nix/lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: nix:25.05
Branches Tags
nix:master
nix:dev
..
compare: nix:master
Branches Tags
nix:master
nix:dev

No commits in common. "25.05" and "master" have entirely different histories.
25.05 ... master

18 changed files with 401 additions and 337 deletions
Show Stats Expand all files Collapse all files

154
lib/fudo/adguard-dns-proxy.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.fudo.adguard-dns-proxy;
inherit (config.instance) hostname;
hostname = config.instance.hostname;
get-basename = filename:
head (builtins.match "^[a-zA-Z0-9]+-(.+)$" (baseNameOf filename));
@ -41,12 +41,7 @@ let
};
generate-config = { dns, http, filters, verbose, upstream-dns, bootstrap-dns
, blocked-hosts, enable-dnssec, domain-upstreams, local-domain-name, ... }:
let
upstreamDnsEntries = mapAttrsToList (_: opts:
let domainClause = concatStringsSep "/" opts.domains;
in "[/${domainClause}/]${opts.upstream}") domain-upstreams;
in {
, blocked-hosts, enable-dnssec, local-domain-name, ... }: {
bind_host = http.listen-ip;
bind_port = http.listen-port;
users = [{
@ -60,7 +55,7 @@ let
dns = {
bind_hosts = dns.listen-ips;
port = dns.listen-port;
upstream_dns = upstream-dns ++ upstreamDnsEntries;
upstream_dns = upstream-dns;
bootstrap_dns = bootstrap-dns;
enable_dnssec = enable-dnssec;
local_domain_name = local-domain-name;
@ -72,17 +67,16 @@ let
safesearch_enabled = false;
use_private_ptr_resolvers = cfg.dns.reverse-dns != [ ];
local_ptr_upstreams = cfg.dns.reverse-dns;
hostsfile_enabled = false;
};
tls.enabled = false;
filters = imap1 (i:
{ name, url, ... }: {
enabled = true;
inherit name url;
}) filters;
filters = imap1 (i: filter: {
enabled = true;
name = filter.name;
url = filter.url;
}) filters;
dhcp.enabled = false;
clients = [ ];
inherit verbose;
verbose = verbose;
schema_version = 10;
};
@ -128,25 +122,6 @@ in {
};
};
domain-upstreams = mkOption {
type = attrsOf (submodule ({ name, ... }: {
options = {
domains = mkOption {
type = listOf str;
description =
"List of domains to route to a specific upstream DNS target.";
default = [ name ];
};
upstream = mkOption {
type = str;
description = "Upstream DNS target, in {ip}:{port} format.";
};
};
}));
default = { };
};
filters = mkOption {
type = listOf (submodule filterOpts);
description = "List of filters to apply to DNS traffic.";
@ -208,8 +183,8 @@ in {
# These 11 addrs send the network, so the response can prefer closer answers
"https://9.9.9.11/dns-query"
"https://149.112.112.11/dns-query"
# "https://2620:fe::11/dns-query"
# "https://2620:fe::fe:11/dns-query"
"https://2620:fe::11/dns-query"
"https://2620:fe::fe:11/dns-query"
];
};
@ -247,7 +222,18 @@ in {
verbose = mkEnableOption "Keep verbose logs.";
};
config = mkIf cfg.enable {
config = mkIf cfg.enable (let
upgrade-perms = cfg.dns.listen-port <= 1024 || cfg.http.listen-port <= 1024;
in {
users = mkIf upgrade-perms {
users.${cfg.user} = {
isSystemUser = true;
group = cfg.user;
};
groups.${cfg.user} = { members = [ cfg.user ]; };
};
fudo = {
secrets.host-secrets.${hostname} = {
adguard-dns-proxy-admin-password = {
@ -256,75 +242,41 @@ in {
user = "root";
};
};
};
networking.firewall = {
allowedTCPPorts = [ cfg.dns.listen-port ];
allowedUDPPorts = [ cfg.dns.listen-port ];
};
system.services.adguard-dns-proxy =
let cfg-path = "/run/adguard-dns-proxy/config.yaml";
in {
description =
"DNS Proxy for ad filtering and DNS-over-HTTPS lookups.";
wantedBy = [ "default.target" ];
after = [ "syslog.target" ];
requires = [ "network.target" ];
privateNetwork = false;
requiredCapabilities = optional upgrade-perms "CAP_NET_BIND_SERVICE";
restartWhen = "always";
addressFamilies = null;
networkWhitelist = cfg.allowed-networks;
user = mkIf upgrade-perms cfg.user;
runtimeDirectory = "adguard-dns-proxy";
stateDirectory = "adguard-dns-proxy";
preStart = ''
cp ${generate-config-file cfg} ${cfg-path};
chown $USER ${cfg-path};
chmod u+w ${cfg-path};
'';
systemd.services.adguard-dns-proxy =
let configFile = "/run/adguard-dns-proxy/config.yaml";
in {
description = "DNS proxy for ad filtering and DNS-over-HTTPS lookups.";
wantedBy = [ "default.target" ];
after = [ "network.target" ];
requires = [ "network.target" ];
serviceConfig = {
ExecStartPre = pkgs.writeShellScript "adguardsProxyPrestart.sh"
"cp ${generate-config-file cfg} $RUNTIME_DIRECTORY/config.yaml";
ExecStart = pkgs.writeShellScript "adguardProxyStart.sh"
(concatStringsSep " " [
"${pkgs.adguardhome}/bin/adguardhome"
execStart = let
args = [
"--no-check-update"
"--work-dir /var/lib/adguard-dns-proxy"
"--pidfile /run/adguard-dns-proxy.pid"
"--pidfile /run/adguard-dns-proxy/adguard-dns-proxy.pid"
"--host ${cfg.http.listen-ip}"
"--port ${toString cfg.http.listen-port}"
"--config $RUNTIME_DIRECTORY/config.yaml"
]);
AmbientCapabilities = optional
(cfg.dns.listen-port <= 1024 || cfg.http.listen-port <= 1024)
[ "CAP_NET_BIND_SERVICE" ];
DynamicUser = true;
RuntimeDirectory = "adguard-dns-proxy";
StateDirectory = "adguard-dns-proxy";
"--config ${cfg-path}"
];
arg-string = concatStringsSep " " args;
in "${pkgs.adguardhome}/bin/adguardhome ${arg-string}";
};
};
# system.services.adguard-dns-proxy =
# let cfg-path = "/run/adguard-dns-proxy/config.yaml";
# in {
# description =
# "DNS Proxy for ad filtering and DNS-over-HTTPS lookups.";
# wantedBy = [ "default.target" ];
# after = [ "syslog.target" ];
# requires = [ "network.target" ];
# privateNetwork = false;
# requiredCapabilities = optional upgrade-perms "CAP_NET_BIND_SERVICE";
# restartWhen = "always";
# addressFamilies = null;
# networkWhitelist = cfg.allowed-networks;
# user = mkIf upgrade-perms cfg.user;
# runtimeDirectory = "adguard-dns-proxy";
# stateDirectory = "adguard-dns-proxy";
# preStart = ''
# cp ${generate-config-file cfg} ${cfg-path};
# chown $USER ${cfg-path};
# chmod u+w ${cfg-path};
# '';
# execStart = let
# args = [
# "--no-check-update"
# "--work-dir /var/lib/adguard-dns-proxy"
# "--pidfile /run/adguard-dns-proxy/adguard-dns-proxy.pid"
# "--host ${cfg.http.listen-ip}"
# "--port ${toString cfg.http.listen-port}"
# "--config ${cfg-path}"
# ];
# arg-string = concatStringsSep " " args;
# in "${pkgs.adguardhome}/bin/adguardhome ${arg-string}";
# };
};
};
});
}

