From b0bc3b518488d19e266d92b8a4641b520c54967f Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Wed, 5 Mar 2025 11:27:05 +0000
Subject: [PATCH] Add nginx & certbot
Signed-off-by: Nikolaos Karaolidis
---
.../nick/configs/console/podman/default.nix | 26 ++++++
hosts/jupiter/users/nick/default.nix | 2 +
.../storm/configs/console/podman/default.nix | 36 +++++++
.../configs/console/podman/nginx/certbot.sh | 7 ++
.../configs/console/podman/nginx/default.nix | 93 +++++++++++++++++++
.../configs/console/podman/nginx/nginx.conf | 73 +++++++++++++++
hosts/jupiter/users/storm/default.nix | 23 ++++-
7 files changed, 258 insertions(+), 2 deletions(-)
create mode 100644 hosts/jupiter/users/nick/configs/console/podman/default.nix
create mode 100644 hosts/jupiter/users/storm/configs/console/podman/default.nix
create mode 100755 hosts/jupiter/users/storm/configs/console/podman/nginx/certbot.sh
create mode 100644 hosts/jupiter/users/storm/configs/console/podman/nginx/default.nix
create mode 100644 hosts/jupiter/users/storm/configs/console/podman/nginx/nginx.conf
diff --git a/hosts/jupiter/users/nick/configs/console/podman/default.nix b/hosts/jupiter/users/nick/configs/console/podman/default.nix
new file mode 100644
index 0000000..c8b51c9
--- /dev/null
+++ b/hosts/jupiter/users/nick/configs/console/podman/default.nix
@@ -0,0 +1,26 @@
+{
+ user ? throw "user argument is required",
+ home ? throw "home argument is required",
+}:
+{ config, pkgs, ... }:
+let
+ hmConfig = config.home-manager.users.${user};
+in
+{
+ home-manager.users.${user}.sops = {
+ secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+
+ templates."containers-auth.json" = {
+ content = builtins.readFile (
+ (pkgs.formats.json { }).generate "auth.json" {
+ auths = {
+ "docker.io" = {
+ auth = hmConfig.sops.placeholder."registry/docker.io";
+ };
+ };
+ }
+ );
+ path = "${home}/.config/containers/auth.json";
+ };
+ };
+}
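Review bot: The `registry/docker.io` secret and the `containers-auth.json` template in this hunk are repeated verbatim in `hosts/jupiter/users/storm/configs/console/podman/default.nix` later in the same commit; a shared module parameterised on `user`/`home`, like the `common/configs/user/console/*` imports already used, would keep the registry credential handling in one place. The template writes the decrypted registry credential to `${home}/.config/containers/auth.json` without setting a mode or owner, so it relies on whatever sops-nix applies to templates by default. Confirm that default is owner-only and record it on the `path` line, e.g. `# plaintext registry credential; keep the sops-nix template mode owner-only`.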
diff --git a/hosts/jupiter/users/nick/default.nix b/hosts/jupiter/users/nick/default.nix
index 324bbe2..0dd4d7e 100644
--- a/hosts/jupiter/users/nick/default.nix
+++ b/hosts/jupiter/users/nick/default.nix
@@ -31,6 +31,8 @@ in
 (import ../../../common/configs/user/console/wget { inherit user home; })
 (import ../../../common/configs/user/console/xdg { inherit user home; })
 (import ../../../common/configs/user/console/zsh { inherit user home; })
+
+ (import ./configs/console/podman { inherit user home; })
 ];
 
 # echo "password" | mkpasswd -s
diff --git a/hosts/jupiter/users/storm/configs/console/podman/default.nix b/hosts/jupiter/users/storm/configs/console/podman/default.nix
new file mode 100644
index 0000000..fe5787d
--- /dev/null
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -0,0 +1,36 @@
+{
+ user ? throw "user argument is required",
+ home ? throw "home argument is required",
+}:
+{ config, pkgs, ... }:
+let
+ hmConfig = config.home-manager.users.${user};
+in
+{
+ imports = [
+ (import ./nginx { inherit user home; })
+ ];
+
+ home-manager.users.${user} = {
+ virtualisation.quadlet = {
+ autoUpdate.enable = true;
+ };
+
+ sops = {
+ secrets."registry/docker.io".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+
+ templates."containers-auth.json" = {
+ content = builtins.readFile (
+ (pkgs.formats.json { }).generate "auth.json" {
+ auths = {
+ "docker.io" = {
+ auth = hmConfig.sops.placeholder."registry/docker.io";
+ };
+ };
+ }
+ );
+ path = "${home}/.config/containers/auth.json";
+ };
+ };
+ };
+}
diff --git a/hosts/jupiter/users/storm/configs/console/podman/nginx/certbot.sh b/hosts/jupiter/users/storm/configs/console/podman/nginx/certbot.sh
new file mode 100755
index 0000000..6f74084
--- /dev/null
+++ b/hosts/jupiter/users/storm/configs/console/podman/nginx/certbot.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ ! -d "/etc/letsencrypt/live/karaolidis.com" ]; then
+ certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d karaolidis.com -d '*.karaolidis.com' -d krlds.com -d '*.krlds.com' --non-interactive --agree-tos --email nick@karaolidis.com
+else
+ certbot renew --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
+fi
diff --git a/hosts/jupiter/users/storm/configs/console/podman/nginx/default.nix b/hosts/jupiter/users/storm/configs/console/podman/nginx/default.nix
new file mode 100644
index 0000000..5e68614
--- /dev/null
+++ b/hosts/jupiter/users/storm/configs/console/podman/nginx/default.nix
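Review bot: A renewed certificate is never handed to nginx: the `certbot renew` branch has no `--deploy-hook`, and nothing in the accompanying `nginx/default.nix` unit reloads or restarts the nginx container that mounts the same `letsencrypt` volume read-only, so the new leaf sits unused until nginx happens to restart (the server blocks that load it live under `conf.d` and are outside this diff, so the exact reload path is inferred). A small fix is an `ExecStartPost` in the certbot quadlet that restarts the nginx unit, or a `--deploy-hook` touching a marker file that a user path unit watches. Separately, the branch is chosen only by the existence of `live/karaolidis.com`, so adding a `-d` name later will silently keep renewing the old lineage; running one unconditional `certbot certonly ... --keep-until-expiring --expand` (same flags as the first branch) replaces the `if`/`else` and covers first issue, renewal and expansion.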
@@ -0,0 +1,93 @@
+{
+ user ? throw "user argument is required",
+ home ? throw "home argument is required",
+}:
+{ config, pkgs, ... }:
+let
+ hmConfig = config.home-manager.users.${user};
+ inherit (hmConfig.virtualisation.quadlet) networks volumes containers;
+in
+{
+ boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ home-manager.users.${user} = {
+ sops = {
+ secrets."cloudflare/certbot".sopsFile = ../../../../../../../../secrets/personal/secrets.yaml;
+ templates."cloudflare.ini".content = ''
+ dns_cloudflare_api_token = ${hmConfig.sops.placeholder."cloudflare/certbot"}
+ '';
+ };
+
+ virtualisation.quadlet = {
+ networks.nginx.networkConfig = {
+ subnets = [ "10.89.0.0/16" ];
+ gateways = [ "10.89.0.1" ];
+ };
+
+ volumes = {
+ nginx-log.volumeConfig = { };
+ nginx-cache.volumeConfig = { };
+ letsencrypt.volumeConfig = { };
+ };
+
+ containers = {
+ certbot = {
+ containerConfig = {
+ autoUpdate = "registry";
+ image = "docker.io/certbot/dns-cloudflare";
+ volumes = [
+ "${volumes.letsencrypt.ref}:/etc/letsencrypt"
+ "${hmConfig.sops.templates."cloudflare.ini".path}:/etc/letsencrypt/cloudflare.ini:ro"
+ "${./certbot.sh}:/entrypoint.sh:ro"
+ ];
+ entrypoint = "/entrypoint.sh";
+ };
+
+ serviceConfig = {
+ Type = "oneshot";
+ Restart = "on-failure";
+ };
+
+ unitConfig = {
+ Wants = [ "network-online.target" ];
+ After = [
+ "network-online.target"
+ "sops-nix.service"
+ ];
+ };
+ };
+
+ nginx.containerConfig = {
+ autoUpdate = "registry";
+ image = "docker.io/library/nginx:latest";
+ networks = [ networks.nginx.ref ];
+ publishPorts = [
+ "80"
+ "443"
+ ];
+ volumes = [
+ "${./nginx.conf}:/etc/nginx/nginx.conf:ro"
+ "${volumes.nginx-log.ref}:/var/log/nginx"
+ "${volumes.nginx-cache.ref}:/var/run/nginx/cache"
+ "${volumes.letsencrypt.ref}:/etc/letsencrypt:ro"
+ ];
+ };
+ };
+ };
+
+ systemd.user.timers.${containers.certbot._serviceName} = {
+ Timer = {
+ OnBootSec = "5min";
+ OnUnitActiveSec = "12h";
+ Persistent = true;
+ };
+
+ Install.WantedBy = [ "timers.target" ];
+ };
+ };
+}
diff --git a/hosts/jupiter/users/storm/configs/console/podman/nginx/nginx.conf b/hosts/jupiter/users/storm/configs/console/podman/nginx/nginx.conf
new file mode 100644
index 0000000..c195c71
--- /dev/null
+++ b/hosts/jupiter/users/storm/configs/console/podman/nginx/nginx.conf
@@ -0,0 +1,73 @@
+include /etc/nginx/modules/*.conf;
+
+worker_processes auto;
+pcre_jit on;
+error_log stderr;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+
+ resolver 10.89.0.1 valid=30s;
+ server_tokens off;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ client_max_body_size 0;
+ client_body_buffer_size 128k;
+ large_client_header_buffers 4 16k;
+ sendfile on;
+ tcp_nodelay on;
+ tcp_nopush on;
+ keepalive_timeout 30;
+ send_timeout 5m;
+ types_hash_max_size 2048;
+ variables_hash_max_size 2048;
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types
+ text/plain
+ text/css
+ text/javascript
+ text/xml
+ application/json
+ application/x-javascript
+ application/xml
+ application/xml+rss
+ font/eot
+ font/otf
+ font/ttf
+ image/svg+xml;
+ gzip_min_length 256;
+
+ proxy_cache_path /var/run/nginx/cache
+ levels=1:2
+ keys_zone=auth_cache:50m
+ keys_zone=default_cache:100m
+ max_size=10g
+ inactive=60m
+ use_temp_path=off;
+ proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+ proxy_cache_revalidate on;
+ proxy_cache_min_uses 1;
+ proxy_cache_background_update on;
+ proxy_cache_lock on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/hosts/jupiter/users/storm/default.nix b/hosts/jupiter/users/storm/default.nix
index b7fa8f0..bab04ad 100644
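Review bot: `boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 0;` is a host-wide change that lets every unprivileged process on the machine bind any port, including 22 and 53, while the only rootless publish here is 80 and 443; `boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 80;` covers both with a far smaller blast radius. Both images are unpinned (`docker.io/library/nginx:latest` and `docker.io/certbot/dns-cloudflare` with no tag) and carry `autoUpdate = "registry"`, which together with `autoUpdate.enable = true` in the parent module means whatever the registry serves next is pulled and started unattended; pin at least a version tag, and a digest for the certbot image since that container holds the Cloudflare API token via `cloudflare.ini`. The certbot unit combines `Type = "oneshot"` with `Restart = "on-failure"` and no `RestartSec`, so a failed issuance is retried almost immediately rather than at the timer's cadence, which is the pattern that trips ACME failed-validation rate limits; add `RestartSec = "10min";` or drop `Restart` and let the 12h timer retry.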
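Review bot: A single `proxy_cache_path` defines one cache with one shared-memory zone, so the directive at `proxy_cache_path /var/run/nginx/cache ... keys_zone=auth_cache:50m keys_zone=default_cache:100m ...` cannot yield two zones: whichever one nginx ends up honouring, the other name is undefined for any `proxy_cache` under `conf.d` (those files are outside this diff). Two caches need two directives with distinct paths, e.g. `proxy_cache_path /var/run/nginx/cache/auth levels=1:2 keys_zone=auth_cache:50m max_size=1g inactive=60m use_temp_path=off;` and `proxy_cache_path /var/run/nginx/cache/default levels=1:2 keys_zone=default_cache:100m max_size=9g inactive=60m use_temp_path=off;` (sizes are placeholders to split the existing 10g). `client_max_body_size 0;` in the `http` block removes the request-body limit for every vhost this edge serves; a finite default here with per-location overrides where large uploads are expected bounds the disk and buffer use a single client can drive.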
--- a/hosts/jupiter/users/storm/default.nix
+++ b/hosts/jupiter/users/storm/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
 # FIXME: https://github.com/NixOS/nixpkgs/issues/24570
 # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
@@ -10,18 +10,37 @@ in
 ../../../common/configs/user/options.nix
 (import ../../../common/configs/user/console/home-manager { inherit user home; })
+ (import ../../../common/configs/user/console/neovim { inherit user home; })
 (import ../../../common/configs/user/console/podman { inherit user home; })
 (import ../../../common/configs/user/console/sops { inherit user home; })
+ (import ../../../common/configs/user/console/tmux { inherit user home; })
+ (import ../../../common/configs/user/console/zsh { inherit user home; })
+
+ (import ./configs/console/podman { inherit user home; })
 ];
 
+ # echo "password" | mkpasswd -s
+ sops.secrets."${user}-password" = {
+ sopsFile = ../../../../secrets/personal/secrets.yaml;
+ key = "password";
+ neededForUsers = true;
+ };
+
 users.users.${user} = {
 inherit home;
- createHome = true;
 isSystemUser = true;
+ createHome = true;
 description = "Container Runner";
+ hashedPasswordFile = config.sops.secrets."${user}-password".path;
+ extraGroups = [ "wheel" ];
 linger = true;
 uid = lib.strings.toInt (builtins.readFile ./uid);
 group = user;
+ autoSubUidGidRange = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWDA5vnIB7KE2VG28Ovg5rXtQqxFwMXsfozLsH0BNZS nick@karaolidis.com"
+ ];
 };
 
 users.groups.${user}.gid = lib.strings.toInt (builtins.readFile ./uid);