nix/lib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: nix:25.05
Branches Tags
nix:master
nix:dev
..
compare: nix:master
Branches Tags
nix:master
nix:dev

No commits in common. "25.05" and "master" have entirely different histories.
25.05 ... master

18 changed files with 401 additions and 337 deletions
Show Stats Expand all files Collapse all files

154
lib/fudo/adguard-dns-proxy.nix
View File

@ -4,7 +4,7 @@ with lib;
let let
cfg = config.fudo.adguard-dns-proxy; cfg = config.fudo.adguard-dns-proxy;
inherit (config.instance) hostname; hostname = config.instance.hostname;
get-basename = filename: get-basename = filename:
head (builtins.match "^[a-zA-Z0-9]+-(.+)$" (baseNameOf filename)); head (builtins.match "^[a-zA-Z0-9]+-(.+)$" (baseNameOf filename));
@ -41,12 +41,7 @@ let
}; };
generate-config = { dns, http, filters, verbose, upstream-dns, bootstrap-dns generate-config = { dns, http, filters, verbose, upstream-dns, bootstrap-dns
, blocked-hosts, enable-dnssec, domain-upstreams, local-domain-name, ... }: , blocked-hosts, enable-dnssec, local-domain-name, ... }: {
let
upstreamDnsEntries = mapAttrsToList (_: opts:
let domainClause = concatStringsSep "/" opts.domains;
in "[/${domainClause}/]${opts.upstream}") domain-upstreams;
in {
bind_host = http.listen-ip; bind_host = http.listen-ip;
bind_port = http.listen-port; bind_port = http.listen-port;
users = [{ users = [{
@ -60,7 +55,7 @@ let
dns = { dns = {
bind_hosts = dns.listen-ips; bind_hosts = dns.listen-ips;
port = dns.listen-port; port = dns.listen-port;
upstream_dns = upstream-dns ++ upstreamDnsEntries; upstream_dns = upstream-dns;
bootstrap_dns = bootstrap-dns; bootstrap_dns = bootstrap-dns;
enable_dnssec = enable-dnssec; enable_dnssec = enable-dnssec;
local_domain_name = local-domain-name; local_domain_name = local-domain-name;
@ -72,17 +67,16 @@ let
safesearch_enabled = false; safesearch_enabled = false;
use_private_ptr_resolvers = cfg.dns.reverse-dns != [ ]; use_private_ptr_resolvers = cfg.dns.reverse-dns != [ ];
local_ptr_upstreams = cfg.dns.reverse-dns; local_ptr_upstreams = cfg.dns.reverse-dns;
hostsfile_enabled = false;
}; };
tls.enabled = false; tls.enabled = false;
filters = imap1 (i: filters = imap1 (i: filter: {
{ name, url, ... }: { enabled = true;
enabled = true; name = filter.name;
inherit name url; url = filter.url;
}) filters; }) filters;
dhcp.enabled = false; dhcp.enabled = false;
clients = [ ]; clients = [ ];
inherit verbose; verbose = verbose;
schema_version = 10; schema_version = 10;
}; };
@ -128,25 +122,6 @@ in {
}; };
}; };
domain-upstreams = mkOption {
type = attrsOf (submodule ({ name, ... }: {
options = {
domains = mkOption {
type = listOf str;
description =
"List of domains to route to a specific upstream DNS target.";
default = [ name ];
};
upstream = mkOption {
type = str;
description = "Upstream DNS target, in {ip}:{port} format.";
};
};
}));
default = { };
};
filters = mkOption { filters = mkOption {
type = listOf (submodule filterOpts); type = listOf (submodule filterOpts);
description = "List of filters to apply to DNS traffic."; description = "List of filters to apply to DNS traffic.";
@ -208,8 +183,8 @@ in {
# These 11 addrs send the network, so the response can prefer closer answers # These 11 addrs send the network, so the response can prefer closer answers
"https://9.9.9.11/dns-query" "https://9.9.9.11/dns-query"
"https://149.112.112.11/dns-query" "https://149.112.112.11/dns-query"
# "https://2620:fe::11/dns-query" "https://2620:fe::11/dns-query"
# "https://2620:fe::fe:11/dns-query" "https://2620:fe::fe:11/dns-query"
]; ];
}; };
@ -247,7 +222,18 @@ in {
verbose = mkEnableOption "Keep verbose logs."; verbose = mkEnableOption "Keep verbose logs.";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable (let
upgrade-perms = cfg.dns.listen-port <= 1024 || cfg.http.listen-port <= 1024;
in {
users = mkIf upgrade-perms {
users.${cfg.user} = {
isSystemUser = true;
group = cfg.user;
};
groups.${cfg.user} = { members = [ cfg.user ]; };
};
fudo = { fudo = {
secrets.host-secrets.${hostname} = { secrets.host-secrets.${hostname} = {
adguard-dns-proxy-admin-password = { adguard-dns-proxy-admin-password = {
@ -256,75 +242,41 @@ in {
user = "root"; user = "root";
}; };
}; };
};
networking.firewall = { system.services.adguard-dns-proxy =
allowedTCPPorts = [ cfg.dns.listen-port ]; let cfg-path = "/run/adguard-dns-proxy/config.yaml";
allowedUDPPorts = [ cfg.dns.listen-port ]; in {
}; description =
"DNS Proxy for ad filtering and DNS-over-HTTPS lookups.";
wantedBy = [ "default.target" ];
after = [ "syslog.target" ];
requires = [ "network.target" ];
privateNetwork = false;
requiredCapabilities = optional upgrade-perms "CAP_NET_BIND_SERVICE";
restartWhen = "always";
addressFamilies = null;
networkWhitelist = cfg.allowed-networks;
user = mkIf upgrade-perms cfg.user;
runtimeDirectory = "adguard-dns-proxy";
stateDirectory = "adguard-dns-proxy";
preStart = ''
cp ${generate-config-file cfg} ${cfg-path};
chown $USER ${cfg-path};
chmod u+w ${cfg-path};
'';
systemd.services.adguard-dns-proxy = execStart = let
let configFile = "/run/adguard-dns-proxy/config.yaml"; args = [
in {
description = "DNS proxy for ad filtering and DNS-over-HTTPS lookups.";
wantedBy = [ "default.target" ];
after = [ "network.target" ];
requires = [ "network.target" ];
serviceConfig = {
ExecStartPre = pkgs.writeShellScript "adguardsProxyPrestart.sh"
"cp ${generate-config-file cfg} $RUNTIME_DIRECTORY/config.yaml";
ExecStart = pkgs.writeShellScript "adguardProxyStart.sh"
(concatStringsSep " " [
"${pkgs.adguardhome}/bin/adguardhome"
"--no-check-update" "--no-check-update"
"--work-dir /var/lib/adguard-dns-proxy" "--work-dir /var/lib/adguard-dns-proxy"
"--pidfile /run/adguard-dns-proxy.pid" "--pidfile /run/adguard-dns-proxy/adguard-dns-proxy.pid"
"--host ${cfg.http.listen-ip}" "--host ${cfg.http.listen-ip}"
"--port ${toString cfg.http.listen-port}" "--port ${toString cfg.http.listen-port}"
"--config $RUNTIME_DIRECTORY/config.yaml" "--config ${cfg-path}"
]); ];
AmbientCapabilities = optional arg-string = concatStringsSep " " args;
(cfg.dns.listen-port <= 1024 || cfg.http.listen-port <= 1024) in "${pkgs.adguardhome}/bin/adguardhome ${arg-string}";
[ "CAP_NET_BIND_SERVICE" ];
DynamicUser = true;
RuntimeDirectory = "adguard-dns-proxy";
StateDirectory = "adguard-dns-proxy";
}; };
}; };
});
# system.services.adguard-dns-proxy =
# let cfg-path = "/run/adguard-dns-proxy/config.yaml";
# in {
# description =
# "DNS Proxy for ad filtering and DNS-over-HTTPS lookups.";
# wantedBy = [ "default.target" ];
# after = [ "syslog.target" ];
# requires = [ "network.target" ];
# privateNetwork = false;
# requiredCapabilities = optional upgrade-perms "CAP_NET_BIND_SERVICE";
# restartWhen = "always";
# addressFamilies = null;
# networkWhitelist = cfg.allowed-networks;
# user = mkIf upgrade-perms cfg.user;
# runtimeDirectory = "adguard-dns-proxy";
# stateDirectory = "adguard-dns-proxy";
# preStart = ''
# cp ${generate-config-file cfg} ${cfg-path};
# chown $USER ${cfg-path};
# chmod u+w ${cfg-path};
# '';
# execStart = let
# args = [
# "--no-check-update"
# "--work-dir /var/lib/adguard-dns-proxy"
# "--pidfile /run/adguard-dns-proxy/adguard-dns-proxy.pid"
# "--host ${cfg.http.listen-ip}"
# "--port ${toString cfg.http.listen-port}"
# "--config ${cfg-path}"
# ];
# arg-string = concatStringsSep " " args;
# in "${pkgs.adguardhome}/bin/adguardhome ${arg-string}";
# };
};
} }