32
lib/fudo/auth/kerberos/default.nix
View File

@ -6,24 +6,22 @@ in {
imports = [ ./kdc.nix ];
config = {
security.krb5 = {
krb5 = {
enable = true;
package = pkgs.heimdal;
settings = {
libdefaults = {
default_realm = realm;
allow_weak_crypto = false;
dns_lookup_kdc = true;
dns_lookup_realm = true;
forwardable = true;
proxiable = true;
};
appdefaults = {
forwardable = true;
proxiable = true;
encrypt = true;
forward = true;
};
kerberos = pkgs.heimdal;
libdefaults = {
default_realm = realm;
allow_weak_crypto = false;
dns_lookup_kdc = true;
dns_lookup_realm = true;
forwardable = true;
proxiable = true;
};
appdefaults = {
forwardable = true;
proxiable = true;
encrypt = true;
forward = true;
};
};

1
lib/fudo/default.nix
View File

@ -22,6 +22,7 @@ with lib; {
./grafana.nix
./hosts.nix
./host-filesystems.nix
./initrd-network.nix
./ipfs.nix
./jabber.nix
# ./kdc.nix

3
lib/fudo/grafana.nix
View File

@ -159,6 +159,7 @@ in {
state-directory = mkOption {
type = str;
description = "Directory at which to store Grafana state data.";
default = "/var/lib/grafana";
};
private-network = mkEnableOption "Network is private, no SSL.";
@ -198,7 +199,7 @@ in {
grafana = {
enable = true;
dataDir = toPath cfg.state-directory;
dataDir = cfg.state-directory;
settings = {

3
lib/fudo/hosts.nix
View File

@ -93,12 +93,11 @@ in {
time.timeZone = site.timezone;
security.krb5.settings.libdefaults.default_realm = domain.gssapi-realm;
krb5.libdefaults.default_realm = domain.gssapi-realm;
services = {
cron.mailto = domain.admin-email;
fail2ban.ignoreIP = config.instance.local-networks;
udev.packages = optional host-cfg.android-dev pkgs.android-udev-rules;
};
virtualisation.docker = mkIf (host-cfg.docker-server) {

86
lib/fudo/initrd-network.nix Normal file
View File

@ -0,0 +1,86 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
initrd-cfg = config.fudo.hosts.${hostname}.initrd-network;
read-lines = filename: splitString "\n" (fileContents filename);
concatLists = lsts: concatMap (i: i) lsts;
gen-sshfp-records-pkg = hostname: pubkey: let
pubkey-file = builtins.toFile "${hostname}-initrd-ssh-pubkey" pubkey;
in pkgs.stdenv.mkDerivation {
name = "${hostname}-initrd-ssh-firngerprint";
phases = [ "installPhase" ];
buildInputs = with pkgs; [ openssh ];
installPhase = ''
mkdir $out
ssh-keygen -r REMOVEME -f "${pubkey-file}" | sed 's/^REMOVEME IN SSHFP //' >> $out/initrd-ssh-pubkey.sshfp
'';
};
gen-sshfp-records = hostname: pubkey: let
sshfp-record-pkg = gen-sshfp-records-pkg hostname pubkey;
in read-lines "${sshfp-record-pkg}/initrd-ssh-pubkey.sshfp";
in {
config = {
boot = mkIf (initrd-cfg != null) {
kernelParams = let
site-name = config.instance.local-site;
site = config.fudo.sites.${site-name};
site-gateway = pkgs.lib.network.site-gateway config site-name;
netmask =
pkgs.lib.ip.maskFromV32Network site.network;
in [
"ip=${initrd-cfg.ip}:${site-gateway}:${netmask}:${hostname}:${initrd-cfg.interface}"
];
initrd = {
network = {
enable = true;
ssh = let
admin-ssh-keys =
concatMap (admin: config.fudo.users.${admin}.ssh-authorized-keys)
config.instance.local-admins;
in {
enable = true;
port = 22;
authorizedKeys = admin-ssh-keys;
hostKeys = [
initrd-cfg.keypair.private-key-file
];
};
};
};
};
fudo = {
local-network = let
initrd-network-hosts =
filterAttrs
(hostname: hostOpts: hostOpts.initrd-network != null)
config.instance.local-hosts;
in {
zone-definition.hosts = mapAttrs'
(hostname: hostOpts: nameValuePair "${hostname}-recovery" {
ipv4-address = hostOpts.initrd-network.ip;
description = "${hostname} initrd host";
}) initrd-network-hosts;
extra-records = let
recs = (mapAttrsToList
(hostname: hostOpts: map
(sshfp: "${hostname} IN SSHFP ${sshfp}")
(gen-sshfp-records hostname hostOpts.initrd-network.keypair.public-key))
initrd-network-hosts);
in concatLists recs;
};
};
};
}

