SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 19:51:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Switch container networking from macvlans to bridges

Browse source
This commit is contained in:
SebastianStork 2024-09-05 19:47:58 +02:00
parent 4168626450
commit 78f25ad322
5 changed files with 60 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

36
hosts/stratus/containers/default.nix
View file

@ -7,14 +7,10 @@
}:
let
containers = lib.filterAttrs (_: v: v == "directory") (builtins.readDir ./.);
interface = "eno1";
dataDirOf = name: "/data/${name}";
in
{
imports = [
./nextcloud
./paperless
];
imports = lib.mapAttrsToList (name: _: ./${name}) containers;
sops.secrets = lib.mapAttrs' (
name: _: lib.nameValuePair "container/${name}/ssh-key" { }
@ -27,10 +23,25 @@ in
]) containers
);
networking = {
useDHCP = false;
bridges.br0.interfaces = [ "eno1" ];
interfaces."br0".useDHCP = true;
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "br0";
};
};
containers = lib.mapAttrs (name: _: {
autoStart = true;
ephemeral = true;
macvlans = [ interface ];
privateNetwork = true;
enableTun = true;
hostBridge = "br0";
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
@ -66,18 +77,10 @@ in
networking = {
inherit domain;
useNetworkd = true;
useHostResolvConf = false;
interfaces."eth0".useDHCP = true;
};
systemd.network = {
enable = true;
networks."10-mv-${interface}" = {
matchConfig.Name = "mv-${interface}";
networkConfig.DHCP = "yes";
dhcpV4Config.ClientIdentifier = "mac";
};
};
services.resolved.enable = true;
myConfig.sops = {
enable = true;
@ -85,7 +88,6 @@ in
};
sops.secrets."tailscale-auth-key" = { };
services.tailscale.interfaceName = "userspace-networking";
myConfig.tailscale = {
enable = true;
ssh.enable = true;

31
hosts/stratus/containers/onlyoffice/secrets.yaml Normal file
View file

@ -0,0 +1,31 @@
tailscale-auth-key: ENC[AES256_GCM,data:MCrnxZwV2+48DuBcE0iD+HX695jUuiMkWh82xTfUZrMIBZqFpx5cwnktHtz6v04bgyO7K0npnxoaNhJvD78=,iv:X+sFy20iXhBt7APCmxrY4M8+C5seyahRFJ2FlIqHIsg=,tag:DKjF/X/7PWvzkxTDtsvDPQ==,type:str]
onlyoffice-secret-key: ENC[AES256_GCM,data:FtIKFZrajzZ5nDTO1/JbJh9Kixo=,iv:l4rjxiNrdjGP1YRYp/QSEFn/1SOnN8i77dCYBRtb7lM=,tag:dbPD1otFzUDLTPvhXQowwQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZW5ZOUhRM1NYOS8yWTRh
andCVjNIWDA0c294WmxwRGd4b3BTcHZRK0JFCmJyS1Rsd1JxaUgvQ05xelVQYWEy
dExxejRQUUpwajhBcHlTRG04UHpVY1EKLS0tIGRGTDBDVzU2N0h1aFdEMHNzSUhU
SnhUM1BHUzV2TDJKaVFDbkJqUW5rRmsKtBWX5Qf1XexmRvZkATZkcW51HJCGmEzq
5A61eA/RIhRwdDCxR1omIzhUq+BId1MwjuygapIgLsaTkUWnfKltNA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUG1PTEN1Y1JjaVJrc3VW
OTN5eEt0SXg2VmZzOTNUMVlQaHZlaFd4Y1FvCkxRejFqOGYzbnR1UDBVMllqYTJt
Q2RXeW5tSEFiTVRMTFVtR00zQ1crQXMKLS0tIFFQTFYzQWlhbzVkNmUzM3Y0ejFj
V0V4ZkNucExLUGZVWUFuTWdaN3hSTkEKAJy3TKI+oUJS+1A2f47ck2xiOcW7TsFl
UCAaT19sZHVjaF/0CoPVmOZ3H5t3lh7BRo7di1TACr1TjYfCxEYRVw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-03T18:32:07Z"
mac: ENC[AES256_GCM,data:bEDkET4vypdIE2psravUlXJp0fea/Gh8KatTFnU55ZIUutxoOHtbhL4aarPZGmLj1qkBw1fuY+rPS+dCABXsLLjso52NzeBhUvMqbbpdffXqjvO5lel8KgzW5AbxKcCCWJT4x29ffyi6K8EccsSYvjtRBnq0VaK52+uhi2F/ISg=,iv:LncnT7F/42gmxAw02XopbYXFRZ6cKlD5v2VivqWL3Fs=,tag:vHyzbINIUuFtWzrB4CnPaQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0