32
lib/fudo/auth/kerberos/default.nix
View File

@ -6,24 +6,22 @@ in {
imports = [ ./kdc.nix ]; imports = [ ./kdc.nix ];
config = { config = {
security.krb5 = { krb5 = {
enable = true; enable = true;
package = pkgs.heimdal; kerberos = pkgs.heimdal;
settings = { libdefaults = {
libdefaults = { default_realm = realm;
default_realm = realm; allow_weak_crypto = false;
allow_weak_crypto = false; dns_lookup_kdc = true;
dns_lookup_kdc = true; dns_lookup_realm = true;
dns_lookup_realm = true; forwardable = true;
forwardable = true; proxiable = true;
proxiable = true; };
}; appdefaults = {
appdefaults = { forwardable = true;
forwardable = true; proxiable = true;
proxiable = true; encrypt = true;
encrypt = true; forward = true;
forward = true;
};
}; };
}; };

1
lib/fudo/default.nix
View File

@ -22,6 +22,7 @@ with lib; {
./grafana.nix ./grafana.nix
./hosts.nix ./hosts.nix
./host-filesystems.nix ./host-filesystems.nix
./initrd-network.nix
./ipfs.nix ./ipfs.nix
./jabber.nix ./jabber.nix
# ./kdc.nix # ./kdc.nix

