change unbound

2023-12-04 15:22:32 +01:00
parent 1dbba8eac6
commit cb01ec7e4c
2 changed files with 173 additions and 217 deletions
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -15,87 +15,6 @@ in
  users.groups.gitea = {
    gid = 989;
  };
-  # services.nginx.virtualHosts."${domain}" = {
-  #   enableACME = true;
-  #   forceSSL = true;
-  #   locations."/" = {
-  #     proxyPass = "https://${ip}:443/";
-  #     extraConfig = ''
-  #       proxy_set_header=Host ${domain}
-  #     '';
-  #   };
-  # };
-  #
-  # environment.etc."gitea/app.ini".text = ''
-  #   APP_NAME = Cloonar Gitea server
-  #   RUN_MODE = prod
-  #
-  #   [cron.update_checker]
-  #   ENABLED=false
-  #
-  #   [database]
-  #   DB_TYPE=sqlite3
-  #   PATH=/bitnami/gitea/data/gitea.db
-  #
-  #   [openid]
-  #   ENABLE_OPENID_SIGNIN=false
-  #   ENABLE_OPENID_SIGNUP=true
-  #   WHITELISTED_URIS=auth.cloonar.com
-  #
-  #   [server]
-  #   DISABLE_SSH=false
-  #   DOMAIN=git.cloonar.com
-  #   HTTP_ADDR=0.0.0.0
-  #   HTTP_PORT=443
-  #   PROTOCOL=https
-  #   ROOT_URL=https://git.cloonar.com/
-  #   SSH_PORT=22
-  #   CERT_FILE=/ssl/fullchain.pem
-  #   KEY_FILE=/ssl/key.pem
-  #
-  #   [service]
-  #   ALLOW_ONLY_EXTERNAL_REGISTRATION=true
-  #   DISABLE_REGISTRATION=false
-  #   SHOW_REGISTRATION_BUTTON=false
-  #
-  #   [webhook]
-  #   ALLOWED_HOST_LIST=drone.cloonar.com
-  # '';
-  #
-  # virtualisation = {
-  #   oci-containers.containers = {
-  #     gitea = {
-  #       image = "gitea/gitea:1";
-  #       volumes = [
-  #         "/var/lib/gitea:/data"
-  #         "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
-  #         "/var/lib/acme/git.cloonar.com:/ssl:ro"
-  #       ];
-  #       environment = {
-  #         USER_UID = builtins.toString config.users.users.gitea.uid;
-  #         USER_GID = builtins.toString config.users.groups.gitea.gid;
-  #       };
-  #       extraOptions = [
-  #         "--ip=${ip}"
-  #       ];
-  #     };
-  #     gitea = {
-  #       image = "gitea/gitea:1";
-  #       volumes = [
-  #         "/var/lib/gitea:/data"
-  #         "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro"
-  #         "/var/lib/acme/git.cloonar.com:/ssl:ro"
-  #       ];
-  #       environment = {
-  #         USER_UID = builtins.toString config.users.users.gitea.uid;
-  #         USER_GID = builtins.toString config.users.groups.gitea.gid;
-  #       };
-  #       extraOptions = [
-  #         "--ip=${ip}"
-  #       ];
-  #     };
-  #   };
-  # };

  containers.gitea = {
    autoStart = true;
@@ -107,12 +26,12 @@ in
        isReadOnly = false;
      };
    };
-    # bindMounts = {
-    #   "/var/lib/acme/gitea/" = {
-    #     hostPath = "${security.acme.certs.${domain}.directory}";
-    #     isReadOnly = true;
-    #   };
-    # };
+    bindMounts = {
+      "/var/lib/acme/gitea/" = {
+        hostPath = "${config.security.acme.certs.${domain}.directory}";
+        isReadOnly = true;
+      };
+    };
    config = { lib, config, pkgs, ... }: {
      networking = {
        hostName = "gitea";
@@ -124,8 +43,6 @@ in
          allowedTCPPorts = [ 22 80 443 ];
        };
      };
-      # services.resolved.enable = true;
-
      # services.nginx.enable = true;
      # services.nginx.virtualHosts."${domain}" = {
      #   sslCertificate = "/var/lib/acme/gitea/fullchain.pem";
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
@@ -1,7 +1,7 @@
-{ config, ... }: {
-  services.unbound = {
-    enable = true;
-    settings = {
+{ config, ... }:
+let
+  domain = "ns.cloonar.com";
+  cfg = {
    server = {
      interface = [ "0.0.0.0" "::0" ];
      interface-automatic = "yes";
@@ -14,7 +14,7 @@
        "10.42.101.0/24 allow"
        "0.0.0.0/0 allow"
      ];
-        tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem";
+      tls-cert-bundle = "/var/lib/acme/unbound/fullchain.pem";
      local-zone = "\"cloonar.com\" transparent";
      local-data = [
        "\"localhost A 127.0.0.1\""
@@ -129,10 +129,49 @@
      }
    ];
  };
+in {
+  services.unbound = {
+    enable = true;
+    settings = cfg // {
+      server = {
+        tls-cert-bundle = "/var/lib/acme/fw.cloonnar.com/fullchain.pem";
+      }
+    }; 
  };
-
  security.acme.certs."fw.cloonar.com" = {
    domain = "fw.cloonar.com";
-    group = config.services.unbound.group;
+  };
+
+  containers.unbound = {
+    autoStart = true;
+    ephemeral = true;
+    macvlans = [ "vserver" ];
+    bindMounts = {
+      "/var/lib/acme/unbound/" = {
+        hostPath = "${config.security.acme.certs.${domain}.directory}";
+        isReadOnly = true;
+      };
+    };
+    config = { lib, config, pkgs, ... }: {
+      networking = {
+        hostName = "ns";
+        interfaces.mv-vserver = {
+          useDHCP = true;
+        };
+        firewall = {
+          enable = true;
+          allowedUDPPorts = [ 53 ];
+          allowedTCPPorts = [ 853 ];
+        };
+        services.unbound = {
+          enable = true;
+          settings = cfg;
+        };
+      };
+    };
+  };
+
+  security.acme.certs."${domain}" = {
+    domain = "${domain}";
  };
 }