mistral: ms-sql-server

moni-dz · Sep 8, 2024 · c59e40f · c59e40f
1 parent 030848b
commit c59e40f
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 10 deletions.
diff --git a/hosts/default.nix b/hosts/default.nix
@@ -16,6 +16,16 @@
       server = true;
 
       modules = [
+        inputs.agenix.nixosModules.default
+
+        {
+          age.secrets.ms-sql-server = {
+            file = ../secrets/ms-sql-server.age;
+            owner = "moni";
+            mode = "0444";
+          };
+        }
+
         inputs.nix-minecraft.nixosModules.minecraft-servers
         ./mistral/configuration.nix
       ];

diff --git a/hosts/mistral/configuration.nix b/hosts/mistral/configuration.nix
@@ -1,6 +1,7 @@
 {
   inputs,
   modulesPath,
+  config,
   lib,
   pkgs,
   ...
@@ -30,8 +31,12 @@
   programs.fish.enable = true;
 
   networking.firewall = {
-    allowedTCPPorts = [ 4747 ];
-    allowedUDPPorts = [ 4747 ];
+    allowedTCPPorts = [
+      1433
+      4747
+    ];
+
+    interfaces.podman1.allowedUDPPorts = [ 53 ];
   };
 
   services = {
@@ -189,10 +194,40 @@
     };
   };
 
+  systemd.services.create-podman-network = with config.virtualisation.oci-containers; {
+    serviceConfig.Type = "oneshot";
+    wantedBy = [ "${backend}-ms-sql-server.service" ];
+
+    script = ''
+      ${lib.getExe pkgs.podman} network exists db-net || ${lib.getExe pkgs.podman} network create db-net
+    '';
+  };
+
   users.users.moni = {
     isNormalUser = true;
     home = "/home/moni";
     shell = pkgs.fish;
     extraGroups = [ "wheel" ];
   };
+
+  virtualisation = {
+    podman.enable = true;
+
+    oci-containers = {
+      backend = "podman";
+
+      containers.ms-sql-server = {
+        image = "mcr.microsoft.com/mssql/server:2022-latest";
+        autoStart = true;
+        ports = [ "1433:1433" ];
+
+        environment = {
+          ACCEPT_EULA = "Y";
+          MSSQL_SA_PASSWORD = __readFile config.age.secrets.ms-sql-server.path; # yes, this is bad but I don't have much choice...
+        };
+
+        extraOptions = [ "--network=db-net" ];
+      };
+    };
+  };
 }
diff --git a/hosts/starcruiser/configuration.nix b/hosts/starcruiser/configuration.nix
@@ -189,10 +189,10 @@
       # $ sudo smbpasswd -a yourusername
 
       # This adds to the [global] section:
-      extraConfig = ''
-        browseable = yes
-        smb encrypt = required
-      '';
+      settings."global" = {
+        browseable = "yes";
+        "smb encrypt" = "required";
+      };
 
       shares = {
         homes = {

diff --git a/secrets/ms-sql-server.age b/secrets/ms-sql-server.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 KAuKJQ S+5Cj+apibo8urg+BwImZ7bMuiBTcCbU2vwvfiuTKRc
+17qaL3XbwmwOEsLyLczHUbqfp+bUCCFXFdgtVHjnLAg
+-> ssh-ed25519 OasC+A V0wHZeDlGzNTmY+iZGIFCV5K+X+mi8ZxKkRpMfXFjxM
+k6J55lXiYpHcyHQ43T/KmRfvzY6zIRSTqO6nQ0hod7E
+-> ssh-ed25519 KAuKJQ fgPfr0ybokgSxQeSdg7NHpyUeWWKAPd+6qgKbn5dBgM
+o7Mgc3RFaZ+nZd5HOY/FbPvr6+dCEcZ00kYJsg5vZOY
+-> ssh-ed25519 fKg5bA DGsDYH+PY/kIE1P83uM/OratFSgBKg2owSccnxFdpl8
+SiGp65d0h1Hz9M5FshGSKiDcW9aEKbT0yuSv6LIBen8
+--- R0a2WytYTgh3SKesag1I1FSa2vhdVgdP8pzusQG8f00
+T���)Z�Agϟ�_����[���q���Q����<�+h�4K
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -7,17 +7,19 @@ let
   zero = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOf7dkQDloUFN1Hxn/yWrcqMaJiH/jsXUGAAtL9l92xQ";
   starcruiser = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrPdqIiTrGqnN6eAhRuGl9ZV2sUz/IR85T3/TzUT4Ol";
   riscake = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEeZg4xxANKadIm8hnhM/rQrl77Xwwp0tFRnnANtFgI3";
+  mistral = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFDRGyDQlHPogYIt0IIwI+/1D+U3qbOHOZOyPsAN2NWt";
 
   users = [
     moni.linux
     moni.darwin
     zero
   ];
-  hosts = [
+in
+{
+  "tokens.age".publicKeys = users ++ [
     starcruiser
     riscake
   ];
-in
-{
-  "tokens.age".publicKeys = users ++ hosts;
+
+  "ms-sql-server.age".publicKeys = users ++ [ mistral ];
 }