3
lib/fudo/grafana.nix
View File

@ -159,6 +159,7 @@ in {
state-directory = mkOption { state-directory = mkOption {
type = str; type = str;
description = "Directory at which to store Grafana state data."; description = "Directory at which to store Grafana state data.";
default = "/var/lib/grafana";
}; };
private-network = mkEnableOption "Network is private, no SSL."; private-network = mkEnableOption "Network is private, no SSL.";
@ -198,7 +199,7 @@ in {
grafana = { grafana = {
enable = true; enable = true;
dataDir = toPath cfg.state-directory; dataDir = cfg.state-directory;
settings = { settings = {

3
lib/fudo/hosts.nix
View File

@ -93,12 +93,11 @@ in {
time.timeZone = site.timezone; time.timeZone = site.timezone;
security.krb5.settings.libdefaults.default_realm = domain.gssapi-realm; krb5.libdefaults.default_realm = domain.gssapi-realm;
services = { services = {
cron.mailto = domain.admin-email; cron.mailto = domain.admin-email;
fail2ban.ignoreIP = config.instance.local-networks; fail2ban.ignoreIP = config.instance.local-networks;
udev.packages = optional host-cfg.android-dev pkgs.android-udev-rules;
}; };
virtualisation.docker = mkIf (host-cfg.docker-server) { virtualisation.docker = mkIf (host-cfg.docker-server) {

86
lib/fudo/initrd-network.nix Normal file
View File

@ -0,0 +1,86 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
initrd-cfg = config.fudo.hosts.${hostname}.initrd-network;
read-lines = filename: splitString "\n" (fileContents filename);
concatLists = lsts: concatMap (i: i) lsts;
gen-sshfp-records-pkg = hostname: pubkey: let
pubkey-file = builtins.toFile "${hostname}-initrd-ssh-pubkey" pubkey;
in pkgs.stdenv.mkDerivation {
name = "${hostname}-initrd-ssh-firngerprint";
phases = [ "installPhase" ];
buildInputs = with pkgs; [ openssh ];
installPhase = ''
mkdir $out
ssh-keygen -r REMOVEME -f "${pubkey-file}" | sed 's/^REMOVEME IN SSHFP //' >> $out/initrd-ssh-pubkey.sshfp
'';
};
gen-sshfp-records = hostname: pubkey: let
sshfp-record-pkg = gen-sshfp-records-pkg hostname pubkey;
in read-lines "${sshfp-record-pkg}/initrd-ssh-pubkey.sshfp";
in {
config = {
boot = mkIf (initrd-cfg != null) {
kernelParams = let
site-name = config.instance.local-site;
site = config.fudo.sites.${site-name};
site-gateway = pkgs.lib.network.site-gateway config site-name;
netmask =
pkgs.lib.ip.maskFromV32Network site.network;
in [
"ip=${initrd-cfg.ip}:${site-gateway}:${netmask}:${hostname}:${initrd-cfg.interface}"
];
initrd = {
network = {
enable = true;
ssh = let
admin-ssh-keys =
concatMap (admin: config.fudo.users.${admin}.ssh-authorized-keys)
config.instance.local-admins;
in {
enable = true;
port = 22;
authorizedKeys = admin-ssh-keys;
hostKeys = [
initrd-cfg.keypair.private-key-file
];
};
};
};
};
fudo = {
local-network = let
initrd-network-hosts =
filterAttrs
(hostname: hostOpts: hostOpts.initrd-network != null)
config.instance.local-hosts;
in {
zone-definition.hosts = mapAttrs'
(hostname: hostOpts: nameValuePair "${hostname}-recovery" {
ipv4-address = hostOpts.initrd-network.ip;
description = "${hostname} initrd host";
}) initrd-network-hosts;
extra-records = let
recs = (mapAttrsToList
(hostname: hostOpts: map
(sshfp: "${hostname} IN SSHFP ${sshfp}")
(gen-sshfp-records hostname hostOpts.initrd-network.keypair.public-key))
initrd-network-hosts);
in concatLists recs;
};
};
};
}

17
lib/fudo/local-network.nix
View File

@ -4,8 +4,6 @@ with lib;
let let
cfg = config.fudo.local-network; cfg = config.fudo.local-network;
inherit (pkgs.lib) getHostIpv4 getHostFqdn;
join-lines = concatStringsSep "\n"; join-lines = concatStringsSep "\n";
inherit (pkgs.lib.ip) inherit (pkgs.lib.ip)
@ -119,12 +117,14 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
fudo.system.hostfile-entries = let fudo.system.hostfile-entries = let
siteHosts = other-hosts =
(filterAttrs (_: hostOpts: hostOpts.site == config.instance.local-site) filterAttrs (hostname: hostOpts: hostname != config.instance.hostname)
config.fudo.hosts); cfg.zone-definition.hosts;
in mapAttrs' (hostname: _: in mapAttrs' (hostname: hostOpts:
nameValuePair (getHostIpv4 hostname) [ (getHostFqdn hostname) hostname ]) nameValuePair hostOpts.ipv4-address [
(filterAttrs (hostname: _: !isNull (getHostIpv4 hostname)) siteHosts); "${hostname}.${cfg.domain}"
hostname
]) other-hosts;
services.kea.dhcp4 = { services.kea.dhcp4 = {
enable = true; enable = true;
@ -161,7 +161,6 @@ in {
} }
]; ];
subnet4 = [{ subnet4 = [{
id = 1;
pools = [{ pools = [{
pool = let pool = let
minIp = networkMinIp cfg.dhcp-dynamic-network; minIp = networkMinIp cfg.dhcp-dynamic-network;

