-rw-r--r--sys/nspawn.nix74
1 files changed, 63 insertions, 11 deletions
diff --git a/sys/nspawn.nix b/sys/nspawn.nix
index e854e06..2298c94 100644
--- a/sys/nspawn.nix
+++ b/sys/nspawn.nix
@@ -3,7 +3,21 @@ with lib; let
cfg = config.local.nspawn;
in
{
- options.local.nspawn.dmz.enable = mkEnableOption "DMZ services in a container";
+ options.local.nspawn.dmz = {
+ enable = mkEnableOption "DMZ services in a container";
+
+ net = mkOption {
+ type = with types; str;
+ };
+
+ hostAddr = mkOption {
+ type = with types; str;
+ };
+
+ system = mkOption {
+ type = with types; attrs;
+ };
+ };
# Situación con os-release
#
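Review bot: The three new options `net`, `hostAddr` and `system` are declared without a `description`, and `net`/`hostAddr` are bare `types.str`, so nothing tells a reader that both are expected in CIDR form (`hostAddr` is later passed straight into networkd's `Address=`) or that `net` should contain `hostAddr`. I would add one-liners such as `description = "Address of the host end of the DMZ veth, in CIDR notation (used as networkd Address=)";` on `hostAddr`, `description = "DMZ subnet in CIDR notation";` on `net`, and `description = "Evaluated NixOS system (pkgs.nixos result) whose toplevel provides the container init";` on `system`. Module evaluation already fails if a value is missing, but the description is what shows up in option documentation and `nixos-option`. The enclosing `with lib; let … in` expression starts before this hunk.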
@@ -24,21 +38,59 @@ in
# final es 'mkdir rootfs/usr/lib && touch rootfs/usr/lib/os-release'.
config = mkIf cfg.dmz.enable {
- systemd.nspawn.dmz = {
- execConfig.PrivateUsers = "pick";
-
- filesConfig.BindReadOnly =
+ local.nspawn.dmz = {
+ system =
let
containerModule = { ... }: {
config.boot.isContainer = true;
};
-
- system = pkgs.nixos [ ../dmz containerModule ];
in
- [
- "/nix/store"
- "${system.toplevel}/init:/sbin/init"
- ];
+ pkgs.nixos [ ../dmz containerModule ];
+
+ net = "10.34.3.0/28";
+ hostAddr = "10.34.3.1/28";
};
+
+ systemd = {
+ nspawn.dmz = {
+ execConfig.PrivateUsers = "pick";
+
+ filesConfig.BindReadOnly =
+ [
+ # idmap porque algunos hacks en nixpkgs (postfix-setup.service)
+ # asumen que la store es de root
+ "/nix/store:/nix/store:idmap"
+ "${cfg.dmz.system.toplevel}/init:/sbin/init"
+ ];
+
+ networkConfig.Port = [ "tcp:25" "tcp:80" "tcp:443" "tcp:587" ];
+ };
+
+ network.networks."40-ve-dmz" = {
+ matchConfig = {
+ Name = "ve-dmz";
+ Driver = "veth";
+ };
+
+ networkConfig = {
+ Address = "${cfg.dmz.hostAddr}";
+ LinkLocalAddressing = "yes";
+ DHCPServer = "yes";
+ IPMasquerade = "both";
+ LLDP = "yes";
+ EmitLLDP = "customer-bridge";
+ IPv6SendRA = "yes";
+ };
+
+ # IP de contenedor fijada en hostAddr + 1
+ dhcpServerConfig = {
+ PoolOffset = 2;
+ PoolSize = 1;
+ };
+ };
+ };
+
+ # DHCP
+ networking.firewall.interfaces.ve-dmz.allowedUDPPorts = [ 67 ];
};
}
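Review bot: `IPMasquerade = "both"` on the `ve-dmz` host link NATs all container-originated IPv4 and IPv6 traffic out through whatever the host can route, while the only firewall change in this hunk is opening UDP 67 on that interface for the DHCP server; nothing here limits the container's reach toward the host's other networks, which is usually the point of a DMZ segment. If that isolation is intended, an explicit forward-chain rule restricting `ve-dmz` egress (for example via `networking.firewall.extraCommands` or an nftables forward rule) should accompany this change, unless it already lives in `../dmz` or another file not visible here. Separately, `local.nspawn.dmz.net` is assigned at `net = "10.34.3.0/28";` but not read anywhere in this hunk, so its consumer should be confirmed, and `Address = "${cfg.dmz.hostAddr}"` can simply be `Address = cfg.dmz.hostAddr;` since the option is already a string.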