| author | Alejandro Soto <alejandro@34project.org> | 2025-01-03 11:33:27 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-01-03 11:33:27 -0600 |
| commit | fa10c66901e2587f13575905366fff1f386002a4 (patch) | |
| tree | 36a32f7f1e7116f5065ae40b7d7f7e1b2e6d159a | |
| parent | e7f2096f8d193c20740d481fdf29151f8da08c5a (diff) | |
sys: unify gate and vpn into a globally-addressable IPv6-only network
Diffstat (limited to '')
| -rw-r--r-- | sys/nspawn/dmz.nix | 139 |
1 files changed, 62 insertions, 77 deletions
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix index f1f1cc8..3fe0335 100644 --- a/sys/nspawn/dmz.nix +++ b/sys/nspawn/dmz.nix @@ -3,6 +3,8 @@ with lib; let cfg = config.local.nspawn.dmz; inherit (config.local) mailHost; + dmzNet = config.local.nets.${cfg.netName}; + hassPort = config.services.home-assistant.config.http.server_port; hassEnable = config.local.home-assistant.enable; @@ -13,17 +15,18 @@ in options.local.nspawn.dmz = { enable = mkEnableOption "DMZ services in a container"; - net = mkOption { + netName = mkOption { type = types.str; }; - net6 = mkOption { + net = mkOption { type = types.str; + readOnly = true; }; - # Solo para IPv4 - netBits = mkOption { - type = types.enum [ 30 ]; + net6 = mkOption { + type = types.str; + readOnly = true; }; dmzAddr = mkOption { 
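Review bot: The new `net` and `net6` options in options.local.nspawn.dmz are declared `readOnly = true` but carry no `default`, and none of the hunks shown defines them under config, so unless something outside this diff sets them any consumer hits an "option is used but not defined" evaluation error; if they are meant to mirror the selected network, give them a default such as `default = dmzNet.v6.cidr;` (the v4 counterpart's attribute name is to be confirmed against the local.nets module), otherwise drop them now that the address lines read dmzNet directly. None of the three options has a `description`, and `netName` is the only one a user is expected to set; `description = "Name of the entry in local.nets that backs the DMZ network.";` would tell a reader what value is expected. The options set continues outside the hunk.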
@@ -69,87 +72,69 @@ in mailHost.mdaListen = cfg.hostAddr; conduit.listenAddress = mkIf conduitEnable cfg.hostAddr; - nspawn.dmz = - let - incrementIpv4 = bytes: (incrementIpv4' bytes).tail; - - incrementIpv4' = bytes: - let - next = incrementIpv4' (tail bytes); - byteInc = (head bytes) + next.carry; - in - if bytes == [ ] - then { tail = [ ]; carry = 1; } - else if byteInc < 256 - then { tail = [ byteInc ] ++ next.tail; carry = 0; } - else { tail = [ 0 ] ++ next.tail; carry = 1; }; - - joinIpv4 = bytes: concatStringsSep "." (map toString bytes); - hostBytes = incrementIpv4 (map toInt (splitString "." cfg.net)); - in - { - dmzAddr = joinIpv4 (incrementIpv4 hostBytes); - hostAddr = joinIpv4 hostBytes; - hostAddr6 = throwIf (! hasSuffix "::" cfg.net6) "Invalid IPv6 /64: ${cfg.net6}" "${cfg.net6}1"; - - system = - let - containerModule = { ... }: { - #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables - config = { - local = { - preset.dmz = { - enable = true; - container = true; - }; + nspawn.dmz = { + dmzAddr = dmzNet.hosts.dmz.v4.address; + hostAddr = dmzNet.hosts.host.v4.address; + hostAddr6 = dmzNet.hosts.host.v6.address; + + system = + let + containerModule = { ... 
}: { + #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables + config = { + local = { + preset.dmz = { + enable = true; + container = true; + }; - mta = { - mdaAddr = mailHost.mdaListen; - inherit (mailHost) saslPort lmtpPort; - }; + mta = { + mdaAddr = mailHost.mdaListen; + inherit (mailHost) saslPort lmtpPort; + }; - web.sites = { - home = { - enable = hassEnable; - proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}"; - }; + web.sites = { + home = { + enable = hassEnable; + proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}"; + }; - matrix = { - enable = conduitEnable; - proxyUrl = "http://${cfg.hostAddr}:${toString conduitPort}"; - }; + matrix = { + enable = conduitEnable; + proxyUrl = "http://${cfg.hostAddr}:${toString conduitPort}"; }; }; + }; - nixpkgs = { - pkgs = mkDefault pkgs; - localSystem = mkDefault pkgs.stdenv.hostPlatform; - }; + nixpkgs = { + pkgs = mkDefault pkgs; + localSystem = mkDefault pkgs.stdenv.hostPlatform; + }; - services.nginx.virtualHosts = { - "${config.local.domains.imap.main}".locations."^~ /.well-known/acme-challenge/" = { - root = "/var/lib/acme/acme-challenge"; + services.nginx.virtualHosts = { + "${config.local.domains.imap.main}".locations."^~ /.well-known/acme-challenge/" = { + root = "/var/lib/acme/acme-challenge"; - extraConfig = '' - auth_basic off; - auth_request off; - ''; - }; + extraConfig = '' + auth_basic off; + auth_request off; + ''; }; }; }; - in - # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba - import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" { - modules = [ - ../. - containerModule - ]; - - system = null; - specialArgs = { inherit flakes; }; }; - }; + in + # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba + import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" { + modules = [ + ../. + containerModule + ]; + + system = null; + specialArgs = { inherit flakes; }; + }; + }; }; services = { 
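Review bot: The unchanged TODO at the top of containerModule ("bloquear puertos de dovecot a non-postfix") becomes more pressing with this hunk: hostAddr6 is now taken from dmzNet.hosts.host.v6.address on the globally-addressable network the commit title describes, and the later hunk drops IPv6 masquerading, so services listening inside the container are reachable over v6 without a NAT hop in front of them; it would be worth closing that TODO alongside this change, or at least recording in it which firewall is expected to hold the rule. The lookup form also drops the old `throwIf (! hasSuffix "::" cfg.net6)` validation, which is only fine if local.nets validates the prefix itself — confirm. The enclosing config attribute set starts before the hunk and continues past it (`services = {`).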
@@ -187,10 +172,10 @@ in }; networkConfig = { - Address = [ "${cfg.hostAddr}/${toString cfg.netBits}" "${cfg.hostAddr6}/64" ]; + Address = [ dmzNet.hosts.host.v4.cidr dmzNet.hosts.host.v6.cidr ]; LinkLocalAddressing = "yes"; DHCPServer = "yes"; - IPMasquerade = "both"; + IPMasquerade = "ipv4"; LLDP = "yes"; EmitLLDP = "customer-bridge"; IPv6SendRA = "yes"; @@ -206,7 +191,7 @@ in { ipv6PrefixConfig = { Assign = "yes"; - Prefix = "${cfg.net6}/64"; + Prefix = dmzNet.v6.cidr; }; } ]; |
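Review bot: Changing `IPMasquerade` from "both" to "ipv4" in networkConfig means the container's IPv6 traffic is routed rather than NATed, so the address in dmzNet.hosts.host.v6.cidr and any SLAAC address derived from the advertised prefix are reachable from outside the host; nothing in this hunk adds inbound filtering for the interface, so confirm the host firewall treats the DMZ link as forwarded-and-filtered instead of relying on the NAT that used to hide it. A one-line comment above the setting, `# IPv6 is routed, not NATed: container v6 addresses are reachable from outside; inbound filtering is the host firewall's job`, would keep that intent visible to the next reader. The networkConfig block continues outside the hunk.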
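Review bot: `Prefix = dmzNet.v6.cidr;` in ipv6PrefixConfig replaces a literal `/64`; if the net definition can carry any other prefix length, the advertised prefix is no longer usable for SLAAC by the container, which the old string guaranteed by construction. If local.nets does not already constrain v6 to a /64, an assertion there (or next to this setting) would catch a mismatch at evaluation time rather than as a container with no v6 connectivity. The surrounding networkd configuration continues outside the hunk.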
