diff --git a/.gitignore b/.gitignore index 2ee4098..947f765 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ configuration.nix hardware-configuration.nix +*~ diff --git a/config/fudo/chat.nix b/config/fudo/chat.nix index dfaf28c..ecc03ed 100644 --- a/config/fudo/chat.nix +++ b/config/fudo/chat.nix @@ -32,7 +32,7 @@ in { }; smtp-password-file = mkOption { - type = types.path; + type = types.str; description = "Path to a file containing the password to use while connecting to the SMTP server."; }; @@ -61,7 +61,7 @@ in { }; password-file = mkOption { - type = types.path; + type = types.str; description = "Path to file containing database password."; }; }; diff --git a/config/fudo/webmail.nix b/config/fudo/webmail.nix index d2c4f4e..cf93502 100644 --- a/config/fudo/webmail.nix +++ b/config/fudo/webmail.nix @@ -186,7 +186,7 @@ let }; password-file = mkOption { - type = types.path; + type = types.str; description = "Password to use when connecting to the database."; }; }; diff --git a/fudo/sites/seattle.nix b/fudo/sites/seattle.nix index 7cc9e0d..d284f29 100644 --- a/fudo/sites/seattle.nix +++ b/fudo/sites/seattle.nix @@ -16,9 +16,7 @@ in { time.timeZone = "America/Los_Angeles"; - services.printing = { - enable = true; - }; + services.printing.enable = true; services.cron = { mailto = admin; @@ -63,6 +61,12 @@ in { home = "/home/xiaoxuan"; hashedPassword = "$6$C8lYHrK7KvdKm/RE$cHZ2hg5gEOEjTV8Zoayik8sz5h.Vh0.ClCgOlQn8l/2Qx/qdxqZ7xCsAZ1GZ.IEyESfhJeJbjLpykXDwPpfVF0"; }; + kevin = { + isNormalUser = true; + createHome = true; + home = "/home/kevin"; + hashedPassword = ""; + }; }; fileSystems."/mnt/documents" = { @@ -106,8 +110,10 @@ in { photo = "doraemon"; music = "doraemon"; panopticon = "hyperion"; - hole = "dnshole"; ipfs = "nostromo"; + hole = "nostromo"; + pihole = "nostromo"; + dns-hole = "nostromo"; }; network = "10.0.0.0/16"; 
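Review bot: The switch of `smtp-password-file` to `types.str` deserves a comment, because the reason is not visible from the option itself: `types.path` also accepts a Nix path literal, and a path literal coerced into configuration is copied into the world-readable Nix store, which would leak the secret file (the hosts/france.nix hunks in this commit make the matching path-to-string change on the caller side). A one-line comment above the `type` line would keep the choice from being "corrected" back later, e.g. `# types.str, not types.path: a path literal would copy the secret file into the world-readable Nix store`. The same applies to `password-file` in the chat.nix @@ -61 hunk and in the webmail.nix @@ -186 hunk.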
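Review bot: The description of webmail.nix's `password-file` still reads `Password to use when connecting to the database.`, but the option holds the path of a file, as its name and the sibling options in chat.nix say; now that the type is `types.str`, nothing else tells a reader that an inline password is the wrong value. Suggest `description = "Path to a file containing the password to use when connecting to the database.";`. The enclosing `let` block of webmail.nix continues outside the hunk.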
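Review bot: `hashedPassword = "";` for the new `kevin` user in fudo/sites/seattle.nix does not lock the account: an empty hash field in the shadow database means no password is required, and whether a login then succeeds depends only on the PAM service's null-password setting, which for console login is permissive by default as far as I know. If the real hash is not yet available, `hashedPassword = "!";` keeps the account locked until one is set, or the hash can stay out of the repository via `passwordFile`. `createHome = true` is also redundant here, since `isNormalUser = true` already implies it.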
@@ -169,6 +175,10 @@ in { ip-address = "10.0.0.2"; mac-address = "00:23:7d:e6:d9:ea"; }; + switch-master = { + ip-address = "10.0.0.5"; + mac-address = "00:14:1C:B6:BB:40"; + }; # lm = { # ip-address = "10.0.0.21"; # mac-address = "52:54:00:D8:34:92"; @@ -197,6 +207,18 @@ in { ip-address = "10.0.0.52"; mac-address = "00:11:32:0a:06:c5"; }; + android = { + ip-address = "10.0.0.81"; + mac-address = "00:16:3e:43:39:fc"; + }; + retro-wired = { + ip-address = "10.0.0.82"; + mac-address = "dc:a6:32:6b:57:43"; + }; + retro = { + ip-address = "10.0.0.83"; + mac-address = "dc:a6:32:6b:57:45"; + }; monolith = { ip-address = "10.0.0.100"; mac-address = "6c:62:6d:c8:b0:d8"; @@ -215,7 +237,7 @@ in { }; zbox = { ip-address = "10.0.0.110"; - mac-address = "18:60:24:91:CC:27"; + mac-address = "02:dd:80:52:83:9b"; }; ubiquiti-wifi = { ip-address = "10.0.0.126"; @@ -229,10 +251,6 @@ in { ip-address = "10.0.0.176"; mac-address = "18:b4:30:16:7c:5a"; }; - dns-hole = { - ip-address = "10.0.0.185"; - mac-address = "b8:27:eb:b2:95:fd"; - }; xixi-phone = { ip-address = "10.0.0.193"; mac-address = "48:43:7c:75:89:42"; @@ -265,6 +283,9 @@ in { ip-address = "10.0.0.221"; mac-address = "94:10:3e:48:94:ed"; }; + + + # Storage network node-1 = { ip-address = "10.0.10.101"; mac-address = "00:1e:06:36:81:cf"; diff --git a/hosts/france.nix b/hosts/france.nix index 2fc57a7..f5d8a8d 100644 --- a/hosts/france.nix +++ b/hosts/france.nix @@ -263,7 +263,7 @@ in { name = "webmail"; hostname = "localhost"; user = "webmail"; - password-file = /srv/webmail/secure/db.passwd; + password-file = "/srv/webmail/secure/db.passwd"; }; }; 
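Review bot: The `switch-master` entry writes its MAC in uppercase (`00:14:1C:B6:BB:40`) while every other address added in this hunk and in the @@ -197 hunk is lowercase, and the @@ -215 hunk even replaces an uppercase zbox address with a lowercase one. If these values are compared or deduplicated as strings downstream (presumably by whatever generates the DHCP reservations from this map), the mixed case is a latent mismatch; suggest `mac-address = "00:14:1c:b6:bb:40";`.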
@@ -303,12 +303,12 @@ in { site-name = "Fudo Chat"; smtp-server = "france.fudo.org"; smtp-user = "chat"; - smtp-password-file = /srv/mattermost/secure/smtp.passwd; + smtp-password-file = "/srv/mattermost/secure/smtp.passwd"; database = { name = "mattermost"; hostname = "localhost"; user = "mattermost"; - password-file = /srv/mattermost/secure/db.passwd; + password-file = "/srv/mattermost/secure/db.passwd"; }; }; diff --git a/hosts/nostromo.nix b/hosts/nostromo.nix index 578b30e..d2cd4ec 100644 --- a/hosts/nostromo.nix +++ b/hosts/nostromo.nix @@ -1,7 +1,10 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: let hostname = "nostromo.sea.fudo.org"; + host-internal-ip = "10.0.0.1"; + local-gateway = "10.0.0.1"; + inherit (lib.strings) concatStringsSep; in { 
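Review bot: `inherit (lib.strings) concatStringsSep;` binds a name that nothing in the rewritten hosts/nostromo.nix uses, as far as this diff shows (the following hunk replaces the remainder of the file and never references it), so the new `lib` argument seems to exist only for this unused binding. `local-gateway` likewise holds the same address as `host-internal-ip`, and its one consumer, `defaultGateway`, is commented out in the next hunk. Either drop the unused bindings or add a short comment saying what they are reserved for, e.g. `# reserved for the NAT/gateway split once eno2 is the uplink`.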
@@ -9,77 +12,219 @@ in { boot.loader.grub.enable = true; boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/sdb"; + boot.loader.grub.device = "/dev/sda"; + + hardware.bluetooth.enable = false; imports = [ ../defaults.nix - ../networks/sea.fudo.org.nix - ../profiles/server.nix ../hardware-configuration.nix - # ../profiles/services/local_nameserver.nix ]; - fudo.postgresql = { - enable = true; - ssl-private-key = "/srv/nostromo.sea.fudo.org/certs/private/privkey.pem"; - ssl-certificate = "/srv/nostromo.sea.fudo.org/certs/cert.pem"; - keytab = "/srv/nostromo.sea.fudo.org/keytabs/postgres.keytab"; + fudo.common = { + profile = "server"; + site = "seattle"; + }; - local-networks = [ - "10.0.0.1/24" - ]; + fudo.local-network = { + enable = true; + # See fudo/sites/seattle.nix for general settings + dns-servers = [ host-internal-ip ]; + gateway = local-gateway; + dhcp-interfaces = [ "intif0" ]; + dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" ]; + # Using a pihole running in docker, see below + recursive-resolver = "${host-internal-ip} port 5353"; + # recursive-resolver = "1.1.1.1"; + server-ip = host-internal-ip; }; networking = { hostName = hostname; - defaultGateway = "10.0.0.1"; + # defaultGateway = local-gateway; - nameservers = [ "10.0.0.1" ]; + nameservers = [ host-internal-ip ]; # Turn off for hypervisor: dhcp by default everywhere is a fuckin pain. 
- dhcpcd.enable = false; + #dhcpcd.enable = true; # Create a bridge for VMs to use - macvlans.intlan0 = { - interface = "eno1"; - mode = "bridge"; + macvlans = { + intif0 = { + interface = "eno1"; + mode = "bridge"; + }; + + # extif0 = { + # interface = "eno2"; + # mode = "bridge"; + # }; }; interfaces = { - intlan0 = { + eno1.useDHCP = false; + eno3.useDHCP = false; + eno4.useDHCP = false; + enp33s0f0.useDHCP = false; + enp33s0f1.useDHCP = false; + enp9s0f0.useDHCP = false; + enp9s0f1.useDHCP = false; + + eno2.useDHCP = true; + + + intif0 = { + useDHCP = false; macAddress = "46:54:76:06:f1:10"; ipv4.addresses = [ { - address = "10.0.0.2"; - prefixLength = 23; + address = host-internal-ip; + prefixLength = 22; + } + { + address = "10.0.10.2"; + prefixLength = 24; } ]; }; + + # extif0 = { + # useDHCP = true; + # }; + }; + + nat = { + enable = true; + externalInterface = "eno2"; + internalInterfaces = ["intif0"]; }; }; - hardware.bluetooth.enable = false; + fudo = { + postgresql = { + enable = true; + ssl-private-key = "/srv/nostromo/certs/private/privkey.pem"; + ssl-certificate = "/srv/nostromo/certs/cert.pem"; + keytab = "/srv/nostromo/keytabs/postgres.keytab"; + + local-networks = [ + "10.0.0.1/24" + "127.0.0.1/8" + ]; + }; + + # secure-dns = { + # enable = true; + # port = 9053; + # }; + }; environment.systemPackages = with pkgs; [ - ipfs libguestfs-with-appliance libvirt virtmanager ]; - virtualisation.libvirtd = { - enable = true; - qemuPackage = pkgs.qemu_kvm; - onShutdown = "shutdown"; + virtualisation = { + docker = { + enable = true; + autoPrune.enable = true; + enableOnBoot = true; + }; + + libvirtd = { + enable = true; + qemuPackage = pkgs.qemu_kvm; + onShutdown = "shutdown"; + }; }; - services.ipfs = { - enable = true; - enableGC = true; - autoMount = false; - defaultMode = "online"; - apiAddress = "/ip4/10.0.0.2/tcp/5001"; - gatewayAddress = "/ipv4/10.0.0.2/tcp/8080"; + docker-containers = { + pihole = { + image = "pihole/pihole:4.3.2-1"; + ports = [ + 
"5353:53/tcp" + "5353:53/udp" + "3080:80/tcp" + ]; + environment = { + ServerIP = host-internal-ip; + VIRTUAL_HOST = "dns-hole.sea.fudo.org"; + DNS1 = "1.1.1.1"; + DNS2 = "8.8.8.8"; + }; + volumes = [ + "/srv/pihole/etc-pihole/:/etc/pihole/" + "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" + ]; + # TODO: DNS-over-HTTPS via cloudflared + extraDockerOptions = [ + "--dns=1.1.1.1" + ]; + }; + }; + + services = { + dhcpd6.enable = false; + + # glusterfs = { + # enable = true; + # enableGlustereventsd = true; + # useRpcbind = true; + # }; + + nginx = { + enable = true; + + virtualHosts = { + "pihole.sea.fudo.org" = { + serverAliases = [ + "dns-hole.sea.fudo.org" + "hole.sea.fudo.org" + ]; + + locations."/" = { + proxyPass = "http://127.0.0.1:3080"; + + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-By $server_addr:$server_port; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + }; + }; + + ceph = { + enable = true; + + global = { + clusterName = "sea-data"; + clusterNetwork = "10.0.10.0/24"; + fsid = "d443e192-896d-4102-a60f-f8f0777eb2a3"; + monHost = "10.0.10.2"; + monInitialMembers = "mon-1"; + publicNetwork = "10.0.0.0/22"; + }; + + mds = { + enable = true; + daemons = ["srv-2"]; + }; + + mgr = { + enable = true; + daemons = ["srv-2"]; + }; + + mon = { + enable = true; + daemons = ["srv-2"]; + }; + }; }; } diff --git a/packages/cloudflared.nix b/packages/cloudflared.nix new file mode 100644 index 0000000..5daf85c --- /dev/null +++ b/packages/cloudflared.nix 
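Review bot: The `pihole` container publishes `5353:53/tcp`, `5353:53/udp` and `3080:80/tcp` without a bind address, so Docker maps them on every host address, including `eno2`, which this same hunk configures as the DHCP-assigned external interface of a NAT gateway; as far as I know Docker installs its own iptables rules for published ports, so the NixOS firewall does not shield them. That exposes a recursive resolver and the Pi-hole admin UI to whatever network `eno2` faces. Since `recursive-resolver` points at `${host-internal-ip} port 5353` and nginx proxies to `127.0.0.1:3080`, binding the publications is enough: `"${host-internal-ip}:5353:53/tcp"`, `"${host-internal-ip}:5353:53/udp"`, `"127.0.0.1:3080:80/tcp"`. Separately, the `pihole.sea.fudo.org` virtual host serves the admin UI over plain HTTP with no `forceSSL`/`enableACME`, which is acceptable only if it is never reachable beyond the LAN.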
@@ -0,0 +1,29 @@ +{ stdenv, fetchgit }: + +let + url = "https://github.com/cloudflare/cloudflared.git"; + version = "2020.2.1"; + hash = ""; + +in stdenv.mkDerivation { + name = "cloudflared"; + + src = fetchgit { + url = url; + rev = version; + sha256 = "abc"; + }; + + configurePhase = '' + # Nothing to do + ''; + + buildPhase = '' + # Nothing to do + ''; + + installPhase = '' + mkdir -p "$out/bin" + cp ./cloudflared "$out/bin" + ''; +} diff --git a/packages/local.nix b/packages/local.nix index 2e589d1..deda25e 100644 --- a/packages/local.nix +++ b/packages/local.nix @@ -2,6 +2,11 @@ { nixpkgs.config.packageOverrides = pkgs: rec { + cloudflared = import ./cloudflared.nix { + stdenv = pkgs.stdenv; + fetchurl = builtins.fetchurl; + }; + letsencrypt-ca = import ./letsencrypt-ca.nix { stdenv = pkgs.stdenv; fetchurl = builtins.fetchurl;
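Review bot: `packages/cloudflared.nix` cannot evaluate or build as written: the file takes `fetchgit`, but the packages/local.nix hunk calls it with `fetchurl = builtins.fetchurl`, and the fixed-output `sha256 = "abc"` is a placeholder rather than a hash, so even with the right argument the fetch fails its hash check, and until a real hash is recorded the downloaded source is not integrity-verified at all. The `hash = ""` binding in the `let` is unused and should go, and `url = url;` is conventionally `inherit url;`. Since `buildPhase` does nothing, `cp ./cloudflared "$out/bin"` also presumes a prebuilt binary in the git checkout, which I would confirm against the repository contents before relying on it. Pass `fetchgit = pkgs.fetchgit;` from local.nix and record the prefetched sha256 in place of `"abc"`.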