nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'nixops' of ssh://git.fudo.org:2222/fudosys/NixOS into nixops

This commit is contained in:
Root 2021-04-10 13:33:24 -07:00
parent bd5910aed0 5e16e48a91
commit 30e12587b4
6 changed files with 157 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
config/host-config/plato.nix
View File

@ -4,12 +4,24 @@ with lib;
let primary-ip = "10.0.0.21"; let primary-ip = "10.0.0.21";
in { in {
config = { config = {
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
environment.etc = { environment.etc = {
nixos.source = "/state/nixos"; nixos.source = "/state/nixos";
adjtime.source = "/state/etc/adjtime"; adjtime.source = "/state/etc/adjtime";
NIXOS.source = "/state/etc/NIXOS"; NIXOS.source = "/state/etc/NIXOS";
machine-id.source = "/state/etc/machine-id"; machine-id.source = "/state/etc/machine-id";
"host-config.nix".source = "/state/etc/host-config.nix"; "host-config.nix".source = "/state/etc/host-config.nix";
"krb5.keytab" = {
source = "/state/etc/plato.keytab";
user = "root";
group = "root";
mode = "0600";
};
}; };
system.stateVersion = "20.09"; system.stateVersion = "20.09";

3
config/hosts/plato.nix
View File

@ -13,4 +13,7 @@
profile = "server"; profile = "server";
ssh-pubkey = ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
build-pubkeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="
];
} }

15
config/profile-config/common.nix
View File

@ -11,10 +11,10 @@ in {
systemPackages = global-packages; systemPackages = global-packages;
shellInit = '' # shellInit = ''
${pkgs.gnupg}/bin/gpg-connect-agent /bye # ${pkgs.gnupg}/bin/gpg-connect-agent /bye
export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket) # export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
''; # '';
}; };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@ -45,7 +45,7 @@ in {
openssh = { openssh = {
enable = true; enable = true;
startWhenNeeded = true; startWhenNeeded = true;
useDns = true; # useDns = true;
permitRootLogin = "prohibit-password"; permitRootLogin = "prohibit-password";
extraConfig = '' extraConfig = ''
GSSAPIAuthentication yes GSSAPIAuthentication yes
@ -91,13 +91,12 @@ in {
gnupg.agent = { gnupg.agent = {
enable = true; enable = true;
enableSSHSupport = true; # enableSSHSupport = true;
# pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses"; # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
}; };
ssh = { ssh = {
# Use GPG agent instead startAgent = true;
startAgent = false;
package = pkgs.openssh_gssapi; package = pkgs.openssh_gssapi;

13
config/sites.nix
View File

@ -9,7 +9,18 @@
dynamic-network = "10.0.1.0/24"; dynamic-network = "10.0.1.0/24";
timezone = "America/Los_Angeles"; timezone = "America/Los_Angeles";
gateway-host = "nostromo"; gateway-host = "nostromo";
deploy-pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="; deploy-pubkey =
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0=";
build-servers = {
nostromo = {
max-jobs = 2;
speed-factor = 2;
};
lambda = {
max-jobs = 2;
speed-factor = 2;
};
};
# FIXME: good idea? # FIXME: good idea?
# network-mounts = { # network-mounts = {
# "/mnt/documents" = { # "/mnt/documents" = {

19
lib/fudo/hosts.nix
View File

@ -106,6 +106,12 @@ let
"SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key."; "SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
default = null; default = null;
}; };
build-pubkeys = mkOption {
type = listOf str;
description = "SSH public keys used to access the build server.";
default = [ ];
};
}; };
}; };
@ -124,6 +130,8 @@ in {
site = config.fudo.sites.${site-name}; site = config.fudo.sites.${site-name};
domain-name = host-cfg.domain; domain-name = host-cfg.domain;
domain = config.fudo.domains.${domain-name}; domain = config.fudo.domains.${domain-name};
has-build-servers = (length (attrNames site.build-servers)) > 0;
has-build-keys = (length host-cfg.build-pubkeys) > 0;
in { in {
networking = { networking = {
@ -138,6 +146,17 @@ in {
hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; }; hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; };
}; };
nix = mkIf
(has-build-servers && has-build-keys && site.enable-distributed-builds) {
buildMachines = mapAttrsToList (hostname: buildOpts: {
hostName = "${hostname}.${domain}";
maxJobs = buildOpts.max-jobs;
speedFactor = buildOpts.speed-factor;
supportedFeatures = buildOpts.supported-features;
}) site.build-servers;
distributedBuilds = true;
};
time.timeZone = site.timezone; time.timeZone = site.timezone;
krb5.libdefaults.default_realm = domain.gssapi-realm; krb5.libdefaults.default_realm = domain.gssapi-realm;