17
lib/fudo/local-network.nix
View File

@ -4,8 +4,6 @@ with lib;
let
cfg = config.fudo.local-network;
inherit (pkgs.lib) getHostIpv4 getHostFqdn;
join-lines = concatStringsSep "\n";
inherit (pkgs.lib.ip)
@ -119,12 +117,14 @@ in {
config = mkIf cfg.enable {
fudo.system.hostfile-entries = let
siteHosts =
(filterAttrs (_: hostOpts: hostOpts.site == config.instance.local-site)
config.fudo.hosts);
in mapAttrs' (hostname: _:
nameValuePair (getHostIpv4 hostname) [ (getHostFqdn hostname) hostname ])
(filterAttrs (hostname: _: !isNull (getHostIpv4 hostname)) siteHosts);
other-hosts =
filterAttrs (hostname: hostOpts: hostname != config.instance.hostname)
cfg.zone-definition.hosts;
in mapAttrs' (hostname: hostOpts:
nameValuePair hostOpts.ipv4-address [
"${hostname}.${cfg.domain}"
hostname
]) other-hosts;
services.kea.dhcp4 = {
enable = true;
@ -161,7 +161,6 @@ in {
}
];
subnet4 = [{
id = 1;
pools = [{
pool = let
minIp = networkMinIp cfg.dhcp-dynamic-network;

1
lib/fudo/minecraft-clj.nix
View File

@ -268,7 +268,6 @@ in {
"${worldOpts.world-name} Minecraft Server with Clojure REPL";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;

10
lib/fudo/nexus.nix
View File

@ -9,14 +9,14 @@ let
default = name;
};
server = mkOption {
type = str;
description = "Primary server for this Nexus domain.";
servers = mkOption {
type = listOf str;
description = "List of servers for this Nexus domain.";
};
secondary-dns-servers = mkOption {
dns-servers = mkOption {
type = listOf str;
description = "List of secondary DNS servers for this Nexus domain.";
description = "List of DNS servers for this Nexus domain.";
};
gssapi-realm = mkOption {

