nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed merge conflict

This commit is contained in:
nostoromo root 2020-11-16 12:40:39 -08:00
parent 4d6e8cb264 64ad31ab4f
commit 3165c259bc
9 changed files with 282 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
config/fudo/garbage-collector.nix Normal file
View File

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.garbage-collector;
in {
options.fudo.garbage-collector = {
enable = mkEnableOption "Enable periodic NixOS garbage collection";
timing = mkOption {
type = types.str;
default = "weekly";
description = "Period (systemd format) at which to run garbage collector.";
};
age = mkOption {
type = types.str;
default = "30d";
description = "Age of garbage to collect (eg. 30d).";
};
};
config = mkIf cfg.enable {
systemd = {
timers.fudo-garbage-collector = {
enable = true;
description = "Collect NixOS garbage older than ${cfg.age}";
partOf = [ "fudo-garbage-collector.service" ];
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.timing;
};
};
services.fudo-garbage-collector = {
enable = true;
serviceConfig = {
Type = "oneshot";
StandardOutput = "journal";
};
script = ''
${pkgs.nix}/bin/nix-collect-garbage --delete-older-than ${cfg.age}
'';
};
};
};
}

16
config/fudo/local-network.nix
View File

@ -20,10 +20,11 @@ let
}; };
mac-address = mkOption { mac-address = mkOption {
type = types.str; type = with types; nullOr types.str;
description = '' description = ''
The MAC address of a given host, if desired for IP reservation. The MAC address of a given host, if desired for IP reservation.
''; '';
default = null;
}; };
ssh-fingerprints = mkOption { ssh-fingerprints = mkOption {
@ -43,7 +44,7 @@ in {
enable = mkEnableOption "Enable local network configuration (DHCP & DNS)."; enable = mkEnableOption "Enable local network configuration (DHCP & DNS).";
hosts = mkOption { hosts = mkOption {
type = with types; loaOf (submodule hostOpts); type = with types; attrsOf (submodule hostOpts);
default = {}; default = {};
description = "A map of hostname => { host_attributes }."; description = "A map of hostname => { host_attributes }.";
}; };
@ -74,7 +75,7 @@ in {
}; };
aliases = mkOption { aliases = mkOption {
type = with types; loaOf str; type = with types; attrsOf str;
default = {}; default = {};
description = "A mapping of host-alias => hostname to use on the local network."; description = "A mapping of host-alias => hostname to use on the local network.";
}; };
@ -148,7 +149,7 @@ in {
ethernetAddress = hostOpts.mac-address; ethernetAddress = hostOpts.mac-address;
hostName = hostname; hostName = hostname;
ipAddress = hostOpts.ip-address; ipAddress = hostOpts.ip-address;
}) cfg.hosts; }) (filterAttrs (host: hostOpts: hostOpts.mac-address != null) cfg.hosts);
interfaces = cfg.dhcp-interfaces; interfaces = cfg.dhcp-interfaces;
@ -210,6 +211,13 @@ in {
cacheNetworks = [ cfg.network "localhost" "localnets" ]; cacheNetworks = [ cfg.network "localhost" "localnets" ];
forwarders = [ cfg.recursive-resolver ]; forwarders = [ cfg.recursive-resolver ];
listenOn = cfg.dns-serve-ips; listenOn = cfg.dns-serve-ips;
extraOptions = concatStringsSep "\n" [
"dnssec-enable yes;"
"dnssec-validation yes;"
"auth-nxdomain no;"
"recursion yes;"
"allow-recursion { any; };"
];
zones = [ zones = [
{ {
master = true; master = true;

1
config/local.nix
View File

@ -10,6 +10,7 @@ with lib;
./fudo/client/dns.nix ./fudo/client/dns.nix
./fudo/common.nix ./fudo/common.nix
./fudo/dns.nix ./fudo/dns.nix
./fudo/garbage-collector.nix
./fudo/git.nix ./fudo/git.nix
./fudo/grafana.nix ./fudo/grafana.nix
./fudo/kdc.nix ./fudo/kdc.nix

1
defaults.nix
View File

@ -30,7 +30,6 @@
clang clang
curl curl
dpkg dpkg
emacs
enca enca
fail2ban fail2ban
file file

1
fudo/profiles/common-ui.nix
View File

@ -19,6 +19,7 @@ let
corefonts corefonts
chrome-gnome-shell chrome-gnome-shell
chromium chromium
emacs
evince evince
firefox firefox
gimp gimp

