set up birbs website

This commit is contained in:
CDaut 2025-11-24 18:27:08 +01:00
parent 75212dff9c
commit 56c3c4c479
Signed by: clara
GPG key ID: 223391B52FAD4463
8 changed files with 194 additions and 72 deletions


@ -22,6 +22,7 @@
sudo
mtr
nettools
tcpdump
];
# because getting a nix shell is super annoying otherwise


@ -0,0 +1,24 @@
{ lib, pkgs, config, ... }: {
deployment = {
targetHost = "10.10.0.5";
targetPort = 22;
targetUser = "root";
tags = [ "cube" ];
};
networking = {
hostName = "farewellbird";
interfaces.eth0 = {
ipAddress = "10.10.0.5";
prefixLength = 32;
};
defaultGateway = {
address = "10.10.0.254";
interface = "eth0";
};
};
imports = [
../../container_config.nix
../../services/farewellbird.nix
];
}
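Review bot: `interfaces.eth0 = { ipAddress = ...; prefixLength = ...; }` uses the legacy per-interface address options, while the server config touched by this same commit uses the `interfaces.eth0.ipv4.addresses = [ { address = ...; prefixLength = ...; } ]` form; the legacy options have been deprecated for a long time and, depending on the nixpkgs revision pinned here, may no longer evaluate at all. Rewriting it as `interfaces.eth0.ipv4.addresses = [ { address = "10.10.0.5"; prefixLength = 32; } ];` keeps both hosts on one form. A /32 address combined with `defaultGateway.address = "10.10.0.254"` appears to rely on NixOS installing a device route to the gateway before the default route; a comment such as `# /32 on purpose: the gateway is reached via the on-link route NixOS adds for defaultGateway` would stop the next reader from "fixing" the prefix. `targetUser = "root"` makes the deploy key a root credential for this container; if the deployer already has a sudo-capable account, deploying as that user is the lower-privilege option — whether one exists is not visible here.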


@ -0,0 +1,45 @@
{ lib, pkgs, config, inputs, ... }:
let
repoDir = "/var/www/site";
in
{
services.nginx =
{
enable = true;
virtualHosts =
{
"farewellbird.de" = {
locations."/" = {
root = repoDir;
};
};
};
};
systemd.timers."clone-repo" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10s";
OnUnitActiveSec = "5m";
Unit = "clone-repo.service";
};
};
systemd.services."clone-repo" = {
script = ''
set -eu
if test -d ${repoDir}; then
cd ${repoDir}
${pkgs.git}/bin/git pull
else
mkdir mkdir -p $(dirname ${repoDir})
${pkgs.git}/bin/git clone -b pages https://codeberg.org/YourLocalFops/farewellbird.git ${repoDir}
fi
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
}
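Review bot: The nginx `root` is a live git checkout, so the `.git` directory under `${repoDir}` is served to anyone requesting `/.git/`; the repository is public on Codeberg, but this still hands out the local reflog and config and turns the vhost into a clone source — block it with `locations."/.git".return = "404";` beside `locations."/"`, or serve a `git archive` export instead of the checkout itself. `mkdir mkdir -p $(dirname ${repoDir})` in the clone branch has a duplicated word: with GNU mkdir the `-p` applies to both operands, so it silently creates a stray `mkdir` directory in the unit's working directory (`/` for a system service) in addition to `/var/www`; it should read `mkdir -p $(dirname ${repoDir})`. The timer runs `git pull` as `User = "root"` every five minutes against a remote repository, which needs no privilege at all; a dedicated user that owns `/var/www/site` (and that nginx can read) would limit the impact of a git client bug or a compromised upstream. `git pull` without `--ff-only` will also wedge the unit the first time the `pages` branch is force-pushed; `git pull --ff-only`, or `git fetch origin pages && git reset --hard origin/pages`, makes the unattended refresh safe.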


@ -17,6 +17,13 @@
";
};
};
"farewellbird.de" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://10.10.0.5";
};
};
};
};
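Review bot: `proxyPass = "http://10.10.0.5"` forwards over plain HTTP to the container, which is acceptable on the internal 10.10.0.0/16 if that network is trusted, but the new location sets no proxy headers; unless `recommendedProxySettings = true` is enabled elsewhere in this file (outside the hunk), the backend receives `Host: 10.10.0.5` and sees only the proxy's address, so the container's `farewellbird.de` server block is matched only because it appears to be the sole vhost there and its access log will record the proxy for every client. Add `recommendedProxySettings = true;` under `services.nginx` (or `extraConfig = "proxy_set_header Host $host;";` in this location) so Host and X-Forwarded-For reach the backend.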


@ -22,18 +22,50 @@ in {
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
# Open ports in the firewall
firewall = {
rejectPackets = true;
trustedInterfaces = [ "wg0" ];
trustedInterfaces = [ "wgbr" "wg0" ];
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 wg_port ];
};
interfaces.wgbr.ipv4 = {
routes = [ ];
addresses = [
{
address = "10.8.2.1";
prefixLength = 24;
}
];
};
defaultGateway = {
address = "10.10.0.254";
interface = "eth0";
};
interfaces.eth0.ipv4 = {
routes = [
{
address = "10.10.0.0";
prefixLength = 16;
via = "10.10.0.254";
}
];
addresses = [
{
address = "10.10.0.4";
prefixLength = 24;
}
];
};
wg-quick.interfaces = {
wg0 = {
# Determines the IP address and subnet of the client's end of the tunnel interface.
address = [ "10.8.0.1/16" ];
address = [ "10.8.0.1/24" ];
listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file (see sops).
@ -43,13 +75,13 @@ in {
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.1.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.1.1/24 -o wgbr -j MASQUERADE
'';
# Undo the above
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.1.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.1.1/24 -o wgbr -j MASQUERADE
'';
peers = [
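Review bot: The MASQUERADE rules in `postUp`/`preDown` still match `-s 10.8.1.1/24` (i.e. 10.8.1.0/24), but this commit narrows wg0 from `10.8.0.1/16` to `10.8.0.1/24`, so peers numbered from 10.8.0.0/24 are covered by neither NAT rule and their traffic would leave eth0 or wgbr with its tunnel source address; unless the peers (listed after this hunk) are deliberately allocated in 10.8.1.x, the source should be `-s 10.8.0.0/24` in all four rules, ideally derived from one `let` binding shared with `address`. Adding `"wgbr"` to `firewall.trustedInterfaces` disables all input filtering for anything attached to that bridge, and `-A FORWARD -i wg0 -j ACCEPT` already lets every VPN peer reach wgbr and the 10.10.0.0/16 network behind eth0; if the bridge will host anything less trusted than the VPN peers, prefer `interfaces.wgbr.allowedTCPPorts`/`allowedUDPPorts` over trusting the whole interface. The `peers` list begins on the last line of this hunk and continues outside it.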