Currently broken config...

2020-01-15 11:24:11 -06:00
parent 46c45f4440
commit 00a97b1d94
51 changed files with 2991 additions and 364 deletions
--- a/hosts/france.nix
+++ b/hosts/france.nix
@@ -1,59 +1,194 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

+with lib;
 let
  hostname = "france.fudo.org";
+  mail-hostname = "france.fudo.org";
+  host_ipv4 = "208.81.3.117";
+  all-hostnames = [];
+
+  acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
+  acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
+  acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";
+
+  fudo-ca = "/etc/nixos/static/fudo_ca.pem";
+
+  minecraft-data-dir = "/srv/minecraft/data";
+
+  system-mail-directory = "/srv/mail";

 in {

-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  boot.loader.grub.device = "/dev/sda";
-
-  security.hideProcessInformation = true;
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    device = "/dev/sda";
+  };

  imports = [
-    ../defaults.nix
-    ../networks/fudo.org.nix
-    ../profiles/server.nix
-    ../config/fudo.nix
-    ../profiles/services/basic_acme.nix
-    ../profiles/services/heimdal_kdc.nix
-    ../profiles/services/minecraft.nix
    ../hardware-configuration.nix
-    ../packages/local-packages.nix
+
+    ../defaults.nix
+
+    # These should really both be settings...
+    # ../networks/fudo.org.nix
+    # ../profiles/server.nix
+  ];
+
+  fudo.profile = "server";
+  fudo.site = "nutty-club";
+  fudo.local-networks = [
+    "208.81.1.128/28"
+    "208.81.3.112/28"
+    "172.17.0.0/16"
+    "127.0.0.0/8"
  ];

  environment.systemPackages = with pkgs; [
-    acme-ca
+    docker
    lxd
    multipath-tools
+    nix-prefetch-docker
  ];

-  fudo.auth.server = {
+  fudo.prometheus = {
    enable = true;
-    base = "dc=fudo,dc=org";
-    organization = "Fudo";
-    rootpw-file = "/srv/ldap/secure/root.pw";
-    kerberos-host = "france.fudo.org";
-    kerberos-keytab = "/srv/ldap/secure/ldap.keytab";
-
-    sslCert = "/srv/ldap/france.fudo.org.pem";
-    sslKey = "/srv/ldap/secure/france.fudo.org-key.pem";
-    sslCACert = "/etc/nixos/static/fudo_ca.pem";
-
-    listen-uris = [
-      "ldap://${hostname}/"
-      "ldaps://${hostname}/"
-      "ldap://localhost/"
-      "ldaps://localhost/"
-      "ldapi:///"
+    hostname = "metrics.fudo.org";
+    service-discovery-dns = {
+      node =    [ "node._metrics._tcp.fudo.org" ];
+      postfix = [ "postfix._metrics._tcp.fudo.org" ];
+      dovecot = [ "dovecot._metrics._tcp.fudo.org" ];
+      rspamd =  [ "rspamd._metrics._tcp.fudo.org" ];
+    };
+    # Connections will be allowed from these networks. No auth is performed--the
+    # data is read-only anyway.
+    trusted-networks = [
+      "208.81.1.128/28"
+      "208.81.3.112/28"
+      "172.17.0.0/16"
+      "127.0.0.0/8"
    ];
+  };

-    users = import ../fudo/users.nix;
+  fudo.grafana = {
+    enable = true;
+    hostname = "monitor.fudo.org";
+    smtp-username = "metrics";
+    smtp-password-file = "/srv/grafana/secure/smtp.passwd";
+    database-password-file = "/srv/grafana/secure/db.passwd";
+    admin-password-file = "/srv/grafana/secure/admin.passwd";
+    secret-key-file = "/srv/grafana/secure/secret.key";
+    prometheus-host = "metrics.fudo.org";
+  };

-    groups = import ../fudo/groups.nix;
+  # So that grafana waits for postgresql
+  systemd.services.grafana.requires = [
+    "postgresql"
+  ];

