Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/yellow/config.nix9
-rw-r--r--lass/2configs/gg23.nix24
-rw-r--r--lass/2configs/riot.nix14
-rw-r--r--lass/3modules/sync-containers3.nix30
4 files changed, 59 insertions, 18 deletions
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index 06561e9cf..73d7f3780 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -40,6 +40,7 @@ in {
security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL;
+ security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL;
services.nginx = {
enable = true;
package = pkgs.nginx.override {
@@ -152,6 +153,14 @@ in {
proxy_set_header Accept-Encoding "";
'';
};
+ virtualHosts."transmission.r" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:9091/;
+ proxy_set_header Accept-Encoding "";
+ '';
+ };
virtualHosts."radar.r" = {
enableACME = true;
addSSL = true;
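Review bot: The new `virtualHosts."transmission.r"` publishes the Transmission web UI and RPC endpoint on port 9091 over TLS, and nothing in this hunk restricts who can reach it; if Transmission's own RPC authentication is what protects it, that dependency is not visible here. A comment above the vhost such as `# exposes transmission RPC; relies on transmission's rpc-authentication-required setting` would make the assumption explicit, or a `basicAuth` entry on the location would enforce access control at the proxy regardless of the backend's configuration. The enclosing `services.nginx` attribute set starts and ends outside the hunk.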
diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix
index 51db9a40a..1af2fa226 100644
--- a/lass/2configs/gg23.nix
+++ b/lass/2configs/gg23.nix
@@ -2,9 +2,11 @@
with import <stockholm/lib>;
{
+ # ipv6 from vodafone is really really flaky
+ boot.kernel.sysctl."net.ipv6.conf.et0.disable_ipv6" = 1;
systemd.network.networks."50-et0" = {
matchConfig.Name = "et0";
- DHCP = "yes";
+ DHCP = "ipv4";
# dhcpV4Config.UseDNS = false;
# dhcpV6Config.UseDNS = false;
linkConfig = {
@@ -23,14 +25,15 @@ with import <stockholm/lib>;
# Managed = true;
# };
};
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
systemd.network.networks."50-int0" = {
name = "int0";
address = [
"10.42.0.1/24"
];
networkConfig = {
- IPForward = "yes";
- IPMasquerade = "both";
+ # IPForward = "yes";
+ # IPMasquerade = "both";
ConfigureWithoutCarrier = true;
DHCPServer = "yes";
# IPv6SendRA = "yes";
@@ -49,9 +52,16 @@ with import <stockholm/lib>;
krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
{ v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; }
];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 10.42.0.0/24"; target = "MASQUERADE"; }
+ ];
networking.domain = "gg23";
+ networking.useHostResolvConf = false;
+ services.resolved.extraConfig = ''
+ DNSStubListener=no
+ '';
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
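Review bot: The added POSTROUTING rule masquerades every packet sourced from 10.42.0.0/24 regardless of the outgoing interface, so traffic from int0 clients towards any other local interface on this host is rewritten as well; constraining it to the uplink, e.g. `{ v6 = false; predicate = "-s 10.42.0.0/24 -o et0"; target = "MASQUERADE"; }`, keeps the NAT where it is intended. The same unqualified shape appears in the last hunk of sync-containers3.nix for 10.233.0.0/24. Whether this host has further interfaces is not visible here, so the current rule may be adequate in practice, but the interface qualifier costs nothing.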
@@ -64,4 +74,12 @@ with import <stockholm/lib>;
interface=int0
'';
};
+
+ environment.systemPackages = [
+ (pkgs.writers.writeDashBin "restart_router" ''
+ ${pkgs.mosquitto}/bin/mosquitto_pub -h localhost -t 'cmnd/router/POWER' -u gg23 -P gg23-mqtt -m OFF
+ sleep 2
+ ${pkgs.mosquitto}/bin/mosquitto_pub -h localhost -t 'cmnd/router/POWER' -u gg23 -P gg23-mqtt -m ON
+ '')
+ ];
}
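Review bot: `restart_router` embeds the MQTT username and password (`-u gg23 -P gg23-mqtt`) in a script built with writeDashBin, so the credential is stored world-readable in the Nix store on every machine that evaluates this config and is additionally visible in the process list during each mosquitto_pub call. Keeping the secret outside the store and reading it at runtime avoids the first exposure, e.g. `-P "$(cat <MQTT_PASSWORD_FILE>)"` with a root-readable file (the path is a placeholder); the argv exposure remains unless mosquitto_pub is given the credential through another channel. A one-line comment above the wrapper stating that it power-cycles the router by publishing to `cmnd/router/POWER` would also help the next reader, since the name alone does not say how the restart happens.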
diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix
index 559e7b20d..6aacec5b6 100644
--- a/lass/2configs/riot.nix
+++ b/lass/2configs/riot.nix
@@ -31,27 +31,31 @@
privateNetwork = true;
hostAddress = "10.233.1.1";
localAddress = "10.233.1.2";
- forwardPorts = [
- { hostPort = 45622; containerPort = 22; }
- ];
};
systemd.network.networks."50-ve-riot" = {
matchConfig.Name = "ve-riot";
networkConfig = {
- IPForward = "yes";
# weirdly we have to use POSTROUTING MASQUERADE here
+ # and set ip_forward manually
+ # IPForward = "yes";
# IPMasquerade = "both";
LinkLocalAddressing = "no";
KeepConfiguration = "static";
};
};
- # networking.nat can be used instead of this
+ boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
+
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; }
];
+
+ # networking.nat can be used instead of this
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { predicate = "-p tcp --dport 45622"; target = "DNAT --to-destination ${config.containers.riot.localAddress}:22"; v6 = false; }
+ ];
krebs.iptables.tables.filter.FORWARD.rules = [
{ predicate = "-i ve-riot"; target = "ACCEPT"; }
{ predicate = "-o ve-riot"; target = "ACCEPT"; }
diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix
index 86aa40f03..5188f270d 100644
--- a/lass/3modules/sync-containers3.nix
+++ b/lass/3modules/sync-containers3.nix
@@ -104,9 +104,8 @@ in {
consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
set -efux
if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
- touch "$HOME"/incomplete
- rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk
- rm "$HOME"/incomplete
+ nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 container_sync@${ctr.name}.r:disk "$HOME"/disk
+ rm -f "$HOME"/incomplete
fi
''}
'';
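Review bot: `nice --adjustment=30` requests a niceness above the Linux maximum of 19; the value is presumably clamped, so `--adjustment=19` states what actually happens. Dropping `--inplace` is what makes the removed `incomplete` marker and the consistency check removed in the next hunk unnecessary, because rsync then writes the transfer to a temporary file and renames it on completion, but if `disk` is a single image file this also requires free space for a second copy during every sync; a comment such as `# no --inplace: rsync writes a temp file and renames it, so a partial transfer never replaces disk` would record that reasoning next to the command. The remaining `rm -f "$HOME"/incomplete` only clears markers left behind by runs of the previous version.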
@@ -218,10 +217,6 @@ in {
exit 0
;;
esac
- if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then
- echo 'data is inconistent, start aborted'
- exit 1
- fi
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" ''
set -efu
@@ -230,8 +225,8 @@ in {
mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state
/run/current-system/sw/bin/nixos-container start ${ctr.name}
# wait for system to become reachable for the first time
- retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
systemctl start ${ctr.name}_watcher.service
+ retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
sleep 10
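Review bot: The `while` condition directly under the moved retry line redirects `systemctl is-active` output to `>/devnull`, which creates and appends to a regular file named /devnull in the root filesystem instead of discarding the output; this predates the commit, but since the hunk already touches the adjacent line, `>/dev/null` is a one-character fix worth folding in. The `${ctr.name}-start` script body continues outside the hunk.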
@@ -240,6 +235,13 @@ in {
'';
};
}; }
+ { "container@${ctr.name}" = lib.mkIf ctr.runContainer {
+ serviceConfig = {
+ ExecStop = pkgs.writers.writeDash "remove_interface" ''
+ ${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
+ '';
+ };
+ }; }
]) (lib.attrValues cfg.containers)));
systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" {
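Review bot: The new ExecStop runs `ip link del vb-${ctr.name}` unconditionally; when the interface no longer exists (the container never brought up its network, or it was already removed), the command fails and systemd records the stop as failed. Prefixing the command with systemd's ignore-failure marker, `ExecStop = "-${pkgs.writers.writeDash "remove_interface" ''…''}";`, or appending `|| true` inside the script, keeps stop clean in that case. How this interacts with any ExecStop the NixOS container unit itself defines is not visible here and is worth confirming.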
@@ -280,14 +282,19 @@ in {
})
(lib.mkIf (cfg.containers != {}) {
# networking
+
+ # needed because otherwise we lose local dns
+ environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1;
systemd.network.networks.ctr0 = {
name = "ctr0";
address = [
"10.233.0.1/24"
];
networkConfig = {
- IPForward = "yes";
- IPMasquerade = "both";
+ # IPForward = "yes";
+ # IPMasquerade = "both";
ConfigureWithoutCarrier = true;
DHCPServer = "yes";
};
@@ -304,6 +311,9 @@ in {
{ predicate = "-i ctr0"; target = "ACCEPT"; }
{ predicate = "-o ctr0"; target = "ACCEPT"; }
];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; }
+ ];
})
(lib.mkIf cfg.inContainer.enable {
users.groups.container_sync = {};