1
lib/fudo/minecraft-clj.nix
View File

@ -268,7 +268,6 @@ in {
"${worldOpts.world-name} Minecraft Server with Clojure REPL"; "${worldOpts.world-name} Minecraft Server with Clojure REPL";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
requires = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;

10
lib/fudo/nexus.nix
View File

@ -9,14 +9,14 @@ let
default = name; default = name;
}; };
server = mkOption { servers = mkOption {
type = str; type = listOf str;
description = "Primary server for this Nexus domain."; description = "List of servers for this Nexus domain.";
}; };
secondary-dns-servers = mkOption { dns-servers = mkOption {
type = listOf str; type = listOf str;
description = "List of secondary DNS servers for this Nexus domain."; description = "List of DNS servers for this Nexus domain.";
}; };
gssapi-realm = mkOption { gssapi-realm = mkOption {

135
lib/fudo/postgres.nix
View File

@ -7,13 +7,11 @@ let
hostname = config.instance.hostname; hostname = config.instance.hostname;
domain-name = config.instance.local-domain; domain-name = config.instance.local-domain;
sslEnabled = cfg.ssl-certificate != null;
gssapi-realm = config.fudo.domains.${domain-name}.gssapi-realm; gssapi-realm = config.fudo.domains.${domain-name}.gssapi-realm;
strip-ext = filename: head (builtins.match "^(.+)[.][^.]+$" filename); join-lines = lib.concatStringsSep "\n";
joinLines = concatStringsSep "\n"; strip-ext = filename: head (builtins.match "^(.+)[.][^.]+$" filename);
userDatabaseOpts = { database, ... }: { userDatabaseOpts = { database, ... }: {
options = { options = {
@ -103,7 +101,7 @@ let
exit 2 exit 2
fi fi
${joinLines (mapAttrsToList (user: opts: ${join-lines (mapAttrsToList (user: opts:
password-setter-script user opts.password-file "$OUTPUT_FILE") password-setter-script user opts.password-file "$OUTPUT_FILE")
(filterPasswordedUsers users))} (filterPasswordedUsers users))}
''; '';
@ -113,19 +111,17 @@ let
nameValuePair "DATABASE ${database}" databaseOpts.access) databases; nameValuePair "DATABASE ${database}" databaseOpts.access) databases;
makeEntry = nw: makeEntry = nw:
let hostClause = if sslEnabled then "hostssl" else "host"; "hostssl all all ${nw} gss include_realm=0 krb_realm=${gssapi-realm}";
in "${hostClause} all all ${nw} gss include_realm=0 krb_realm=${gssapi-realm}";
makeNetworksEntry = networks: joinLines (map makeEntry networks); makeNetworksEntry = networks: join-lines (map makeEntry networks);
makeLocalUserPasswordEntries = users: networks: makeLocalUserPasswordEntries = users: networks:
let let
network-entries = user: db: network-entries = user: db:
joinLines (map (network: join-lines
let hostClause = if sslEnabled then "hostssl" else "host"; (map (network: "hostssl ${db} ${user} ${network} md5") networks);
in "${hostClause} ${db} ${user} ${network} md5") networks); in join-lines (mapAttrsToList (user: opts:
in joinLines (mapAttrsToList (user: opts: join-lines (map (db: ''
joinLines (map (db: ''
local ${db} ${user} md5 local ${db} ${user} md5
host ${db} ${user} 127.0.0.1/16 md5 host ${db} ${user} 127.0.0.1/16 md5
host ${db} ${user} ::1/128 md5 host ${db} ${user} ::1/128 md5
@ -136,18 +132,19 @@ let
enableDatabaseExtensionsSql = database: databaseOpts: '' enableDatabaseExtensionsSql = database: databaseOpts: ''
\c ${database} \c ${database}
${joinLines (map enableExtensionSql databaseOpts.extensions)} ${join-lines (map enableExtensionSql databaseOpts.extensions)}
''; '';
userTableAccessSql = user: entity: access: userTableAccessSql = user: entity: access:
"GRANT ${access} ON ${entity} TO ${user};"; "GRANT ${access} ON ${entity} TO ${user};";
userDatabaseAccessSql = user: database: dbOpts: '' userDatabaseAccessSql = user: database: dbOpts: ''
\c ${database} \c ${database}
${joinLines (mapAttrsToList (userTableAccessSql user) dbOpts.entity-access)} ${join-lines
(mapAttrsToList (userTableAccessSql user) dbOpts.entity-access)}
''; '';
userAccessSql = user: userOpts: userAccessSql = user: userOpts:
joinLines (mapAttrsToList (userDatabaseAccessSql user) userOpts.databases); join-lines (mapAttrsToList (userDatabaseAccessSql user) userOpts.databases);
usersAccessSql = users: joinLines (mapAttrsToList userAccessSql users); usersAccessSql = users: join-lines (mapAttrsToList userAccessSql users);
in { in {
@ -208,23 +205,23 @@ in {
default = { }; default = { };
}; };
# socket-directory = mkOption { socket-directory = mkOption {
# type = str; type = str;
# description = "Directory in which to place unix sockets."; description = "Directory in which to place unix sockets.";
# default = "/run/postgresql"; default = "/run/postgresql";
# }; };
# socket-group = mkOption { socket-group = mkOption {
# type = str; type = str;
# description = "Group for accessing sockets."; description = "Group for accessing sockets.";
# default = "postgres_local"; default = "postgres_local";
# }; };
# local-users = mkOption { local-users = mkOption {
# type = listOf str; type = listOf str;
# description = "Users able to access the server via local socket."; description = "Users able to access the server via local socket.";
# default = [ ]; default = [ ];
# }; };
required-services = mkOption { required-services = mkOption {
type = listOf str; type = listOf str;
@ -258,27 +255,23 @@ in {
environment.systemPackages = with pkgs; [ cfg.package ]; environment.systemPackages = with pkgs; [ cfg.package ];
# users.groups = { users.groups = {
# ${cfg.socket-group} = { members = [ "postgres" ] ++ cfg.local-users; }; ${cfg.socket-group} = { members = [ "postgres" ] ++ cfg.local-users; };
# }; };
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = cfg.package; package = cfg.package;
enableTCPIP = true; enableTCPIP = true;
