b/container/Paste.nix index 49915d3..ff4a698 100644 --- a/container/Paste.nix +++ b/container/Paste.nix 
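Review bot: `adminpassFile = "${pkgs.writeText "NextcloudPassword" "root"}";` writes the Nextcloud admin password into the Nix store, which is world-readable on the host and is copied to any binary cache the host pushes to, so the literal `root` is the admin password for every user with host access and it is also committed to the repository. Point `adminpassFile` at a file outside the store instead (for example a restricted-permission file under `cfg.storage`, or a secrets-manager path) and keep the value itself out of the config. `dbhost = "10.1.0.3";` hard-codes the Postgres address that this commit already centralises as `container.config.postgres.address`; use that reference so this setting and the `trust` rule added in Postgres.nix cannot drift apart. The stray blank line before the closing `};` of `config` can go.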
@@ -1,44 +1,34 @@ -{ pkgs -, storage -, domain -, util -, mkContainer -, mkContainerConfig -, mkContainerDir -, mkServer -, ... } @args: let - address = "10.1.0.14"; - fqdn = "paste.${domain}"; +{ pkgs, util, container, ... } @args: let + cfg = container.config.paste; package = (pkgs.callPackage ./pastebin args); - path = "${storage}/paste"; in { - systemd.tmpfiles.rules = map (dir: mkContainerDir "${path}/${dir}") [ + systemd.tmpfiles.rules = container.mkContainerDir cfg [ "data" "tmp" "nginxtmp" ]; - containers.paste = mkContainer address { + containers.paste = container.mkContainer cfg { bindMounts = { "/srv/data" = { - hostPath = "${path}/data"; + hostPath = "${cfg.storage}/data"; isReadOnly = false; }; "/tmp" = { - hostPath = "${path}/tmp"; + hostPath = "${cfg.storage}/tmp"; isReadOnly = false; }; "/var/lib/nginx/tmp" = { - hostPath = "${path}/nginxtmp"; + hostPath = "${cfg.storage}/nginxtmp"; isReadOnly = false; }; "/srv/config" = { - hostPath = "${path}/config"; + hostPath = "${cfg.storage}/config"; isReadOnly = false; }; }; - config = { config, ... }: mkContainerConfig { + config = { config, ... }: container.mkContainerConfig cfg { environment.systemPackages = [ package ]; systemd.packages = [ package ]; @@ -73,7 +63,7 @@ in { services.nginx = { enable = true; - virtualHosts.${fqdn} = mkServer { + virtualHosts.${cfg.domain} = container.mkServer { default = true; root = "${package}"; diff --git a/container/Postgres.nix b/container/Postgres.nix index 8d9efdb..6988a4a 100644 --- a/container/Postgres.nix +++ b/container/Postgres.nix 
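Review bot: `hostPath = "${cfg.storage}/config";` for the `/srv/config` mount now derives its path from `cfg.storage`, but `config` is not in the `container.mkContainerDir cfg [ "data" "tmp" "nginxtmp" ]` list in the same hunk, so unless that directory is created elsewhere the bind mount points at a host path that is never created while its three siblings are. Adding `"config"` to that list keeps the tmpfiles rules and the mounts in step, which is the point of routing both through `cfg`. The container's `config` attribute continues past this hunk, and the second hunk of this file only renames `fqdn` to `cfg.domain`.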
@@ -1,28 +1,23 @@ -{ storage -, host -, mkContainer -, mkContainerConfig -, mkContainerDir -, ... } @args: let - address = "10.1.0.3"; - path = "${storage}/postgres"; +{ container, ... } @args: let + cfg = container.config.postgres; in { - systemd.tmpfiles.rules = map (dir: mkContainerDir "${path}/${dir}") [ + systemd.tmpfiles.rules = container.mkContainerDir cfg [ "data" ]; - containers.postgres = mkContainer address { + containers.postgres = container.mkContainer cfg { bindMounts = { "/var/lib/postgresql/data" = { - hostPath = "${path}/data"; + hostPath = "${cfg.storage}/data"; isReadOnly = false; }; }; - config = { pkgs, ... }: mkContainerConfig { + config = { pkgs, ... }: container.mkContainerConfig cfg { services.postgresql = let databases = [ "privatebin" + "nextcloud" ]; in { enable = true; @@ -30,8 +25,9 @@ in { dataDir = "/var/lib/postgresql/data/14"; enableTCPIP = true; authentication = '' - host all all ${host}/32 trust - host privatebin privatebin 10.1.0.14/32 trust + host all all ${container.host}/32 trust + host privatebin privatebin ${container.config.paste.address}/32 trust + host nextcloud nextcloud ${container.config.cloud.address}/32 trust ''; ensureDatabases = databases; ensureUsers = map (name: { diff --git a/container/Proxy.nix b/container/Proxy.nix index 9a8cbe1..437f057 100644 --- a/container/Proxy.nix +++ b/container/Proxy.nix 
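Review bot: The added rule `host nextcloud nextcloud ${container.config.cloud.address}/32 trust` authenticates the new Nextcloud database role by source address alone, and the shared `mkContainerConfig` in this commit sets `networking.firewall.enable = false` in every container, so the only check on that database is which address a peer on the 10.1.0.0/24 segment presents. Prefer `scram-sha-256` for the new role and pass the secret to Nextcloud through `dbpassFile` in Cloud.nix, keeping `trust` for loopback at most. The same applies to the pre-existing `host all all ${container.host}/32 trust`, which grants passwordless access to every database and role from the host address; that line is only rewritten here, not changed. The `ensureUsers` list continues past this hunk.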
@@ -1,32 +1,25 @@ -{ storage -, util -, domain -, mkContainer -, mkContainerConfig -, mkContainerDir -, ... } @args: let - address = "10.1.0.2"; - path = "${storage}/proxy"; +{ domain, util, container, ... } @args: let + cfg = container.config.proxy; virtualHosts = util.catSet (util.ls ./proxy/host) args; in { - systemd.tmpfiles.rules = map (dir: mkContainerDir "${path}/${dir}") [ + systemd.tmpfiles.rules = container.mkContainerDir cfg [ "challenge" "letsencrypt" ]; - containers.proxy = mkContainer address { + containers.proxy = container.mkContainer cfg { bindMounts = { "/etc/letsencrypt" = { - hostPath = "${path}/letsencrypt"; + hostPath = "${cfg.storage}/letsencrypt"; isReadOnly = true; }; "/var/www/.well-known" = { - hostPath = "${path}/challenge"; + hostPath = "${cfg.storage}/challenge"; isReadOnly = false; }; }; - config = { pkgs, ... }: mkContainerConfig { + config = { pkgs, ... }: container.mkContainerConfig cfg { environment.systemPackages = with pkgs; [ certbot ]; services.nginx = { diff --git a/container/default.nix b/container/default.nix new file mode 100644 index 0000000..02debf5 --- /dev/null +++ b/container/default.nix 
@@ -0,0 +1,59 @@ +{ lib +, const +, host +, storage +, domain +, ... }: { + inherit host; + + mkContainer = config: cfg: lib.recursiveUpdate cfg { + autoStart = true; + hostAddress = host; + localAddress = config.address; + privateNetwork = true; + }; + + mkContainerConfig = config: cfg: lib.recursiveUpdate cfg { + system.stateVersion = const.stateVersion; + + users.users.root.password = ""; + users.mutableUsers = false; + + networking = { + useHostResolvConf = lib.mkForce false; + firewall.enable = false; + }; + }; + + mkContainerDir = cfg: dirs: map (path: "d '${cfg.storage}/${path}' 1777 root root - -") dirs; + + mkServer = cfg: lib.recursiveUpdate cfg { + forceSSL = false; + }; + + config = { + change = { + address = "10.1.0.41"; + domain = "change.${domain}"; + storage = "${storage}/change"; + }; + cloud = { + address = "10.1.0.13"; + domain = "cloud.${domain}"; + storage = "${storage}/cloud"; + }; + paste = { + address = "10.1.0.14"; + domain = "paste.${domain}"; + storage = "${storage}/paste"; + }; + proxy = { + address = "10.1.0.2"; + storage = "${storage}/proxy"; + }; + postgres = { + address = "10.1.0.3"; + storage = "${storage}/postgres"; + }; + }; +} diff --git a/container/proxy/host/Change.nix b/container/proxy/host/Change.nix index 9c855d7..0da2a3b 100644 --- a/container/proxy/host/Change.nix +++ b/container/proxy/host/Change.nix @@ -1,8 +1,10 @@ -{ domain, util, mkServer, ... }: { - "change.${domain}" = mkServer { +{ domain, util, container, ... }: let + cfg = container.config.change; +in { + ${cfg.domain} = container.mkServer { extraConfig = util.trimTabs '' listen 443 ssl; - set $change 10.1.0.41:5000; + set $change ${cfg.address}:5000; location / { allow 192.168.1.0/24; diff --git a/container/proxy/host/Cloud.nix b/container/proxy/host/Cloud.nix new file mode 100644 index 0000000..971c21a --- /dev/null +++ b/container/proxy/host/Cloud.nix 
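Review bot: `mkContainerDir = cfg: dirs: map (path: "d '${cfg.storage}/${path}' 1777 root root - -") dirs;` creates every container storage directory world-writable with the sticky bit, and the callers in this commit route the Postgres data directory and the proxy's `letsencrypt` directory (certificate private keys) through it. A per-directory mode argument, or a restrictive default such as `0750` owned by the uid the container service actually runs as, is worth the extra parameter; whether the containers remap uids is not visible here, so confirm the owner before tightening. `users.users.root.password = "";` with `users.mutableUsers = false` leaves an empty root password in every container; if no interactive root login is needed, `users.users.root.hashedPassword = "!"` locks the account and `nixos-container root-login` does not depend on it. `mkContainerConfig = config: cfg:` never uses its `config` parameter, so drop it or name it `_` for consistency with `mkServer` and `mkContainerDir`, which take only what they use.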
@@ -0,0 +1,26 @@ +{ domain, util, container, ... }: let + cfg = container.config.cloud; +in { + ${cfg.domain} = container.mkServer { + extraConfig = util.trimTabs '' + listen 443 ssl; + set $cloud ${cfg.address}:80; + + location ~ ^/(settings/admin|settings/users|settings/apps|login|api) { + allow 192.168.1.0/24; + allow 10.1.0.1; + deny all; + proxy_pass http://$cloud$request_uri; + } + location / { + proxy_pass http://$cloud$request_uri; + } + + ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem; + include /etc/letsencrypt/conf/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem; + ''; + }; +} + diff --git a/container/proxy/host/Paste.nix b/container/proxy/host/Paste.nix index b053571..1e677d0 100644 --- a/container/proxy/host/Paste.nix +++ b/container/proxy/host/Paste.nix @@ -1,8 +1,10 @@ -{ domain, util, mkServer, ... }: { - "paste.${domain}" = mkServer { +{ domain, util, container, ... }: let + cfg = container.config.paste; +in { + ${cfg.domain} = container.mkServer { extraConfig = util.trimTabs '' listen 443 ssl; - set $paste 10.1.0.14:80; + set $paste ${cfg.address}:80; location = / { return 403; diff --git a/flake.nix b/flake.nix index b819e46..d14d6de 100644 --- a/flake.nix +++ b/flake.nix @@ -125,7 +125,7 @@ # Constant values. const = { droidStateVersion = "22.11"; - stateVersion = "23.11"; + stateVersion = "24.05"; timeZone = "Europe/Moscow"; url = "https://git.voronind.com/voronind/nixos.git"; }; diff --git a/host/desktop/Container.nix b/host/desktop/Container.nix index 591d288..f11a4e0 100644 --- a/host/desktop/Container.nix +++ b/host/desktop/Container.nix 
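Review bot: Both `proxy_pass http://$cloud$request_uri;` locations forward to Nextcloud without any `proxy_set_header`, so unless `container.mkServer` or `util.trimTabs` injects them (not visible here) Nextcloud sees the proxy's own address as every client and `http` as the scheme; the `trusted_proxies = [ container.config.proxy.address ]` set in Cloud.nix then has no `X-Forwarded-For` to act on, and Nextcloud's brute-force throttling keys on the proxy address for all clients. Add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header X-Forwarded-Proto https;` to the server block, and set `overwriteprotocol = "https"` in the Nextcloud `settings` so generated URLs match the TLS listener. The `location ~ ^/(settings/admin|settings/users|settings/apps|login|api)` allowlist matches only the path forms written out; Nextcloud also serves its routes through the `/index.php/` prefix, so either cover that form in the regex or enforce the restriction in the application rather than at the proxy.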
@@ -6,30 +6,7 @@ in { inherit storage domain host pkgs const lib config util; - mkContainer = address: cfg: lib.recursiveUpdate cfg { - autoStart = true; - hostAddress = host; - localAddress = address; - privateNetwork = true; - }; - - mkContainerConfig = cfg: lib.recursiveUpdate cfg { - system.stateVersion = const.stateVersion; - - users.users.root.password = ""; - users.mutableUsers = false; - - networking = { - useHostResolvConf = lib.mkForce false; - firewall.enable = false; - }; - }; - - mkContainerDir = path: "d '${path}' 1777 root root - -"; - - mkServer = cfg: lib.recursiveUpdate cfg { - forceSSL = false; - }; + container = import ../../container args; }; in { networking.nat = { @@ -40,13 +17,15 @@ in { # TODO: Remove this. networking.extraHosts = '' - 10.1.0.2 paste.local 10.1.0.2 change.local + 10.1.0.2 cloud.local + 10.1.0.2 paste.local 10.1.0.2 local ''; imports = [ (import ../../container/Change.nix args) + (import ../../container/Cloud.nix args) (import ../../container/Paste.nix args) (import ../../container/Postgres.nix args) (import ../../container/Proxy.nix args) diff --git a/host/work/Container.nix b/host/work/Container.nix index fcb3216..a79278b 100644 --- a/host/work/Container.nix +++ b/host/work/Container.nix @@ -5,26 +5,6 @@ host = "192.168.0.174"; in { inherit storage domain host pkgs const lib config util; - - mkContainer = cfg: lib.recursiveUpdate cfg { - hostAddress = host; - }; - - mkContainerConfig = cfg: lib.recursiveUpdate cfg { - system.stateVersion = const.stateVersion; - - users.users.root.password = ""; - users.mutableUsers = false; - - networking = { - useHostResolvConf = lib.mkForce false; - firewall.enable = false; - }; - }; - - mkServer = cfg: lib.recursiveUpdate cfg { - forceSSL = false; - }; }; in { networking.nat = {
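Review bot: The host/work/Container.nix hunk removes `mkContainer`, `mkContainerConfig` and `mkServer` from the work host's `args` but, unlike host/desktop/Container.nix in the same commit, does not add `container = import ../../container args;`, so any container module imported on the work host (its `imports` list is outside the hunk) now evaluates against an attribute set that has neither the old helpers nor `container` and fails at `container.config.*`. If the work host is meant to share the new module, add the same line; if it has no containers, removing the helpers is fine but worth stating in the commit message. Note also that the removed work variant of `mkContainer` set only `hostAddress`, while the shared one forces `privateNetwork = true`, `autoStart = true` and `localAddress = config.address`, so adopting it there is a behavioural change rather than a refactor.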