135
lib/fudo/postgres.nix
View File

@ -7,13 +7,11 @@ let
hostname = config.instance.hostname;
domain-name = config.instance.local-domain;
sslEnabled = cfg.ssl-certificate != null;
gssapi-realm = config.fudo.domains.${domain-name}.gssapi-realm;
strip-ext = filename: head (builtins.match "^(.+)[.][^.]+$" filename);
join-lines = lib.concatStringsSep "\n";
joinLines = concatStringsSep "\n";
strip-ext = filename: head (builtins.match "^(.+)[.][^.]+$" filename);
userDatabaseOpts = { database, ... }: {
options = {
@ -103,7 +101,7 @@ let
exit 2
fi
${joinLines (mapAttrsToList (user: opts:
${join-lines (mapAttrsToList (user: opts:
password-setter-script user opts.password-file "$OUTPUT_FILE")
(filterPasswordedUsers users))}
'';
@ -113,19 +111,17 @@ let
nameValuePair "DATABASE ${database}" databaseOpts.access) databases;
makeEntry = nw:
let hostClause = if sslEnabled then "hostssl" else "host";
in "${hostClause} all all ${nw} gss include_realm=0 krb_realm=${gssapi-realm}";
"hostssl all all ${nw} gss include_realm=0 krb_realm=${gssapi-realm}";
makeNetworksEntry = networks: joinLines (map makeEntry networks);
makeNetworksEntry = networks: join-lines (map makeEntry networks);
makeLocalUserPasswordEntries = users: networks:
let
network-entries = user: db:
joinLines (map (network:
let hostClause = if sslEnabled then "hostssl" else "host";
in "${hostClause} ${db} ${user} ${network} md5") networks);
in joinLines (mapAttrsToList (user: opts:
joinLines (map (db: ''
join-lines
(map (network: "hostssl ${db} ${user} ${network} md5") networks);
in join-lines (mapAttrsToList (user: opts:
join-lines (map (db: ''
local ${db} ${user} md5
host ${db} ${user} 127.0.0.1/16 md5
host ${db} ${user} ::1/128 md5
@ -136,18 +132,19 @@ let
enableDatabaseExtensionsSql = database: databaseOpts: ''
\c ${database}
${joinLines (map enableExtensionSql databaseOpts.extensions)}
${join-lines (map enableExtensionSql databaseOpts.extensions)}
'';
userTableAccessSql = user: entity: access:
"GRANT ${access} ON ${entity} TO ${user};";
userDatabaseAccessSql = user: database: dbOpts: ''
\c ${database}
${joinLines (mapAttrsToList (userTableAccessSql user) dbOpts.entity-access)}
${join-lines
(mapAttrsToList (userTableAccessSql user) dbOpts.entity-access)}
'';
userAccessSql = user: userOpts:
joinLines (mapAttrsToList (userDatabaseAccessSql user) userOpts.databases);
usersAccessSql = users: joinLines (mapAttrsToList userAccessSql users);
join-lines (mapAttrsToList (userDatabaseAccessSql user) userOpts.databases);
usersAccessSql = users: join-lines (mapAttrsToList userAccessSql users);
in {
@ -208,23 +205,23 @@ in {
default = { };
};
# socket-directory = mkOption {
# type = str;
# description = "Directory in which to place unix sockets.";
# default = "/run/postgresql";
# };
socket-directory = mkOption {
type = str;
description = "Directory in which to place unix sockets.";
default = "/run/postgresql";
};
# socket-group = mkOption {
# type = str;
# description = "Group for accessing sockets.";
# default = "postgres_local";
# };
socket-group = mkOption {
type = str;
description = "Group for accessing sockets.";
default = "postgres_local";
};
# local-users = mkOption {
# type = listOf str;
# description = "Users able to access the server via local socket.";
# default = [ ];
# };
local-users = mkOption {
type = listOf str;
description = "Users able to access the server via local socket.";
default = [ ];
};
required-services = mkOption {
type = listOf str;
@ -258,27 +255,23 @@ in {
environment.systemPackages = with pkgs; [ cfg.package ];
# users.groups = {
# ${cfg.socket-group} = { members = [ "postgres" ] ++ cfg.local-users; };
# };
users.groups = {
${cfg.socket-group} = { members = [ "postgres" ] ++ cfg.local-users; };
};
services.postgresql = {
enable = true;
package = cfg.package;
enableTCPIP = true;
ensureDatabases = mapAttrsToList (name: value: name) cfg.databases;
ensureUsers = map (user: {
name = user;
ensureClauses.login = true;
}) (attrNames cfg.users);
