From bcff4d2cbeef292be494ad60c2ab68059697f90c Mon Sep 17 00:00:00 2001
From: Toast
Date: Sat, 25 Jan 2025 15:37:45 +0100
Subject: [PATCH 1/5] Server/immich: add too rust-motd service status
---
 roles/server/immich.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/server/immich.nix b/roles/server/immich.nix
index e9a2999..5992181 100644
--- a/roles/server/immich.nix
+++ b/roles/server/immich.nix
@@ -21,4 +21,5 @@
 reverse_proxy localhost:2283
 '';
 };
+ programs.rust-motd.settings.service_status."Immich" = "immich-server";
 }
From f8bf8ed7a42b80e01d85f54684644b6c37ca1a49 Mon Sep 17 00:00:00 2001
From: Toast
Date: Mon, 27 Jan 2025 10:55:28 +0100
Subject: [PATCH 2/5] Flake: update lock file
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 5345bb4..96bd81a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -706,11 +706,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1736417093,
- "narHash": "sha256-3MRzAQaYpggkWuhZBofBjDQm02NGhUk1K4LJhf9z4k0=",
+ "lastModified": 1737970846,
+ "narHash": "sha256-+b44nvv+rKiRdABSHGaTLbp9ysRaHE+s/CuUsA9zNac=",
 "ref": "refs/heads/main",
- "rev": "48d048bb2089631e758072561d95b4b7d1130178",
- "revCount": 27,
+ "rev": "d8262fb108d0810d21c5e098b54a105e867e72ce",
+ "revCount": 28,
 "type": "git",
 "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"
 },
From 786e3967e3164ea90e417fda982ef39564b7926c Mon Sep 17 00:00:00 2001
From: Toast
Date: Mon, 27 Jan 2025 10:59:00 +0100
Subject: [PATCH 3/5] Server: add school container
This container is for hosting things that I need for school I don't trust my code to be secure yet, so that's why it's in a container
---
 roles/server/default.nix | 1 +
 roles/server/school.nix | 110 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)
 create mode 100644 roles/server/school.nix
diff --git a/roles/server/default.nix b/roles/server/default.nix
index 05fa471..701062f 100755
--- a/roles/server/default.nix
+++ b/roles/server/default.nix
@@ -19,5 +19,6 @@
 ./prometheus.nix
 ./changedetection-io.nix
 ./immich.nix
+ ./school.nix
 ];
 }
diff --git a/roles/server/school.nix b/roles/server/school.nix
new file mode 100644
index 0000000..bd8ca21
--- /dev/null
+++ b/roles/server/school.nix
@@ -0,0 +1,110 @@
+{
+ flakeSelf,
+ config,
+ ...
+}: let
+ hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
+in {
+ networking.nat = {
+ enable = true;
+ internalInterfaces = ["ve-+"];
+ externalInterface = "eno1";
+ };
+
+ age.secrets.mongodb-uri = {
+ file = hostSecrets + "mongodb-uri.age";
+ };
+
+ containers.school = {
+ autoStart = true;
+ privateNetwork = true;
+ ephemeral = true;
+ hostAddress = "192.168.100.10";
+ localAddress = "192.168.100.11";
+ specialArgs = {
+ showsApi = flakeSelf.inputs.shows-api;
+ };
+ bindMounts = {
+ secret = {
+ mountPoint = "/mongodb.env";
+ isReadOnly = true;
+ hostPath = config.age.secrets.mongodb-uri.path;
+ };
+ };
+ config = {
+ config,
+ pkgs,
+ lib,
+ showsApi,
+ ...
+ }: {
+ environment.systemPackages = [pkgs.htop];
+
+ users.users.shows = {
+ name = "shows";
+ group = "shows";
+ isSystemUser = true;
+ };
+ users.groups.shows = {};
+
+ systemd.services = let
+ commonServiceConfig = {
+ Type = "simple";
+ Restart = "on-failure";
+ RestartSec = 3;
+
+ # Hardening
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ in {
+ shows-api = {
+ description = "NestJS API to store info about shows on a MongoDB database";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ serviceConfig =
+ commonServiceConfig
+ // {
+ ExecStart = lib.getExe showsApi.packages.x86_64-linux.default;
+ StateDirectory = ["shows-api"];
+ RuntimeDirectory = ["shows-api"];
+ User = "shows";
+ Group = "shows";
+ EnvironmentFile = "/mongodb.env";
+ };
+ };
+ };
+
+ 
networking = {
+ firewall.allowedTCPPorts = [3000];
+
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ system.stateVersion = "24.11";
+ };
+ };
+}
From 8a700174b1ce1c1da24262f05845d116bc14ceac Mon Sep 17 00:00:00 2001
From: Toast
Date: Mon, 27 Jan 2025 11:17:09 +0100
Subject: [PATCH 4/5] Flake: add shows-api input
---
 flake.lock | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 flake.nix | 2 ++
 2 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/flake.lock b/flake.lock
index 96bd81a..4a15203 100644
--- a/flake.lock
+++ b/flake.lock
@@ -613,6 +613,18 @@
 "type": "github"
 }
 },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 0,
+ "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
+ "path": "/nix/store/l9nb64iii15y0nr37qrs1cfm6rlpg6gh-source",
+ "type": "path"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
 "nur": {
 "inputs": {
 "flake-parts": "flake-parts",
@@ -700,7 +712,8 @@
 "nixpkgs-unstable-raw": "nixpkgs-unstable-raw",
 "nur": "nur",
 "plasma-manager": "plasma-manager",
- "secrets": "secrets"
+ "secrets": "secrets",
+ "shows-api": "shows-api"
 }
 },
 "secrets": {
@@ -719,6 +732,25 @@
 "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets"
 }
 },
+ "shows-api": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_3",
+ "utils": "utils"
+ },
+ "locked": {
+ "lastModified": 1737914989,
+ "narHash": "sha256-9rOs5bFZ3BQb3SgGn0dF3fCdVQZ0Zdr9nj2LhO+t5uc=",
+ "ref": "refs/heads/main",
+ "rev": "be97a926ce75b9fbe278e4ba519e9273c238316c",
+ "revCount": 13,
+ "type": "git",
+ "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/shows-api.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "ssh://forgejo@git.everest.tailscale:4222/Toast/shows-api.git"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
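Review bot: `commonServiceConfig` leaves the filesystem and syscall surface open: the service runs with `CapabilityBoundingSet = ""`, but nothing restricts writes outside `StateDirectory`/`RuntimeDirectory` or filters system calls. Adding `ProtectSystem = "strict";`, `SystemCallFilter = ["@system-service"];` and `SystemCallArchitectures = "native";` to the shared block would close that gap; the two directories stay writable under `ProtectSystem=strict`, and `/mongodb.env` is read by the service manager before privileges are dropped, so neither should break the `shows` user. The commit message relies on `containers.school` as the safety net for untrusted code, so a comment above it that a NixOS container shares the host kernel and is documented as not fully isolated from the host would keep that assumption visible; the systemd hardening is what actually limits the blast radius. `ephemeral = true` together with `StateDirectory = ["shows-api"]` also means anything the API writes under `/var/lib/shows-api` is discarded on each container restart — presumably intended since state lives in MongoDB, but worth confirming.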
@@ -779,6 +811,21 @@
 "type": "github"
 }
 },
+ "systems_5": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "treefmt-nix": {
 "inputs": {
 "nixpkgs": [
@@ -799,6 +846,24 @@
 "repo": "treefmt-nix",
 "type": "github"
 }
+ },
+ "utils": {
+ "inputs": {
+ "systems": "systems_5"
+ },
+ "locked": {
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index bc6be42..92cad5f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -88,6 +88,8 @@
 url = "github:catppuccin/konsole";
 flake = false;
 };
+
+ shows-api.url = "git+ssh://forgejo@git.everest.tailscale:4222/Toast/shows-api.git";
 };
 outputs = {...} @ inputs:
From ac36661d4e7808a6e07cfa8e46a5bfb68c6c519b Mon Sep 17 00:00:00 2001
From: Toast
Date: Mon, 27 Jan 2025 13:29:31 +0100
Subject: [PATCH 5/5] Server/school: add dns record and caddy reverse proxy
---
 roles/server/school.nix | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/roles/server/school.nix b/roles/server/school.nix
index bd8ca21..e255c1f 100644
--- a/roles/server/school.nix
+++ b/roles/server/school.nix
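Review bot: The new `shows-api` input brings its own nixpkgs, and the matching lock entry `nixpkgs_3` in this patch records it as `"type": "path"` pointing at a `/nix/store/...-source` path with `"lastModified": 0`, which other machines cannot fetch and which is pinned to no upstream revision. Making it follow this flake's own nixpkgs fixes both and avoids a second nixpkgs evaluation: `shows-api.inputs.nixpkgs.follows = "<root nixpkgs input name>";` next to the new `shows-api.url` line, then re-lock. Its `utils` input could follow an existing `flake-utils` input the same way if this flake has one. The enclosing `inputs` attribute set starts outside the hunk.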
@@ -107,4 +107,32 @@ in {
 system.stateVersion = "24.11";
 };
 };
+ services = {
+ headscale.settings.dns.extra_records = [
+ {
+ name = "shows.everest.tailscale";
+ type = "A";
+ value = "100.100.0.1";
+ }
+ ];
+ caddy.virtualHosts.shows= {
+ hostName = "shows.everest.tailscale";
+ extraConfig = ''
+ import tailscale
+ handle {
+ respond "Ionic app goes here"
+ }
+
+ redir /admin /admin/
+ handle_path /admin/* {
+ respond "Angular admin panel goes here"
+ }
+
+ redir /api /api/
+ handle_path /api/* {
+ reverse_proxy ${config.containers.school.localAddress}:3000
+ }
+ '';
+ };
+ };
 }
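Review bot: `handle_path /api/*` strips the `/api` prefix before `reverse_proxy` forwards to the container, so the NestJS service sees `/foo` for a request to `/api/foo`; if its routes are mounted under `/api` (a global prefix is common) every call will 404, and `handle /api/* {` would be the directive to use instead — confirm against the app. Access control for all three handlers rests entirely on the imported `tailscale` snippet, which is defined elsewhere, so a comment stating what it enforces (e.g. `# 'tailscale' snippet: restricts this vhost to tailnet clients`) above `import tailscale` would keep that trust assumption visible next to the proxy line. Style: `caddy.virtualHosts.shows= {` is missing the space before `=` that every other binding in the file has. The enclosing module attribute set `in { ... }` starts outside the hunk.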