ensureDatabases = mapAttrsToList (name: value: name) cfg.databases; ensureDatabases = mapAttrsToList (name: value: name) cfg.databases;
ensureUsers = map (user: { ensureUsers = ((mapAttrsToList (username: attrs: {
name = user; name = username;
ensureClauses.login = true; ensurePermissions = userDatabaseAccess username attrs.databases;
}) (attrNames cfg.users); }) cfg.users) ++ (flatten (mapAttrsToList (database: opts:
# ensureUsers = ((mapAttrsToList (username: attrs: { (map (username: {
# name = username; name = username;
# ensurePermissions = userDatabaseAccess username attrs.databases; ensurePermissions = { "DATABASE ${database}" = "ALL PRIVILEGES"; };
# }) cfg.users) ++ (flatten (mapAttrsToList (database: opts: }) opts.users)) cfg.databases)));
# (map (username: {
# name = username;
# ensurePermissions = { "DATABASE ${database}" = "ALL PRIVILEGES"; };
# }) opts.users)) cfg.databases)));
settings = let ssl-enabled = cfg.ssl-certificate != null; settings = let ssl-enabled = cfg.ssl-certificate != null;
in { in {
@ -288,11 +281,9 @@ in {
ssl_cert_file = mkIf ssl-enabled cfg.ssl-certificate; ssl_cert_file = mkIf ssl-enabled cfg.ssl-certificate;
ssl_key_file = mkIf ssl-enabled cfg.ssl-private-key; ssl_key_file = mkIf ssl-enabled cfg.ssl-private-key;
# unix_socket_directories = cfg.socket-directory; unix_socket_directories = cfg.socket-directory;
# unix_socket_group = cfg.socket-group; unix_socket_group = cfg.socket-group;
# unix_socket_permissions = "0777"; unix_socket_permissions = "0777";
log_min_error_statement = "DEBUG3";
}; };
authentication = lib.mkForce '' authentication = lib.mkForce ''
@ -313,9 +304,9 @@ in {
systemd = { systemd = {
tmpfiles.rules = optionals (cfg.state-directory != null) tmpfiles.rules = optional (cfg.state-directory != null)
(let user = config.systemd.services.postgresql.serviceConfig.User; (let user = config.systemd.services.postgresql.serviceConfig.User;
in [ "d ${cfg.state-directory} 0700 ${user} - - -" ]); in "d ${cfg.state-directory} 0700 ${user} - - -");
targets.${strip-ext cfg.systemd-target} = { targets.${strip-ext cfg.systemd-target} = {
description = "Postgresql and associated systemd services."; description = "Postgresql and associated systemd services.";
@ -362,12 +353,11 @@ in {
description = description =
"A service to set postgresql user passwords after the server has started."; "A service to set postgresql user passwords after the server has started.";
after = [ "postgresql.service" ] ++ cfg.required-services; after = [ "postgresql.service" ] ++ cfg.required-services;
requires = [ "postgresql.service" ] ++ cfg.required-services;
wantedBy = [ "postgresql.service" ]; wantedBy = [ "postgresql.service" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = config.services.postgresql.superUser; User = config.services.postgresql.superUser;
ExecStart = password-wrapper-script; ExecStart = "${password-wrapper-script}";
}; };
partOf = [ cfg.systemd-target ]; partOf = [ cfg.systemd-target ];
}; };
@ -382,7 +372,7 @@ in {
# allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;"; # allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
# extra-settings-sql = pkgs.writeText "settings.sql" '' # extra-settings-sql = pkgs.writeText "settings.sql" ''
# ${joinLines # ${concatStringsSep "\n"
# (map allow-user-login (mapAttrsToList (key: val: key) cfg.users))} # (map allow-user-login (mapAttrsToList (key: val: key) cfg.users))}
# ${usersAccessSql cfg.users} # ${usersAccessSql cfg.users}
# ''; # '';
@ -394,40 +384,28 @@ in {
# ''; # '';
# Wait a bit before starting dependent services, to let postgres finish initializing # Wait a bit before starting dependent services, to let postgres finish initializing
serviceConfig = { serviceConfig.ExecStartPost =
# ReadWritePaths = [ cfg.socket-directory ]; mkAfter [ "${pkgs.coreutils}/bin/sleep 10" ];
ExecStartPost = mkAfter [ "${pkgs.coreutils}/bin/sleep 10" ];
};
postStop = joinLines cfg.cleanup-tasks; postStop = concatStringsSep "\n" cfg.cleanup-tasks;
}; };
postgresql-finalizer = { postgresql-finalizer = {
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "postgresql.service" "postgresql-password-setter.service" ]; after = [ "postgresql.service" "postgresql-password-setter.service" ];
partOf = [ cfg.systemd-target ]; partOf = [ "postgresql.target" ];
wantedBy = [ "postgresql.service" ]; wantedBy = [ "postgresql.service" ];
serviceConfig = { serviceConfig = {
User = config.services.postgresql.superUser; User = config.services.postgresql.superUser;
ExecStart = let ExecStart = let
enableExtensionsClause = joinLines allow-user-login = user: "ALTER ROLE ${user} WITH LOGIN;";
(mapAttrsToList enableDatabaseExtensionsSql cfg.databases);
grantMasterAccessSql = db: user: ''
GRANT ALL PRIVILEGES ON DATABASE ${db} TO ${user};
\c ${db} postgres
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO ${user};
\c postgres postgres
'';
grantMasterAccess = joinLines (mapAttrsToList (database: opts:
joinLines (map (grantMasterAccessSql database) opts.users))
cfg.databases);
extra-settings-sql = pkgs.writeText "settings.sql" '' extra-settings-sql = pkgs.writeText "settings.sql" ''
${enableExtensionsClause} ${join-lines
(mapAttrsToList enableDatabaseExtensionsSql cfg.databases)}
${grantMasterAccess} ${concatStringsSep "\n" (map allow-user-login
(mapAttrsToList (key: val: key) cfg.users))}
${usersAccessSql cfg.users} ${usersAccessSql cfg.users}
''; '';
@ -435,6 +413,7 @@ in {
${pkgs.postgresql}/bin/psql --port ${ ${pkgs.postgresql}/bin/psql --port ${
toString config.services.postgresql.port toString config.services.postgresql.port
} -d postgres -f ${extra-settings-sql} } -d postgres -f ${extra-settings-sql}
chgrp ${cfg.socket-group} ${cfg.socket-directory}/.s.PGSQL*
''; '';
}; };
}; };

