Move more of jokum

slightly less stupid this time
2023-03-26 14:42:45 +02:00
parent bddd7e438d
commit 38e3202c9e
4 changed files with 75 additions and 29 deletions
--- a/hosts/bicep/services/jokum.nix
+++ b/hosts/bicep/services/jokum.nix
@@ -3,8 +3,49 @@
 {
  # lfmao
  containers.jokum = {
-    interfaces = [ "ens10f1" ];
+    autoStart = true;
    # wtf
-    path = inputs.self.nixosConfigurations.jokum.config.system.build.toplevel;
+    #path = inputs.self.nixosConfigurations.jokum.config.system.build.toplevel;
+    interfaces = [ "enp6s0f1" ];
+    bindMounts = {
+      "/data" = { hostPath = "/data/jokum"; isReadOnly = false; };
+    };
+    config = {config, pkgs, ...}: let
+      inherit values inputs;
+    in {
+      imports = [
+        inputs.sops-nix.nixosModules.sops
+        inputs.matrix-next.nixosModules.synapse
+
+        ../../jokum/services/matrix
+        ../../jokum/services/nginx
+      ];
+
+      _module.args = {
+        inherit values inputs;
+      };
+
+      sops.defaultSopsFile = ../../../secrets/jokum/jokum.yaml;
+      sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+      sops.age.generateKey = true;
+
+      services.openssh = {
+        enable = true;
+        permitRootLogin = "yes";
+      };
+
+      systemd.network.enable = true;
+
+      networking.useHostResolvConf = false;
+
+      systemd.network.networks."30-enp6s0f1" = values.defaultNetworkConfig // {
+        matchConfig.Name = "enp6s0f1";
+        address = with values.hosts.jokum; [ (ipv4 + "/25") (ipv6 + "/64") ]
+          ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
+      };
+
+      system.stateVersion = "21.05";
+    };
  };
 }
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -2,13 +2,14 @@
 {
  services.postgresql = {
    enable = true;
+    package = pkgs.postgresql_15;
    enableTCPIP = true;

-    authentication = pkgs.lib.mkOverride 10 ''
-      local all all trust
-      host all all 127.0.0.0/8 trust
-      host all all ::1/128 trust
-      host all all 241.129.241.128/25
+    dataDir = "/data/postgresql";
+
+    authentication = ''
+      host all all 129.241.210.128/25 md5
+      host all all 2001:700:300:1900::/64 md5
    '';

    # Hilsen https://pgconfigurator.cybertec-postgresql.com/
@@ -68,4 +69,7 @@
      wal_recycle = true;
    };
  };
+
+  networking.firewall.allowedTCPPorts = [ 5432 ];
+  networking.firewall.allowedUDPPorts = [ 5432 ];
 }