wip: server-factory + firewall refractor

This commit is contained in:
Danilo Reyes 2025-09-27 17:00:13 -06:00
parent 4b81028cde
commit 3d3f49aeec
8 changed files with 107 additions and 53 deletions


@ -3,7 +3,9 @@ let
inherit (config.networking) hostName; inherit (config.networking) hostName;
nixosHosts = nixosHosts =
lib.attrNames config.my.ips lib.attrNames config.my.ips
|> lib.filter (name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName); |> lib.filter (
name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName
);
nixosHostsMatch = lib.concatStringsSep " " nixosHosts; nixosHostsMatch = lib.concatStringsSep " " nixosHosts;
in in
{ {


@ -99,7 +99,7 @@
workstation = createConfig "workstation" inputs.nixpkgs; workstation = createConfig "workstation" inputs.nixpkgs;
miniserver = createConfig "miniserver" inputs.nixpkgs-small; miniserver = createConfig "miniserver" inputs.nixpkgs-small;
server = createConfig "server" inputs.nixpkgs-small; server = createConfig "server" inputs.nixpkgs-small;
}; };
packages.${system} = (jawz-scripts.packages.${system} or { }); packages.${system} = (jawz-scripts.packages.${system} or { });
devShells.${system} = builtins.listToAttrs ( devShells.${system} = builtins.listToAttrs (


@ -17,6 +17,14 @@
../../secrets/ssh/ed25519_nixworkstation.pub ../../secrets/ssh/ed25519_nixworkstation.pub
../../secrets/ssh/ed25519_nixminiserver.pub ../../secrets/ssh/ed25519_nixminiserver.pub
]; ];
network.firewall.enabledServicePorts = true;
network.firewall.additionalPorts = [
2049 # idk
8384 # syncthing gui
22000 # syncthing relay
3452 # sonarqube
8448 # synapse ssl
];
}; };
nix.buildMachines = [ nix.buildMachines = [
{ {
@ -29,45 +37,28 @@
} }
]; ];
sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml; sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml;
networking = networking = {
let hostName = "server";
enabledPorts = firewall = {
config.my.servers allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
|> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port)) interfaces.wg0.allowedTCPPorts = [ 8081 ];
|> lib.attrValues
|> map (srv: srv.port);
ports = enabledPorts ++ [
2049 # idk
8384 # syncthing gui
22000 # syncthing relay
3452 # sonarqube
8448 # synapse ssl
config.services.gitea.settings.server.SSH_PORT
];
in
{
hostName = "server";
firewall = {
allowedTCPPorts = ports;
allowedUDPPorts = ports;
interfaces.wg0.allowedTCPPorts = [ 8081 ];
};
wireguard.interfaces.wg0 = {
ips = [ "${config.my.ips.wg-server}/32" ];
privateKeyFile = config.sops.secrets."vps/home/private".path;
peers = [
{
publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
endpoint = "${config.my.ips.vps}:51820";
allowedIPs = [
"${config.my.ips.wg-vps}/32"
"${config.my.ips.wg-friends}/24" # all friends
];
persistentKeepalive = 25;
}
];
};
}; };
wireguard.interfaces.wg0 = {
ips = [ "${config.my.ips.wg-server}/32" ];
privateKeyFile = config.sops.secrets."vps/home/private".path;
peers = [
{
publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
endpoint = "${config.my.ips.vps}:51820";
allowedIPs = [
"${config.my.ips.wg-vps}/32"
"${config.my.ips.wg-friends}/24" # all friends
];
persistentKeepalive = 25;
}
];
};
};
users.users.jawz.packages = builtins.attrValues { users.users.jawz.packages = builtins.attrValues {
inherit (pkgs) podman-compose; inherit (pkgs) podman-compose;
}; };
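Review bot: `config.services.gitea.settings.server.SSH_PORT`, which the removed `ports` list opened, has no counterpart in `network.firewall.additionalPorts` and is not a `my.servers` port, so gitea's SSH endpoint stops being reachable through the firewall unless it is opened elsewhere; add it back as `config.services.gitea.settings.server.SSH_PORT` inside `additionalPorts` or state in the commit that dropping it is intended. `allowedUDPPorts = config.networking.firewall.allowedTCPPorts;` carries over the old TCP=UDP mirroring and now also covers 80/443 and every enabled service port, most of which speak only TCP; listing the UDP-needing ports explicitly (syncthing's 22000 is the obvious candidate here) would keep the UDP surface to what is actually used. `2049 # idk` opens the well-known NFS port with no owner recorded; either name the service that needs it in the comment or remove the entry. The enclosing module attrset starts before the first hunk of this file.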


@ -0,0 +1,24 @@
{
lib,
config,
name,
subdomain,
port,
serviceConfig ? { },
nginxConfig ? null,
}:
let
cfg = config.my.servers.${name};
setup = import ./setup.nix { inherit lib config; };
in
{
options.my.servers.${name} = setup.mkOptions name subdomain port;
config = lib.mkIf cfg.enable {
services = serviceConfig // {
nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (
if nginxConfig != null then nginxConfig cfg else setup.proxyReverseFix cfg
);
};
};
}
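Review bot: `services = serviceConfig // { nginx.virtualHosts.… }` is a shallow attrset update, so any `nginx` attribute a caller passes inside `serviceConfig` (a second virtual host, nginx settings) is replaced wholesale by the proxy definition rather than merged. Letting the module system merge the two, `services = lib.mkMerge [ serviceConfig { nginx.virtualHosts."${cfg.host}" = …; } ];`, keeps both. A short header comment stating what the factory expects — that `nginxConfig`, when given, is a function of `cfg` returning a virtualHost definition, and that `serviceConfig` is a plain attrset rather than a function of `cfg` — would save callers reading the body. `setup.mkOptions` and `setup.proxyReverseFix` live in setup.nix outside this commit, so the option set behind `cfg.host` and `cfg.enableProxy` cannot be checked here.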


@ -15,7 +15,12 @@ let
config.my.servers.drpp.enable config.my.servers.drpp.enable
config.my.servers.plex-discord-bot.enable config.my.servers.plex-discord-bot.enable
]; ];
filterNames = file: file != "base.nix" && file != "setup.nix" && file != "librewolf.nix"; filterNames =
file:
file != "base.nix"
&& file != "setup.nix"
&& file != "librewolf.nix"
&& file != "server-factory.nix";
autoImport = autoImport =
dir: dir:
builtins.readDir ./${dir} builtins.readDir ./${dir}
@ -34,6 +39,7 @@ in
++ [ ++ [
./nix/build.nix ./nix/build.nix
./users/nixremote.nix ./users/nixremote.nix
./network/firewall.nix
]; ];
options.my = { options.my = {
localhost = lib.mkOption { localhost = lib.mkOption {


@ -0,0 +1,32 @@
{ lib, config, ... }:
{
options.my.network.firewall = {
enabledServicePorts = lib.mkEnableOption "auto-open ports for enabled services";
staticPorts = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = [ ];
description = "Static ports to always open";
};
additionalPorts = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = [ ];
description = "Additional ports to open (like syncthing, gitea, etc.)";
};
};
config = lib.mkIf config.my.network.firewall.enabledServicePorts {
networking.firewall.allowedTCPPorts =
config.my.network.firewall.staticPorts
++ config.my.network.firewall.additionalPorts
++ (
config.my.servers
|> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port))
|> lib.attrValues
|> map (srv: srv.port)
)
++ (lib.optionals config.services.nginx.enable [
80
443
]);
};
}
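Review bot: The whole `config` block sits under `lib.mkIf config.my.network.firewall.enabledServicePorts`, so `staticPorts` (described as "Static ports to always open") and `additionalPorts` are silently ignored whenever that flag is off, and the host in this commit only gets its 2049/8384/22000/3452/8448 rules because it also sets `enabledServicePorts = true`. Gating only the service-derived part keeps the descriptions honest: `config = {` for the block, and `++ (lib.optionals config.my.network.firewall.enabledServicePorts (` around the `config.my.servers` pipeline, closed with `))`. Both port options could use `lib.types.port` instead of `lib.types.int` so out-of-range values are rejected at evaluation time. Opening 80/443 whenever `services.nginx.enable` is set applies to any host running nginx, not only public-facing ones, and deserves a one-line comment such as `# nginx does not open its own ports; every nginx host here is assumed to serve externally`.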


@ -14,19 +14,19 @@
]; ];
description = "List of supported nix build features for this system"; description = "List of supported nix build features for this system";
}; };
buildMachines = lib.mkOption { buildMachines = lib.mkOption {
type = lib.types.listOf lib.types.attrs; type = lib.types.listOf lib.types.attrs;
default = []; default = [ ];
description = "List of remote build machines configuration"; description = "List of remote build machines configuration";
}; };
cores = lib.mkOption { cores = lib.mkOption {
type = lib.types.nullOr lib.types.int; type = lib.types.nullOr lib.types.int;
default = null; default = null;
description = "Number of cores to use for builds (null = auto-detect)"; description = "Number of cores to use for builds (null = auto-detect)";
}; };
maxJobs = lib.mkOption { maxJobs = lib.mkOption {
type = lib.types.nullOr lib.types.int; type = lib.types.nullOr lib.types.int;
default = null; default = null;
@ -46,8 +46,7 @@
max-jobs = config.my.nix.maxJobs; max-jobs = config.my.nix.maxJobs;
}) })
]; ];
nix.buildMachines = lib.mkIf (config.my.nix.buildMachines != []) nix.buildMachines = lib.mkIf (config.my.nix.buildMachines != [ ]) config.my.nix.buildMachines;
config.my.nix.buildMachines;
}; };
} }


@ -2,7 +2,7 @@
{ {
options.my.users.nixremote = { options.my.users.nixremote = {
enable = lib.mkEnableOption "nixremote user for distributed builds"; enable = lib.mkEnableOption "nixremote user for distributed builds";
authorizedKeys = lib.mkOption { authorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.path; type = lib.types.listOf lib.types.path;
default = [ default = [
@ -12,13 +12,13 @@
]; ];
description = "List of SSH public key files to authorize for nixremote user"; description = "List of SSH public key files to authorize for nixremote user";
}; };
gid = lib.mkOption { gid = lib.mkOption {
type = lib.types.int; type = lib.types.int;
default = 555; default = 555;
description = "Group ID for the nixremote group"; description = "Group ID for the nixremote group";
}; };
home = lib.mkOption { home = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "/var/nixremote/"; default = "/var/nixremote/";
@ -38,4 +38,4 @@
}; };
}; };
}; };
} }