5
fudo/profiles/server.nix
View File

@ -51,6 +51,7 @@ in {
config = mkIf (config.fudo.common.profile == "server") { config = mkIf (config.fudo.common.profile == "server") {
environment = { environment = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [
emacs-nox
ldns ldns
ldns.examples ldns.examples
racket-minimal racket-minimal
@ -67,8 +68,8 @@ in {
networking = { networking = {
networkmanager.enable = mkForce false; networkmanager.enable = mkForce false;
} };
;
boot.tmpOnTmpfs = true; boot.tmpOnTmpfs = true;
services.xserver.enable = false; services.xserver.enable = false;

154
fudo/sites/russell.nix
View File

@ -4,10 +4,11 @@ with lib;
let let
admin = "admin@fudo.org"; admin = "admin@fudo.org";
nameservers = [ local-domain = "rus.selby.ca";
"1.1.1.1"
"8.8.8.8" gateway = "10.0.0.1";
];
nameservers = [ "10.0.0.1" ];
hostname = config.networking.hostName; hostname = config.networking.hostName;
@ -20,15 +21,146 @@ in {
}; };
networking = { networking = {
domain = "fudo.org"; domain = "rus.selby.ca";
search = ["fudo.org"]; search = [local-domain "fudo.org" "selby.ca"];
firewall.enable = false;
nameservers = nameservers; nameservers = nameservers;
# Don't set the gateway if we ARE the gateway.
# This is the most generic way I can think of to do that. local-network is really
# about running all the local servers (DNS, DHCP, and providing gateway).
defaultGateway = optionalString (config.fudo.local-network.enable != true) gateway;
enableIPv6 = true;
# Necessary to make sure than Kerberos and Avahi both work (the former
# needs the full reverse-lookup name of the server, the latter wants
# `hostname` to return just the host itself.
hosts = {
"127.0.0.1" = [
"${config.networking.hostName}.${local-domain}"
config.networking.hostName
];
};
}; };
# fudo.node-exporter = { krb5.libdefaults.default_realm = "FUDO.ORG";
# enable = true;
# hostname = hostname; users.extraUsers = {
# }; guest = {
isNormalUser = true;
uid = 1000;
description = "Guest User";
extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
};
ken = {
isNormalUser = true;
uid = 10035;
createHome = true;
description = "Ken Selby";
extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
group = "users";
home = "/home/selby/ken";
hashedPassword = "$6$EwK9fpbH8$gYVzYY1IYw2/G0wCeUxXrZZqvjWCkCZbBqCOhxowbMuYtC5G0vp.AoYhVKWOJcHJM2c7TdPmAdnhLIe2KYStf.";
};
xiaoxuan = {
isNormalUser = true;
uid = 10065;
createHome = true;
description = "Xiaoxuan Jin";
extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
group = "users";
home = "/home/xiaoxuan";
hashedPassword = "$6$C8lYHrK7KvdKm/RE$cHZ2hg5gEOEjTV8Zoayik8sz5h.Vh0.ClCgOlQn8l/2Qx/qdxqZ7xCsAZ1GZ.IEyESfhJeJbjLpykXDwPpfVF0";
};
};
fudo.common.domain = "sea.fudo.org";
fudo.local-network = {
domain = "${local-domain}";
network = "10.0.0.0/16";
dhcp-dynamic-network = "10.0.1.0/24";
enable-reverse-mappings = true;
srv-records = {
tcp = {
domain = [{
port = 53;
host = "clunk.${local-domain}";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerberos-adm = [{
port = 88;
host = "france.fudo.org";
}];
ssh = [{
port = 22;
host = "clunk.${local-domain}";
}];
};
udp = {
domain = [{
port = 53;
host = "clunk.${local-domain}";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerboros-master = [{
port = 88;
host = "france.fudo.org";
}];
kpasswd = [{
port = 464;
host = "france.fudo.org";
}];
};
};
aliases = {
dns-hole = "clunk";
};
hosts = {
clunk = {
ip-address = "10.0.0.1";
mac-address = "02:44:d1:eb:c3:6b";
};
dns-proxy = {
ip-address = "10.0.0.2";
# This is just an alias for clunk's primary interface
};
google-wifi = {
ip-address = "10.0.0.11";
mac-address = "70:3a:cb:c0:3b:09";
};
pselby-work = {
ip-address = "10.0.0.151";
mac-address = "00:50:b6:aa:bd:b3";
};
downstairs-desktop = {
ip-address = "10.0.0.100";
mac-address = "90:b1:1c:8e:29:cf";
};
upstairs-desktop = {
ip-address = "10.0.0.101";
mac-address = "00:21:70:70:25:7d";
};
};
};
}; };
} }

