Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

change unbound

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2023-12-04 15:22:32 +01:00
parent 1dbba8eac6
commit cb01ec7e4c
2 changed files with 173 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
hosts/fw.cloonar.com/modules/gitea.nix
View File

@@ -15,87 +15,6 @@ in
users.groups.gitea = { users.groups.gitea = {
gid = 989; gid = 989;
}; };
# services.nginx.virtualHosts."${domain}" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "https://${ip}:443/";
# extraConfig = ''
# proxy_set_header=Host ${domain}
# '';
# };
# };
#
# environment.etc."gitea/app.ini".text = ''
# APP_NAME = Cloonar Gitea server
# RUN_MODE = prod
#
# [cron.update_checker]
# ENABLED=false
#
# [database]
# DB_TYPE=sqlite3
# PATH=/bitnami/gitea/data/gitea.db
#
# [openid]
# ENABLE_OPENID_SIGNIN=false
# ENABLE_OPENID_SIGNUP=true
# WHITELISTED_URIS=auth.cloonar.com
#
# [server]
# DISABLE_SSH=false
# DOMAIN=git.cloonar.com
# HTTP_ADDR=0.0.0.0
# HTTP_PORT=443
# PROTOCOL=https
# ROOT_URL=https://git.cloonar.com/
# SSH_PORT=22
# CERT_FILE=/ssl/fullchain.pem
# KEY_FILE=/ssl/key.pem
#
# [service]
# ALLOW_ONLY_EXTERNAL_REGISTRATION=true
# DISABLE_REGISTRATION=false
# SHOW_REGISTRATION_BUTTON=false
#
# [webhook]
# ALLOWED_HOST_LIST=drone.cloonar.com
# '';
#
# virtualisation = {
# oci-containers.containers = {
# gitea = {
# image = "gitea/gitea:1";
# volumes = [
# "/var/lib/gitea:/data"
# "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
# "/var/lib/acme/git.cloonar.com:/ssl:ro"
# ];
# environment = {
# USER_UID = builtins.toString config.users.users.gitea.uid;
# USER_GID = builtins.toString config.users.groups.gitea.gid;
# };
# extraOptions = [
# "--ip=${ip}"
# ];
# };
# gitea = {
# image = "gitea/gitea:1";
# volumes = [
# "/var/lib/gitea:/data"
# "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
# "/var/lib/acme/git.cloonar.com:/ssl:ro"
# ];
# environment = {
# USER_UID = builtins.toString config.users.users.gitea.uid;
# USER_GID = builtins.toString config.users.groups.gitea.gid;
# };
# extraOptions = [
# "--ip=${ip}"
# ];
# };
# };
# };
containers.gitea = { containers.gitea = {
autoStart = true; autoStart = true;
@@ -107,12 +26,12 @@ in
isReadOnly = false; isReadOnly = false;
}; };
}; };
# bindMounts = { bindMounts = {
# "/var/lib/acme/gitea/" = { "/var/lib/acme/gitea/" = {
# hostPath = "${security.acme.certs.${domain}.directory}"; hostPath = "${config.security.acme.certs.${domain}.directory}";
# isReadOnly = true; isReadOnly = true;
# }; };
# }; };
config = { lib, config, pkgs, ... }: { config = { lib, config, pkgs, ... }: {
networking = { networking = {
hostName = "gitea"; hostName = "gitea";
@@ -124,8 +43,6 @@ in
allowedTCPPorts = [ 22 80 443 ]; allowedTCPPorts = [ 22 80 443 ];
}; };
}; };
# services.resolved.enable = true;
# services.nginx.enable = true; # services.nginx.enable = true;
# services.nginx.virtualHosts."${domain}" = { # services.nginx.virtualHosts."${domain}" = {
# sslCertificate = "/var/lib/acme/gitea/fullchain.pem"; # sslCertificate = "/var/lib/acme/gitea/fullchain.pem";

53
hosts/fw.cloonar.com/modules/unbound.nix
View File

@@ -1,7 +1,7 @@
{ config, ... }: { { config, ... }:
services.unbound = { let
enable = true; domain = "ns.cloonar.com";
settings = { cfg = {
server = { server = {
interface = [ "0.0.0.0" "::0" ]; interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes"; interface-automatic = "yes";
@@ -14,7 +14,7 @@
"10.42.101.0/24 allow" "10.42.101.0/24 allow"
"0.0.0.0/0 allow" "0.0.0.0/0 allow"
]; ];
tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem"; tls-cert-bundle = "/var/lib/acme/unbound/fullchain.pem";
local-zone = "\"cloonar.com\" transparent"; local-zone = "\"cloonar.com\" transparent";
local-data = [ local-data = [
"\"localhost A 127.0.0.1\"" "\"localhost A 127.0.0.1\""
@@ -129,10 +129,49 @@
} }
]; ];
}; };
in {
services.unbound = {
enable = true;
settings = cfg // {
server = {
tls-cert-bundle = "/var/lib/acme/fw.cloonnar.com/fullchain.pem";
}
};
}; };
security.acme.certs."fw.cloonar.com" = { security.acme.certs."fw.cloonar.com" = {
domain = "fw.cloonar.com"; domain = "fw.cloonar.com";
group = config.services.unbound.group; };
containers.unbound = {
autoStart = true;
ephemeral = true;
macvlans = [ "vserver" ];
bindMounts = {
"/var/lib/acme/unbound/" = {
hostPath = "${config.security.acme.certs.${domain}.directory}";
isReadOnly = true;
};
};
config = { lib, config, pkgs, ... }: {
networking = {
hostName = "ns";
interfaces.mv-vserver = {
useDHCP = true;
};
firewall = {
enable = true;
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 853 ];
};
services.unbound = {
enable = true;
settings = cfg;
};
};
};
};
security.acme.certs."${domain}" = {
domain = "${domain}";
}; };
} }