# ensureUsers = ((mapAttrsToList (username: attrs: {
# name = username;
# ensurePermissions = userDatabaseAccess username attrs.databases;
# }) cfg.users) ++ (flatten (mapAttrsToList (database: opts:
# (map (username: {
# name = username;
# ensurePermissions = { "DATABASE ${database}" = "ALL PRIVILEGES"; };
# }) opts.users)) cfg.databases)));
ensureUsers = ((mapAttrsToList (username: attrs: {
name = username;
ensurePermissions = userDatabaseAccess username attrs.databases;
}) cfg.users) ++ (flatten (mapAttrsToList (database: opts:
(map (username: {
name = username;
ensurePermissions = { "DATABASE ${database}" = "ALL PRIVILEGES"; };
}) opts.users)) cfg.databases)));
settings = let ssl-enabled = cfg.ssl-certificate != null;
in {
@ -288,11 +281,9 @@ in {
ssl_cert_file = mkIf ssl-enabled cfg.ssl-certificate;
ssl_key_file = mkIf ssl-enabled cfg.ssl-private-key;
# unix_socket_directories = cfg.socket-directory;
# unix_socket_group = cfg.socket-group;
# unix_socket_permissions = "0777";
log_min_error_statement = "DEBUG3";
unix_socket_directories = cfg.socket-directory;
unix_socket_group = cfg.socket-group;
unix_socket_permissions = "0777";
};
authentication = lib.mkForce ''
@ -313,9 +304,9 @@ in {
systemd = {
tmpfiles.rules = optionals (cfg.state-directory != null)
tmpfiles.rules = optional (cfg.state-directory != null)
(let user = config.systemd.services.postgresql.serviceConfig.User;
in [ "d ${cfg.state-directory} 0700 ${user} - - -" ]);
in "d ${cfg.state-directory} 0700 ${user} - - -");
targets.${strip-ext cfg.systemd-target} = {
description = "Postgresql and associated systemd services.";
@ -362,12 +353,11 @@ in {
description =
"A service to set postgresql user passwords after the server has started.";
after = [ "postgresql.service" ] ++ cfg.required-services;
requires = [ "postgresql.service" ] ++ cfg.required-services;
wantedBy = [ "postgresql.service" ];
serviceConfig = {
Type = "oneshot";
User = config.services.postgresql.superUser;
ExecStart = password-wrapper-script;
ExecStart = "${password-wrapper-script}";
};
partOf = [ cfg.systemd-target ];
};
@ -382,7 +372,7 @@ in {
# allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
# extra-settings-sql = pkgs.writeText "settings.sql" ''
# ${joinLines
# ${concatStringsSep "\n"
# (map allow-user-login (mapAttrsToList (key: val: key) cfg.users))}
# ${usersAccessSql cfg.users}
# '';
@ -394,40 +384,28 @@ in {
# '';
# Wait a bit before starting dependent services, to let postgres finish initializing
serviceConfig = {
# ReadWritePaths = [ cfg.socket-directory ];
ExecStartPost = mkAfter [ "${pkgs.coreutils}/bin/sleep 10" ];
};
serviceConfig.ExecStartPost =
mkAfter [ "${pkgs.coreutils}/bin/sleep 10" ];
postStop = joinLines cfg.cleanup-tasks;
postStop = concatStringsSep "\n" cfg.cleanup-tasks;
};
postgresql-finalizer = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" "postgresql-password-setter.service" ];
partOf = [ cfg.systemd-target ];
partOf = [ "postgresql.target" ];
wantedBy = [ "postgresql.service" ];
serviceConfig = {
User = config.services.postgresql.superUser;
ExecStart = let
enableExtensionsClause = joinLines
(mapAttrsToList enableDatabaseExtensionsSql cfg.databases);
grantMasterAccessSql = db: user: ''
GRANT ALL PRIVILEGES ON DATABASE ${db} TO ${user};
\c ${db} postgres
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO ${user};
\c postgres postgres
'';
grantMasterAccess = joinLines (mapAttrsToList (database: opts:
joinLines (map (grantMasterAccessSql database) opts.users))
cfg.databases);
allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
extra-settings-sql = pkgs.writeText "settings.sql" ''
${enableExtensionsClause}
${join-lines
(mapAttrsToList enableDatabaseExtensionsSql cfg.databases)}
${grantMasterAccess}
${concatStringsSep "\n" (map allow-user-login
(mapAttrsToList (key: val: key) cfg.users))}
${usersAccessSql cfg.users}
'';
@ -435,6 +413,7 @@ in {
${pkgs.postgresql}/bin/psql --port ${
toString config.services.postgresql.port
} -d postgres -f ${extra-settings-sql}
chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*
'';
};
};