4
fudo/sites/seattle.nix
View File

@ -118,8 +118,8 @@ in {
domain = "${local-domain}"; domain = "${local-domain}";
aliases = { aliases = {
kadmin = "slab"; kadmin = "nostromo";
kdc = "slab"; kdc = "nostromo";
photo = "doraemon"; photo = "doraemon";
music = "doraemon"; music = "doraemon";
panopticon = "hyperion"; panopticon = "hyperion";

92
hosts/clunk.nix
View File

@ -3,6 +3,7 @@
let let
hostname = "clunk"; hostname = "clunk";
host-internal-ip = "10.0.0.1"; host-internal-ip = "10.0.0.1";
dns-proxy-ip = "10.0.0.2";
inherit (lib.strings) concatStringsSep; inherit (lib.strings) concatStringsSep;
in { in {
@ -11,6 +12,10 @@ in {
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot = {
runSize = "50%";
};
hardware.bluetooth.enable = false; hardware.bluetooth.enable = false;
imports = [ imports = [
@ -23,17 +28,16 @@ in {
site = "russell"; site = "russell";
}; };
# fudo.local-network = { fudo.local-network = {
# enable = true; enable = true;
# dns-servers = [ host-internal-ip ]; dns-servers = [ host-internal-ip ];
# gateway = host-internal-ip; gateway = host-internal-ip;
# dhcp-interfaces = [ "intif0" ]; dhcp-interfaces = [ "intif0" ];
# dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" ]; dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" "::1" ];
# # Using a pihole running in docker, see below # Using a pihole running in docker, see below
# recursive-resolver = "${host-internal-ip} port 5353"; recursive-resolver = "${host-internal-ip} port 5353";
# # recursive-resolver = "1.1.1.1"; server-ip = host-internal-ip;
# server-ip = host-internal-ip; };
# };
networking = { networking = {
hostName = hostname; hostName = hostname;
@ -48,6 +52,11 @@ in {
}; };
}; };
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "docker0" ];
};
interfaces = { interfaces = {
enp2s0.useDHCP = false; enp2s0.useDHCP = false;
enp3s0.useDHCP = false; enp3s0.useDHCP = false;
@ -65,6 +74,11 @@ in {
address = host-internal-ip; address = host-internal-ip;
prefixLength = 22; prefixLength = 22;
} }
{
address = dns-proxy-ip;
prefixLength = 32;
}
]; ];
}; };
}; };
@ -77,13 +91,21 @@ in {
}; };
fudo = { fudo = {
garbage-collector = {
enable = true;
timing = "hourly";
};
secure-dns-proxy = { secure-dns-proxy = {
enable = true; enable = true;
port = 3535; port = 53;
upstream-dns = [ upstream-dns = [
"https://cloudflare-dns.com/dns-query" "https://1.1.1.1/dns-query"
"https://1.0.0.1/dns-query"
#"https://9.9.9.9/dns-query"
]; ];
bootstrap-dns = "1.1.1.1"; bootstrap-dns = "1.1.1.1";
listen-ips = [dns-proxy-ip];
}; };
}; };
@ -101,7 +123,7 @@ in {
docker-containers = { docker-containers = {
pihole = { pihole = {
image = "pihole/pihole:4.3.2-1"; image = "pihole/pihole:v5.1.2";
ports = [ ports = [
"5353:53/tcp" "5353:53/tcp"
"5353:53/udp" "5353:53/udp"
@ -109,18 +131,46 @@ in {
]; ];
environment = { environment = {
ServerIP = host-internal-ip; ServerIP = host-internal-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org"; VIRTUAL_HOST = "dns-hole.rus.selby.ca";
DNS1 = "1.1.1.1"; # Not working?
DNS2 = "8.8.8.8"; DNS1 = dns-proxy-ip;
#DNS1 = "1.1.1.1";
}; };
volumes = [ volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/" "/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
]; ];
# TODO: DNS-over-HTTPS via cloudflared };
# extraDockerOptions = [ };
# "--dns=1.1.1.1"
# ]; services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts = {
"dns-hole.rus.selby.ca" = {
serverAliases = [
"pihole.rus.selby.ca"
"hole.rus.selby.ca"
"pihole"
"dns-hole"
"hole"
];
locations."/" = {
proxyPass = "http://127.0.0.1:3080";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
}; };
}; };
} }