authorAlejandro Soto <alejandro@34project.org>2025-08-24 18:55:06 -0600
committerAlejandro Soto <alejandro@34project.org>2025-08-24 18:55:06 -0600
commitd7ac88762db111a7962c4e14b5f4e37ab85ccac7 (patch)
tree0c2c8c4383bef74215e3b7c48a2f6b0117f084bc /sys/nspawn/dmz.nix
parent504589d1035f27b766bd33040b415b2725ece4ca (diff)
tree-wide: reformat using alejandra after enabling trivionomicon
Diffstat (limited to '')
-rw-r--r--sys/nspawn/dmz.nix129
1 files changed, 67 insertions, 62 deletions
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index fb3acea..805ca72 100644
--- a/sys/nspawn/dmz.nix
+++ b/sys/nspawn/dmz.nix
@@ -1,4 +1,10 @@
-{ lib, config, flakes, pkgs, ... }:
+{
+ lib,
+ config,
+ flakes,
+ pkgs,
+ ...
+}:
with lib; let
cfg = config.local.nspawn.dmz;
inherit (config.local) mailHost;
@@ -7,8 +13,7 @@ with lib; let
hassPort = config.services.home-assistant.config.http.server_port;
hassEnable = config.local.home-assistant.enable;
-in
-{
+in {
options.local.nspawn.dmz = {
enable = mkEnableOption "DMZ services in a container";
@@ -60,71 +65,70 @@ in
nspawn.dmz = {
hostAddr6 = dmzNet.hosts.gateway.v6.address;
- system =
- let
- containerModule = { ... }: {
- #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
- config = {
- local = {
- preset.dmz = {
- enable = true;
- container = true;
- };
+ system = let
+ containerModule = {...}: {
+ #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
+ config = {
+ local = {
+ preset.dmz = {
+ enable = true;
+ container = true;
+ };
- mta = {
- mdaAddr = "[${mailHost.mdaListen}]";
- inherit (mailHost) saslPort lmtpPort;
- };
+ mta = {
+ mdaAddr = "[${mailHost.mdaListen}]";
+ inherit (mailHost) saslPort lmtpPort;
+ };
- web.sites = {
- home = {
- enable = hassEnable;
- proxyUrl = "http://[${cfg.hostAddr6}]:${toString hassPort}";
- };
+ web.sites = {
+ home = {
+ enable = hassEnable;
+ proxyUrl = "http://[${cfg.hostAddr6}]:${toString hassPort}";
};
};
+ };
- nixpkgs = {
- pkgs = mkDefault pkgs;
- localSystem = mkDefault pkgs.stdenv.hostPlatform;
- };
+ nixpkgs = {
+ pkgs = mkDefault pkgs;
+ localSystem = mkDefault pkgs.stdenv.hostPlatform;
+ };
- services.nginx.virtualHosts = {
- "${config.local.domains.imap.main}".locations."^~ /.well-known/acme-challenge/" = {
- root = "/var/lib/acme/acme-challenge";
+ services.nginx.virtualHosts = {
+ "${config.local.domains.imap.main}".locations."^~ /.well-known/acme-challenge/" = {
+ root = "/var/lib/acme/acme-challenge";
- extraConfig = ''
- auth_basic off;
- auth_request off;
- '';
- };
+ extraConfig = ''
+ auth_basic off;
+ auth_request off;
+ '';
};
+ };
- systemd.network.networks."40-host0" = {
- name = "host0";
+ systemd.network.networks."40-host0" = {
+ name = "host0";
- networkConfig = {
- DNS = [ cfg.dns64 ];
+ networkConfig = {
+ DNS = [cfg.dns64];
- DHCP = "no";
- IPv6AcceptRA = "yes";
- LinkLocalAddressing = "ipv6";
- };
+ DHCP = "no";
+ IPv6AcceptRA = "yes";
+ LinkLocalAddressing = "ipv6";
+ };
- ipv6AcceptRAConfig = {
- Token = [
- "static:::${dmzNet.hosts.dmz.v6.suffix}"
- "eui64"
- "static:::${dmzNet.hosts.mta.v6.suffix}"
- "static:::${dmzNet.hosts.web.v6.suffix}"
- ];
+ ipv6AcceptRAConfig = {
+ Token = [
+ "static:::${dmzNet.hosts.dmz.v6.suffix}"
+ "eui64"
+ "static:::${dmzNet.hosts.mta.v6.suffix}"
+ "static:::${dmzNet.hosts.web.v6.suffix}"
+ ];
- UseDNS = false;
- };
+ UseDNS = false;
};
};
};
- in
+ };
+ in
# Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba
import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" {
modules = [
@@ -133,15 +137,15 @@ in
];
system = null;
- specialArgs = { inherit flakes; };
+ specialArgs = {inherit flakes;};
};
};
};
services = {
home-assistant.config.http = mkIf hassEnable {
- server_host = [ cfg.hostAddr6 ];
- trusted_proxies = [ dmzNet.hosts.web.v6.address ];
+ server_host = [cfg.hostAddr6];
+ trusted_proxies = [dmzNet.hosts.web.v6.address];
use_x_forwarded_for = true;
};
};
@@ -199,26 +203,27 @@ in
};
services = {
- dovecot2.after = [ "systemd-nspawn@dmz.service" ];
+ dovecot2.after = ["systemd-nspawn@dmz.service"];
"systemd-nspawn@dmz" = {
overrideStrategy = "asDropin";
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- wantedBy = [ "machines.target" ];
+ after = ["network-online.target"];
+ wants = ["network-online.target"];
+ wantedBy = ["machines.target"];
};
};
};
networking.firewall = {
- allowedTCPPorts = [ 25 80 443 ];
+ allowedTCPPorts = [25 80 443];
interfaces.ve-dmz = {
- allowedTCPPorts = [ mailHost.saslPort mailHost.lmtpPort ]
+ allowedTCPPorts =
+ [mailHost.saslPort mailHost.lmtpPort]
++ optional hassEnable hassPort;
- allowedUDPPorts = [ 67 ]; # DHCP
+ allowedUDPPorts = [67]; # DHCP
};
};
};