102
lib/fudo/prometheus.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }@toplevel: { config, lib, pkgs, ... }:
with lib; with lib;
let cfg = config.fudo.metrics.prometheus; let cfg = config.fudo.metrics.prometheus;
@ -15,50 +15,35 @@ in {
description = "The prometheus package that should be used."; description = "The prometheus package that should be used.";
}; };
scrapers = let service-discovery-dns = mkOption {
scraperOpts.options = { type = attrsOf (listOf str);
name = mkOption { description = ''
type = str; A map of exporter type to a list of domains to use for service discovery.
description = "Name of this exporter."; '';
}; example = {
node = [ "node._metrics._tcp.my-domain.com" ];
secured = mkOption { postfix = [ "postfix._metrics._tcp.my-domain.com" ];
type = bool; };
description = "Whether to use https instead of http."; default = {
default = !toplevel.config.fudo.metrics.prometheus.private-network; dovecot = [ ];
}; node = [ ];
postfix = [ ];
path = mkOption { rspamd = [ ];
type = str; };
description = "Host path at which to find exported metrics."; };
default = "/metrics";
}; static-targets = mkOption {
type = attrsOf (listOf str);
port = mkOption { description = ''
type = port; A map of exporter type to a list of host:ports from which to collect metrics.
description = "Port on which to scrape for metrics."; '';
default = example = { node = [ "my-host.my-domain:1111" ]; };
if toplevel.config.fudo.metrics.prometheus.private-network then default = {
80 dovecot = [ ];
else node = [ ];
443; postfix = [ ];
}; rspamd = [ ];
static-targets = mkOption {
type = listOf str;
description = "Explicit list of hosts to scrape for metrics.";
default = [ ];
};
dns-sd-records = mkOption {
type = listOf str;
description = "List of DNS records to query for hosts to scrape.";
default = [ ];
};
}; };
in mkOption {
type = listOf (submodule scraperOpts);
default = [ ];
}; };
docker-hosts = mkOption { docker-hosts = mkOption {
@ -94,6 +79,7 @@ in {
state-directory = mkOption { state-directory = mkOption {
type = str; type = str;
description = "Directory at which to store Prometheus state."; description = "Directory at which to store Prometheus state.";
default = "/var/lib/prometheus";
}; };
private-network = mkEnableOption "Network is private."; private-network = mkEnableOption "Network is private.";
@ -148,19 +134,21 @@ in {
port = 9090; port = 9090;
scrapeConfigs = let scrapeConfigs = let
mkScraper = make-job = type: {
{ name, secured, path, port, static-targets, dns-sd-records }: { job_name = type;
job_name = name; honor_labels = false;
honor_labels = false; scheme = if cfg.private-network then "http" else "https";
scheme = if secured then "https" else "http"; metrics_path = "/metrics/${type}";
metrics_path = path; static_configs = if (hasAttr type cfg.static-targets) then [{
static_configs = mkIf (static-targets != [ ]) targets = cfg.static-targets.${type};
(let attachPort = target: "${target}:${toString port}"; }] else
in [{ targets = map attachPort static-targets; }]); [ ];
dns_sd_configs = dns_sd_configs = if (hasAttr type cfg.service-discovery-dns) then [{
mkIf (dns-sd-records != [ ]) [{ names = dns-sd-records; }]; names = cfg.service-discovery-dns.${type};
}; }] else
in map mkScraper cfg.scrapers; [ ];
};
in map make-job [ "docker" "node" "dovecot" "postfix" "rspamd" ];
pushgateway = { pushgateway = {
enable = if (cfg.push-url != null) then true else false; enable = if (cfg.push-url != null) then true else false;