103
lib/fudo/sites.nix
View File

@ -6,6 +6,9 @@ let
site-name = config.fudo.hosts.${hostname}.site; site-name = config.fudo.hosts.${hostname}.site;
site-cfg = config.fudo.sites.${site-name}; site-cfg = config.fudo.sites.${site-name};
site-hosts = filterAttrs (hostname: hostOpts: hostOpts.site == site-name)
config.fudo.hosts;
siteOpts = { site, ... }: { siteOpts = { site, ... }: {
options = with types; { options = with types; {
site = mkOption { site = mkOption {
@ -84,6 +87,13 @@ let
default = null; default = null;
}; };
enable-ssh-backdoor = mkOption {
type = bool;
description =
"Enable a backup SSH server in case of failures of the primary.";
default = true;
};
dropbear-rsa-key-path = mkOption { dropbear-rsa-key-path = mkOption {
type = str; type = str;
description = "Location of Dropbear RSA key."; description = "Location of Dropbear RSA key.";
@ -96,11 +106,68 @@ let
default = "/etc/dropbear/host_ecdsa_key"; default = "/etc/dropbear/host_ecdsa_key";
}; };
dropbear-deploy-port = mkOption { dropbear-ssh-port = mkOption {
type = port; type = port;
description = "Port to be used for the deploy SSH server."; description = "Port to be used for the deploy SSH server.";
default = 2112; default = 2112;
}; };
enable-distributed-builds =
mkEnableOption "Enable distributed builds for the site.";
build-servers = mkOption {
type = attrsOf (submodule buildServerOpts);
description =
"List of hosts to be used as build servers for the local site.";
default = { };
example = {
my-build-host = {
port = 22;
systems = [ "i686-linux" "x86_64-linux" ];
};
};
};
build-user = mkOption {
type = str;
description = "User as which to run builds.";
default = "nix-site-builder";
};
};
};
buildServerOpts = { ... }: {
options = with types; {
port = mkOption {
type = port;
description = "SSH port at which to contact the server.";
default = 22;
};
systems = mkOption {
type = listOf str;
description =
"A list of systems for which this build server can build.";
default = [ "i686-linux" "x86_64-linux" ];
};
max-jobs = mkOption {
type = int;
description = "Max build allowed per-system.";
default = 1;
};
speed-factor = mkOption {
type = int;
description = "Weight to give this server, i.e. it's relative speed.";
default = 1;
};
supported-features = mkOption {
type = listOf str;
description = "List of features supported by this server.";
default = [ ];
};
}; };
}; };
@ -111,25 +178,33 @@ in {
default = { }; default = { };
}; };
config = mkIf (site-cfg.deploy-pubkey != null) { config = {
environment.etc."dropbear/authorized_keys" = { users.users = {
text = "${site-cfg.deploy-pubkey} root@deploy"; root.openssh.authorizedKeys.keys =
mode = "0400"; mkIf (site-cfg.deploy-pubkey != null) [ site-cfg.deploy-pubkey ];
${site-cfg.build-user} = mkIf
(any (build-host: build-host == config.instance.hostname)
(attrNames site-cfg.build-servers)) {
isSystemUser = true;
openssh.authorizedKeys.keys =
concatMap (hostOpts: hostOpts.build-pubkeys)
(attrValues site-hosts);
};
}; };
networking.firewall.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ]; networking.firewall.allowedTCPPorts =
mkIf site-cfg.enable-ssh-backdoor [ site-cfg.dropbear-ssh-port ];
systemd = { systemd = mkIf site-cfg.enable-ssh-backdoor {
sockets = { sockets = {
dropbear-deploy = { dropbear-deploy = {
wantedBy = [ "sockets.target" ]; wantedBy = [ "sockets.target" ];
socketConfig = { socketConfig = {
ListenStream = "0.0.0.0:${toString site-cfg.dropbear-deploy-port}"; ListenStream = "0.0.0.0:${toString site-cfg.dropbear-ssh-port}";
Accept = true; Accept = true;
}; };
unitConfig = { unitConfig = { restartIfChanged = true; };
restartIfChanged = true;
};
}; };
}; };
@ -155,12 +230,14 @@ in {
}; };
"dropbear-deploy@" = { "dropbear-deploy@" = {
description = "Per-connection service for deployment, using dropbear."; description =
"Per-connection service for deployment, using dropbear.";
requires = [ "dropbear-deploy-init.service" ]; requires = [ "dropbear-deploy-init.service" ];
after = [ "network.target" ]; after = [ "network.target" ];
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
ExecStart = "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}"; ExecStart =
"${pkgs.dropbear}/bin/dropbear -F -i -w -m -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}";
ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
StandardInput = "socket"; StandardInput = "socket";
}; };