102
lib/fudo/prometheus.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }@toplevel:
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.fudo.metrics.prometheus;
@ -15,50 +15,35 @@ in {
description = "The prometheus package that should be used.";
};
scrapers = let
scraperOpts.options = {
name = mkOption {
type = str;
description = "Name of this exporter.";
};
secured = mkOption {
type = bool;
description = "Whether to use https instead of http.";
default = !toplevel.config.fudo.metrics.prometheus.private-network;
};
path = mkOption {
type = str;
description = "Host path at which to find exported metrics.";
default = "/metrics";
};
port = mkOption {
type = port;
description = "Port on which to scrape for metrics.";
default =
if toplevel.config.fudo.metrics.prometheus.private-network then
80
else
443;
};
static-targets = mkOption {
type = listOf str;
description = "Explicit list of hosts to scrape for metrics.";
default = [ ];
};
dns-sd-records = mkOption {
type = listOf str;
description = "List of DNS records to query for hosts to scrape.";
default = [ ];
};
service-discovery-dns = mkOption {
type = attrsOf (listOf str);
description = ''
A map of exporter type to a list of domains to use for service discovery.
'';
example = {
node = [ "node._metrics._tcp.my-domain.com" ];
postfix = [ "postfix._metrics._tcp.my-domain.com" ];
};
default = {
dovecot = [ ];
node = [ ];
postfix = [ ];
rspamd = [ ];
};
};
static-targets = mkOption {
type = attrsOf (listOf str);
description = ''
A map of exporter type to a list of host:ports from which to collect metrics.
'';
example = { node = [ "my-host.my-domain:1111" ]; };
default = {
dovecot = [ ];
node = [ ];
postfix = [ ];
rspamd = [ ];
};
in mkOption {
type = listOf (submodule scraperOpts);
default = [ ];
};
docker-hosts = mkOption {
@ -94,6 +79,7 @@ in {
state-directory = mkOption {
type = str;
description = "Directory at which to store Prometheus state.";
default = "/var/lib/prometheus";
};
private-network = mkEnableOption "Network is private.";
@ -148,19 +134,21 @@ in {
port = 9090;
scrapeConfigs = let
mkScraper =
{ name, secured, path, port, static-targets, dns-sd-records }: {
job_name = name;
honor_labels = false;
scheme = if secured then "https" else "http";
metrics_path = path;
static_configs = mkIf (static-targets != [ ])
(let attachPort = target: "${target}:${toString port}";
in [{ targets = map attachPort static-targets; }]);
dns_sd_configs =
mkIf (dns-sd-records != [ ]) [{ names = dns-sd-records; }];
};
in map mkScraper cfg.scrapers;
make-job = type: {
job_name = type;
honor_labels = false;
scheme = if cfg.private-network then "http" else "https";
metrics_path = "/metrics/${type}";
static_configs = if (hasAttr type cfg.static-targets) then [{
targets = cfg.static-targets.${type};
}] else
[ ];
dns_sd_configs = if (hasAttr type cfg.service-discovery-dns) then [{
names = cfg.service-discovery-dns.${type};
}] else
[ ];
};
in map make-job [ "docker" "node" "dovecot" "postfix" "rspamd" ];
pushgateway = {
enable = if (cfg.push-url != null) then true else false;