52
lib/fudo/slynk.nix
View File

@ -4,23 +4,34 @@ with lib;
let let
cfg = config.fudo.slynk; cfg = config.fudo.slynk;
initScript = port: initScript = port: load-paths:
pkgs.writeText "slynk.lisp" '' let
(asdf:load-system 'slynk) load-path-string =
concatStringsSep " " (map (path: ''"${path}"'') load-paths);
in pkgs.writeText "slynk.lisp" ''
(load (merge-pathnames "quicklisp/setup.lisp" (user-homedir-pathname)))
(ql:quickload :slynk)
(setf asdf:*central-registry*
(append asdf:*central-registry*
(list ${load-path-string})))
(slynk:create-server :port ${toString port} :dont-close t) (slynk:create-server :port ${toString port} :dont-close t)
(dolist (var '("LD_LIBRARY_PATH"))
(format t "~S: ~S~%" var (sb-unix::posix-getenv var)))
(loop (sleep 60)) (loop (sleep 60))
''; '';
sbclWithLibs = pkgs.sbcl.withPackages (ps: lisp-libs = with pkgs.lispPackages; [
with ps; [ alexandria
alexandria asdf-package-system
asdf-package-system asdf-system-connections
asdf-system-connections cl_plus_ssl
cl_plus_ssl cl-ppcre
cl-ppcre quicklisp
quri quri
usocket uiop
]); usocket
];
in { in {
options.fudo.slynk = { options.fudo.slynk = {
@ -37,17 +48,20 @@ in {
systemd.user.services.slynk = { systemd.user.services.slynk = {
description = "Slynk Common Lisp server."; description = "Slynk Common Lisp server.";
serviceConfig = { serviceConfig =
ExecStart = "sbcl --load ${initScript cfg.port}"; let load-paths = (map (pkg: "${pkg}/lib/common-lisp/") lisp-libs);
Restart = "on-failure"; in {
PIDFile = "/run/slynk.$USERNAME.pid"; ExecStartPre = "${pkgs.lispPackages.quicklisp}/bin/quicklisp init";
}; ExecStart =
"${pkgs.sbcl}/bin/sbcl --load ${initScript cfg.port load-paths}";
Restart = "on-failure";
PIDFile = "/run/slynk.$USERNAME.pid";
};
path = with pkgs; [ path = with pkgs; [
gcc gcc
glibc # for getent glibc # for getent
file file
sbclWithLibs
]; ];
environment = { LD_LIBRARY_PATH = "${pkgs.openssl.out}/lib"; }; environment = { LD_LIBRARY_PATH = "${pkgs.openssl.out}/lib"; };

3
lib/fudo/webmail.nix
View File

@ -366,9 +366,6 @@ in {
''); '');
in { in {
requiredBy = [ "nginx.service" ]; requiredBy = [ "nginx.service" ];
before = [ "nginx.service" ];
requires = [ config.fudo.secrets.secret-target ];
after = [ config.fudo.secrets.secret-target ];
description = description =
"Initialize webmail service directories prior to starting nginx."; "Initialize webmail service directories prior to starting nginx.";
script = "${scriptPkg}/bin/webmail-init.sh"; script = "${scriptPkg}/bin/webmail-init.sh";

17
lib/instance.nix
View File

@ -19,8 +19,7 @@ in {
build-timestamp = mkOption { build-timestamp = mkOption {
type = int; type = int;
description = description = "Timestamp associated with the build. Used for e.g. DNS serials.";
"Timestamp associated with the build. Used for e.g. DNS serials.";
}; };
local-domain = mkOption { local-domain = mkOption {
@ -46,8 +45,7 @@ in {
local-admins = mkOption { local-admins = mkOption {
type = listOf str; type = listOf str;
description = description = "List of users who should have admin access to the local host.";
"List of users who should have admin access to the local host.";
}; };
local-groups = mkOption { local-groups = mkOption {
@ -57,8 +55,7 @@ in {
local-hosts = mkOption { local-hosts = mkOption {
type = attrsOf (submodule host.hostOpts); type = attrsOf (submodule host.hostOpts);
description = description = "List of hosts that should be considered local to the current host.";
"List of hosts that should be considered local to the current host.";
}; };
local-users = mkOption { local-users = mkOption {
@ -68,8 +65,7 @@ in {
local-networks = mkOption { local-networks = mkOption {
type = listOf str; type = listOf str;
description = description = "Networks which are considered local to this host, site, or domain.";
"Networks which are considered local to this host, site, or domain.";
}; };
service-home = mkOption { service-home = mkOption {
@ -85,7 +81,8 @@ in {
}; };
config = { config = {
systemd.tmpfiles.rules = systemd.tmpfiles.rules = [
[ "d ${config.instance.service-home} 755 root root - -" ]; "d ${config.instance.service-home} 755 root root - -"
];
}; };
} }

