diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix
index 07c20a8..45f2e5c 100644
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -15,87 +15,6 @@ in
 users.groups.gitea = { gid = 989; };
- # services.nginx.virtualHosts."${domain}" = {
- # enableACME = true;
- # forceSSL = true;
- # locations."/" = {
- # proxyPass = "https://${ip}:443/";
- # extraConfig = ''
- # proxy_set_header=Host ${domain}
- # '';
- # };
- # };
- #
- # environment.etc."gitea/app.ini".text = ''
- # APP_NAME = Cloonar Gitea server
- # RUN_MODE = prod
- #
- # [cron.update_checker]
- # ENABLED=false
- #
- # [database]
- # DB_TYPE=sqlite3
- # PATH=/bitnami/gitea/data/gitea.db
- #
- # [openid]
- # ENABLE_OPENID_SIGNIN=false
- # ENABLE_OPENID_SIGNUP=true
- # WHITELISTED_URIS=auth.cloonar.com
- #
- # [server]
- # DISABLE_SSH=false
- # DOMAIN=git.cloonar.com
- # HTTP_ADDR=0.0.0.0
- # HTTP_PORT=443
- # PROTOCOL=https
- # ROOT_URL=https://git.cloonar.com/
- # SSH_PORT=22
- # CERT_FILE=/ssl/fullchain.pem
- # KEY_FILE=/ssl/key.pem
- #
- # [service]
- # ALLOW_ONLY_EXTERNAL_REGISTRATION=true
- # DISABLE_REGISTRATION=false
- # SHOW_REGISTRATION_BUTTON=false
- #
- # [webhook]
- # ALLOWED_HOST_LIST=drone.cloonar.com
- # '';
- #
- # virtualisation = {
- # oci-containers.containers = {
- # gitea = {
- # image = "gitea/gitea:1";
- # volumes = [
- # "/var/lib/gitea:/data"
- # "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
- # "/var/lib/acme/git.cloonar.com:/ssl:ro"
- # ];
- # environment = {
- # USER_UID = builtins.toString config.users.users.gitea.uid;
- # USER_GID = builtins.toString config.users.groups.gitea.gid;
- # };
- # extraOptions = [
- # "--ip=${ip}"
- # ];
- # };
- # gitea = {
- # image = "gitea/gitea:1";
- # volumes = [
- # "/var/lib/gitea:/data"
- # "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
- # "/var/lib/acme/git.cloonar.com:/ssl:ro"
- # ];
- # environment = {
- # USER_UID = builtins.toString config.users.users.gitea.uid;
- # USER_GID = builtins.toString config.users.groups.gitea.gid;
- # };
- # extraOptions = [
- # "--ip=${ip}"
- # ];
- # };
- # };
- # };
 containers.gitea = { autoStart = true;
@@ -107,12 +26,12 @@ in
 isReadOnly = false;
 };
 };
- # bindMounts = {
- # "/var/lib/acme/gitea/" = {
- # hostPath = "${security.acme.certs.${domain}.directory}";
- # isReadOnly = true;
- # };
- # };
+ bindMounts = {
+ "/var/lib/acme/gitea/" = {
+ hostPath = "${config.security.acme.certs.${domain}.directory}";
+ isReadOnly = true;
+ };
+ };
 config = { lib, config, pkgs, ... }: {
 networking = {
 hostName = "gitea";
@@ -124,8 +43,6 @@ in
 allowedTCPPorts = [ 22 80 443 ]; }; };
- # services.resolved.enable = true;
- # services.nginx.enable = true;
 # services.nginx.virtualHosts."${domain}" = { # sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix
index 524c74f..5cf70a0 100644
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
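Review bot: The new `bindMounts."/var/lib/acme/gitea/"` hands the container the whole ACME certificate directory, which on the host also holds the private key next to `fullchain.pem`, and a bind mount keeps the host's ownership and mode, so the service inside the container can only read it if the certificate's `group` (defined outside this hunk, presumably) maps to a group that user belongs to in the container. The read-only flag is right; a comment on the mount would save the next reader a trip, e.g. `# read-only; dir also contains key.pem, cert group must be readable by the container's gitea user`. The `containers.gitea` attrset starts before and ends after this hunk.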
@@ -1,138 +1,177 @@ -{ config, ... }: { +{ config, ... }: +let + domain = "ns.cloonar.com"; + cfg = { + server = { + interface = [ "0.0.0.0" "::0" ]; + interface-automatic = "yes"; + access-control = [ + "127.0.0.0/8 allow" + "10.42.96.0/24 allow" + "10.42.97.0/24 allow" + "10.42.98.0/24 allow" + "10.42.99.0/24 allow" + "10.42.101.0/24 allow" + "0.0.0.0/0 allow" + ]; + tls-cert-bundle = "/var/lib/acme/unbound/fullchain.pem"; + local-zone = "\"cloonar.com\" transparent"; + local-data = [ + "\"localhost A 127.0.0.1\"" + "\"localhost.cloonar.com A 127.0.0.1\"" + "\"localhost AAAA ::1\"" + "\"localhost.cloonar.com AAAA ::1\"" + "\"fw.cloonar.com A 10.42.97.1\"" + "\"fw A 10.42.97.1\"" + + "\"switch.cloonar.com IN A 10.42.97.10\"" + "\"drone.cloonar.com IN A 10.42.97.118\"" + "\"hv-02.cloonar.com IN A 10.42.97.3\"" + "\"home-assistant.cloonar.com IN A 10.42.97.20\"" + "\"home-assistant.cloonar.old IN A 10.44.97.20\"" + "\"deconz.cloonar.com IN A 10.42.97.20\"" + "\"mopidy.cloonar.com IN A 10.42.97.20\"" + "\"snapcast.cloonar.com IN A 10.42.97.20\"" + "\"cl-storage-01.cloonar.com IN A 10.42.97.9\"" + "\"git.cloonar.com IN A 10.44.97.118\"" + + "\"stage.wsw.at IN A 10.254.235.22\"" + "\"prod.wsw.at IN A 10.254.217.23\"" + "\"piwik.wohnservice-wien.at IN A 10.254.240.109\"" + "\"wohnservice-wien.at IN A 10.254.240.109\"" + "\"mieterhilfe.at IN A 10.254.240.109\"" + "\"wohnpartner-wien.at IN A 10.254.240.109\"" + "\"wohnberatung-wien.at IN A 10.254.240.109\"" + "\"wienbautvor.at IN A 10.254.240.109\"" + "\"a.wohnservice-wien.at IN A 10.254.240.109\"" + "\"a.wohnpartner-wien.at IN A 10.254.240.109\"" + "\"a.stage.wohnservice-wien.at IN A 10.254.240.110\"" + "\"a.stage.mieterhilfe.at IN A 10.254.240.110\"" + "\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\"" + "\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\"" + "\"a.stage.wienbautvor.at IN A 10.254.240.110\"" + "\"a.stage.wienwohntbesser.at IN A 10.254.240.110\"" + "\"upgrade-staging.wohnservice-wien.at IN A 
10.254.240.110\"" + "\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\"" + "\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\"" + "\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\"" + "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\"" + "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\"" + + "\"testing.ebs.amz.at IN A 80.120.142.235\"" + "\"api.testing-ebs.amz.at IN A 80.120.142.235\"" + + "\"metz.cloonar.com IN A 10.42.96.167\"" + "\"firetv-living.cloonar.com IN A 10.42.96.175\"" + "\"ps5-living.cloonar.com IN A 10.42.96.176\"" + + "\"ddl-warez.to IN A 172.67.184.30\"" + ]; + local-data-ptr = [ + "\"127.0.0.1 localhost\"" + "\"::1 localhost\"" + "\"10.42.97.10 switch.cloonar.com\"" + "\"10.42.97.1 fw.cloonar.com\"" + "\"10.42.97.118 drone.cloonar.com\"" + "\"10.42.97.3 hv-02.cloonar.com\"" + "\"10.42.97.20 home-assistant.cloonar.com\"" + "\"10.42.97.9 cl-storage-01.cloonar.com\"" + "\"10.42.97.118 git.cloonar.com\"" + + "\"10.254.235.22 stage.wsw.at\"" + "\"10.254.217.23 prod.wsw.at\"" + "\"10.254.240.109 wohnservice-wien.at\"" + "\"10.254.240.110 a.stage.wohnservice-wien.at\"" + + "\"80.120.142.235 testing.ebs.amz.at\"" + + "\"172.67.184.30 ddl-warez.to\"" + ]; + }; + forward-zone = [ + { + name = "."; + forward-addr = [ + "10.44.96.1" + # "9.9.9.9#dns11.quad9.net" + # "149.112.112.112#dns11.quad9.net" + ]; + } + { + name = "ghetto.at.local."; + forward-addr = [ + "10.43.97.1" + ]; + } + { + name = "epicenter.works."; + forward-addr = [ + "10.50.60.1" + ]; + } + { + name = "akvorrat.at."; + forward-addr = [ + "10.50.60.1" + ]; + } + { + name = "epicenter.intra."; + forward-addr = [ + "10.14.1.1" + ]; + } + { + name = "intra.epicenter.works."; + forward-addr = [ + "10.14.1.1" + ]; + } + ]; + }; +in { services.unbound = { enable = true; - settings = { + settings = cfg // { server = { - interface = [ "0.0.0.0" "::0" ]; - interface-automatic = "yes"; - access-control = [ - "127.0.0.0/8 allow" - "10.42.96.0/24 allow" - 
"10.42.97.0/24 allow" - "10.42.98.0/24 allow" - "10.42.99.0/24 allow" - "10.42.101.0/24 allow" - "0.0.0.0/0 allow" - ]; - tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem"; - local-zone = "\"cloonar.com\" transparent"; - local-data = [ - "\"localhost A 127.0.0.1\"" - "\"localhost.cloonar.com A 127.0.0.1\"" - "\"localhost AAAA ::1\"" - "\"localhost.cloonar.com AAAA ::1\"" - "\"fw.cloonar.com A 10.42.97.1\"" - "\"fw A 10.42.97.1\"" + tls-cert-bundle = "/var/lib/acme/fw.cloonnar.com/fullchain.pem"; + } + }; + }; + security.acme.certs."fw.cloonar.com" = { + domain = "fw.cloonar.com"; + }; - "\"switch.cloonar.com IN A 10.42.97.10\"" - "\"drone.cloonar.com IN A 10.42.97.118\"" - "\"hv-02.cloonar.com IN A 10.42.97.3\"" - "\"home-assistant.cloonar.com IN A 10.42.97.20\"" - "\"home-assistant.cloonar.old IN A 10.44.97.20\"" - "\"deconz.cloonar.com IN A 10.42.97.20\"" - "\"mopidy.cloonar.com IN A 10.42.97.20\"" - "\"snapcast.cloonar.com IN A 10.42.97.20\"" - "\"cl-storage-01.cloonar.com IN A 10.42.97.9\"" - "\"git.cloonar.com IN A 10.44.97.118\"" - - "\"stage.wsw.at IN A 10.254.235.22\"" - "\"prod.wsw.at IN A 10.254.217.23\"" - "\"piwik.wohnservice-wien.at IN A 10.254.240.109\"" - "\"wohnservice-wien.at IN A 10.254.240.109\"" - "\"mieterhilfe.at IN A 10.254.240.109\"" - "\"wohnpartner-wien.at IN A 10.254.240.109\"" - "\"wohnberatung-wien.at IN A 10.254.240.109\"" - "\"wienbautvor.at IN A 10.254.240.109\"" - "\"a.wohnservice-wien.at IN A 10.254.240.109\"" - "\"a.wohnpartner-wien.at IN A 10.254.240.109\"" - "\"a.stage.wohnservice-wien.at IN A 10.254.240.110\"" - "\"a.stage.mieterhilfe.at IN A 10.254.240.110\"" - "\"a.stage.wohnpartner-wien.at IN A 10.254.240.110\"" - "\"a.stage.wohnberatung-wien.at IN A 10.254.240.110\"" - "\"a.stage.wienbautvor.at IN A 10.254.240.110\"" - "\"a.stage.wienwohntbesser.at IN A 10.254.240.110\"" - "\"upgrade-staging.wohnservice-wien.at IN A 10.254.240.110\"" - "\"upgrade-staging.mieterhilfe.at IN A 10.254.240.110\"" - 
"\"upgrade-staging.wohnpartner-wien.at IN A 10.254.240.110\"" - "\"upgrade-staging.wohnberatung-wien.at IN A 10.254.240.110\"" - "\"upgrade-staging.wienbautvor.at IN A 10.254.240.110\"" - "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\"" - - "\"testing.ebs.amz.at IN A 80.120.142.235\"" - "\"api.testing-ebs.amz.at IN A 80.120.142.235\"" - - "\"metz.cloonar.com IN A 10.42.96.167\"" - "\"firetv-living.cloonar.com IN A 10.42.96.175\"" - "\"ps5-living.cloonar.com IN A 10.42.96.176\"" - - "\"ddl-warez.to IN A 172.67.184.30\"" - ]; - local-data-ptr = [ - "\"127.0.0.1 localhost\"" - "\"::1 localhost\"" - "\"10.42.97.10 switch.cloonar.com\"" - "\"10.42.97.1 fw.cloonar.com\"" - "\"10.42.97.118 drone.cloonar.com\"" - "\"10.42.97.3 hv-02.cloonar.com\"" - "\"10.42.97.20 home-assistant.cloonar.com\"" - "\"10.42.97.9 cl-storage-01.cloonar.com\"" - "\"10.42.97.118 git.cloonar.com\"" - - "\"10.254.235.22 stage.wsw.at\"" - "\"10.254.217.23 prod.wsw.at\"" - "\"10.254.240.109 wohnservice-wien.at\"" - "\"10.254.240.110 a.stage.wohnservice-wien.at\"" - - "\"80.120.142.235 testing.ebs.amz.at\"" - - "\"172.67.184.30 ddl-warez.to\"" - ]; + containers.unbound = { + autoStart = true; + ephemeral = true; + macvlans = [ "vserver" ]; + bindMounts = { + "/var/lib/acme/unbound/" = { + hostPath = "${config.security.acme.certs.${domain}.directory}"; + isReadOnly = true; + }; + }; + config = { lib, config, pkgs, ... 
}: { + networking = { + hostName = "ns"; + interfaces.mv-vserver = { + useDHCP = true; + }; + firewall = { + enable = true; + allowedUDPPorts = [ 53 ]; + allowedTCPPorts = [ 853 ]; + }; + services.unbound = { + enable = true; + settings = cfg; + }; }; - forward-zone = [ - { - name = "."; - forward-addr = [ - "10.44.96.1" - # "9.9.9.9#dns11.quad9.net" - # "149.112.112.112#dns11.quad9.net" - ]; - } - { - name = "ghetto.at.local."; - forward-addr = [ - "10.43.97.1" - ]; - } - { - name = "epicenter.works."; - forward-addr = [ - "10.50.60.1" - ]; - } - { - name = "akvorrat.at."; - forward-addr = [ - "10.50.60.1" - ]; - } - { - name = "epicenter.intra."; - forward-addr = [ - "10.14.1.1" - ]; - } - { - name = "intra.epicenter.works."; - forward-addr = [ - "10.14.1.1" - ]; - } - ]; }; }; - security.acme.certs."fw.cloonar.com" = { - domain = "fw.cloonar.com"; - group = config.services.unbound.group; + security.acme.certs."${domain}" = { + domain = "${domain}"; }; }
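Review bot: `settings = cfg // { server = { tls-cert-bundle = ...; }; }` on the host side is a shallow merge, so the inner `server` attrset replaces `cfg.server` wholesale and the host's unbound silently loses `interface`, `access-control`, `local-zone`, `local-data` and `local-data-ptr`; write `settings = cfg // { server = cfg.server // { tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem"; }; };`, which also fixes the `fw.cloonnar.com` typo in that path (no such ACME directory will exist). `tls-cert-bundle` is unbound's CA bundle for validating TLS upstreams, not a server certificate; serving DNS-over-TLS on the TCP 853 the container firewall opens needs `tls-service-key`/`tls-service-pem` and an `interface` entry on port 853, none of which `cfg` sets, and `fullchain.pem` carries no key. `access-control` ends with `"0.0.0.0/0 allow"`, which makes the preceding per-subnet entries meaningless and, combined with `interface = [ "0.0.0.0" "::0" ]` and UDP 53 open, turns the container into an open recursive resolver on whatever the `vserver` macvlan reaches; unless public service is intended, drop the catch-all and keep the explicit subnets. The rewritten `security.acme.certs."${domain}"` no longer sets `group = config.services.unbound.group`, so the bind-mounted ACME directory presumably keeps the default acme ownership and may be unreadable to the unbound user inside the container; confirm the directory mode before relying on the mount.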