Diffstat (limited to 'sys/nspawn/dmz.nix')
-rw-r--r--sys/nspawn/dmz.nix113
1 files changed, 73 insertions, 40 deletions
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index af91f82..0192333 100644
--- a/sys/nspawn/dmz.nix
+++ b/sys/nspawn/dmz.nix
@@ -7,23 +7,29 @@ with lib; let
hassEnable = config.local.home-assistant.enable;
in
{
- options.local.nspawn.dmz = with types; {
+ options.local.nspawn.dmz = {
enable = mkEnableOption "DMZ services in a container";
net = mkOption {
- type = str;
+ type = types.str;
};
netBits = mkOption {
- type = int;
+ type = types.enum [ 30 ];
+ };
+
+ dmzAddr = mkOption {
+ type = types.str;
+ readOnly = true;
};
hostAddr = mkOption {
- type = str;
+ type = types.str;
+ readOnly = true;
};
system = mkOption {
- type = attrs;
+ type = types.raw;
};
};
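Review bot: `net` stays a bare `types.str` even though the new `netBits = types.enum [ 30 ]` commits the module to a /30 and, later in this diff, `hostAddr`/`dmzAddr` are derived by splitting `cfg.net` on `.` and calling `toInt` on each piece, so a value with a prefix suffix, an IPv6 literal or a typo fails inside that arithmetic with an unhelpful error rather than at option evaluation. A stricter type catches it at the declaration: `type = types.strMatching "([0-9]{1,3}\\.){3}[0-9]{1,3}";`. It would also be worth a `description` on `net` saying it must be the network (first) address of the /30, since the derivation hands out net+1 to the host and net+2 to the container and, as far as the hunk shows, nothing checks that `net` is aligned to a /30 boundary (last octet a multiple of 4) — if it is not, net+2 may land on the broadcast address; an `assertion` to that effect would close the gap. The `readOnly` `dmzAddr`/`hostAddr` options would likewise benefit from one-line descriptions noting they are computed from `net` and not meant to be set by the user.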
@@ -49,49 +55,76 @@ in
local = {
mailHost.mdaListen = cfg.hostAddr;
- nspawn.dmz.system =
+ nspawn.dmz =
let
- containerModule = { ... }: {
- #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
- config = {
- local = {
- preset.dmz = {
- enable = true;
- container = true;
- };
-
- mta = {
- mdaAddr = mailHost.mdaListen;
- inherit (mailHost) saslPort lmtpPort;
- };
-
- web.sites.home = {
- enable = hassEnable;
- proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}";
+ incrementIpv4 = bytes: (incrementIpv4' bytes).tail;
+
+ incrementIpv4' = bytes:
+ let
+ next = incrementIpv4' (tail bytes);
+ byteInc = (head bytes) + next.carry;
+ in
+ if bytes == [ ]
+ then { tail = [ ]; carry = 1; }
+ else if byteInc < 256
+ then { tail = [ byteInc ] ++ next.tail; carry = 0; }
+ else { tail = [ 0 ] ++ next.tail; carry = 1; };
+
+ joinIpv4 = bytes: concatStringsSep "." (map toString bytes);
+ hostBytes = incrementIpv4 (map toInt (splitString "." cfg.net));
+ in
+ {
+ dmzAddr = joinIpv4 (incrementIpv4 hostBytes);
+ hostAddr = joinIpv4 hostBytes;
+
+ system =
+ let
+ containerModule = { ... }: {
+ #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
+ config = {
+ local = {
+ preset.dmz = {
+ enable = true;
+ container = true;
+ };
+
+ mta = {
+ mdaAddr = mailHost.mdaListen;
+ inherit (mailHost) saslPort lmtpPort;
+ };
+
+ web.sites.home = {
+ enable = hassEnable;
+ proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}";
+ };
+ };
+
+ nixpkgs = {
+ pkgs = mkDefault pkgs;
+ localSystem = mkDefault pkgs.stdenv.hostPlatform;
+ };
};
};
-
- nixpkgs = {
- pkgs = mkDefault pkgs;
- localSystem = mkDefault pkgs.stdenv.hostPlatform;
- };
+ in
+ # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba
+ import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" {
+ modules = [
+ ../.
+ containerModule
+ ];
+
+ system = null;
+ specialArgs = { inherit flakes; };
};
- };
- in
- # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba
- import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" {
- modules = [
- ../.
- containerModule
- ];
-
- system = null;
- specialArgs = { inherit flakes; };
};
};
services = {
- home-assistant.config.http.server_host = singleton cfg.hostAddr;
+ home-assistant.config.http = {
+ server_host = [ cfg.hostAddr ];
+ trusted_proxies = [ cfg.dmzAddr ];
+ use_x_forwarded_for = true;
+ };
};
systemd = {