52
lib/fudo/slynk.nix
View File

@ -4,23 +4,34 @@ with lib;
let
cfg = config.fudo.slynk;
initScript = port:
pkgs.writeText "slynk.lisp" ''
(asdf:load-system 'slynk)
initScript = port: load-paths:
let
load-path-string =
concatStringsSep " " (map (path: ''"${path}"'') load-paths);
in pkgs.writeText "slynk.lisp" ''
(load (merge-pathnames "quicklisp/setup.lisp" (user-homedir-pathname)))
(ql:quickload :slynk)
(setf asdf:*central-registry*
(append asdf:*central-registry*
(list ${load-path-string})))
(slynk:create-server :port ${toString port} :dont-close t)
(dolist (var '("LD_LIBRARY_PATH"))
(format t "~S: ~S~%" var (sb-unix::posix-getenv var)))
(loop (sleep 60))
'';
sbclWithLibs = pkgs.sbcl.withPackages (ps:
with ps; [
alexandria
asdf-package-system
asdf-system-connections
cl_plus_ssl
cl-ppcre
quri
usocket
]);
lisp-libs = with pkgs.lispPackages; [
alexandria
asdf-package-system
asdf-system-connections
cl_plus_ssl
cl-ppcre
quicklisp
quri
uiop
usocket
];
in {
options.fudo.slynk = {
@ -37,17 +48,20 @@ in {
systemd.user.services.slynk = {
description = "Slynk Common Lisp server.";
serviceConfig = {
ExecStart = "sbcl --load ${initScript cfg.port}";
Restart = "on-failure";
PIDFile = "/run/slynk.$USERNAME.pid";
};
serviceConfig =
let load-paths = (map (pkg: "${pkg}/lib/common-lisp/") lisp-libs);
in {
ExecStartPre = "${pkgs.lispPackages.quicklisp}/bin/quicklisp init";
ExecStart =
"${pkgs.sbcl}/bin/sbcl --load ${initScript cfg.port load-paths}";
Restart = "on-failure";
PIDFile = "/run/slynk.$USERNAME.pid";
};
path = with pkgs; [
gcc
glibc # for getent
file
sbclWithLibs
];
environment = { LD_LIBRARY_PATH = "${pkgs.openssl.out}/lib"; };

3
lib/fudo/webmail.nix
View File

@ -366,9 +366,6 @@ in {
'');
in {
requiredBy = [ "nginx.service" ];
before = [ "nginx.service" ];
requires = [ config.fudo.secrets.secret-target ];
after = [ config.fudo.secrets.secret-target ];
description =
"Initialize webmail service directories prior to starting nginx.";
script = "${scriptPkg}/bin/webmail-init.sh";

