diff --git a/modules/server/containers/default.nix b/modules/server/containers/default.nix
index 97cbb9c..4e23799 100644
--- a/modules/server/containers/default.nix
+++ b/modules/server/containers/default.nix
@@ -4,7 +4,7 @@ let
 builder = import ./builder.nix { inherit config lib serverCfg; };
 enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers;
 containerSetsList = lib.mapAttrsToList (name: containerCfg:
- let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg builder;};
+ let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg builder name;};
 in{
 containers = lib.mapAttrs' (cName: cValue: lib.nameValuePair "${name}-${cName}" cValue
diff --git a/modules/server/containers/defs/authentik.nix b/modules/server/containers/defs/authentik.nix
index a1b30ce..365865c 100644
--- a/modules/server/containers/defs/authentik.nix
+++ b/modules/server/containers/defs/authentik.nix
@@ -1,4 +1,4 @@
-{ config, containerCfg, pkgs, lib, builder, ... }:
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
 let
 version = "2026.2.2";
 serverCfg = config.syscfg.server;
@@ -19,7 +19,7 @@ in {
 image = "ghcr.io/goauthentik/server:${version}";
 port = containerCfg.port;
 ip = containerCfg.ip;
- secret = "authentik";
+ secret = name;
 extraEnv = {
 "AUTHENTIK_REDIS__HOST" = builder.host;
 "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
diff --git a/modules/server/containers/defs/collabora.nix b/modules/server/containers/defs/collabora.nix
index 9403181..1ba42f2 100644
--- a/modules/server/containers/defs/collabora.nix
+++ b/modules/server/containers/defs/collabora.nix
@@ -1,4 +1,4 @@
-{ config, containerCfg, pkgs, lib, builder, ... }:
+{ config, containerCfg, pkgs, lib, builder, name, ... }:
 let
 version = "latest";
 serverCfg = config.syscfg.server;
@@ -9,7 +9,7 @@ in {
 image = "collabora/code:${version}";
 port = containerCfg.port;
 ip = containerCfg.ip;
- secret = "collabora";
+ secret = name;
 extraEnv = {
 "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
 "server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
diff --git a/modules/server/containers/defs/etherpad.nix b/modules/server/containers/defs/etherpad.nix
index acc1e7d..fccc84d 100644
--- a/modules/server/containers/defs/etherpad.nix
+++ b/modules/server/containers/defs/etherpad.nix
@@ -1,4 +1,4 @@
-{ config, containerCfg, pkgs, lib, builder, ... }:
+{ config, containerCfg, pkgs, lib, builder, name,... }:
 let
 version = "latest";
 serverCfg = config.syscfg.server;
@@ -20,7 +20,7 @@ in {
 image = "etherpad/etherpad:${version}";
 port = containerCfg.port;
 ip = containerCfg.ip;
- secret = "etherpad";
+ secret = name;
 extraEnv = {
 NODE_ENV = "production";
 TITLE = "Pad";
diff --git a/modules/server/containers/defs/nextcloud.nix b/modules/server/containers/defs/nextcloud.nix
index 94ec562..5e742bc 100644
--- a/modules/server/containers/defs/nextcloud.nix
+++ b/modules/server/containers/defs/nextcloud.nix
@@ -1,4 +1,4 @@
-{ config, containerCfg, pkgs, lib, builder, ... }:
+{ config, containerCfg, pkgs, lib, builder, name,... }:
 let
 version = "27";
 serverCfg = config.syscfg.server;
@@ -20,7 +20,7 @@ in {
 image = "nextcloud:${version}";
 port = containerCfg.port;
 ip = containerCfg.ip;
- secret = "nextcloud";
+ secret = name;
 extraEnv = {
 REDIS_HOST = builder.host;
 POSTGRES_HOST = builder.host;
diff --git a/modules/server/containers/defs/traefik.nix b/modules/server/containers/defs/traefik.nix
index 68a208a..cb544ae 100644
--- a/modules/server/containers/defs/traefik.nix
+++ b/modules/server/containers/defs/traefik.nix
@@ -1,4 +1,4 @@
-{ config, containerCfg, pkgs, lib, builder, ... }:
+{ config, containerCfg, pkgs, lib, builder, name,... }:
 let
 version = "2026.2.2";
 serverCfg = config.syscfg.server;
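Review bot: The new argument set in etherpad.nix writes `name,...` without a space before the ellipsis, and the nextcloud.nix and traefik.nix hunks below do the same, while authentik.nix and collabora.nix write `name, ...`. Nix accepts both, but the five def files should share one form; `{ config, containerCfg, pkgs, lib, builder, name, ... }:` matches the existing style.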
@@ -19,8 +19,9 @@ in {
 image = "traefik:${version}";
 port = containerCfg.port;
 ip = containerCfg.ip;
+ secret = name;
 extraEnv = {
- "INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
+ config.sops.secrets.INFOMANIAK_API_KEY.path
 };
 overrides = {
 cmd = [
diff --git a/modules/server/default.nix b/modules/server/default.nix
index d7010aa..997ca33 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,3 +1,3 @@
 { config, pkgs, lib, ... }:{
- imports = [ ./containers ./database ./nftables ./nginx ./openssh ./sops ];
+ imports = [ ./containers ./database ./nftables ./openssh ./sops ];
 }
diff --git a/modules/server/nftables/default.nix b/modules/server/nftables/default.nix
index 2fafad5..ec69152 100644
--- a/modules/server/nftables/default.nix
+++ b/modules/server/nftables/default.nix
@@ -1,7 +1,8 @@
 { config, lib, ... }:
 let
 cfg = config.syscfg.server;
-in{
+in {
+ config = mkIf (cfg.ipfw.enable) {
 boot.kernel.sysctl = {
 "net.ipv4.ip_forward" = 1;
 "net.ipv6.conf.all.forwarding" = 1;
@@ -9,7 +10,6 @@ in{
 networking.nftables.enable = true;
 networking.nftables.ruleset = ''
- ${if cfg.nftables.enable then ''
 table inet nat {
 chain prerouting {
 type nat hook prerouting priority dstnat; policy accept;
@@ -28,13 +28,14 @@ in{
 iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
 iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
 ''
- ) config.syscfg.server.nftables.ports}
+ ) cfg.ipfw.ports}
 }
 chain postrouting {
 type nat hook postrouting priority srcnat; policy accept;
- oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
+ oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
 }
- }'' else ""}
+ }
 '';
+ };
 }
\ No newline at end of file
diff --git a/modules/server/sops/default.nix b/modules/server/sops/default.nix
index ce7cfb6..73f2656 100644
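Review bot: The added line `config.sops.secrets.INFOMANIAK_API_KEY.path` inside `extraEnv = { … }` is not a valid attribute-set binding — Nix requires `name = value;` — so traefik.nix no longer evaluates, and the secret path is no longer exported under any environment variable name. If the intent is to stop passing it through the environment now that `secret = name;` is set, delete the line; otherwise restore `"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;`. Either way the value is the host-side path of the decrypted file, not the token itself, so the container only sees it if the builder mounts that path in, which is outside this diff. `secret = name;` also presumes a `TRAEFIK` secret exists, but modules/server/sops/default.nix only generates entries for containers with `db` or `sops` set, and traefik's container entry is not in this diff.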
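Review bot: `config = mkIf (cfg.ipfw.enable) {` uses `mkIf` unqualified, but the module binds only `{ config, lib, ... }` and no `with lib;` is visible, so evaluation should fail with an undefined variable unless one exists above the hunk. Write `config = lib.mkIf (cfg.ipfw.enable) {`, matching how modules/server/sops/default.nix spells it. The matching `};` is added in the third hunk of this file.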
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
@@ -5,7 +5,6 @@ let
 (lib.filterAttrs (name: cfg: cfg.db or cfg.sops or false) config.syscfg.server.containers);
 allApps = lib.unique (listNames ++ containerNames);
 in{
- config = lib.mkIf (config.syscfg.server.sops) {
 sops.secrets = {
 INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
 } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
@@ -13,5 +12,4 @@ in{
 mode = "0644";
 sopsFile = ./server.yaml;
 }));
- };
 }
diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix
index 1d513f3..fbcafe2 100644
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -82,18 +82,9 @@ let
 };
 serverOpt = with lib; {
 hostDomain = mkOption { type = types.str; };
- shortName = mkOption { type = types.str; };
 mailDomain = mkOption { type = types.str; };
 mailServer = mkOption { type = types.str; };
- dbHost = mkOption {
- type = types.str;
- default = "localhost";
- };
- dbPort = mkOption {
- type = types.str;
- default = "3306";
- };
 configPath = mkOption {
 type = types.str;
 default = "/media/config";
@@ -117,10 +108,6 @@ let
 });
 default = {};
 };
- sops = mkOption {
- type = types.bool;
- default = false;
- };
 openssh = mkOption {
 type = types.bool;
 default = false;
@@ -133,7 +120,7 @@ let
 type = types.bool;
 default = false;
 };
- nftables = {
+ ipfw = {
 enable = mkOption {
 type = types.bool;
 default = false;
diff --git a/systems/gateway/cfg.nix b/systems/gateway/cfg.nix
index b7575cb..e3107b2 100644
--- a/systems/gateway/cfg.nix
+++ b/systems/gateway/cfg.nix
@@ -29,7 +29,7 @@
 openssh = true;
 wireguard = true;
 web = true;
- nftables = {
+ ipfw = {
 enable = true;
 ifs = ["ens3" "wg0" ];
 ports = [
diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix
index 9f2a580..e7e9886 100644
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
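Review bot: With `config = lib.mkIf (config.syscfg.server.sops) {` removed, every host that imports this module now declares `INFOMANIAK_API_KEY` plus one secret per `db`/`sops` container, whether or not that host holds a key able to decrypt `./server.yaml`, so a host without a matching key is likely to fail at secret activation instead of simply skipping them. The generated entries also keep `mode = "0644"` (second hunk), so each decrypted file is world-readable on the host — previously only where `sops = true` had been opted into, now everywhere. If the secrets are only needed on hosts that run containers, `config = lib.mkIf (allApps != []) {` keeps the guard without the removed option; restricting the mode to the consuming service user is worth considering in the same pass. The closing `};` is removed in the second hunk.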
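Review bot: `dbHost` and `dbPort` are dropped from `serverOpt` while `./database` stays in the server imports (modules/server/default.nix hunk); if that module reads `serverCfg.dbHost` or `dbPort`, evaluation now fails with a missing attribute. The database module is not in this diff, so a grep for the two names (and for `shortName`, removed in the same hunk) is worth doing before merging.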
@@ -21,17 +21,12 @@
 server = {
 openssh = true;
 web = true;
- sops = true;
 hostDomain = "test.helcel.net";
- shortName = "testcel";
 mailDomain = "test@helcel";
 mailServer = "infomaniak.ch";
-
- dbHost = "localhost";
 containers = {
- #cloud = {enable = true;};
 authentik = {
 enable = true;
 db = true;
@@ -44,21 +39,18 @@
 enable = true;
 db = true;
 subdomain = "cloud";
- ip = "10.88.0.126";
 port = 80;
 };
 collabora = {
 enable = true;
 sops = true;
 subdomain = "office";
- ip = "10.88.0.127";
 port = 9980;
 };
 etherpad = {
 enable = true;
 db = true;
 subdomain = "pad";
- ip = "10.88.0.128";
 port = 80;
 };
 };
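Review bot: The static `ip` values are removed for nextcloud, collabora and etherpad, yet the defs in this diff still read `ip = containerCfg.ip;`, so this only evaluates if the `containers` submodule gives `ip` a default (or allows null and the builder handles that case). The `containers` option type in modules/shared/syscfg/default.nix is not part of this diff, so that is worth confirming — a missing attribute here fails evaluation of the whole sandbox host.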