8
lib/lib/dns.nix
View File

@ -153,14 +153,14 @@ let
${join-lines (mapAttrsToList makeMetricRecords zone.metric-records)} ${join-lines (mapAttrsToList makeMetricRecords zone.metric-records)}
${join-lines (mapAttrsToList cnameRecord zone.aliases)}
${join-lines zone.verbatim-dns-records}
$TTL ${zone.host-record-ttl} $TTL ${zone.host-record-ttl}
${join-lines (mapAttrsToList hostRecords zone.hosts)} ${join-lines (mapAttrsToList hostRecords zone.hosts)}
${join-lines (mapAttrsToList cnameRecord zone.aliases)}
${join-lines zone.verbatim-dns-records}
${join-lines (mapAttrsToList ${join-lines (mapAttrsToList
(subdom: subdomCfg: domain-records "${subdom}.${dom}" subdomCfg) (subdom: subdomCfg: domain-records "${subdom}.${dom}" subdomCfg)
zone.subdomains)} zone.subdomains)}

5
lib/lib/text.nix
View File

@ -13,7 +13,4 @@ let
installPhase = "python -mjson.tool ${filename} > $out"; installPhase = "python -mjson.tool ${filename} > $out";
}; };
writeEnv = name: vars: in { inherit format-json-file; }
pkgs.writeText name (mapAttrsToList (var: val: "${var}=${val}") vars);
in { inherit format-json-file writeEnv; }

102
lib/types/host.nix
View File

@ -92,7 +92,7 @@ in rec {
}; };
}; };
masterKeyOpts = _: { masterKeyOpts = { ... }: {
options = with types; { options = with types; {
key-path = mkOption { key-path = mkOption {
type = str; type = str;
@ -122,7 +122,7 @@ in rec {
type = str; type = str;
description = description =
"Primary domain to which the host belongs, in the form of a domain name."; "Primary domain to which the host belongs, in the form of a domain name.";
default = "unassigned.domain"; default = "fudo.org";
}; };
extra-domains = mkOption { extra-domains = mkOption {
@ -290,28 +290,92 @@ in rec {
default = false; default = false;
}; };
wireguard = let
clientOpts = {
options = {
ip = mkOption {
type = nullOr str;
description =
"IP address assigned to this host in the WireGuard network.";
};
bound = mkOption {
type = bool;
description = "Whether to route all traffic from this host.";
default = false;
};
};
};
wireguardOpts = {
options = {
private-key-file = mkOption {
type = str;
description = "WireGuard private key file of the host.";
};
public-key = mkOption {
type = str;
description = "WireGuard public key.";
};
client = mkOption {
type = nullOr (submodule clientOpts);
default = null;
};
};
};
in mkOption {
type = nullOr (submodule wireguardOpts);
default = null;
};
initrd-network = let
keypair-type = { ... }: {
options = {
public-key = mkOption {
type = str;
description = "SSH public key.";
};
private-key-file = mkOption {
type = str;
description = "Path to SSH private key (on the local host!).";
};
};
};
initrd-network-config = { ... }: {
options = {
ip = mkOption {
type = str;
description =
"IP to assign to the initrd image, allowing access to host during bootup.";
};
keypair = mkOption {
type = (submodule keypair-type);
description = "SSH host key pair to use for initrd.";
};
interface = mkOption {
type = str;
description =
"Name of interface on which to listen for connections.";
};
};
};
in mkOption {
type = nullOr (submodule initrd-network-config);
description =
"Configuration parameters to set up initrd SSH network.";
default = null;
};
backplane-password-file = mkOption { backplane-password-file = mkOption {
type = path; type = path;
description = description =
"File containing the password used by this host to connect to the backplane."; "File containing the password used by this host to connect to the backplane.";
}; };
initrd-ssh-key = mkOption {
type = nullOr str;
description =
"Path on the local filesystem to a host SSH key for initrd, if any.";
default = null;
};
deploy = {
enable = mkEnableOption "Enable deploy-rs deployments.";
ssh-options = mkOption {
type = listOf str;
description = "List of SSH options to use when deploying.";
default = [ ];
};
};
}; };
}; };
} }

7
lib/types/user.nix
View File

@ -119,13 +119,6 @@ with lib; rec {
description = "User's surname."; description = "User's surname.";
default = null; default = null;
}; };
config-user = mkOption {
type = nullOr str;
description =
"When generating config, consider this to be the 'real' user.";
default = null;
};
}; };
}; };