17
lib/instance.nix
View File

@ -19,8 +19,7 @@ in {
build-timestamp = mkOption {
type = int;
description =
"Timestamp associated with the build. Used for e.g. DNS serials.";
description = "Timestamp associated with the build. Used for e.g. DNS serials.";
};
local-domain = mkOption {
@ -46,8 +45,7 @@ in {
local-admins = mkOption {
type = listOf str;
description =
"List of users who should have admin access to the local host.";
description = "List of users who should have admin access to the local host.";
};
local-groups = mkOption {
@ -57,8 +55,7 @@ in {
local-hosts = mkOption {
type = attrsOf (submodule host.hostOpts);
description =
"List of hosts that should be considered local to the current host.";
description = "List of hosts that should be considered local to the current host.";
};
local-users = mkOption {
@ -68,8 +65,7 @@ in {
local-networks = mkOption {
type = listOf str;
description =
"Networks which are considered local to this host, site, or domain.";
description = "Networks which are considered local to this host, site, or domain.";
};
service-home = mkOption {
@ -85,7 +81,8 @@ in {
};
config = {
systemd.tmpfiles.rules =
[ "d ${config.instance.service-home} 755 root root - -" ];
systemd.tmpfiles.rules = [
"d ${config.instance.service-home} 755 root root - -"
];
};
}

8
lib/lib/dns.nix
View File

@ -153,14 +153,14 @@ let
${join-lines (mapAttrsToList makeMetricRecords zone.metric-records)}
${join-lines (mapAttrsToList cnameRecord zone.aliases)}
${join-lines zone.verbatim-dns-records}
$TTL ${zone.host-record-ttl}
${join-lines (mapAttrsToList hostRecords zone.hosts)}
${join-lines (mapAttrsToList cnameRecord zone.aliases)}
${join-lines zone.verbatim-dns-records}
${join-lines (mapAttrsToList
(subdom: subdomCfg: domain-records "${subdom}.${dom}" subdomCfg)
zone.subdomains)}

5
lib/lib/text.nix
View File

@ -13,7 +13,4 @@ let
installPhase = "python -mjson.tool ${filename} > $out";
};
writeEnv = name: vars:
pkgs.writeText name (mapAttrsToList (var: val: "${var}=${val}") vars);
in { inherit format-json-file writeEnv; }
in { inherit format-json-file; }

102
lib/types/host.nix
View File

@ -92,7 +92,7 @@ in rec {
};
};
masterKeyOpts = _: {
masterKeyOpts = { ... }: {
options = with types; {
key-path = mkOption {
type = str;
@ -122,7 +122,7 @@ in rec {
type = str;
description =
"Primary domain to which the host belongs, in the form of a domain name.";
default = "unassigned.domain";
default = "fudo.org";
};
extra-domains = mkOption {
@ -290,28 +290,92 @@ in rec {
default = false;
};
wireguard = let
clientOpts = {
options = {
ip = mkOption {
type = nullOr str;
description =
"IP address assigned to this host in the WireGuard network.";
};
bound = mkOption {
type = bool;
description = "Whether to route all traffic from this host.";
default = false;
};
};
};
wireguardOpts = {
options = {
private-key-file = mkOption {
type = str;
description = "WireGuard private key file of the host.";
};
public-key = mkOption {
type = str;
description = "WireGuard public key.";
};
client = mkOption {
type = nullOr (submodule clientOpts);
default = null;
};
};
};
in mkOption {
type = nullOr (submodule wireguardOpts);
default = null;
};
initrd-network = let
keypair-type = { ... }: {
options = {
public-key = mkOption {
type = str;
description = "SSH public key.";
};
private-key-file = mkOption {
type = str;
description = "Path to SSH private key (on the local host!).";
};
};
};
initrd-network-config = { ... }: {
options = {
ip = mkOption {
type = str;
description =
"IP to assign to the initrd image, allowing access to host during bootup.";
};
keypair = mkOption {
type = (submodule keypair-type);
description = "SSH host key pair to use for initrd.";
};
interface = mkOption {
type = str;
description =
"Name of interface on which to listen for connections.";
};
};
};
in mkOption {
type = nullOr (submodule initrd-network-config);
description =
"Configuration parameters to set up initrd SSH network.";
default = null;
};
backplane-password-file = mkOption {
type = path;
description =
"File containing the password used by this host to connect to the backplane.";
};
initrd-ssh-key = mkOption {
type = nullOr str;
description =
"Path on the local filesystem to a host SSH key for initrd, if any.";
default = null;
};
deploy = {
enable = mkEnableOption "Enable deploy-rs deployments.";
ssh-options = mkOption {
type = listOf str;
description = "List of SSH options to use when deploying.";
default = [ ];
};
};
};
};
}

7
lib/types/user.nix
View File

@ -119,13 +119,6 @@ with lib; rec {
description = "User's surname.";
default = null;
};
config-user = mkOption {
type = nullOr str;
description =
"When generating config, consider this to be the 'real' user.";
default = null;
};
};
};