diff --git a/hosts/default.nix b/hosts/default.nix
index 38041bf..da2923b 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -16,6 +16,16 @@
 server = true;
 modules = [
+ inputs.agenix.nixosModules.default
+
+ {
+ age.secrets.ms-sql-server = {
+ file = ../secrets/ms-sql-server.age;
+ owner = "moni";
+ mode = "0444";
+ };
+ }
+
 inputs.nix-minecraft.nixosModules.minecraft-servers
 ./mistral/configuration.nix
 ];
diff --git a/hosts/mistral/configuration.nix b/hosts/mistral/configuration.nix
index e384b90..3af30f2 100644
--- a/hosts/mistral/configuration.nix
+++ b/hosts/mistral/configuration.nix
@@ -1,6 +1,7 @@
 {
 inputs,
 modulesPath,
+ config,
 lib,
 pkgs,
 ...
@@ -30,8 +31,12 @@
 programs.fish.enable = true;
 networking.firewall = {
- allowedTCPPorts = [ 4747 ];
- allowedUDPPorts = [ 4747 ];
+ allowedTCPPorts = [
+ 1433
+ 4747
+ ];
+
+ interfaces.podman1.allowedUDPPorts = [ 53 ];
 };
 services = {
@@ -189,10 +194,36 @@
 };
 };
+ systemd.services.create-podman-network = with config.virtualisation.oci-containers; {
+ serviceConfig.Type = "oneshot";
+ wantedBy = [ "${backend}-ms-sql-server.service" ];
+
+ script = ''
+ ${lib.getExe pkgs.podman} network exists db-net || ${lib.getExe pkgs.podman} network create db-net
+ '';
+ };
+
 users.users.moni = {
 isNormalUser = true;
 home = "/home/moni";
 shell = pkgs.fish;
 extraGroups = [ "wheel" ];
 };
+
+ virtualisation = {
+ podman.enable = true;
+
+ oci-containers = {
+ backend = "podman";
+
+ containers.ms-sql-server = {
+ image = "mcr.microsoft.com/mssql/server:2022-latest";
+ autoStart = true;
+ ports = [ "1433:1433" ];
+ environment.ACCEPT_EULA = "y";
+ environmentFiles = [ config.age.secrets.ms-sql-server.file ];
+ extraOptions = [ "--network=db-net" ];
+ };
+ };
+ };
 }
diff --git a/hosts/starcruiser/configuration.nix b/hosts/starcruiser/configuration.nix
index c0461eb..d8bf0fd 100644
--- a/hosts/starcruiser/configuration.nix
+++ b/hosts/starcruiser/configuration.nix
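Review bot: `mode = "0444"` makes the decrypted secret world-readable on the host, so any local user or process can read whatever the env file holds (presumably the SA password, since the same commit feeds it to the container via environmentFiles). The only consumer is the podman-managed ms-sql-server unit, which as written appears to run as root, so the agenix defaults suffice: drop `owner = "moni";` and use `mode = "0400";` (or omit both). If a non-root tool must read it, grant a dedicated group rather than everyone.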
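Review bot: Adding `1433` to `allowedTCPPorts` opens SQL Server on every interface of the host, and the container also publishes `1433:1433` on all addresses; unless remote clients are intended, bind to loopback with `ports = [ "127.0.0.1:1433:1433" ];` and drop the rule, or scope it with `interfaces.<lan-iface>.allowedTCPPorts` the way `podman1` is scoped here. Note too that published container ports are typically DNATed before the INPUT chain reaches this rule, so the firewall entry may not be what actually gates access — worth verifying on the host. Separately, `allowedUDPPorts = [ 4747 ]` disappears while TCP 4747 stays; if that is deliberate a short comment would help, otherwise it should be restored.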
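Review bot: `environmentFiles = [ config.age.secrets.ms-sql-server.file ]` points at the encrypted `.age` source in the store rather than the decrypted secret; agenix exposes the runtime location as `config.age.secrets.ms-sql-server.path`, so as written the container is handed ciphertext instead of its environment. `wantedBy` on `create-podman-network` only adds a Wants= edge, which carries no ordering, so the container can start before `db-net` exists on first boot; add `before = [ "${backend}-ms-sql-server.service" ];` next to it. The image tag `2022-latest` floats, so pin it by digest, e.g. `image = "mcr.microsoft.com/mssql/server:2022-latest@sha256:<digest-placeholder>";`, to make upgrades explicit and reviewable. `ports = [ "1433:1433" ]` binds every host address; `127.0.0.1:1433:1433` is the safer default unless remote access is required.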
@@ -189,10 +189,10 @@
 # $ sudo smbpasswd -a yourusername
 # This adds to the [global] section:
- extraConfig = ''
- browseable = yes
- smb encrypt = required
- '';
+ settings."global" = {
+ browseable = "yes";
+ "smb encrypt" = "required";
+ };
 shares = {
 homes = {
diff --git a/secrets/ms-sql-server.age b/secrets/ms-sql-server.age
new file mode 100644
index 0000000..013a6e3
--- /dev/null
+++ b/secrets/ms-sql-server.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 KAuKJQ uNmFlnOJrSfCYukis4yKo/R0vPbtft6l7bFLL2rhEzM
+3VUCbsImDTPwORsfdV2Upwm2oxdcamCEUrScDnbUOF8
+-> ssh-ed25519 OasC+A vDF4rFXn4Ej6s58w3DIO1CcwxsLc1ea9xI5ziiSe8AY
+JIGPq4U2ekfmm6l2e9EW7oq91Vw0KvKutIaIdt/vOwQ
+-> ssh-ed25519 KAuKJQ K6HF9PlDt8n3J6cQg7FY0UYMWON1dC/XQIyrOS6WKEk
+n33slXMowtZWwmbiG/LxOx0UO6uUMglYsugMlhi2GNM
+-> ssh-ed25519 fKg5bA EPjboK4/bFjUyh/5bSJEvhkpC8nTrS7tSskDzD20Om4
+burv5DChCvC+rhkeei4n+V8Lg+fA8BEfCR8WeiuaI90
+--- 1ru76Rtfhr56aDxjc1G9y719Y662nCWVA1qgqtEF5Es
+¢Å‘™µÞ«˜?[s†Œ2Õ•N**xZè:YrZ³öøíŽIÑX¥ôíšJ|xúì)Â!r‘Üà<–Sr¼Úw
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7d58726..600bb7e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -7,17 +7,19 @@ let
 zero = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOf7dkQDloUFN1Hxn/yWrcqMaJiH/jsXUGAAtL9l92xQ";
 starcruiser = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrPdqIiTrGqnN6eAhRuGl9ZV2sUz/IR85T3/TzUT4Ol";
 riscake = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEeZg4xxANKadIm8hnhM/rQrl77Xwwp0tFRnnANtFgI3";
+ mistral = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDRGyDQlHPogYIt0IIwI+/1D+U3qbOHOZOyPsAN2NWt";
 users = [
 moni.linux
 moni.darwin
 zero
 ];
- hosts = [
+in
+{
+ "tokens.age".publicKeys = users ++ [
 starcruiser
 riscake
 ];
-in
-{
- "tokens.age".publicKeys = users ++ hosts;
+
+ "ms-sql-server.age".publicKeys = users ++ [ mistral ];
 }
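Review bot: `settings."global"` quotes an attribute name that needs no quoting; `settings.global = {` matches the unquoted style of `shares = {` just below and reads the same. The comment `# This adds to the [global] section:` above it still describes the new form accurately, so it can stay. The enclosing `services.samba` block starts and ends outside the hunk.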
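Review bot: Two of the four recipient stanzas carry the same key tag `KAuKJQ`, which in the age format is derived from the recipient's public key, so the same ssh-ed25519 key was supplied twice. That is consistent with two entries of the `users` list in `secrets/secrets.nix` (presumably `moni.linux` and `moni.darwin`) resolving to one key; it is harmless for decryption, but worth confirming that a distinct key was not left out of the recipient list.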