-    system-users = import ../fudo/system-users.nix;
+  fudo.postgresql = {
+    enable = true;
+    ssl-private-key = (acme-private-key hostname);
+    ssl-certificate = (acme-certificate hostname);
+    keytab = "/srv/postgres/secure/postgres.keytab";
+
+    # We allow connections from local networks. Auth is still required. Outside
+    # of these networks, no access is allowed.
+    #
+    # TODO: that's probably to strict, allow kerberos connections from anywhere.
+    local-networks = [
+      "208.81.1.128/28"
+      "208.81.3.112/28"
+      "192.168.11.1/24"
+      "127.0.0.1/8"
+      "172.17.0.0/16"
+    ];
+  };
+
+  # Not all users need access to france; don't allow LDAP-user access.
+  fudo.authentication.enable = false;
+
+  # But we DO run an LDAP auth server. Should be better-named.
+  fudo.auth = {
+    server = {
+      enable = true;
+      base = "dc=fudo,dc=org";
+      organization = "Fudo";
+      rootpw-file = "/srv/ldap/secure/root.pw";
+      kerberos-host = "france.fudo.org";
+      kerberos-keytab = "/srv/ldap/secure/ldap.keytab";
+
+      sslCert = "/srv/ldap/france.fudo.org.pem";
+      sslKey = "/srv/ldap/secure/france.fudo.org-key.pem";
+      sslCACert = fudo-ca;
+
+      # We're using fudo-generated certs for now, but we should move to ACME
+      # once I can figure out how to correctly produce the ca.pem file. Until
+      # then, the server will fail to start using these certs. See:
+      # https://serverfault.com/a/834565
+
+      # sslCert = (acme-bare-cert hostname);
+      # sslKey = (acme-private-key hostname);
+      # sslCACert = acme-ca;
+
+      # TODO: loop over v4 and v6 IPs.
+      listen-uris = [
+        "ldap://${host_ipv4}/"
+        "ldaps://${host_ipv4}/"
+        "ldap://localhost/"
+        "ldaps://localhost/"
+        "ldapi:///"
+      ];
+
+      users = import ../fudo/users.nix;
+
+      groups = import ../fudo/groups.nix;
+
+      system-users = import ../fudo/system-users.nix;
+    };
+
+    # Heimdal Kerberos server
+    kdc = {
+      enable = true;
+      database-path = "/var/heimdal/heimdal";
+      realm = "FUDO.ORG";
+      mkey-file = "/var/heimdal/m-key";
+      acl-file = "/etc/heimdal/kdc.acl";
+      bind-addresses = [
+        host_ipv4
+        "127.0.0.1"
+        "127.0.1.1"
+      ];
+    };
+  };
+
+  # TODO: not used yet
+  fudo.acme.hostnames = all-hostnames;
+
+  fudo.mail-server = import ../fudo/email.nix { inherit config; } // {
+    enableContainer = true;
+    debug = true;
+    monitoring = true;
+
+    hostname = mail-hostname;
+
+    postfix.ssl-certificate = (acme-certificate mail-hostname);
+    postfix.ssl-private-key = (acme-private-key mail-hostname);
+    dovecot.ssl-certificate = (acme-certificate mail-hostname);
+    dovecot.ssl-private-key = (acme-private-key mail-hostname);
+
+    state-directory = "${system-mail-directory}/var";
+    mail-directory = "${system-mail-directory}/mailboxes";
+
+    dovecot.ldap-reader-dn = "cn=user_db_reader,dc=fudo,dc=org";
+    dovecot.ldap-reader-passwd = removeSuffix "\n" (readFile /srv/ldap/secure/user_db.passwd);
+
+    # FIXME: use SSL once I can figure out Acme SSL cert CA for LDAP.
+    dovecot.ldap-urls = [ "ldap://france.fudo.org" ];
+
+    clamav.enable = true;
+
+    dkim.signing = true;
  };

  networking = {
@@ -64,7 +199,8 @@ in {
    interfaces.enp4s0f0.useDHCP = true;
    interfaces.enp4s0f1.useDHCP = true;

-    enableIPv6 = true;
+    # TODO: fix IPv6
+    enableIPv6 = false;

    # Create a bridge for VMs to use
    macvlans = {
@@ -84,7 +220,7 @@ in {
        macAddress = "02:d4:e8:3b:10:2f";
        ipv4.addresses = [
          {
-            address = "208.81.3.117";
+            address = host_ipv4;
            prefixLength = 28;
          }
        ];
@@ -104,7 +240,82 @@ in {

  hardware.bluetooth.enable = false;

-  virtualisation.lxd = {
+  virtualisation = {
+    lxd = {
+      enable = true;
+    };
+
+    docker = {
+      enable = true;
+      enableOnBoot = true;
+
+      autoPrune = {
+        enable = true;
+      };
+    };
+  };
+
+  fileSystems = {
+    "/srv/archiva" = {
+      fsType = "btrfs";
+      options = ["subvol=archiva"];
+      label = "pool0";
+    };
+    "/srv/grafana" = {
+      fsType = "btrfs";
+      options = ["subvol=grafana"];
+      label = "pool0";
+    };
+    "${system-mail-directory}" = {
+      fsType = "btrfs";
+      options = ["subvol=mail"];
+      label = "pool0";
+    };
+    "/srv/gitlab" = {
+      fsType = "btrfs";
+      options = ["subvol=gitlab"];
+      label = "pool0";
+    };
+  };
+
+  ##
+  # Archiva
+  ##
+
+  users.extraUsers = {
+    archiva = {
+      isNormalUser = false;
+      group = "nogroup";
+      uid = 1000;
+    };
+  };
+
+  docker-containers = {
+    archiva = {
+      image = "xetusoss/archiva";
+      ports = ["127.0.0.1:8091:8080"];
+      volumes = [
+        "/srv/archiva:/archiva-data"
+      ];
+      environment = {
+        # Not directly connected to the world anyway
+        SSL_ENABLED = "false";
+      };
+      # Ugly as shit: name-to-uid lookup fails.
+      #user = "1000";
+      user = toString config.users.users.archiva.uid;
+    };
+  };
+
+  ###
+  # Minecraft
+  ###
+
+  fudo.minecraft-server = {
    enable = true;
+    package = pkgs.minecraft-server_1_15_1;
+    data-dir = minecraft-data-dir;
+    world-name = "selbyland";
+    motd = "Welcome to the Selby Minecraft server.";
  };
 }
--- a/hosts/nostromo.nix
+++ b/hosts/nostromo.nix
@@ -1,7 +1,7 @@
 { config, pkgs, ... }:

 let
-  hostname = "nostromo";
+  hostname = "nostromo.sea.fudo.org";

 in {

@@ -16,11 +16,20 @@ in {
    ../networks/sea.fudo.org.nix
    ../profiles/server.nix
    ../hardware-configuration.nix
-
-    ../profiles/services/postgres.nix
    # ../profiles/services/local_nameserver.nix
  ];

+  fudo.postgresql = {
+    enable = true;
+    ssl-private-key = "/srv/nostromo.sea.fudo.org/certs/private/privkey.pem";
+    ssl-certificate = "/srv/nostromo.sea.fudo.org/certs/cert.pem";
+    keytab = "/srv/nostromo.sea.fudo.org/keytabs/postgres.keytab";
+
+    local-networks = [
+      "10.0.0.1/24"
+    ];
+  };
+
  networking = {
    hostName = hostname;