Switch container networking from macvlans to bridges
This commit is contained in:
parent
4168626450
commit
78f25ad322
5 changed files with 60 additions and 28 deletions
|
|
@ -4,6 +4,7 @@ keys:
|
||||||
- &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
|
- &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
|
||||||
- &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
|
- &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
|
||||||
- &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
|
- &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
|
||||||
|
- &onlyoffice age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
|
||||||
- &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
|
- &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
|
||||||
- &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
|
- &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
|
||||||
- &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
|
- &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
|
||||||
|
|
@ -28,6 +29,11 @@ creation_rules:
|
||||||
- age:
|
- age:
|
||||||
- *admin
|
- *admin
|
||||||
- *nextcloud
|
- *nextcloud
|
||||||
|
- path_regex: hosts/stratus/containers/onlyoffice/secrets.yaml$
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *admin
|
||||||
|
- *onlyoffice
|
||||||
- path_regex: hosts/stratus/containers/paperless/secrets.yaml$
|
- path_regex: hosts/stratus/containers/paperless/secrets.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
|
|
|
||||||
|
|
@ -7,14 +7,10 @@
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
containers = lib.filterAttrs (_: v: v == "directory") (builtins.readDir ./.);
|
containers = lib.filterAttrs (_: v: v == "directory") (builtins.readDir ./.);
|
||||||
interface = "eno1";
|
|
||||||
dataDirOf = name: "/data/${name}";
|
dataDirOf = name: "/data/${name}";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [
|
imports = lib.mapAttrsToList (name: _: ./${name}) containers;
|
||||||
./nextcloud
|
|
||||||
./paperless
|
|
||||||
];
|
|
||||||
|
|
||||||
sops.secrets = lib.mapAttrs' (
|
sops.secrets = lib.mapAttrs' (
|
||||||
name: _: lib.nameValuePair "container/${name}/ssh-key" { }
|
name: _: lib.nameValuePair "container/${name}/ssh-key" { }
|
||||||
|
|
@ -27,10 +23,25 @@ in
|
||||||
]) containers
|
]) containers
|
||||||
);
|
);
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
useDHCP = false;
|
||||||
|
bridges.br0.interfaces = [ "eno1" ];
|
||||||
|
interfaces."br0".useDHCP = true;
|
||||||
|
|
||||||
|
nat = {
|
||||||
|
enable = true;
|
||||||
|
internalInterfaces = [ "ve-+" ];
|
||||||
|
externalInterface = "br0";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
containers = lib.mapAttrs (name: _: {
|
containers = lib.mapAttrs (name: _: {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
ephemeral = true;
|
ephemeral = true;
|
||||||
macvlans = [ interface ];
|
|
||||||
|
privateNetwork = true;
|
||||||
|
enableTun = true;
|
||||||
|
hostBridge = "br0";
|
||||||
|
|
||||||
bindMounts = {
|
bindMounts = {
|
||||||
"/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
|
"/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
|
||||||
|
|
@ -66,18 +77,10 @@ in
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
inherit domain;
|
inherit domain;
|
||||||
useNetworkd = true;
|
|
||||||
useHostResolvConf = false;
|
useHostResolvConf = false;
|
||||||
|
interfaces."eth0".useDHCP = true;
|
||||||
};
|
};
|
||||||
|
services.resolved.enable = true;
|
||||||
systemd.network = {
|
|
||||||
enable = true;
|
|
||||||
networks."10-mv-${interface}" = {
|
|
||||||
matchConfig.Name = "mv-${interface}";
|
|
||||||
networkConfig.DHCP = "yes";
|
|
||||||
dhcpV4Config.ClientIdentifier = "mac";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
myConfig.sops = {
|
myConfig.sops = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
@ -85,7 +88,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets."tailscale-auth-key" = { };
|
sops.secrets."tailscale-auth-key" = { };
|
||||||
services.tailscale.interfaceName = "userspace-networking";
|
|
||||||
myConfig.tailscale = {
|
myConfig.tailscale = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ssh.enable = true;
|
ssh.enable = true;
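Review bot: The new `networking.nat` block (`internalInterfaces = [ "ve-+" ]`, `externalInterface = "br0"`) looks like the NixOS recipe for routed containers with hostAddress/localAddress, but these containers now use `hostBridge = "br0"` and take a LAN address via DHCP on `eth0`, so the `ve-*` veths are bridge ports rather than routed interfaces and the masquerade rules should never match. The side effect that does apply is that `networking.nat.enable = true` turns on IPv4 forwarding on the host, widening what the host will relay between its interfaces; if nothing depends on that, drop the `nat` block, otherwise record the reason above it, e.g. `# nat enables IPv4 forwarding on the host; needed for <X>, not for the bridged containers`. Relatedly, `enableTun = true` is a new capability grant to every container; since the last hunk removes `services.tailscale.interfaceName = "userspace-networking"`, this presumably is for in-kernel Tailscale, which is worth stating in a comment such as `# Tailscale now runs in kernel mode inside the container, so it needs /dev/net/tun`. The `containers = lib.mapAttrs (name: _: { ... })` attribute set continues past the end of its hunk.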
|
||||||
|
|
|
||||||
31
hosts/stratus/containers/onlyoffice/secrets.yaml
Normal file
31
hosts/stratus/containers/onlyoffice/secrets.yaml
Normal file
|
|
@ -0,0 +1,31 @@
|
||||||
|
tailscale-auth-key: ENC[AES256_GCM,data:MCrnxZwV2+48DuBcE0iD+HX695jUuiMkWh82xTfUZrMIBZqFpx5cwnktHtz6v04bgyO7K0npnxoaNhJvD78=,iv:X+sFy20iXhBt7APCmxrY4M8+C5seyahRFJ2FlIqHIsg=,tag:DKjF/X/7PWvzkxTDtsvDPQ==,type:str]
|
||||||
|
onlyoffice-secret-key: ENC[AES256_GCM,data:FtIKFZrajzZ5nDTO1/JbJh9Kixo=,iv:l4rjxiNrdjGP1YRYp/QSEFn/1SOnN8i77dCYBRtb7lM=,tag:dbPD1otFzUDLTPvhXQowwQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZW5ZOUhRM1NYOS8yWTRh
|
||||||
|
andCVjNIWDA0c294WmxwRGd4b3BTcHZRK0JFCmJyS1Rsd1JxaUgvQ05xelVQYWEy
|
||||||
|
dExxejRQUUpwajhBcHlTRG04UHpVY1EKLS0tIGRGTDBDVzU2N0h1aFdEMHNzSUhU
|
||||||
|
SnhUM1BHUzV2TDJKaVFDbkJqUW5rRmsKtBWX5Qf1XexmRvZkATZkcW51HJCGmEzq
|
||||||
|
5A61eA/RIhRwdDCxR1omIzhUq+BId1MwjuygapIgLsaTkUWnfKltNA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1es9tg5225aum5k5ahu8u9q0jprzzte6d64jmwxr2w33ylctqs4lqykdtx5
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUG1PTEN1Y1JjaVJrc3VW
|
||||||
|
OTN5eEt0SXg2VmZzOTNUMVlQaHZlaFd4Y1FvCkxRejFqOGYzbnR1UDBVMllqYTJt
|
||||||
|
Q2RXeW5tSEFiTVRMTFVtR00zQ1crQXMKLS0tIFFQTFYzQWlhbzVkNmUzM3Y0ejFj
|
||||||
|
V0V4ZkNucExLUGZVWUFuTWdaN3hSTkEKAJy3TKI+oUJS+1A2f47ck2xiOcW7TsFl
|
||||||
|
UCAaT19sZHVjaF/0CoPVmOZ3H5t3lh7BRo7di1TACr1TjYfCxEYRVw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-03T18:32:07Z"
|
||||||
|
mac: ENC[AES256_GCM,data:bEDkET4vypdIE2psravUlXJp0fea/Gh8KatTFnU55ZIUutxoOHtbhL4aarPZGmLj1qkBw1fuY+rPS+dCABXsLLjso52NzeBhUvMqbbpdffXqjvO5lel8KgzW5AbxKcCCWJT4x29ffyi6K8EccsSYvjtRBnq0VaK52+uhi2F/ISg=,iv:LncnT7F/42gmxAw02XopbYXFRZ6cKlD5v2VivqWL3Fs=,tag:vHyzbINIUuFtWzrB4CnPaQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
||||||
|
|
@ -17,13 +17,4 @@
|
||||||
exitNode.enable = true;
|
exitNode.enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.useNetworkd = true;
|
|
||||||
systemd.network = {
|
|
||||||
enable = true;
|
|
||||||
networks."10-eno1" = {
|
|
||||||
matchConfig.Name = "eno1";
|
|
||||||
networkConfig.DHCP = "yes";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,8 @@ tailscale-auth-key: ENC[AES256_GCM,data:zKjJsG23GYrAIAoTe9pRI/b9w6JPB/0EDrdtspQq
|
||||||
container:
|
container:
|
||||||
nextcloud:
|
nextcloud:
|
||||||
ssh-key: ENC[AES256_GCM,data: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,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str]
|
ssh-key: ENC[AES256_GCM,data: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,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str]
|
||||||
|
onlyoffice:
|
||||||
|
ssh-key: ENC[AES256_GCM,data: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,iv:dB5TqLXea6DXnhMiwdxjtTSDL9NjWvqfRbVy/ZsVJs4=,tag:ItwDOkN+W1/YxOSU6oduaA==,type:str]
|
||||||
paperless:
|
paperless:
|
||||||
ssh-key: ENC[AES256_GCM,data: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,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str]
|
ssh-key: ENC[AES256_GCM,data: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,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str]
|
||||||
sops:
|
sops:
|
||||||
|
|
@ -29,8 +31,8 @@ sops:
|
||||||
aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
|
aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
|
||||||
FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
|
FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-09-01T22:31:28Z"
|
lastmodified: "2024-09-03T18:12:20Z"
|
||||||
mac: ENC[AES256_GCM,data:WUiRswjjZ2s2K2/B0PboppmktmtlZFMI6i99D3oI2tQDNCkEcr6gWxpyOXRskv9zjs7CEQ3f54v66La3FOwde87onuuBZVnjeaIPM5Og4+v6IQ/QlYWit7D1sRbxC4V2OCGbapn8stTO5jIuZhl5IxPEL/3dzpKVUMav7b2zt0w=,iv:73cprzlBVcRXxOHJskQCziOmoPAISyMmTBex2rFJjAE=,tag:rcED8ZfUESO2BLQLpg6L8w==,type:str]
|
mac: ENC[AES256_GCM,data:S8voLybmFyDRuAnNZHDRmpK08u2oCKFtdjeMi6cVxThqAZ2Eqwinqp/9HzLsbfQeEGvZdqAWFA0t0k39UfOjTEnfalP2UUukf/+G8UfMfEp0ph6RRDvHeCfKE/7zXMopdiVP+kNzc87iSSrbUUHrGwsO18sQYjIaMIsU8/2eHG4=,iv:R8YBo6wqxQssmvNE8mJUSGPjyuQklh7SN5OC24Cdp+o=,tag:yN4wd4mI1rRQaLo5H874Ag==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
|
|
||||||