flakes/containers/garnet/flake.nix
containers/garnet: better ip filtering

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };

  outputs = { nixpkgs, ... }:
    let
      # Container identity: the nspawn unit / veth name, and the vhost it is served under.
      name = "garnet";
      fqdn = "cloud.lava.moe";

      # Both address families carve a per-container subnet out of the same id;
      # .1 is the host side of the veth pair, .2 the container side.
      subnetId = "7";
      mkAddr6 = n: "fd0d:1::${subnetId}:${toString n}";
      mkAddr4 = n: "10.30.${subnetId}.${toString n}";
      host = mkAddr6 1;
      client = mkAddr6 2;
      host4 = mkAddr4 1;
      client4 = mkAddr4 2;

      # Shared by the standalone `nixosConfigurations.container` build and by the
      # in-host container, so both evaluate the same configuration.
      modules = [
        ./configuration.nix
        {
          # Resolve through the host's address on the veth link instead of a
          # copied resolv.conf.
          networking.useHostResolvConf = false;
          networking.nameservers = [ host ];
        }
      ];

      # Both mounts are writable: with `ephemeral = true` below, these directories
      # are presumably the only state that survives a container restart.
      bindMounts = {
        persist = {
          hostPath = "/persist/containers/${name}";
          mountPoint = "/persist";
          isReadOnly = false;
        };
        content = {
          hostPath = "/persist/flower";
          mountPoint = "/flower";
          isReadOnly = false;
        };
      };
    in
    {
      nixosConfigurations.container = nixpkgs.lib.nixosSystem { inherit modules; };

      nixosModule = { config, ... }: {
        # Masquerade the container's traffic (v4 and v6) out of the host.
        networking.nat = {
          enable = true;
          enableIPv6 = true;
          internalInterfaces = [ "ve-${name}" ];
        };

        services.nginx.virtualHosts.${fqdn} = {
          useACMEHost = "lava.moe";
          forceSSL = true;
          locations."/" = {
            # Upstream is the container's ULA address on the veth link.
            proxyPass = "http://[${client}]:9200";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header Host $host;
            '';
          };
          # Source-address allow-list evaluated on $remote_addr; only as good as
          # the address nginx actually sees (a TLS-terminating proxy in front of
          # this host would defeat it — confirm none is present).
          # NOTE(review): `fd0d::/8` has non-zero bits below its /8 mask; nginx
          # masks it to fd00::/8 (i.e. every ULA prefix) and logs a
          # "low address bits ... are meaningless" warning at load, so the rule is
          # wider than it reads — confirm whether fd0d::/16 was intended.
          # NOTE(review): 100.0.0.0/8 is wider than the 100.64.0.0/10
          # shared-address block — confirm the extra range is intended.
          extraConfig = ''
            allow 10.0.0.0/8;
            allow 100.0.0.0/8;
            allow 192.168.1.0/24;
            allow fd0d::/8;
            deny all;
          '';
        };

        # Host-side directories backing the bind mounts; created if missing.
        systemd.tmpfiles.rules = [
          "d /persist/containers/${name} 755 root users"
          "d /persist/flower 755 root users"
        ];

        containers.${name} = {
          inherit nixpkgs bindMounts;
          autoStart = true;
          privateNetwork = true;
          hostAddress = host4;
          localAddress = client4;
          hostAddress6 = host;
          localAddress6 = client;
          # privateUsers = "pick";
          # NOTE(review): user namespacing is left off, so root inside the
          # container presumably maps to the host's uid 0 — worth revisiting.
          ephemeral = true;
          config = { imports = modules; };
          specialArgs = { inherit fqdn; };
        };
      };
    };
}