From d145f6282a91ca58ec45c6af1441b8002a0a9f13 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 31 Mar 2021 23:28:42 +0000 Subject: [PATCH 01/20] Working (I think?) GUI on zbox --- config/domains.nix | 6 +-- config/hardware/zbox.nix | 70 +++++++++++++++++++++++++++++++++++ config/hosts.nix | 3 +- config/hosts/zbox.nix | 11 +++++- config/profiles/common-ui.nix | 20 +++++----- config/sites.nix | 52 +++++++++++++------------- config/sites/seattle.nix | 6 ++- 7 files changed, 125 insertions(+), 43 deletions(-) create mode 100644 config/hardware/zbox.nix diff --git a/config/domains.nix b/config/domains.nix index 51a06c0..756180e 100644 --- a/config/domains.nix +++ b/config/domains.nix @@ -7,7 +7,7 @@ local-users = [ "niten" "reaper" ]; local-groups = [ "fudo" "selby" "admin" ]; - admin-users = [ "niten" "reaper" ]; + local-admins = [ "niten" "reaper" ]; admin-email = "admin@fudo.org"; gssapi-realm = "FUDO.ORG"; }; @@ -17,7 +17,7 @@ local-users = [ "niten" "reaper" "xiaoxuan" "ken" ]; local-groups = [ "fudo" "selby" "admin" ]; - admin-users = [ "niten" ]; + local-admins = [ "niten" ]; admin-email = "niten@fudo.org"; gssapi-realm = "FUDO.ORG"; }; @@ -48,7 +48,7 @@ local-users = [ "niten" "viator" ]; local-groups = [ "admin" ]; - admin-users = [ "niten" ]; + local-admins = [ "niten" ]; admin-email = "viator@informis.land"; gssapi-realm = "INFORMIS.LAND"; }; diff --git a/config/hardware/zbox.nix b/config/hardware/zbox.nix new file mode 100644 index 0000000..4998b21 --- /dev/null +++ b/config/hardware/zbox.nix 
@@ -0,0 +1,70 @@ +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd = { + availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + }; + + fileSystems."/" = + { device = "/dev/disk/by-label/zbox-root"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-label/BOOT"; + fsType = "vfat"; + }; + + swapDevices = + [ { device = "/dev/disk/by-label/zbox-swap"; } + ]; + + hardware = { + bluetooth.enable = true; + + cpu.intel.updateMicrocode = true; + + opengl = { + driSupport = true; + driSupport32Bit = true; + + # extraPackages32 = with pkgs.i686Linux; [ libva ]; + }; + + pulseaudio.support32Bit = true; + }; + + networking = { + macvlans = { + intif0 = { + interface = "eno1"; + mode = "bridge"; + }; + }; + + interfaces = { + intif0 = { + # output of: echo clunk-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + macAddress = "02:dd:80:52:83:9b"; + }; + }; + }; + + services.xserver.videoDrivers = [ "nvidia" ]; + + nix.maxJobs = lib.mkDefault 8; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/config/hosts.nix b/config/hosts.nix index a22b9f3..d315143 100644 --- a/config/hosts.nix +++ b/config/hosts.nix @@ -149,6 +149,7 @@ profile = "desktop"; }; - zbox = { description = "Niten's primary desktop."; }; + zbox = { description = "Niten's primary desktop."; + enable-gui = true;}; }; } diff --git a/config/hosts/zbox.nix b/config/hosts/zbox.nix index 718db2e..d4f8240 100644 --- a/config/hosts/zbox.nix +++ b/config/hosts/zbox.nix 
@@ -1,10 +1,17 @@ { config, lib, pkgs, ... }: { + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + fudo.slynk.enable = true; networking = { - eno1.useDHCP = false; - intif0 = { useDHCP = true; }; + interfaces = { + eno1.useDHCP = false; + intif0 = { useDHCP = true; }; + }; }; } diff --git a/config/profiles/common-ui.nix b/config/profiles/common-ui.nix index b17aa94..4210b28 100644 --- a/config/profiles/common-ui.nix +++ b/config/profiles/common-ui.nix @@ -6,7 +6,7 @@ let enable-gui = config.fudo.hosts.${hostname}.enable-gui; in { - import = [ ./common.nix ]; + imports = [ ./common.nix ]; boot.plymouth.enable = false; @@ -14,7 +14,8 @@ in { system.autoUpgrade.enable = true; - services.xserver = mkIf enable-gui { + services = { + xserver = mkIf enable-gui { enable = true; desktopManager.gnome3.enable = true; @@ -23,13 +24,6 @@ in { windowManager.stumpwm.enable = true; - emacs = { - enable = true; - install = true; - package = pkgs.emacs; - defaultEditor = true; - }; - # windowManager.session = pkgs.lib.singleton { # name = "stumpwm"; # start = '' @@ -37,6 +31,14 @@ in { # waidPID=$! # ''; # }; + }; + + emacs = { + enable = true; + install = true; + package = pkgs.emacs; + defaultEditor = true; + }; }; sound.enable = true; diff --git a/config/sites.nix b/config/sites.nix index 8097af9..16289ff 100644 --- a/config/sites.nix +++ b/config/sites.nix 
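Review bot: The `nixpkgs.config.permittedInsecurePackages` entry added to config/hosts/zbox.nix silences the nixpkgs insecure-package check for `openssh-with-gssapi-8.4p1` on the strength of a `# TODO: remove?`, with nothing recording what blocks the upgrade or when the exception should end; the identical allowlist is copied into config/hosts/spark.nix (patch 04) and config/hosts/limina.nix (patch 09). An allowlist for a build nixpkgs has flagged for CVE-2021-28041 deserves a comment naming the blocker and the exit condition, e.g. `# openssh-with-gssapi is still 8.4p1 (CVE-2021-28041): drop this entry as soon as the GSSAPI build is rebased on a fixed release`. It also belongs in one shared profile rather than three host files, so the exception disappears in a single change when it is no longer needed.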
@@ -10,32 +10,32 @@ timezone = "America/Los_Angeles"; gateway-host = "nostromo"; # FIXME: good idea? - network-mounts = { - "/mnt/documents" = { - device = "whitedwarf:/volume1/Documents"; - fsType = "nfs4"; - }; - "/mnt/downloads" = { - device = "whitedwarf:/volume1/Downloads"; - fsType = "nfs4"; - }; - "/mnt/music" = { - device = "doraemon:/volume1/Music"; - fsType = "nfs4"; - }; - "/mnt/video" = { - device = "doraemon:/volume1/Video"; - fsType = "nfs4"; - }; - "/mnt/cargo_video" = { - device = "cargo:/volume1/video"; - fsType = "nfs4"; - }; - "/mnt/photo" = { - device = "cargo:/volume1/pictures"; - fsType = "nfs4"; - }; - }; + # network-mounts = { + # "/mnt/documents" = { + # device = "whitedwarf:/volume1/Documents"; + # fsType = "nfs4"; + # }; + # "/mnt/downloads" = { + # device = "whitedwarf:/volume1/Downloads"; + # fsType = "nfs4"; + # }; + # "/mnt/music" = { + # device = "doraemon:/volume1/Music"; + # fsType = "nfs4"; + # }; + # "/mnt/video" = { + # device = "doraemon:/volume1/Video"; + # fsType = "nfs4"; + # }; + # "/mnt/cargo_video" = { + # device = "cargo:/volume1/video"; + # fsType = "nfs4"; + # }; + # "/mnt/photo" = { + # device = "cargo:/volume1/pictures"; + # fsType = "nfs4"; + # }; + # }; }; portage = { diff --git a/config/sites/seattle.nix b/config/sites/seattle.nix index 3c2a8b4..b352f09 100644 --- a/config/sites/seattle.nix +++ b/config/sites/seattle.nix @@ -1,5 +1,7 @@ { config, lib, pkgs, ... }: { - -} \ No newline at end of file + environment.systemPackages = with pkgs; [ + hll2380dw-cups + ]; +} From 0ee115d2ca8ae71ccbcfb178f74cb46263113750 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 1 Apr 2021 17:22:11 +0000 Subject: [PATCH 02/20] Changes for zbox --- config/hosts/zbox.nix | 2 ++ config/profiles/common-ui.nix | 5 +++++ home-manager/niten.nix | 2 ++ 3 files changed, 9 insertions(+) diff --git a/config/hosts/zbox.nix b/config/hosts/zbox.nix index d4f8240..a90ce5b 100644 --- a/config/hosts/zbox.nix +++ b/config/hosts/zbox.nix 
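Review bot: The `network-mounts` block in config/sites.nix is commented out line by line rather than deleted, leaving 27 lines of dead configuration behind a `# FIXME: good idea?` that now has nothing to refer to. Patch 03 moves the same mounts into config/sites/seattle.nix, so the commented copy will only drift from the live one; git history already keeps the old text, so remove the block outright.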
@@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:
 {
+ system.stateVersion = "20.09";
+
 # TODO: remove?
 nixpkgs.config.permittedInsecurePackages = [
 "openssh-with-gssapi-8.4p1" # CVE-2021-28041
diff --git a/config/profiles/common-ui.nix b/config/profiles/common-ui.nix
index 4210b28..ac39060 100644
--- a/config/profiles/common-ui.nix
+++ b/config/profiles/common-ui.nix
@@ -14,6 +14,11 @@ in {
 system.autoUpgrade.enable = true;
+ environment.systemPackages = with pkgs; [
+ firefox
+ spotify
+ ];
+
 services = {
 xserver = mkIf enable-gui {
 enable = true;
diff --git a/home-manager/niten.nix b/home-manager/niten.nix
index 0b218bf..d818577 100644
--- a/home-manager/niten.nix
+++ b/home-manager/niten.nix
@@ -17,6 +17,7 @@ let
 doomEmacsInit
 enca
 file
+ firefox
 fortune
 gnupg
 guile
@@ -44,6 +45,7 @@ let
 rustc
 sbcl
 signal-desktop
+ spotify
 stdenv
 telnet
 texlive.combined.scheme-basic
From ae1a225869371ddeeba0948c15492bedfb0bdd32 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 2 Apr 2021 21:08:01 +0000
Subject: [PATCH 03/20] add network mounts
---
 config/sites/seattle.nix | 42 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/config/sites/seattle.nix b/config/sites/seattle.nix
index b352f09..0fd0a52 100644
--- a/config/sites/seattle.nix
+++ b/config/sites/seattle.nix
@@ -1,6 +1,46 @@ { config, lib, pkgs, ... }: -{ +let + local-domain = "sea.fudo.org"; +in { + fileSystems = { + "/mnt/documents" = { + device = "whitedwarf.${local-domain}:/volume1/Documents"; + fsType = "nfs4"; + }; + "/mnt/downloads" = { + device = "whitedwarf.${local-domain}:/volume1/Downloads"; + fsType = "nfs4"; + }; + "/mnt/music" = { + device = "doraemon.${local-domain}:/volume1/Music"; + fsType = "nfs4"; + }; + "/mnt/video" = { + device = "doraemon.${local-domain}:/volume1/Video"; + fsType = "nfs4"; + }; + # fileSystems."/mnt/security" = { + # device = "panopticon.${local-domain}:/srv/kerberos/data"; + # fsType = "nfs4"; + # }; + "/mnt/cargo_video" = { + device = "cargo.${local-domain}:/volume1/video"; + fsType = "nfs4"; + }; + "/mnt/photo" = { + device = "cargo.${local-domain}:/volume1/pictures"; + fsType = "nfs4"; + }; + }; + + services.printing = { + enable = true; + drivers = [ + pkgs.hll2380dw-cups + ]; + }; + environment.systemPackages = with pkgs; [ hll2380dw-cups ]; From b09647c970026e6f41118a2d3fc742045aa2d804 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 2 Apr 2021 21:08:31 +0000 Subject: [PATCH 04/20] Got local packages working again --- config/hardware/spark.nix | 69 +++++++++++++++++++++++++++++++++ config/hosts.nix | 18 ++++++--- config/hosts/spark.nix | 16 ++++++++ config/profiles/common-ui.nix | 49 +++++++++++++++-------- home-manager/niten.nix | 2 + lib/fudo/users-common.nix | 34 ++++++++++++++++ lib/fudo/users.nix | 73 ++++++++++++++++------------------- lib/system.nix | 31 +++++++++++++++ 8 files changed, 231 insertions(+), 61 deletions(-) create mode 100644 config/hardware/spark.nix create mode 100644 config/hosts/spark.nix create mode 100644 lib/fudo/users-common.nix create mode 100644 lib/system.nix diff --git a/config/hardware/spark.nix b/config/hardware/spark.nix new file mode 100644 index 0000000..024b4ee --- /dev/null +++ b/config/hardware/spark.nix 
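Review bot: Every NFS entry in the new `fileSystems` block of config/sites/seattle.nix is declared with `fsType = "nfs4"` and no `options`, so the mounts run with NFS defaults: uid-based AUTH_SYS security rather than Kerberos, even though the domains in config/domains.nix carry a `gssapi-realm`, and a hard mount at boot that hangs the host when the file server is unreachable. I would add at least `options = [ "x-systemd.automount" "noauto" ];` to each entry so a missing server does not block boot, and `sec=krb5p` (or `krb5i`) once the export side is confirmed to offer it. The commented-out `/mnt/security` entry is also written as `fileSystems."/mnt/security" = {`, which is the wrong shape inside the enclosing `fileSystems = { … }` attrset if it is ever uncommented; make it `"/mnt/security" = {` or drop it.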
@@ -0,0 +1,69 @@ +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + system.stateVersion = "20.03"; + + boot = { + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + initrd = { + availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ]; + kernelModules = [ ]; + }; + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + }; + + fileSystems."/" = + { device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-label/BOOT"; + fsType = "vfat"; + }; + + hardware = { + bluetooth.enable = true; + + cpu.intel.updateMicrocode = true; + + opengl = { + driSupport = true; + driSupport32Bit = true; + }; + + pulseaudio.support32Bit = true; + }; + + networking = { + macvlans = { + extif0 = { + interface = "enp3s0"; + mode = "bridge"; + }; + }; + + interfaces = { + enp3s0 = { + useDHCP = false; + }; + + extif0 = { + # output of: echo spark-extif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + macAddress = "02:9c:b7:b6:ad:c4"; + }; + }; + }; + + services.xserver.videoDrivers = [ "intel" ]; + nix.maxJobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/config/hosts.nix b/config/hosts.nix index d315143..0012d47 100644 --- a/config/hosts.nix +++ b/config/hosts.nix @@ -130,7 +130,12 @@ pselby-work = { description = "Google Lenovo work laptop."; }; - spark = { description = "Niten's backup desktop."; }; + spark = { + description = "Niten's backup desktop."; + rp = "niten"; + admin-email = "niten@fudo.org"; + enable-gui = true; + }; upstairs-desktop = { description = "Upstairs desktop in Russell."; 
@@ -144,12 +149,13 @@ ]; rp = "niten"; admin-email = "niten@fudo.org"; - domain = "rus.selby.ca"; - site = "russell"; - profile = "desktop"; }; - zbox = { description = "Niten's primary desktop."; - enable-gui = true;}; + zbox = { + description = "Niten's primary desktop."; + rp = "niten"; + admin-email = "niten@fudo.org"; + enable-gui = true; + }; }; } diff --git a/config/hosts/spark.nix b/config/hosts/spark.nix new file mode 100644 index 0000000..e6b83d5 --- /dev/null +++ b/config/hosts/spark.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +{ + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + + fudo.slynk.enable = true; + + networking = { + interfaces = { + extif0 = { useDHCP = true; }; + }; + }; +} diff --git a/config/profiles/common-ui.nix b/config/profiles/common-ui.nix index ac39060..504b394 100644 --- a/config/profiles/common-ui.nix +++ b/config/profiles/common-ui.nix @@ -12,30 +12,36 @@ in { boot.tmpOnTmpfs = true; - system.autoUpgrade.enable = true; + environment = mkIf enable-gui { + systemPackages = [ + #libva + ]; + }; - environment.systemPackages = with pkgs; [ - firefox - spotify - ]; + system = { + autoUpgrade.enable = true; + }; services = { xserver = mkIf enable-gui { - enable = true; + enable = true; - desktopManager.gnome3.enable = true; + desktopManager.gnome3.enable = true; - displayManager.gdm.enable = true; + displayManager.gdm = { + enable = true; + wayland = true; + }; - windowManager.stumpwm.enable = true; + windowManager.stumpwm.enable = true; - # windowManager.session = pkgs.lib.singleton { - # name = "stumpwm"; - # start = '' - # ${pkgs.lispPackages.stumpwm}/bin/stumpwm & - # waidPID=$! - # ''; - # }; + # windowManager.session = pkgs.lib.singleton { + # name = "stumpwm"; + # start = '' + # ${pkgs.lispPackages.stumpwm}/bin/stumpwm & + # waidPID=$! + # ''; + # }; }; emacs = { 
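Review bot: The second config/hosts.nix hunk drops `domain = "rus.selby.ca";`, `site = "russell";` and `profile = "desktop";` from the host entry just above zbox (by the preceding hunk's context, upstairs-desktop), although the commit message only speaks of local packages. The new lib/system.nix in this same patch reads `config.fudo.hosts.${local-host}.domain` and `.site` unconditionally, so unless those options have defaults elsewhere, evaluating that host will fail on a missing attribute. If the removal is intended, say so in the message; otherwise restore the three lines.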
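Review bot: `environment = mkIf enable-gui { systemPackages = [ #libva ]; };` in config/profiles/common-ui.nix replaces the firefox/spotify list that patch 02 added with an empty list under `mkIf`, which is a no-op that only preserves the libva comment. Either drop the block or keep the package list; if the two packages are now meant to come from home-manager/niten.nix only, a sentence in the commit message would settle it. Wrapping the whole `environment` attrset in `mkIf` is also heavier than `environment.systemPackages = mkIf enable-gui [ … ];` and is worth simplifying when the list becomes real.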
@@ -44,6 +50,17 @@ in { package = pkgs.emacs; defaultEditor = true; }; + + trezord.enable = true; + }; + + hardware = { + bluetooth.enable = true; + + opengl = mkIf enable-gui { + driSupport = true; + driSupport32Bit = true; + }; }; sound.enable = true; diff --git a/home-manager/niten.nix b/home-manager/niten.nix index d818577..478755c 100644 --- a/home-manager/niten.nix +++ b/home-manager/niten.nix @@ -1,5 +1,6 @@ { config, lib, pkgs, ... }: +with lib; let name = "Niten"; email = "niten@fudo.org"; @@ -19,6 +20,7 @@ let file firefox fortune + git gnupg guile imagemagick diff --git a/lib/fudo/users-common.nix b/lib/fudo/users-common.nix new file mode 100644 index 0000000..1066610 --- /dev/null +++ b/lib/fudo/users-common.nix @@ -0,0 +1,34 @@ +# Common home-manager config +{ config, lib, pkgs, ... }: + +with lib; +let + sys = import ../system.nix { inherit lib config; }; + + list-contains = lst: item: any (i: i == item) lst; + + domain-realm = domain: domainOpts: domainOpts.gssapi-realm; + + user-realms = username: + mapAttrsToList domain-realm + (filterAttrs (domain: domainOpts: list-contains domainOpts.local-users username) + config.fudo.domains); + + user-principals = username: + map (realm: "${username}@${realm}") (user-realms username); + + user-k5login = username: userOpts: let + principals = userOpts.k5login ++ (user-principals username); + in '' + ${concatStringsSep "\n" principals} + ''; + + user-config = username: userOpts: { + home.file.".k5login" = { + source = pkgs.writeText "${username}-k5login" (user-k5login username userOpts); + }; + }; + +in { + config.home-manager.users = mapAttrs user-config sys.local-users; +} diff --git a/lib/fudo/users.nix b/lib/fudo/users.nix index 29c5498..c450305 100644 --- a/lib/fudo/users.nix +++ b/lib/fudo/users.nix 
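Review bot: `trezord.enable = true;` and `hardware.bluetooth.enable = true;` are added unconditionally in config/profiles/common-ui.nix while the neighbouring `xserver` and `opengl` blocks are gated with `mkIf enable-gui`, so every host importing this profile runs the Trezor bridge daemon and the bluetooth stack whether or not it has a GUI. If these are desktop-only, gate them the same way: `trezord.enable = mkIf enable-gui true;` and `bluetooth.enable = mkIf enable-gui true;`; if they really are meant for every host, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing `services = {` block starts before this hunk.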
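Review bot: `user-principals` in the new lib/fudo/users-common.nix emits one `${username}@${realm}` line per domain that lists the user, and config/domains.nix (patch 01) has several domains sharing `gssapi-realm = "FUDO.ORG"` with `niten` in each, so the generated .k5login will repeat the same principal; nothing de-duplicates against the entries the user already supplies in `userOpts.k5login` either. `principals = unique (userOpts.k5login ++ (user-principals username));` fixes both. `list-contains` reimplements `lib.elem`: `list-contains domainOpts.local-users username` can simply be `elem username domainOpts.local-users`. Since this file is where domain membership turns into Kerberos login authority for every host, the header `# Common home-manager config` undersells it; I would write `# Per-user home-manager config shared by all hosts: .k5login is the user's explicit k5login entries plus <user>@<realm> for every fudo domain that lists the user as a local user.`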
@@ -150,28 +150,13 @@ in { }; }; + imports = [ + ./users-common.nix + ]; + config = let - local-host = config.instance.hostname; - local-domain = config.fudo.hosts.${local-host}.domain; - local-site = config.fudo.hosts.${local-host}.site; - - host-user-list = config.fudo.hosts."${local-host}".local-users; - domain-user-list = config.fudo.domains."${local-domain}".local-users; - local-users = - getAttrs (host-user-list ++ domain-user-list) config.fudo.users; - - host-admin-list = config.fudo.hosts."${local-host}".local-admins; - domain-admin-list = config.fudo.domains."${local-domain}".local-admins; - site-admin-list = config.fudo.sites."${local-site}".local-admins; - local-admins = host-admin-list ++ domain-admin-list ++ site-admin-list; - - host-group-list = config.fudo.hosts."${local-host}".local-groups; - domain-group-list = config.fudo.domains."${local-domain}".local-groups; - site-group-list = config.fudo.sites."${local-site}".local-groups; - local-groups = - getAttrs (host-group-list ++ domain-group-list ++ site-group-list) - config.fudo.groups; - + sys = import ../system.nix { inherit lib config; }; + in { fudo.auth.ldap-server = let ldapUsers = (filterAttrs 
@@ -211,29 +196,39 @@ in { "/home/${userOpts.primary-group}/${username}"; hashedPassword = userOpts.login-hashed-passwd; openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys; - }) local-users; + }) sys.local-users; groups = (mapAttrs (groupname: groupOpts: { gid = groupOpts.gid; - members = filterExistingUsers local-users groupOpts.members; - }) local-groups) // { - wheel = { members = local-admins; }; + members = filterExistingUsers sys.local-users groupOpts.members; + }) sys.local-groups) // { + wheel = { members = sys.local-admins; }; }; }; - home-manager.users = let - home-manager-users = - filterAttrs (username: userOpts: userOpts.home-manager-config != null) - local-users; - common-user-config = username: { - home.file.".k5login" = { - source = pkgs.writeText "${username}-k5login" '' - ${concatStringsSep "\n" config.fudo.users.${username}.k5login} - ''; - }; - }; - in mapAttrs (username: userOpts: - userOpts.home-manager-config // (common-user-config username)) - home-manager-users; + home-manager = { + useGlobalPkgs = true; + + users = let + home-manager-users = + filterAttrs (username: userOpts: userOpts.home-manager-config != null) + sys.local-users; + in mapAttrs (username: userOpts: userOpts.home-manager-config) home-manager-users; + + # users = let + # home-manager-users = + # filterAttrs (username: userOpts: userOpts.home-manager-config != null) + # local-users; + # common-user-config = username: { + # home.file.".k5login" = { + # source = pkgs.writeText "${username}-k5login" '' + # ${concatStringsSep "\n" config.fudo.users.${username}.k5login} + # ''; + # }; + # }; + # in mapAttrs (username: userOpts: + # userOpts.home-manager-config // (common-user-config username)) + # home-manager-users; + }; }; } diff --git a/lib/system.nix b/lib/system.nix new file mode 100644 index 0000000..c9d7f1e --- /dev/null +++ b/lib/system.nix 
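Review bot: The old per-user `.k5login` generator is left in lib/fudo/users.nix as a 13-line commented block (`# users = let …`) directly under the live replacement; users-common.nix takes over that job in the same patch, so the commented copy only invites drift and should go. `home-manager.useGlobalPkgs = true;` changes behaviour for every managed user (home-manager stops evaluating its own nixpkgs and picks up the system overlays), which deserves a sentence in the commit message or a comment such as `# share the system nixpkgs (and its overlays) with home-manager users`. The `config = let … in {` block this sits in starts in the previous hunk.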
@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+
+with lib;
+let
+ local-host = config.instance.hostname;
+ local-domain = config.fudo.hosts.${local-host}.domain;
+ local-site = config.fudo.hosts.${local-host}.site;
+
+ host-user-list = config.fudo.hosts."${local-host}".local-users;
+ domain-user-list = config.fudo.domains."${local-domain}".local-users;
+ site-user-list = config.fudo.sites."${local-site}".local-users;
+ local-users =
+ getAttrs (host-user-list ++ domain-user-list ++ site-user-list) config.fudo.users;
+
+ host-admin-list = config.fudo.hosts."${local-host}".local-admins;
+ domain-admin-list = config.fudo.domains."${local-domain}".local-admins;
+ site-admin-list = config.fudo.sites."${local-site}".local-admins;
+ local-admins = host-admin-list ++ domain-admin-list ++ site-admin-list;
+
+ host-group-list = config.fudo.hosts."${local-host}".local-groups;
+ domain-group-list = config.fudo.domains."${local-domain}".local-groups;
+ site-group-list = config.fudo.sites."${local-site}".local-groups;
+ local-groups =
+ getAttrs (host-group-list ++ domain-group-list ++ site-group-list)
+ config.fudo.groups;
+
+in {
+ local-users = local-users;
+ local-admins = local-admins;
+ local-groups = local-groups;
+}
From 37a09d955314595e108fa9ffdb1761cb63ff14f4 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 2 Apr 2021 22:50:40 +0000
Subject: [PATCH 05/20] Added openttd
---
 config/networks/sea.fudo.org.nix | 2 +-
 home-manager/niten.nix | 3 +++
 packages/default.nix | 6 ++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix
index cbe8144..dd22863 100644
--- a/config/networks/sea.fudo.org.nix
+++ b/config/networks/sea.fudo.org.nix
@@ -133,7 +133,7 @@ in {
 };
 spark = {
 ip-address = "10.0.0.108";
- mac-address = "78:24:af:04:f7:dd";
+ mac-address = "02:9c:b7:b6:ad:c4";
 };
 hyperion = {
 ip-address = "10.0.0.109";
diff --git a/home-manager/niten.nix b/home-manager/niten.nix
index 478755c..3ea5fc6 100644
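Review bot: lib/system.nix folds `site-user-list` into `local-users`, so every user listed at site level now gets an account on every host of that site; the code it replaces in lib/fudo/users.nix (previous hunk) only combined the host and domain lists, and the commit message ("Got local packages working again") does not mention widening who gets a local account — say so, or split it out. `local-admins` is a plain concatenation that users.nix feeds into `wheel.members`, so a name present at host, domain and site level appears three times; `unique` tidies that. As far as I can tell `getAttrs` fails with a bare "attribute missing" error when a username in any of the nine lists is absent from `config.fudo.users`, which is a hard evaluation failure without saying which list is at fault; an `assert` with a message naming the user would make typos diagnosable. The result set can also be written `inherit local-users local-admins local-groups;`.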
--- a/home-manager/niten.nix +++ b/home-manager/niten.nix @@ -40,6 +40,7 @@ let nix-prefetch-git nmap openldap + openttd pciutils pv pwgen @@ -92,6 +93,8 @@ in { onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh"; }; + # ".openttd" = { source = pkgs.openttd-data; }; + # ".k5login" = { # source = pkgs.writeText "niten-k5login" '' # niten@FUDO.ORG diff --git a/packages/default.nix b/packages/default.nix index 424e772..1f3b512 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -161,5 +161,11 @@ in { }; vanilla-forum = import ./vanilla-forum.nix { pkgs = pkgs; }; + + openttd-data = pkgs.fetchgit { + url = "https://git.fudo.org/fudo-public/openttd-data.git"; + rev = "5b7dd0ca9014e642e1f2d0aa3154b5da869911d3"; + sha256 = "061k0f0jgm5k81djslb172xk0wkis0m878izgisyj2qgg3wf1awh"; + }; }; } From 69b2b0305e154287e21d87b41873215075f80902 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 2 Apr 2021 22:57:34 +0000 Subject: [PATCH 06/20] Put openttd data in the right place --- home-manager/niten.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/home-manager/niten.nix b/home-manager/niten.nix index 3ea5fc6..b883a69 100644 --- a/home-manager/niten.nix +++ b/home-manager/niten.nix @@ -93,7 +93,9 @@ in { onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh"; }; - # ".openttd" = { source = pkgs.openttd-data; }; + ".local/share/openttd/baseset" = { + source = "${pkgs.openttd-data}/data"; + }; # ".k5login" = { # source = pkgs.writeText "niten-k5login" '' From 4da2c85fb17ecc35c61c59b985f5bc1b9f847698 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 3 Apr 2021 10:15:10 -0700 Subject: [PATCH 07/20] 'Fix' printer driver, set timezone --- config/sites/seattle.nix | 3 +++ lib/fudo/hosts.nix | 2 ++ packages/hll2380dw-cups.nix | 3 ++- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config/sites/seattle.nix b/config/sites/seattle.nix index 0fd0a52..2a1a1b4 100644 --- a/config/sites/seattle.nix +++ b/config/sites/seattle.nix 
@@ -37,6 +37,9 @@ in {
 services.printing = {
 enable = true;
 drivers = [
+ pkgs.brlaser
+ pkgs.brgenml1lpr
+ pkgs.brgenml1cupswrapper
 pkgs.hll2380dw-cups
 ];
 };
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index b3ca95e..efcea43 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -138,6 +138,8 @@ in {
 hosts = {
 "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
 };
 };
+ time.timeZone = site.timezone;
+
 krb5.libdefaults.default_realm = domain.gssapi-realm;
 services.cron.mailto = domain.admin-email;
diff --git a/packages/hll2380dw-cups.nix b/packages/hll2380dw-cups.nix
index b0ed6dd..4e9059c 100644
--- a/packages/hll2380dw-cups.nix
+++ b/packages/hll2380dw-cups.nix
@@ -22,12 +22,13 @@ stdenv.mkDerivation rec {
 coreutils ghostscript gnugrep gnused
 ]}
 mkdir -p $out/lib/cups/filter/
- ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother_lpdwrapper_HLL2380W \
+ ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother_lpdwrapper_HLL2380DW \
 $out/lib/cups/filter/brother_lpdwrapper_HLL2380DW
 ln -s $out/opt/brother/Printers/HLL2380DW/paperconfigml1 \
 $out/lib/cups/filter/
 mkdir -p $out/share/cups/model
 ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother-HLL2380DW-cups-en.ppd $out/share/cups/model/
+ touch $out/HI
 '';
 meta = with stdenv.lib; {
From d850a71f357e5cc8088e58ad6fe8b33fc9560101 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 5 Apr 2021 15:01:23 -0700
Subject: [PATCH 08/20] Changes...
---
 config/hosts.nix | 16 +++++++
 config/profiles/common.nix | 14 ------
 home-manager/niten.nix | 1 +
 lib/fudo/sites.nix | 87 ++++++++++++++++++++++++++++++++------
 4 files changed, 92 insertions(+), 26 deletions(-)
diff --git a/config/hosts.nix b/config/hosts.nix
index 0012d47..ecc90d5 100644
--- a/config/hosts.nix
+++ b/config/hosts.nix
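Review bot: `touch $out/HI` in the install script of packages/hll2380dw-cups.nix reads like a leftover debugging probe — it ships an empty file at the top of the package output and should be removed before this lands. The `ln -s` rename on the preceding lines (HLL2380W → HLL2380DW) is a correct fix for the dangling symlink. The install string this hunk sits in starts before the hunk.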
@@ -132,9 +132,17 @@ spark = { description = "Niten's backup desktop."; + ssh-fingerprints = [ + "1 1 d26812dee9b26a19a52c38d2b346442979093142" + "1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3" + "4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63" + "4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b" + ]; rp = "niten"; admin-email = "niten@fudo.org"; enable-gui = true; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa"; }; upstairs-desktop = { @@ -153,9 +161,17 @@ zbox = { description = "Niten's primary desktop."; + ssh-fingerprints = [ + "1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d" + "1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493" + "4 1 862842d99f5afb33db4f073d2f3d1154c6417110" + "4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3" + ]; rp = "niten"; admin-email = "niten@fudo.org"; enable-gui = true; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8"; }; }; } diff --git a/config/profiles/common.nix b/config/profiles/common.nix index 19df54d..647bb48 100644 --- a/config/profiles/common.nix +++ b/config/profiles/common.nix @@ -53,20 +53,6 @@ in { GSSAPIKeyExchange yes GSSAPIStoreCredentialsOnRekey yes ''; - # FIXME: add all the hosts we know about - knownHosts = { - # publicKey, hostNames - }; - }; - - lshd = { - enable = true; - portNumber = 2112; - rootLogin = true; - srpKeyExchange = true; - tcpForwarding = false; - publicKeyAuthentication = true; - passwordAuthentication = false; }; fail2ban = { diff --git a/home-manager/niten.nix b/home-manager/niten.nix index b883a69..58eeb6c 100644 --- a/home-manager/niten.nix +++ b/home-manager/niten.nix @@ -26,6 +26,7 @@ let imagemagick ipfs iptables + jdk jq leiningen libisofs diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix index 61179bb..03599be 100644 --- a/lib/fudo/sites.nix +++ b/lib/fudo/sites.nix 
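Review bot: The config/profiles/common.nix hunk deletes the `# FIXME: add all the hosts we know about` placeholder for `knownHosts` instead of filling it, while the config/hosts.nix hunks in the same patch add an `ssh-pubkey` for spark and zbox — exactly the data that placeholder was waiting for. Generating `programs.ssh.knownHosts` from every host in `config.fudo.hosts` that carries an `ssh-pubkey` (one entry with `publicKey` and `hostNames`, as the removed comment already hints) would pin host keys for ssh clients fleet-wide and is the defensive counterpart of publishing the fingerprints. Dropping the `lshd` block (`rootLogin = true` on port 2112) is a good removal; note that the same port reappears for dropbear in lib/fudo/sites.nix in this patch. If the `ssh-fingerprints` entries are meant as SSHFP records, the `1 1` and `4 1` lines are SHA-1 digests that the `1 2`/`4 2` SHA-256 lines already supersede — I cannot see the consumer from here, so confirm whether both are needed.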
@@ -2,58 +2,62 @@ with lib; let + hostname = config.instance.hostname; + site-name = config.fudo.hosts.${hostname}.site; + site-cfg = config.fudo.sites.${site-name}; + siteOpts = { site, ... }: { - options = { + options = with types; { site = mkOption { - type = types.str; + type = str; description = "Site name."; default = site; }; network = mkOption { - type = types.str; + type = str; description = "Network to be treated as local."; }; dynamic-network = mkOption { - type = with types; nullOr str; + type = nullOr str; description = "Network to be allocated by DHCP."; default = null; }; gateway-v4 = mkOption { - type = with types; nullOr str; + type = nullOr str; description = "Gateway to use for public ipv4 internet access."; default = null; }; gateway-v6 = mkOption { - type = with types; nullOr str; + type = nullOr str; description = "Gateway to use for public ipv6 internet access."; default = null; }; gateway-host = mkOption { - type = with types; nullOr str; + type = nullOr str; description = "Identity of the host to act as a gateway."; default = null; }; local-groups = mkOption { - type = with types; listOf str; + type = listOf str; description = "List of groups which should exist at this site."; default = [ ]; }; local-users = mkOption { - type = with types; listOf str; + type = listOf str; description = "List of users which should exist on all hosts at this site."; default = [ ]; }; local-admins = mkOption { - type = with types; listOf str; + type = listOf str; description = "List of admin users which should exist on all hosts at this site."; default = [ ]; 
@@ -63,16 +67,34 @@ let mkEnableOption "Enable site-wide monitoring with prometheus."; nameservers = mkOption { - type = with types; listOf str; + type = listOf str; description = "List of nameservers to be used by hosts at this site."; default = [ ]; }; timezone = mkOption { - type = types.str; + type = str; description = "Timezone of the site."; example = "America/Winnipeg"; }; + + deploy-pubkey = mkOption { + type = nullOr str; + description = "SSH pubkey of site deploy key. Used by dropbear daemon."; + default = null; + }; + + dropbear-rsa-key-path = mkOption { + type = str; + description = "Location of Dropbear RSA key."; + default = "/etc/dropbear/host_rsa_key"; + }; + + dropbear-ecdsa-key-path = mkOption { + type = str; + description = "Location of Dropbear ECDSA key."; + default = "/etc/dropbear/host_ecdsa_key"; + }; }; }; 
@@ -82,4 +104,45 @@ in {
 description = "Site configurations for all sites known to the system.";
 default = { };
 };
+
+ config = mkIf (site-cfg.deploy-pubkey != null) {
+ environment.etc."dropbear/authorized_keys" = {
+ text = "root@deploy ${site-cfg.deploy-pubkey}";
+ mode = "0400";
+ };
+
+ systemd.services = let dropbear-port = 2112;
+ in {
+
+ dropbear-init = {
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ if [ ! -d /etc/dropbear ]; then
+ mkdir /etc/dropbear
+ chmod 700 /etc/dropbear
+ fi
+
+ if [ ! -f ${site-cfg.dropbear-rsa-key-path} ]; then
+ ${pkgs.dropbear}/bin/dropbearkey -t rsa -f ${site-cfg.dropbear-rsa-key-path}
+ ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-rsa-key-path}
+ fi
+
+ if [ ! -f ${site-cfg.dropbear-ecdsa-key-path} ]; then
+ ${pkgs.dropbear}/bin/dropbearkey -t ecdsa -f ${site-cfg.dropbear-ecdsa-key-path}
+ ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path}
+ fi
+ '';
+ };
+
+ dropbear = {
+ requires = [ "dropbear-init.service" ];
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ type = "simple";
+ ExecStart = "${pkgs.dropbear} -F -m -s -j -k -p ${dropbear-port}";
+ };
+ };
+ };
+ };
 }
From 555fcd869eeeac9416706b375299d0a381779390 Mon Sep 17 00:00:00 2001
From: Root
Date: Mon, 5 Apr 2021 15:44:45 -0700
Subject: [PATCH 09/20] Added limina
---
 config/hardware/limina.nix | 112 +++++++++++++++++++++++++++++++
 config/hosts/limina.nix | 56 ++++++++++++++++
 config/networks/sea.fudo.org.nix | 4 ++
 config/profiles/server.nix | 6 --
 4 files changed, 172 insertions(+), 6 deletions(-)
 create mode 100644 config/hardware/limina.nix
 create mode 100644 config/hosts/limina.nix
diff --git a/config/hardware/limina.nix b/config/hardware/limina.nix
new file mode 100644
index 0000000..afbc313
--- /dev/null
+++ b/config/hardware/limina.nix
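Review bot: The authorized_keys line written in lib/fudo/sites.nix, `text = "root@deploy ${site-cfg.deploy-pubkey}";`, puts the comment before the key; authorized_keys syntax is `[options] keytype base64 [comment]`, so `root@deploy` is parsed as an options field and the deploy key is rejected — it should read `"${site-cfg.deploy-pubkey} root@deploy"`, and since stock dropbear reads the target user's `~/.ssh/authorized_keys` (for root, `/root/.ssh/authorized_keys`) rather than `/etc/dropbear/authorized_keys`, confirm which path the packaged daemon actually consults. The `dropbear` unit as written cannot start either: `${pkgs.dropbear}` is the store directory, not `${pkgs.dropbear}/bin/dropbear`; `${dropbear-port}` interpolates an integer, which is an evaluation error (use `toString`); `type = "simple"` is not the `Type` key systemd reads; and without `-r` the daemon looks for its built-in key file names instead of the `dropbear-rsa-key-path`/`dropbear-ecdsa-key-path` files that dropbear-init generates. `requires` without a matching `after`, with dropbear-init left as the default Type=simple, means dropbear can start before the keys exist, so make dropbear-init a oneshot with RemainAfterExit and order dropbear after it. Because a non-null `deploy-pubkey` opens a root login path on every host of the site, the option description in the previous hunk should say so (`"SSH public key granted root login via dropbear on every host at this site."`), and nothing here opens port 2112 in the firewall, so the service is unreachable unless the firewall is disabled elsewhere. The pieces I would rewrite:
```nix
environment.etc."dropbear/authorized_keys" = {
  # authorized_keys syntax is "[options] keytype base64 [comment]"; the comment goes last
  text = "${site-cfg.deploy-pubkey} root@deploy";
  mode = "0400";
};

systemd.services = let dropbear-port = 2112;
in {
  dropbear-init = {
    wantedBy = [ "multi-user.target" ];
    # oneshot + RemainAfterExit so units ordered after this one start only once the keys exist
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    # … unchanged: script creating /etc/dropbear and the RSA/ECDSA host keys …
  };

  dropbear = {
    requires = [ "dropbear-init.service" ];
    after = [ "dropbear-init.service" "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      # -r: use the keys dropbear-init generated instead of dropbear's built-in default paths;
      # -s/-j/-k: no password logins, no local/remote forwarding; -E: log to the journal
      ExecStart = concatStringsSep " " [
        "${pkgs.dropbear}/bin/dropbear"
        "-F -E -m -s -j -k"
        "-r ${site-cfg.dropbear-rsa-key-path}"
        "-r ${site-cfg.dropbear-ecdsa-key-path}"
        "-p ${toString dropbear-port}"
      ];
    };
  };
};
```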
@@ -0,0 +1,112 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + imports = [ ]; + + boot = { + initrd = { + availableKernelModules = + [ "ahci" "xhci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" ]; + kernelModules = [ ]; + }; + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + supportedFilesystems = [ "zfs" ]; + kernelPackages = pkgs.linuxPackages_latest; + }; + + fileSystems = { + "/boot" = { + device = "/dev/disk/by-label/BOOT"; + fsType = "vfat"; + }; + + "/" = { + device = "zroot/transient/root"; + fsType = "zfs"; + }; + + "/nix" = { + device = "zroot/transient/nix"; + fsType = "zfs"; + }; + + "/var/log" = { + device = "zroot/transient/logs"; + fsType = "zfs"; + neededForBoot = true; + }; + + "/home" = { + device = "zroot/persistent/home"; + fsType = "zfs"; + }; + + "/state" = { + device = "zroot/persistent/state"; + fsType = "zfs"; + }; + }; + + services.zfs.autoScrub.enable = true; + + swapDevices = [{ device = "/dev/disk/by-label/swap"; }]; + + nix.maxJobs = lib.mkDefault 4; + + hardware.bluetooth.enable = false; + + networking = { + hostId = substring 0 8 (fileContents /state/etc/machine-id); + + macvlans = { + extif0 = { + interface = "enp1s0"; + mode = "bridge"; + }; + intif0 = { + interface = "enp2s0"; + mode = "bridge"; + }; + intif1 = { + interface = "enp3s0"; + mode = "bridge"; + }; + intif2 = { + interface = "enp4s0"; + mode = "bridge"; + }; + }; + + interfaces = { + enp1s0.useDHCP = false; + enp2s0.useDHCP = false; + enp3s0.useDHCP = false; + enp4s0.useDHCP = false; + + # output of: echo limina-${if}|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + extif0 = { + macAddress = "02:fd:79:94:a2:a8"; + useDHCP = true; + }; + + intif0 = { + macAddress = "02:dc:59:b4:a7:8c"; + }; + + intif1 = { + macAddress = "02:df:43:1d:8a:63"; + }; + + intif2 = { + macAddress = "02:55:d9:05:23:36"; + }; + }; + }; +} 
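Review bot: `networking.hostId = substring 0 8 (fileContents /state/etc/machine-id)` reads the evaluating machine's filesystem at evaluation time, so building this host's configuration anywhere other than on limina itself (or on limina before `/state` exists) either fails or silently picks up the builder's machine-id, and a hostId that differs from the one `zroot` was created under can keep ZFS from importing the pool at boot. Prefer pinning the literal value with the derivation kept as a comment, e.g. `hostId = "xxxxxxxx"; # first 8 hex chars of /state/etc/machine-id on limina`. The `# output of:` comment over the MAC addresses is good; adding that the `02:` prefix sets the locally-administered bit would make the scheme self-explanatory.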
diff --git a/config/hosts/limina.nix b/config/hosts/limina.nix new file mode 100644 index 0000000..9743b00 --- /dev/null +++ b/config/hosts/limina.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with lib; { + config = { + + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + + environment.etc = { + nixos.source = "/state/nixos"; + adjtime.source = "/state/etc/adjtime"; + NIXOS.source = "/state/etc/NIXOS"; + machine-id.source = "/state/etc/machine-id"; + "host-config.nix".source = "/state/etc/host-config.nix"; + }; + + system.stateVersion = "20.09"; + + boot.initrd.postDeviceCommands = lib.mkAfter '' + ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank + ''; + + security.sudo.extraConfig = '' + # rollback results in sudo lectures after each reboot + Defaults lecture = never + ''; + + systemd.tmpfiles.rules = [ + "L /root/.gnupg - - - - /state/root/gnupg" + "L /root/.emacs.d - - - - /state/root/emacs.d" + "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa" + "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub" + "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts" + "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key" + "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key" + ]; + + services = { + openssh = { + hostKeys = [ + { + path = "/state/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/state/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + } + ]; + }; + }; + }; +} diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix index dd22863..3cc9857 100644 --- a/config/networks/sea.fudo.org.nix +++ b/config/networks/sea.fudo.org.nix @@ -67,6 +67,10 @@ in { }; hosts = { + limina = { + ip-address = "10.0.0.6"; + mac-address = "02:fd:79:94:a2:a8"; + }; nostromo = { ip-address = "10.0.0.1"; mac-address = "46:54:76:06:f1:10"; 
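Review bot: `nixpkgs.config.permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ]` globally silences nixpkgs' refusal to build an OpenSSH marked insecure for CVE-2021-28041, and the only justification on record is `# TODO: remove?`. This host keeps root's private key and known_hosts under `/state/root/ssh` and symlinks them into `/root/.ssh`, so it is exactly the kind of machine where an ssh client/agent weakness matters; the entry should say what forces the vulnerable build (presumably the Kerberos realm needs the gssapi variant) and when it can go, e.g. `# openssh-with-gssapi is still 8.4p1 in this nixpkgs pin; drop once it is >= 8.5p1`. The same allowance is repeated in other host-configs in this series; one documented place would make it harder to forget.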
diff --git a/config/profiles/server.nix b/config/profiles/server.nix index a8cd609..2803c7c 100644 --- a/config/profiles/server.nix +++ b/config/profiles/server.nix @@ -4,10 +4,6 @@ with lib; let serverPackages = with pkgs; [ emacs-nox - ldns - ldns.examples - jdk14_headless - racket-minimal reboot-if-necessary test-config ]; @@ -55,8 +51,6 @@ in { config = { environment = { systemPackages = serverPackages; - - # noXlibs = lib.mkForce true; }; system.autoUpgrade.enable = false; From 418c04170cd6dd1bc36ce41661e7a92da77f5803 Mon Sep 17 00:00:00 2001 
From: Root Date: Wed, 7 Apr 2021 14:03:52 -0700 Subject: [PATCH 10/20] Switch to using a common hostconfig at build and config time. --- .../{domains => domain-config}/fudo.org.nix | 0 .../informis.land.nix | 0 .../rus.selby.ca.nix | 0 .../sea.fudo.org.nix | 0 config/hardware/limina.nix | 24 +-- config/host-config/atom.nix | 9 + config/host-config/clunk.nix | 168 +++++++++++++++ config/host-config/france.nix | 179 ++++++++++++++++ config/host-config/lambda.nix | 32 +++ config/host-config/limina.nix | 185 +++++++++++++++++ config/host-config/nostromo.nix | 169 +++++++++++++++ config/host-config/plato.nix | 50 +++++ config/host-config/spark.nix | 16 ++ config/host-config/zbox.nix | 19 ++ config/hosts.nix | 185 ++--------------- config/hosts/atom.nix | 14 +- config/hosts/clunk.nix | 181 ++-------------- config/hosts/downstairs-desktop.nix | 18 ++ config/hosts/france.nix | 194 ++---------------- config/hosts/lambda.nix | 45 ++-- config/hosts/limina.nix | 70 ++----- config/hosts/nostromo.nix | 184 ++--------------- config/hosts/plato.nix | 64 ++---- config/hosts/procul.nix | 4 + config/hosts/pselby-work.nix | 3 + config/hosts/spark.nix | 24 +-- config/hosts/upstairs-desktop.nix | 13 ++ config/hosts/zbox.nix | 27 +-- .../common-ui.nix | 0 .../{profiles => profile-config}/common.nix | 0 .../{profiles => profile-config}/desktop.nix | 0 .../{profiles => profile-config}/laptop.nix | 0 .../{profiles => profile-config}/server.nix | 0 .../joes-datacenter-0.nix | 0 config/{sites => site-config}/portage.nix | 0 config/{sites => site-config}/russell.nix | 0 config/{sites => site-config}/seattle.nix | 0 configuration.nix | 3 - initialize.nix | 21 +- lib/fudo/hosts.nix | 2 +- 40 files changed, 1015 insertions(+), 888 deletions(-) rename config/{domains => domain-config}/fudo.org.nix (100%) rename config/{domains => domain-config}/informis.land.nix (100%) rename config/{domains => domain-config}/rus.selby.ca.nix (100%) rename config/{domains => domain-config}/sea.fudo.org.nix (100%) 
create mode 100644 config/host-config/atom.nix create mode 100644 config/host-config/clunk.nix create mode 100644 config/host-config/france.nix create mode 100644 config/host-config/lambda.nix create mode 100644 config/host-config/limina.nix create mode 100644 config/host-config/nostromo.nix create mode 100644 config/host-config/plato.nix create mode 100644 config/host-config/spark.nix create mode 100644 config/host-config/zbox.nix create mode 100644 config/hosts/downstairs-desktop.nix create mode 100644 config/hosts/procul.nix create mode 100644 config/hosts/pselby-work.nix create mode 100644 config/hosts/upstairs-desktop.nix rename config/{profiles => profile-config}/common-ui.nix (100%) rename config/{profiles => profile-config}/common.nix (100%) rename config/{profiles => profile-config}/desktop.nix (100%) rename config/{profiles => profile-config}/laptop.nix (100%) rename config/{profiles => profile-config}/server.nix (100%) rename config/{sites => site-config}/joes-datacenter-0.nix (100%) rename config/{sites => site-config}/portage.nix (100%) rename config/{sites => site-config}/russell.nix (100%) rename config/{sites => site-config}/seattle.nix (100%) diff --git a/config/domains/fudo.org.nix b/config/domain-config/fudo.org.nix similarity index 100% rename from config/domains/fudo.org.nix rename to config/domain-config/fudo.org.nix diff --git a/config/domains/informis.land.nix b/config/domain-config/informis.land.nix similarity index 100% rename from config/domains/informis.land.nix rename to config/domain-config/informis.land.nix diff --git a/config/domains/rus.selby.ca.nix b/config/domain-config/rus.selby.ca.nix similarity index 100% rename from config/domains/rus.selby.ca.nix rename to config/domain-config/rus.selby.ca.nix diff --git a/config/domains/sea.fudo.org.nix b/config/domain-config/sea.fudo.org.nix similarity index 100% rename from config/domains/sea.fudo.org.nix rename to config/domain-config/sea.fudo.org.nix 
diff --git a/config/hardware/limina.nix b/config/hardware/limina.nix index afbc313..6c970d8 100644 --- a/config/hardware/limina.nix +++ b/config/hardware/limina.nix @@ -1,9 +1,10 @@ { config, lib, pkgs, ... }: -with lib; -{ +with lib; { imports = [ ]; + system.stateVersion = "20.09"; + boot = { initrd = { availableKernelModules = @@ -89,24 +90,15 @@ with lib; enp2s0.useDHCP = false; enp3s0.useDHCP = false; enp4s0.useDHCP = false; - + # output of: echo limina-${if}|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' - extif0 = { - macAddress = "02:fd:79:94:a2:a8"; - useDHCP = true; - }; + extif0 = { macAddress = "02:fd:79:94:a2:a8"; }; - intif0 = { - macAddress = "02:dc:59:b4:a7:8c"; - }; + intif0 = { macAddress = "02:dc:59:b4:a7:8c"; }; - intif1 = { - macAddress = "02:df:43:1d:8a:63"; - }; + intif1 = { macAddress = "02:df:43:1d:8a:63"; }; - intif2 = { - macAddress = "02:55:d9:05:23:36"; - }; + intif2 = { macAddress = "02:55:d9:05:23:36"; }; }; }; } diff --git a/config/host-config/atom.nix b/config/host-config/atom.nix new file mode 100644 index 0000000..abc7d91 --- /dev/null +++ b/config/host-config/atom.nix @@ -0,0 +1,9 @@ +{ config, lib, pkgs, ... }: + +{ + fudo.laptop.use-network-manager = false; + + fudo.slynk.enable = true; + + services.xserver = { videoDrivers = [ "nvidia" ]; }; +} diff --git a/config/host-config/clunk.nix b/config/host-config/clunk.nix new file mode 100644 index 0000000..5cd326f --- /dev/null +++ b/config/host-config/clunk.nix 
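Review bot: `fudo.slynk.enable = true` in atom.nix turns on a Slynk server, which is an unauthenticated remote Lisp REPL — arbitrary code execution for whoever can reach its port — and the module that decides where it listens is not visible here. Please confirm it binds to loopback only (or is firewalled) and record that next to the flag, e.g. `fudo.slynk.enable = true; # fudo.slynk binds 127.0.0.1 only`. The same flag is enabled on lambda, spark and zbox in this series, so the check applies there too.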
@@ -0,0 +1,168 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + primary-ip = "10.0.0.1"; + + dns-proxy-port = 5335; + + host-packages = with pkgs; [ + nixops + ]; + + site-name = config.fudo.hosts.${config.instance.hostname}.site; + site = config.fudo.site.${site-name}; + +in { + system = { + # # DO force all DNS traffic to use the local server + # activationScripts.force-local-dns = let + # wifi-ip = + # config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address; + # in '' + # ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53 + # ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53 + # ''; + }; + + environment.systemPackages = host-packages; + + fudo.local-network = let + host-config = config.fudo.hosts.${config.instance.hostname}; + site-name = host-config.site; + site = config.fudo.sites.${site-name}; + domain-name = host-config.domain; + domain = config.fudo.domains.${domain-name}; + + in { + enable = true; + # NOTE: requests go: + # - local bind instance + # - pi-hole + # - DoH resolver + domain = domain-name; + dns-servers = [ primary-ip ]; + gateway = primary-ip; + dhcp-interfaces = [ "intif0" ]; + dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; + recursive-resolver = "${primary-ip} port 5353"; + network = site.network; + dhcp-dynamic-network = site.dynamic-network; + search-domains = [ "selby.ca" ]; + enable-reverse-mappings = true; + network-definition = config.fudo.networks."rus.selby.ca"; + }; + + networking = { + firewall = { + enable = true; + trustedInterfaces = [ "intif0" "docker0" ]; + allowedTCPPorts = [ 22 ]; + }; + + interfaces = { + enp1s0.useDHCP = true; + + enp2s0.useDHCP = false; + enp3s0.useDHCP = false; + enp4s0.useDHCP = false; + + intif0 = { + useDHCP = false; + ipv4.addresses = [{ + address = primary-ip; + prefixLength = 22; + }]; + }; + }; + + nat = { + enable = true; + externalInterface = 
"enp1s0"; + internalInterfaces = [ "intif0" ]; + forwardPorts = [{ + destination = "127.0.0.1:53"; + sourcePort = 53; + proto = "udp"; + }]; + }; + }; + + fudo = { + garbage-collector = { + enable = true; + timing = "weekly"; + }; + + auth.kdc = { + enable = true; + realm = "RUS.SELBY.CA"; + bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ]; + acl = { + "niten" = { perms = [ "add" "change-password" "list" ]; }; + "*/root" = { perms = [ "all" ]; }; + }; + }; + + secure-dns-proxy = { + enable = true; + listen-port = dns-proxy-port; + upstream-dns = + [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ]; + bootstrap-dns = "1.1.1.1"; + allowed-networks = + [ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ]; + listen-ips = [ primary-ip ]; + }; + }; + + virtualisation = { + docker = { + enable = true; + autoPrune.enable = true; + enableOnBoot = true; + }; + + oci-containers = { + backend = "docker"; + containers = { + pihole = { + image = "pihole/pihole:v5.7"; + autoStart = true; + ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ]; + environment = { + # ServerIP = primary-ip; + VIRTUAL_HOST = "dns-hole.rus.selby.ca"; + DNS1 = "${primary-ip}#${toString dns-proxy-port}"; + }; + volumes = [ + "/srv/pihole/etc-pihole/:/etc/pihole/" + "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" + ]; + }; + }; + }; + }; + + services.nginx = { + enable = true; + + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + virtualHosts = { + "dns-hole.rus.selby.ca" = { + serverAliases = [ + "pihole.rus.selby.ca" + "hole.rus.selby.ca" + "pihole" + "dns-hole" + "hole" + ]; + + locations."/" = { proxyPass = "http://127.0.0.1:3080"; }; + }; + }; + }; +} diff --git a/config/host-config/france.nix b/config/host-config/france.nix new file mode 100644 index 0000000..f4fe89a --- /dev/null +++ b/config/host-config/france.nix 
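Review bot: `networking.nat.forwardPorts = [{ destination = "127.0.0.1:53"; sourcePort = 53; proto = "udp"; }]` does not do what the commented-out `force-local-dns` activation script did: `forwardPorts` installs a DNAT on the *external* interface (`enp1s0`), so it accepts 53/udp arriving from the WAN and hands it to the local resolver — an open-resolver exposure if bind answers recursive queries for those sources — while LAN clients on `intif0` are not redirected at all (and DNAT to 127.0.0.1 from another interface generally needs `route_localnet` to work). If the goal is to pin LAN clients to the local DNS, that needs a PREROUTING rule on `intif0` pointing at `${primary-ip}:53`, and this entry should be dropped. Separately, the top-level `let` reads `config.fudo.site.${site-name}` while the inner `let` uses `config.fudo.sites`; the outer `site`/`site-name` are unused so laziness hides it, but one path is wrong and the dead bindings should go. `firewall.allowedTCPPorts = [ 22 ]` with `intif0` already trusted means SSH is open on the WAN interface by design; a one-line comment saying so would save the next reader from wondering.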
@@ -0,0 +1,179 @@ +{ config, lib, pkgs, ... }: + +let + primary-ip = "208.81.3.117"; + hostname = config.instance.hostname; + domain-name = config.fudo.hosts.${hostname}.domain; + domain = config.fudo.domains.${domain-name}; + host-fqdn = "${hostname}.${domain-name}"; + mail-hostname = "mail.fudo.org"; + +in { + imports = [ ./france/postgresql.nix ]; + + config = { + fudo = { + auth = { + ldap = { + enable = true; + base = "dc=fudo,dc=org"; + organization = "Fudo"; + rootpw-file = "FIXME"; + kerberos-host = host-fqdn; + kerberos-keytab = "FIXME"; + + sslCert = "FIXME"; + sslKey = "FIXME"; + sslCaCert = "FIXME"; + + listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ]; + + users = config.fudo.users; + groups = config.fudo.groups; + system-users = config.fudo.system-users; + }; + + kdc = let realm = "FUDO.ORG"; + in { + enable = true; + database-path = "FIXME"; + realm = realm; + mkey-file = "FIXME"; + acl = [ + { + principal = "pam_migrate/*.fudo.org@${realm}"; + access = "add"; + } + { + principal = "host/*.fudo.org@${realm}"; + access = "add"; + } + ] ++ (concatMap (user: [ + { + principal = "${user}@${realm}"; + access = "add,list,modify"; + } + { + principal = "${user}/root@${realm}"; + access = "all"; + } + ]) domain.admin-users); + bind-addresses = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; + }; + }; + + prometheus = { + enable = true; + hostname = "metrics.fudo.org"; + service-discovery-dns = let dns-root = "_metrics._tcp.fudo.org"; + in { + node = [ "node.${dns-root}" ]; + postfix = [ "postfix.${dns-root}" ]; + dovecot = [ "dovecot.${dns-root}" ]; + rspamd = [ "rspamd.${dns-root}" ]; + }; + }; + + postgresql = { + enable = true; + # FIXME: ssl-private-key && ssl certificate + keytab = "/srv/postgres/secure/postgres.keytab"; + local-networks = getHostLocalNetworks hostname; + admin-users = domain.admin-users; + }; + + client.dns = { + enable = true; + ipv4 = true; + ipv6 = true; + user = "FIXME"; + external-interface = "extif0"; + password-file = "FIXME"; 
+ }; + + mail-server = domain.mail-config // { + enableContainer = true; + monitoring = true; + + hostname = mail-hostname; + + state-directory = "FIXME"; + mail-directory = "FIXME"; + + dovecot.ldap = { + reader-dn = "FIXME"; + reader-password = "FIXME"; + server-urls = [ "FIXME" ]; + }; + + clamav.enable = true; + dkim.signing = true; + }; + + git = { + enable = true; + hostname = "git.fudo.org"; + site-name = "Fudo Git"; + user = "FIXME"; + database = { + user = "FIXME"; + password-file = "FIXME"; + hostname = "127.0.0.1"; + name = "FIXME"; + }; + repository-dir = "FIXME"; + state-dir = "FIXME"; + ssh = { + listen-ip = git-server-ip; + listen-port = 22; + }; + }; + + minecraft-server = { + enable = true; + package = pkgs.minecraft-current; + data-dir = "FIXME"; + world-name = "selbyland"; + motd = "Welcome to the Selby Minecraft server."; + }; + }; + + networking = { + intif0 = { + ipv4.addresses = [{ + address = "192.168.11.1"; + prefixLength = 24; + }]; + }; + extif0 = { + ipv4.addresses = [ + { + address = primary-ip; + prefixLength = 28; + } + { + address = git-server-ip; + prefixLength = 32; + } + ]; + }; + }; + + services = { + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisations = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + + virtualHosts = { + "mail.fudo.org" = { + enableACME = true; + locations."/".return = "301 https://webmail.fudo.org$request_uri"; + }; + }; + }; + }; + }; +} diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix new file mode 100644 index 0000000..90349aa --- /dev/null +++ b/config/host-config/lambda.nix 
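Review bot: `git-server-ip` is used in `git.ssh.listen-ip` and in `extif0.ipv4.addresses` but is never bound in this file's `let`, so the module fails to evaluate; `getHostLocalNetworks` and `concatMap` are likewise unqualified here with no `with lib;`, so they need `lib.` prefixes. `networking.intif0` / `networking.extif0` are not NixOS options and belong under `networking.interfaces.<name>` as the other host-configs in this series do. The dozen `"FIXME"` strings for secret and key paths (`rootpw-file`, `kerberos-keytab`, `sslCert`/`sslKey`, `mkey-file`, `password-file`, …) evaluate fine and then hand services a non-existent path at runtime; if this host is not meant to be deployable yet, a `throw "france: secrets not configured"` on one of them would fail loudly instead. The kdc `acl` here is a list of `{ principal; access; }` whereas clunk's is an attrset keyed by principal with `perms`; one of the two cannot match the `fudo.auth.kdc` module.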
@@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +let primary-ip = "10.0.0.3"; + +in { + fudo.slynk.enable = true; + + networking = { + interfaces = { + enp3s0f0.useDHCP = false; + enp3s0f1.useDHCP = false; + enp4s0f0.useDHCP = false; + enp4s0f1.useDHCP = false; + + extif0 = { + useDHCP = false; + ipv4.addresses = [{ + address = primary-ip; + prefixLength = 22; + }]; + }; + }; + }; + + fudo.ipfs = { + enable = true; + users = [ "niten" ]; + api-address = "/ip4/${primary-ip}/tcp/5001"; + }; + + # TODO: add camera +} diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix new file mode 100644 index 0000000..c716753 --- /dev/null +++ b/config/host-config/limina.nix 
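Review bot: `fudo.ipfs.api-address = "/ip4/${primary-ip}/tcp/5001"` binds the IPFS RPC API to the LAN address rather than loopback; that API is unauthenticated and lets a caller add and pin content, rewrite the node config and shut the daemon down, so anyone on 10.0.0.0/22 gets control of it unless the fudo.ipfs module or the host firewall restricts 5001 (neither is visible here). If remote access is not needed, `api-address = "/ip4/127.0.0.1/tcp/5001";` is the safe default; if it is, a comment naming who needs it and the rule that limits it is the minimum.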
@@ -0,0 +1,185 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + primary-ip = "10.0.0.6"; + + host-config = config.fudo.hosts.${config.instance.hostname}; + site-name = host-config.site; + site = config.fudo.sites.${site-name}; + domain-name = host-config.domain; + domain = config.fudo.domains.${domain-name}; + + dns-proxy-port = 5335; + +in { + config = { + + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + + networking = { + firewall = { + enable = true; + trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ]; + allowedTCPPorts = [ 22 ]; + }; + + interfaces = { + extif0 = { useDHCP = true; }; + + intif0 = { + useDHCP = false; + ipv4.addresses = [{ + address = primary-ip; + prefixLength = 22; + }]; + }; + intif1 = { useDHCP = false; }; + intif2 = { useDHCP = false; }; + }; + + nat = { + enable = true; + externalInterface = "extif0"; + internalInterfaces = [ "intif0" ]; + }; + }; + + fudo = { + local-network = { + enable = false; + domain = domain-name; + dns-servers = [ primary-ip ]; + gateway = primary-ip; + dhcp-interfaces = [ "intif0" ]; + dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; + recursive-resolver = "1.1.1.1"; + network = site.network; + dhcp-dynamic-network = site.dynamic-network; + search-domains = [ domain-name "fudo.org" ]; + enable-reverse-mappings = true; + network-definition = config.fudo.networks.${domain-name}; + }; + + client.dns = { + enable = true; + ipv4 = true; + ipv6 = true; + user = "fudo-client"; + external-interface = "extif0"; + password-file = "/srv/client/secure/client.passwd"; + }; + + garbage-collector = { + enable = true; + timing = "weekly"; + }; + + secure-dns-proxy = { + enable = true; + listen-port = dns-proxy-port; + upstream-dns = + [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ]; + bootstrap-dns = "1.1.1.1"; + allowed-networks = + [ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ]; + listen-ips = [ 
primary-ip ]; + }; + }; + + virtualisation = { + docker = { + enable = true; + autoPrune.enable = true; + enableOnBoot = true; + }; + + oci-containers = { + backend = "docker"; + containers = { + pihole = { + image = "pihole/pihole:v5.7"; + autoStart = true; + ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ]; + environment = { + # ServerIP = primary-ip; + VIRTUAL_HOST = "dns-hole.sea.fudo.org"; + DNS1 = "${primary-ip}#${toString dns-proxy-port}"; + }; + volumes = [ + "/srv/pihole/etc-pihole/:/etc/pihole/" + "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" + ]; + }; + }; + }; + }; + + services.nginx = { + enable = true; + + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + virtualHosts = { + "dns-hole.${domain-name}" = { + serverAliases = [ + "pihole.${domain-name}" + "hole.${domain-name}" + "pihole" + "dns-hole" + "hole" + ]; + + locations."/" = { proxyPass = "http://127.0.0.1:3080"; }; + }; + }; + }; + + # Support for statelessness + environment.etc = { + nixos.source = "/state/nixos"; + adjtime.source = "/state/etc/adjtime"; + NIXOS.source = "/state/etc/NIXOS"; + machine-id.source = "/state/etc/machine-id"; + "host-config.nix".source = "/state/etc/host-config.nix"; + }; + + boot.initrd.postDeviceCommands = lib.mkAfter '' + ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank + ''; + + security.sudo.extraConfig = '' + # rollback results in sudo lectures after each reboot + Defaults lecture = never + ''; + + systemd.tmpfiles.rules = [ + "L /root/.gnupg - - - - /state/root/gnupg" + "L /root/.emacs.d - - - - /state/root/emacs.d" + "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa" + "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub" + "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts" + "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key" + "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key" + ]; + + services.openssh = { + hostKeys = [ + { + path = 
"/state/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/state/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + } + ]; + }; + }; +} diff --git a/config/host-config/nostromo.nix b/config/host-config/nostromo.nix new file mode 100644 index 0000000..deabe7d --- /dev/null +++ b/config/host-config/nostromo.nix 
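Review bot: The pi-hole container publishes `ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ]` with no bind address, so Docker maps them on 0.0.0.0 and, because Docker installs its DNAT rules ahead of the NixOS firewall chain, they are reachable on `extif0` from the WAN even though `allowedTCPPorts` lists only 22 — the admin UI over plain HTTP and the resolver on 5353 are then exposed to the internet. Since nginx already proxies to `127.0.0.1:3080`, bind the web port to loopback and the DNS port to the LAN address: `ports = [ "${primary-ip}:5353:53/tcp" "${primary-ip}:5353:53/udp" "127.0.0.1:3080:80/tcp" ];` — the clunk and nostromo pi-hole definitions in this series need the same. `fudo.local-network.enable = false` with a full configuration underneath and `recursive-resolver = "1.1.1.1"` instead of the pi-hole port reads like work in progress; a comment saying why it is off on this host would help. The stateless block (`environment.etc`, zfs rollback, tmpfiles symlinks, `openssh.hostKeys`) is duplicated verbatim in plato; a shared module would keep the copies from drifting.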
@@ -0,0 +1,169 @@ +{ config, lib, pkgs, ... }: + +let + primary-ip = "10.0.0.1"; + dns-proxy-ip = "10.0.0.5"; + +in { + fudo.local-network = let + hostname = config.instance.hostname; + site-name = config.fudo.hosts.${hostname}.site; + site = config.fudo.site.${site-name}; + + in { + enable = true; + dns-servers = site.dns-servers; + gateway = site.gateway; + dhcp-interfaces = [ "intif0" ]; + dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; + recursive-resolver = "${primary-ip} port 5353"; + server-ip = primary-ip; + }; + + fudo.slynk.enable = true; + + # systemd.network.networks.eno2 = { + # extraConfig = { + # IPv6AcceptRA = true; + # IPv6PrefixDelegation = "dhcpv6"; + # }; + # }; + + networking = { + # dhcpd.extraConfig = '' + # interface eno2 + # ia_na 1 + # ia_pd 2 eno2/0 + # ''; + + eno1.useDHCP = false; + eno2.useDHCP = false; + eno3.useDHCP = false; + eno4.useDHCP = false; + enp33s0f0.useDHCP = false; + enp33s0f1.useDHCP = false; + enp9s0f0.useDHCP = false; + enp9s0f1.useDHCP = false; + + intif0 = { + useDHCP = false; + ipv4.addresses = [ + { + address = primary-ip; + prefixLength = 22; + } + { + address = dns-proxy-ip; + prefixLength = 32; + } + ]; + }; + + extif0 = { useDHCP = true; }; + + nat = { + enable = true; + externalInterface = "extif0"; + internalInterfaces = [ "intif0" ]; + }; + }; + + fudo = { + client.dns = { + enable = true; + ipv4 = true; + ipv6 = true; + user = "fudo-client"; + external-interface = "extif0"; + password-file = "/srv/client/secure/client.passwd"; + }; + + secure-dns-proxy = { + enable = true; + port = 3535; + upstream-dns = + [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ]; + bootstrap-dns = "1.1.1.1"; + listen-ips = [ dns-proxy-ip ]; + }; + }; + + virtualization = { + docker = { + enable = true; + autoPrune.enable = true; + enableOnBoot = true; + }; + + libvirtd = { + enable = true; + qemuPackage = pkgs.qemu_kvm; + onShutdown = "shutdown"; + }; + }; + + docker-containers = { + pihole = { + image = 
"pihole/pihole:4.3.2-1"; + ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ]; + environment = { + ServerIP = primary-ip; + VIRTUAL_HOST = "dns-hole.sea.fudo.org"; + DNS1 = dns-proxy-ip; + }; + volumes = [ + "/srv/pihole/etc-pihole/:/etc/pihole/" + "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" + ]; + }; + }; + + security.acme.certs = { + "sea-camera.fudo.link".email = "niten@fudo.org"; + "sea-camera-od.fudo.link".email = "niten@fudo.org"; + }; + + services = { + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + + virtualHosts = { + "sea-camera.fudo.link" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://panopticon.sea.fudo.org/"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + ''; + }; + }; + + # Supposed to be for object detection... + "sea-camera-od.fudo.link" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://panopticon-od.sea.fudo.org/"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + ''; + }; + }; + + "pihole.sea.fudo.org" = { + serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ]; + locations."/" = { proxyPass = "http://127.0.0.1:3000"; }; + }; + }; + }; + }; +} diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix new file mode 100644 index 0000000..6db97c7 --- /dev/null +++ b/config/host-config/plato.nix 
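Review bot: Several option paths here will not evaluate: `networking.eno1.useDHCP`, `networking.intif0` and `networking.extif0` must sit under `networking.interfaces`; `virtualization` is spelled `virtualisation` in NixOS; and top-level `docker-containers` is the old name for `virtualisation.oci-containers.containers`, the form clunk and limina use in this series. `fudo.local-network` uses `dns-serve-ips`/`server-ip` and `secure-dns-proxy` uses `port`, where the other hosts use `dns-listen-ips`, `listen-ips` and `listen-port`, and the `let` reads `config.fudo.site` (singular) — unless the modules accept both spellings these are stale. The `pihole.sea.fudo.org` vhost proxies to `http://127.0.0.1:3000` while the container publishes the admin UI on `3080`, so the proxy points at nothing. `pihole/pihole:4.3.2-1` is also far older than the `v5.7` pinned on the other hosts; align them unless there is a reason not to.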
@@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +with lib; { + config = { + environment.etc = { + nixos.source = "/state/nixos"; + adjtime.source = "/state/etc/adjtime"; + NIXOS.source = "/state/etc/NIXOS"; + machine-id.source = "/state/etc/machine-id"; + "host-config.nix".source = "/state/etc/host-config.nix"; + }; + + system.stateVersion = "20.09"; + + boot.initrd.postDeviceCommands = lib.mkAfter '' + ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank + ''; + + security.sudo.extraConfig = '' + # rollback results in sudo lectures after each reboot + Defaults lecture = never + ''; + + systemd.tmpfiles.rules = [ + "L /root/.gnupg - - - - /state/root/gnupg" + "L /root/.emacs.d - - - - /state/root/emacs.d" + "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa" + "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub" + "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts" + "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key" + "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key" + ]; + + services = { + openssh = { + hostKeys = [ + { + path = "/state/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/state/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + } + ]; + }; + }; + }; +} diff --git a/config/host-config/spark.nix b/config/host-config/spark.nix new file mode 100644 index 0000000..e6b83d5 --- /dev/null +++ b/config/host-config/spark.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +{ + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + + fudo.slynk.enable = true; + + networking = { + interfaces = { + extif0 = { useDHCP = true; }; + }; + }; +} diff --git a/config/host-config/zbox.nix b/config/host-config/zbox.nix new file mode 100644 index 0000000..a90ce5b --- /dev/null +++ b/config/host-config/zbox.nix 
@@ -0,0 +1,19 @@ +{ config, lib, pkgs, ... }: + +{ + system.stateVersion = "20.09"; + + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + + fudo.slynk.enable = true; + + networking = { + interfaces = { + eno1.useDHCP = false; + intif0 = { useDHCP = true; }; + }; + }; +} diff --git a/config/hosts.nix b/config/hosts.nix index ecc90d5..23c39cf 100644 --- a/config/hosts.nix +++ b/config/hosts.nix 
@@ -1,177 +1,16 @@ { config, lib, pkgs, ... }: -{ - config.fudo.hosts = { - atom = { - description = "Niten's toy laptop."; - enable-gui = false; - rp = "niten"; - admin-email = "niten@fudo.org"; - domain = "sea.fudo.org"; - site = "seattle"; - profile = "laptop"; - }; +with lib; +let + is-nix-file = filename: type: (builtins.match ".+\.nix$" filename) != null; + is-regular-file = filename: type: type == "regular" || type == "link"; + hostname-from-file = filename: builtins.replaceStrings [".nix"] [""] filename; + + host-files = attrNames (filterAttrs is-nix-file (filterAttrs is-regular-file (builtins.readDir ./hosts))); + hosts = map hostname-from-file host-files; - clunk = { - description = "rus.selby.ca gateway box."; - docker-server = true; - ssh-fingerprints = [ - "1 1 0e23d2156b1f9fca8552a0105c125aed76e51728" - "1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5" - "4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4" - "4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696" - ]; - rp = "niten"; - admin-email = "niten@fudo.org"; - domain = "rus.selby.ca"; - site = "russell"; - profile = "server"; - ssh-pubkey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5"; - }; - - downstairs-desktop = { - description = "Downstairs desktop in Russell."; - ssh-fingerprints = [ - "1 1 ce704716ec0c3e330a243648531a10a2c78dd1ff" - "1 2 6042bbc9b16122a4b63b1cfb84e179ae65911361e9d88ee3f0cd6659428ba27e" - "3 1 de6dda3f72ee7043c804a7ad382033f3565b3b84" - "3 2 cb611dd503fa15e913a101be15295f9084fa585b3225b6c1084521bff9b2140b" - "4 1 a9a139b92851b3d9df2742a13bfea59c3e6e842e" - "4 2 2260bfab177ab1ffb6a855b02b5a1aa719d765610e6a7bc79b09c340ce7c1236" - ]; - rp = "niten"; - admin-email = "niten@fudo.org"; - domain = "rus.selby.ca"; - site = "russell"; - profile = "desktop"; - ssh-pubkey = - "ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas="; - }; - - france = { - description = "Primary fudo.org server."; - docker-server = true; - ssh-fingerprints = [ - "1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94" - "1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80" - "4 1 c95a198f504a589fc62893a95424b12f0b24732d" - "4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96" - ]; - rp = "admin"; - admin-email = "admin@fudo.org"; - domain = "fudo.org"; - site = "portage"; - profile = "server"; - ssh-pubkey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn"; - }; - - google-wifi = { - description = "Google WiFi router."; - rp = "niten"; - }; - - lambda = { - description = "sea.fudo.org experiment server."; - docker-server = true; - ssh-fingerprints = [ - "1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35" - "1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88" - "4 1 a689caa9f1e75c6378efed592bc0d623e4b7d199" - "4 2 5856ae661077203fba74a226dd77a17d69d6fda8ab960bfeb22a14c253f4472f" - ]; - rp = "niten"; - admin-email = "niten@fudo.org"; - domain = "sea.fudo.org"; - site = "seattle"; - profile = "server"; - }; - - nostromo = { - description = "sea.fudo.org gateway box and primary server."; - docker-server = true; - ssh-fingerprints = [ - "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6" - "1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e" - "4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42" - "4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5" - ]; - rp = "niten"; - admin-email = "niten@fudo.org"; - domain = "sea.fudo.org"; - site = "seattle"; - profile = "server"; - ssh-pubkey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb"; - }; - - plato = { - description = "Niten's toy server."; - ssh-fingerprints = [ - "4 1 
9cc052ed00cbfd82c60530ebb3a35c25c0aeace9" - "4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c" - "1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e" - "1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3" - ]; - rp = "niten"; - admin-email = "niten@fudo.org"; - domain = "rus.selby.ca"; - site = "russell"; - profile = "server"; - ssh-pubkey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b"; - }; - - procul = { - description = "informis.land server."; - docker-server = true; - }; - - pselby-work = { description = "Google Lenovo work laptop."; }; - - spark = { - description = "Niten's backup desktop."; - ssh-fingerprints = [ - "1 1 d26812dee9b26a19a52c38d2b346442979093142" - "1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3" - "4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63" - "4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b" - ]; - rp = "niten"; - admin-email = "niten@fudo.org"; - enable-gui = true; - ssh-pubkey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa"; - }; - - upstairs-desktop = { - description = "Upstairs desktop in Russell."; - ssh-fingerprints = [ - "1 1 f927527d712391b57aef6d2e7c3f225a86b62bf4" - "1 2 17aece61156ba14c439aeae2e7b0f86daf97eea904241c35980f974ca1744c3d" - "3 1 70f5f613e66e53a74534d33cd7ebf248cfdc3024" - "3 2 774f1f00614751e51faa0add55183973893313d3a236d269adc3ab3c1f67c952" - "4 1 e81e07d1ae7526c457a46ab1f18af3c016b4f48e" - "4 2 e5af579cfb7f68b22492f5286b5249c5de74debf2a6cac78c070790f424566aa" - ]; - rp = "niten"; - admin-email = "niten@fudo.org"; - }; - - zbox = { - description = "Niten's primary desktop."; - ssh-fingerprints = [ - "1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d" - "1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493" - "4 1 862842d99f5afb33db4f073d2f3d1154c6417110" - "4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3" - ]; - rp = "niten"; - 
admin-email = "niten@fudo.org"; - enable-gui = true; - ssh-pubkey = - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8"; - }; - }; + load-host-file = hostname: import (./. + "/hosts/${hostname}.nix"); + +in { + config.fudo.hosts = genAttrs hosts (hostname: load-host-file hostname); } diff --git a/config/hosts/atom.nix b/config/hosts/atom.nix index abc7d91..1202aa8 100644 --- a/config/hosts/atom.nix +++ b/config/hosts/atom.nix @@ -1,9 +1,9 @@ -{ config, lib, pkgs, ... }: - { - fudo.laptop.use-network-manager = false; - - fudo.slynk.enable = true; - - services.xserver = { videoDrivers = [ "nvidia" ]; }; + description = "Niten's toy laptop."; + enable-gui = false; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "sea.fudo.org"; + site = "seattle"; + profile = "laptop"; } diff --git a/config/hosts/clunk.nix b/config/hosts/clunk.nix index 5cd326f..f3c931c 100644 --- a/config/hosts/clunk.nix +++ b/config/hosts/clunk.nix 
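Review bot: `is-nix-file` matches with `".+\.nix$"` in an ordinary Nix string, where `\.` is not a recognised escape and, as far as I recall, collapses to a bare `.`, so the pattern evaluated is `.+.nix$` and a name like `foonix` would also be picked up as a host. In the same let, `is-regular-file` tests `type == "link"`, but `builtins.readDir` reports symlinks as `"symlink"`, so that branch never matches, and `replaceStrings [".nix"] [""]` strips every occurrence rather than the suffix. Since the file is already `with lib;`, I would write `is-nix-file = filename: type: hasSuffix ".nix" filename;`, `is-regular-file = filename: type: type == "regular" || type == "symlink";` and `hostname-from-file = removeSuffix ".nix";`, which removes the regex escaping question entirely. The directory scan means any `hosts/*.nix` dropped into the tree becomes a host with SSH keys and admin metadata, which is fine for a config repo but worth a comment at the top of the let so reviewers know the directory listing is the source of truth.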
@@ -1,168 +1,17 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - primary-ip = "10.0.0.1"; - - dns-proxy-port = 5335; - - host-packages = with pkgs; [ - nixops +{ + description = "rus.selby.ca gateway box."; + docker-server = true; + ssh-fingerprints = [ + "1 1 0e23d2156b1f9fca8552a0105c125aed76e51728" + "1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5" + "4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4" + "4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696" ]; - - site-name = config.fudo.hosts.${config.instance.hostname}.site; - site = config.fudo.site.${site-name}; - -in { - system = { - # # DO force all DNS traffic to use the local server - # activationScripts.force-local-dns = let - # wifi-ip = - # config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address; - # in '' - # ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53 - # ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53 - # ''; - }; - - environment.systemPackages = host-packages; - - fudo.local-network = let - host-config = config.fudo.hosts.${config.instance.hostname}; - site-name = host-config.site; - site = config.fudo.sites.${site-name}; - domain-name = host-config.domain; - domain = config.fudo.domains.${domain-name}; - - in { - enable = true; - # NOTE: requests go: - # - local bind instance - # - pi-hole - # - DoH resolver - domain = domain-name; - dns-servers = [ primary-ip ]; - gateway = primary-ip; - dhcp-interfaces = [ "intif0" ]; - dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; - recursive-resolver = "${primary-ip} port 5353"; - network = site.network; - dhcp-dynamic-network = site.dynamic-network; - search-domains = [ "selby.ca" ]; - enable-reverse-mappings = true; - network-definition = config.fudo.networks."rus.selby.ca"; - }; - - networking = { - firewall = { - enable = true; - trustedInterfaces = [ "intif0" 
"docker0" ]; - allowedTCPPorts = [ 22 ]; - }; - - interfaces = { - enp1s0.useDHCP = true; - - enp2s0.useDHCP = false; - enp3s0.useDHCP = false; - enp4s0.useDHCP = false; - - intif0 = { - useDHCP = false; - ipv4.addresses = [{ - address = primary-ip; - prefixLength = 22; - }]; - }; - }; - - nat = { - enable = true; - externalInterface = "enp1s0"; - internalInterfaces = [ "intif0" ]; - forwardPorts = [{ - destination = "127.0.0.1:53"; - sourcePort = 53; - proto = "udp"; - }]; - }; - }; - - fudo = { - garbage-collector = { - enable = true; - timing = "weekly"; - }; - - auth.kdc = { - enable = true; - realm = "RUS.SELBY.CA"; - bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ]; - acl = { - "niten" = { perms = [ "add" "change-password" "list" ]; }; - "*/root" = { perms = [ "all" ]; }; - }; - }; - - secure-dns-proxy = { - enable = true; - listen-port = dns-proxy-port; - upstream-dns = - [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ]; - bootstrap-dns = "1.1.1.1"; - allowed-networks = - [ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ]; - listen-ips = [ primary-ip ]; - }; - }; - - virtualisation = { - docker = { - enable = true; - autoPrune.enable = true; - enableOnBoot = true; - }; - - oci-containers = { - backend = "docker"; - containers = { - pihole = { - image = "pihole/pihole:v5.7"; - autoStart = true; - ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ]; - environment = { - # ServerIP = primary-ip; - VIRTUAL_HOST = "dns-hole.rus.selby.ca"; - DNS1 = "${primary-ip}#${toString dns-proxy-port}"; - }; - volumes = [ - "/srv/pihole/etc-pihole/:/etc/pihole/" - "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" - ]; - }; - }; - }; - }; - - services.nginx = { - enable = true; - - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - - virtualHosts = { - "dns-hole.rus.selby.ca" = { - serverAliases = [ - "pihole.rus.selby.ca" - "hole.rus.selby.ca" - "pihole" - "dns-hole" - "hole" - ]; - - locations."/" 
= { proxyPass = "http://127.0.0.1:3080"; }; - }; - }; - }; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "rus.selby.ca"; + site = "russell"; + profile = "server"; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5"; } diff --git a/config/hosts/downstairs-desktop.nix b/config/hosts/downstairs-desktop.nix new file mode 100644 index 0000000..b6c7184 --- /dev/null +++ b/config/hosts/downstairs-desktop.nix @@ -0,0 +1,18 @@ +{ + description = "Downstairs desktop in Russell."; + ssh-fingerprints = [ + "1 1 ce704716ec0c3e330a243648531a10a2c78dd1ff" + "1 2 6042bbc9b16122a4b63b1cfb84e179ae65911361e9d88ee3f0cd6659428ba27e" + "3 1 de6dda3f72ee7043c804a7ad382033f3565b3b84" + "3 2 cb611dd503fa15e913a101be15295f9084fa585b3225b6c1084521bff9b2140b" + "4 1 a9a139b92851b3d9df2742a13bfea59c3e6e842e" + "4 2 2260bfab177ab1ffb6a855b02b5a1aa719d765610e6a7bc79b09c340ce7c1236" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "rus.selby.ca"; + site = "russell"; + profile = "desktop"; + ssh-pubkey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas="; +} diff --git a/config/hosts/france.nix b/config/hosts/france.nix index f4fe89a..ca71c85 100644 --- a/config/hosts/france.nix +++ b/config/hosts/france.nix 
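Review bot: The removed side of this hunk carried clunk's entire gateway role — the firewall with `allowedTCPPorts = [ 22 ]` and trusted `intif0`/`docker0`, NAT, the KDC with its ACL, and the DoH proxy — and the new side is metadata only; I do not see a `config/host-config/clunk.nix` added in this patch, so unless it already exists elsewhere the gateway would come up after deploy with the NixOS default firewall, no NAT and no KDC. That is exactly the regression a metadata refactor hides, so worth confirming where that configuration went before merging. A one-line comment at the top of the new file, `# runtime config for this host lives in config/host-config/clunk.nix`, would make the split obvious to the next reader.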
@@ -1,179 +1,17 @@ -{ config, lib, pkgs, ... }: - -let - primary-ip = "208.81.3.117"; - hostname = config.instance.hostname; - domain-name = config.fudo.hosts.${hostname}.domain; - domain = config.fudo.domains.${domain-name}; - host-fqdn = "${hostname}.${domain-name}"; - mail-hostname = "mail.fudo.org"; - -in { - imports = [ ./france/postgresql.nix ]; - - config = { - fudo = { - auth = { - ldap = { - enable = true; - base = "dc=fudo,dc=org"; - organization = "Fudo"; - rootpw-file = "FIXME"; - kerberos-host = host-fqdn; - kerberos-keytab = "FIXME"; - - sslCert = "FIXME"; - sslKey = "FIXME"; - sslCaCert = "FIXME"; - - listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ]; - - users = config.fudo.users; - groups = config.fudo.groups; - system-users = config.fudo.system-users; - }; - - kdc = let realm = "FUDO.ORG"; - in { - enable = true; - database-path = "FIXME"; - realm = realm; - mkey-file = "FIXME"; - acl = [ - { - principal = "pam_migrate/*.fudo.org@${realm}"; - access = "add"; - } - { - principal = "host/*.fudo.org@${realm}"; - access = "add"; - } - ] ++ (concatMap (user: [ - { - principal = "${user}@${realm}"; - access = "add,list,modify"; - } - { - principal = "${user}/root@${realm}"; - access = "all"; - } - ]) domain.admin-users); - bind-addresses = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; - }; - }; - - prometheus = { - enable = true; - hostname = "metrics.fudo.org"; - service-discovery-dns = let dns-root = "_metrics._tcp.fudo.org"; - in { - node = [ "node.${dns-root}" ]; - postfix = [ "postfix.${dns-root}" ]; - dovecot = [ "dovecot.${dns-root}" ]; - rspamd = [ "rspamd.${dns-root}" ]; - }; - }; - - postgresql = { - enable = true; - # FIXME: ssl-private-key && ssl certificate - keytab = "/srv/postgres/secure/postgres.keytab"; - local-networks = getHostLocalNetworks hostname; - admin-users = domain.admin-users; - }; - - client.dns = { - enable = true; - ipv4 = true; - ipv6 = true; - user = "FIXME"; - external-interface = "extif0"; - password-file = "FIXME"; 
- }; - - mail-server = domain.mail-config // { - enableContainer = true; - monitoring = true; - - hostname = mail-hostname; - - state-directory = "FIXME"; - mail-directory = "FIXME"; - - dovecot.ldap = { - reader-dn = "FIXME"; - reader-password = "FIXME"; - server-urls = [ "FIXME" ]; - }; - - clamav.enable = true; - dkim.signing = true; - }; - - git = { - enable = true; - hostname = "git.fudo.org"; - site-name = "Fudo Git"; - user = "FIXME"; - database = { - user = "FIXME"; - password-file = "FIXME"; - hostname = "127.0.0.1"; - name = "FIXME"; - }; - repository-dir = "FIXME"; - state-dir = "FIXME"; - ssh = { - listen-ip = git-server-ip; - listen-port = 22; - }; - }; - - minecraft-server = { - enable = true; - package = pkgs.minecraft-current; - data-dir = "FIXME"; - world-name = "selbyland"; - motd = "Welcome to the Selby Minecraft server."; - }; - }; - - networking = { - intif0 = { - ipv4.addresses = [{ - address = "192.168.11.1"; - prefixLength = 24; - }]; - }; - extif0 = { - ipv4.addresses = [ - { - address = primary-ip; - prefixLength = 28; - } - { - address = git-server-ip; - prefixLength = 32; - } - ]; - }; - }; - - services = { - nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisations = true; - recommendedTlsSettings = true; - recommendedProxySettings = true; - - virtualHosts = { - "mail.fudo.org" = { - enableACME = true; - locations."/".return = "301 https://webmail.fudo.org$request_uri"; - }; - }; - }; - }; - }; +{ + description = "Primary fudo.org server."; + docker-server = true; + ssh-fingerprints = [ + "1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94" + "1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80" + "4 1 c95a198f504a589fc62893a95424b12f0b24732d" + "4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96" + ]; + rp = "admin"; + admin-email = "admin@fudo.org"; + domain = "fudo.org"; + site = "portage"; + profile = "server"; + ssh-pubkey = + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn"; } diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix index 90349aa..46758ee 100644 --- a/config/hosts/lambda.nix +++ b/config/hosts/lambda.nix @@ -1,32 +1,15 @@ -{ config, lib, pkgs, ... }: - -let primary-ip = "10.0.0.3"; - -in { - fudo.slynk.enable = true; - - networking = { - interfaces = { - enp3s0f0.useDHCP = false; - enp3s0f1.useDHCP = false; - enp4s0f0.useDHCP = false; - enp4s0f1.useDHCP = false; - - extif0 = { - useDHCP = false; - ipv4.addresses = [{ - address = primary-ip; - prefixLength = 22; - }]; - }; - }; - }; - - fudo.ipfs = { - enable = true; - users = [ "niten" ]; - api-address = "/ip4/${primary-ip}/tcp/5001"; - }; - - # TODO: add camera +{ + description = "sea.fudo.org experiment server."; + docker-server = true; + ssh-fingerprints = [ + "1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35" + "1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88" + "4 1 a689caa9f1e75c6378efed592bc0d623e4b7d199" + "4 2 5856ae661077203fba74a226dd77a17d69d6fda8ab960bfeb22a14c253f4472f" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "sea.fudo.org"; + site = "seattle"; + profile = "server"; } diff --git a/config/hosts/limina.nix b/config/hosts/limina.nix index 9743b00..04fb8f6 100644 --- a/config/hosts/limina.nix +++ b/config/hosts/limina.nix 
@@ -1,56 +1,16 @@
-{ config, lib, pkgs, ... }:
-
-with lib; {
- config = {
-
- # TODO: remove?
- nixpkgs.config.permittedInsecurePackages = [
- "openssh-with-gssapi-8.4p1" # CVE-2021-28041
- ];
-
- environment.etc = {
- nixos.source = "/state/nixos";
- adjtime.source = "/state/etc/adjtime";
- NIXOS.source = "/state/etc/NIXOS";
- machine-id.source = "/state/etc/machine-id";
- "host-config.nix".source = "/state/etc/host-config.nix";
- };
-
- system.stateVersion = "20.09";
-
- boot.initrd.postDeviceCommands = lib.mkAfter ''
- ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
- '';
-
- security.sudo.extraConfig = ''
- # rollback results in sudo lectures after each reboot
- Defaults lecture = never
- '';
-
- systemd.tmpfiles.rules = [
- "L /root/.gnupg - - - - /state/root/gnupg"
- "L /root/.emacs.d - - - - /state/root/emacs.d"
- "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
- "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
- "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
- "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
- "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
- ];
-
- services = {
- openssh = {
- hostKeys = [
- {
- path = "/state/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/state/ssh/ssh_host_rsa_key";
- type = "rsa";
- bits = 4096;
- }
- ];
- };
- };
- };
+{
+ description = "Seattle Gateway Server.";
+ ssh-fingerprints = [
+ "1 1 36cbb85f83e84a4052777cf9b3cfb0f7947f3e4e"
+ "1 2 041c59238f599f7a3a4ec39151f5bc79fdcf917ec7ef2c400ed19a8d148fbeeb"
+ "4 1 07318d35f52203d337d4f457acc6d00ebf0e1aad"
+ "4 2 c58ef49cb6e150995ae0bd5dd502a0fc18289caf1438fb0bc9821455c8d1f41f"
+ ];
+ rp = "niten";
+ admin-email = "niten@fudo.org";
+ domain = "sea.fudo.org";
+ site = "seattle";
+ profile = "server";
+ ssh-pubkey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
 }
diff --git a/config/hosts/nostromo.nix b/config/hosts/nostromo.nix
index deabe7d..a5992d8 100644
--- a/config/hosts/nostromo.nix
+++ b/config/hosts/nostromo.nix
@@ -1,169 +1,17 @@ -{ config, lib, pkgs, ... }: - -let - primary-ip = "10.0.0.1"; - dns-proxy-ip = "10.0.0.5"; - -in { - fudo.local-network = let - hostname = config.instance.hostname; - site-name = config.fudo.hosts.${hostname}.site; - site = config.fudo.site.${site-name}; - - in { - enable = true; - dns-servers = site.dns-servers; - gateway = site.gateway; - dhcp-interfaces = [ "intif0" ]; - dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; - recursive-resolver = "${primary-ip} port 5353"; - server-ip = primary-ip; - }; - - fudo.slynk.enable = true; - - # systemd.network.networks.eno2 = { - # extraConfig = { - # IPv6AcceptRA = true; - # IPv6PrefixDelegation = "dhcpv6"; - # }; - # }; - - networking = { - # dhcpd.extraConfig = '' - # interface eno2 - # ia_na 1 - # ia_pd 2 eno2/0 - # ''; - - eno1.useDHCP = false; - eno2.useDHCP = false; - eno3.useDHCP = false; - eno4.useDHCP = false; - enp33s0f0.useDHCP = false; - enp33s0f1.useDHCP = false; - enp9s0f0.useDHCP = false; - enp9s0f1.useDHCP = false; - - intif0 = { - useDHCP = false; - ipv4.addresses = [ - { - address = primary-ip; - prefixLength = 22; - } - { - address = dns-proxy-ip; - prefixLength = 32; - } - ]; - }; - - extif0 = { useDHCP = true; }; - - nat = { - enable = true; - externalInterface = "extif0"; - internalInterfaces = [ "intif0" ]; - }; - }; - - fudo = { - client.dns = { - enable = true; - ipv4 = true; - ipv6 = true; - user = "fudo-client"; - external-interface = "extif0"; - password-file = "/srv/client/secure/client.passwd"; - }; - - secure-dns-proxy = { - enable = true; - port = 3535; - upstream-dns = - [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ]; - bootstrap-dns = "1.1.1.1"; - listen-ips = [ dns-proxy-ip ]; - }; - }; - - virtualization = { - docker = { - enable = true; - autoPrune.enable = true; - enableOnBoot = true; - }; - - libvirtd = { - enable = true; - qemuPackage = pkgs.qemu_kvm; - onShutdown = "shutdown"; - }; - }; - - docker-containers = { - pihole = { - image = 
"pihole/pihole:4.3.2-1"; - ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ]; - environment = { - ServerIP = primary-ip; - VIRTUAL_HOST = "dns-hole.sea.fudo.org"; - DNS1 = dns-proxy-ip; - }; - volumes = [ - "/srv/pihole/etc-pihole/:/etc/pihole/" - "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" - ]; - }; - }; - - security.acme.certs = { - "sea-camera.fudo.link".email = "niten@fudo.org"; - "sea-camera-od.fudo.link".email = "niten@fudo.org"; - }; - - services = { - nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedProxySettings = true; - - virtualHosts = { - "sea-camera.fudo.link" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://panopticon.sea.fudo.org/"; - extraConfig = '' - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - ''; - }; - }; - - # Supposed to be for object detection... - "sea-camera-od.fudo.link" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://panopticon-od.sea.fudo.org/"; - extraConfig = '' - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - ''; - }; - }; - - "pihole.sea.fudo.org" = { - serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ]; - locations."/" = { proxyPass = "http://127.0.0.1:3000"; }; - }; - }; - }; - }; +{ + description = "sea.fudo.org gateway box and primary server."; + docker-server = true; + ssh-fingerprints = [ + "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6" + "1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e" + "4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42" + "4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "sea.fudo.org"; + site = "seattle"; + profile = "server"; + ssh-pubkey = + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb"; } diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix index 6db97c7..b85e492 100644 --- a/config/hosts/plato.nix +++ b/config/hosts/plato.nix 
@@ -1,50 +1,16 @@
-{ config, lib, pkgs, ... }:
-
-with lib; {
- config = {
- environment.etc = {
- nixos.source = "/state/nixos";
- adjtime.source = "/state/etc/adjtime";
- NIXOS.source = "/state/etc/NIXOS";
- machine-id.source = "/state/etc/machine-id";
- "host-config.nix".source = "/state/etc/host-config.nix";
- };
-
- system.stateVersion = "20.09";
-
- boot.initrd.postDeviceCommands = lib.mkAfter ''
- ${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
- '';
-
- security.sudo.extraConfig = ''
- # rollback results in sudo lectures after each reboot
- Defaults lecture = never
- '';
-
- systemd.tmpfiles.rules = [
- "L /root/.gnupg - - - - /state/root/gnupg"
- "L /root/.emacs.d - - - - /state/root/emacs.d"
- "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
- "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
- "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
- "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
- "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
- ];
-
- services = {
- openssh = {
- hostKeys = [
- {
- path = "/state/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- {
- path = "/state/ssh/ssh_host_rsa_key";
- type = "rsa";
- bits = 4096;
- }
- ];
- };
- };
- };
+{
+ description = "Niten's toy server.";
+ ssh-fingerprints = [
+ "4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
+ "4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
+ "1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
+ "1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
+ ];
+ rp = "niten";
+ admin-email = "niten@fudo.org";
+ domain = "sea.fudo.org";
+ site = "seattle";
+ profile = "server";
+ ssh-pubkey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
 }
diff --git a/config/hosts/procul.nix b/config/hosts/procul.nix
new file mode 100644
index 0000000..c9547fe
--- /dev/null
+++ b/config/hosts/procul.nix
@@ -0,0 +1,4 @@ +{ + description = "informis.land server."; + docker-server = true; +} diff --git a/config/hosts/pselby-work.nix b/config/hosts/pselby-work.nix new file mode 100644 index 0000000..9797c0e --- /dev/null +++ b/config/hosts/pselby-work.nix @@ -0,0 +1,3 @@ +{ + description = "Google Lenovo work laptop."; +} diff --git a/config/hosts/spark.nix b/config/hosts/spark.nix index e6b83d5..38fc00c 100644 --- a/config/hosts/spark.nix +++ b/config/hosts/spark.nix @@ -1,16 +1,14 @@ -{ config, lib, pkgs, ... }: - { - # TODO: remove? - nixpkgs.config.permittedInsecurePackages = [ - "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + description = "Niten's backup desktop."; + ssh-fingerprints = [ + "1 1 d26812dee9b26a19a52c38d2b346442979093142" + "1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3" + "4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63" + "4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b" ]; - - fudo.slynk.enable = true; - - networking = { - interfaces = { - extif0 = { useDHCP = true; }; - }; - }; + rp = "niten"; + admin-email = "niten@fudo.org"; + enable-gui = true; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa"; } diff --git a/config/hosts/upstairs-desktop.nix b/config/hosts/upstairs-desktop.nix new file mode 100644 index 0000000..dcf14e8 --- /dev/null +++ b/config/hosts/upstairs-desktop.nix @@ -0,0 +1,13 @@ +{ + description = "Upstairs desktop in Russell."; + ssh-fingerprints = [ + "1 1 f927527d712391b57aef6d2e7c3f225a86b62bf4" + "1 2 17aece61156ba14c439aeae2e7b0f86daf97eea904241c35980f974ca1744c3d" + "3 1 70f5f613e66e53a74534d33cd7ebf248cfdc3024" + "3 2 774f1f00614751e51faa0add55183973893313d3a236d269adc3ab3c1f67c952" + "4 1 e81e07d1ae7526c457a46ab1f18af3c016b4f48e" + "4 2 e5af579cfb7f68b22492f5286b5249c5de74debf2a6cac78c070790f424566aa" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; +} 
diff --git a/config/hosts/zbox.nix b/config/hosts/zbox.nix index a90ce5b..9a66a72 100644 --- a/config/hosts/zbox.nix +++ b/config/hosts/zbox.nix @@ -1,19 +1,14 @@ -{ config, lib, pkgs, ... }: - { - system.stateVersion = "20.09"; - - # TODO: remove? - nixpkgs.config.permittedInsecurePackages = [ - "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + description = "Niten's primary desktop."; + ssh-fingerprints = [ + "1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d" + "1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493" + "4 1 862842d99f5afb33db4f073d2f3d1154c6417110" + "4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3" ]; - - fudo.slynk.enable = true; - - networking = { - interfaces = { - eno1.useDHCP = false; - intif0 = { useDHCP = true; }; - }; - }; + rp = "niten"; + admin-email = "niten@fudo.org"; + enable-gui = true; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8"; } diff --git a/config/profiles/common-ui.nix b/config/profile-config/common-ui.nix similarity index 100% rename from config/profiles/common-ui.nix rename to config/profile-config/common-ui.nix diff --git a/config/profiles/common.nix b/config/profile-config/common.nix similarity index 100% rename from config/profiles/common.nix rename to config/profile-config/common.nix diff --git a/config/profiles/desktop.nix b/config/profile-config/desktop.nix similarity index 100% rename from config/profiles/desktop.nix rename to config/profile-config/desktop.nix diff --git a/config/profiles/laptop.nix b/config/profile-config/laptop.nix similarity index 100% rename from config/profiles/laptop.nix rename to config/profile-config/laptop.nix diff --git a/config/profiles/server.nix b/config/profile-config/server.nix similarity index 100% rename from config/profiles/server.nix rename to config/profile-config/server.nix 
diff --git a/config/sites/joes-datacenter-0.nix b/config/site-config/joes-datacenter-0.nix similarity index 100% rename from config/sites/joes-datacenter-0.nix rename to config/site-config/joes-datacenter-0.nix diff --git a/config/sites/portage.nix b/config/site-config/portage.nix similarity index 100% rename from config/sites/portage.nix rename to config/site-config/portage.nix diff --git a/config/sites/russell.nix b/config/site-config/russell.nix similarity index 100% rename from config/sites/russell.nix rename to config/site-config/russell.nix diff --git a/config/sites/seattle.nix b/config/site-config/seattle.nix similarity index 100% rename from config/sites/seattle.nix rename to config/site-config/seattle.nix diff --git a/configuration.nix b/configuration.nix index d989c33..6222a20 100644 --- a/configuration.nix +++ b/configuration.nix @@ -8,9 +8,6 @@ in { imports = [ (initialize { hostname = local.hostname; - profile = local.profile; - site = local.site; - domain = local.domain; home-manager-package = builtins.fetchGit { url = "https://github.com/nix-community/home-manager.git"; ref = "release-20.09"; diff --git a/initialize.nix b/initialize.nix index 8b3061b..3a0b051 100644 --- a/initialize.nix +++ b/initialize.nix 
@@ -1,27 +1,24 @@ -{ hostname, profile, domain, site, home-manager-package, pkgs, ... }: +{ hostname, home-manager-package, pkgs, ... }: -{ +let + host-config = import (./. + "/config/hosts/${hostname}.nix"); + +in { imports = [ ./lib ./config ./packages (./. + "/config/hardware/${hostname}.nix") - (./. + "/config/hosts/${hostname}.nix") - (./. + "/config/profiles/${profile}.nix") - (./. + "/config/domains/${domain}.nix") - (./. + "/config/sites/${site}.nix") + (./. + "/config/host-config/${hostname}.nix") + (./. + "/config/profile-config/${host-config.profile}.nix") + (./. + "/config/domain-config/${host-config.domain}.nix") + (./. + "/config/site-config/${host-config.site}.nix") (import "${home-manager-package}/nixos") ]; config = { instance = { hostname = hostname; }; - - fudo.hosts."${hostname}" = { - domain = domain; - site = site; - profile = profile; - }; }; } diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix index efcea43..9094eaa 100644 --- a/lib/fudo/hosts.nix +++ b/lib/fudo/hosts.nix @@ -78,7 +78,7 @@ let ssh-fingerprints = mkOption { type = listOf str; description = '' - A list of DNS SSHFP records for this host. + A list of DNS SSHFP records for this host. Get with `ssh-keygen -r ` ''; default = [ ]; }; From 16fd1ff21f7d872600a698b96b70cb5d2defe274 Mon Sep 17 00:00:00 2001 From: Root Date: Fri, 9 Apr 2021 14:24:50 -0700 Subject: [PATCH 11/20] Changes for plato --- config/hardware/plato.nix | 1 + config/host-config/plato.nix | 23 +++- config/sites.nix | 1 + lib/fudo/networks/rus.selby.ca.nix | 86 ------------ lib/fudo/networks/sea.fudo.org.nix | 214 ----------------------------- lib/fudo/sites.nix | 51 +++++-- 6 files changed, 60 insertions(+), 316 deletions(-) delete mode 100644 lib/fudo/networks/rus.selby.ca.nix delete mode 100644 lib/fudo/networks/sea.fudo.org.nix diff --git a/config/hardware/plato.nix b/config/hardware/plato.nix index c068835..1fa1150 100644 --- a/config/hardware/plato.nix +++ b/config/hardware/plato.nix 
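Review bot: `host-config.profile`, `.domain` and `.site` are read straight off the raw attrset imported from `config/hosts/${hostname}.nix`, which gets no module-option defaults, and several host files rewritten in this same patch (spark.nix, zbox.nix, upstairs-desktop.nix, procul.nix, pselby-work.nix) define none of those attributes, so evaluation for those hosts should fail with an "attribute 'profile' missing" error — zbox included, which is the host this series is about. Either give those files the three attributes or make the lookups explicit about their fallback, e.g. `(./. + "/config/profile-config/${host-config.profile or "desktop"}.nix")`; for `domain` I would not add a silent default at all, since it selects which domain-config — and with it which local-admins and GSSAPI realm — the host is joined to. Separately, the new path is `config/domain-config/…` while only the `profiles`→`profile-config` and `sites`→`site-config` renames are visible in this patch, so confirm that directory actually exists.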
@@ -73,6 +73,7 @@ with lib; }; interfaces = { + enp1s0.useDHCP = false; intif0 = { # output of: echo plato-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' macAddress = "02:25:b7:67:c4:c2"; diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix index 6db97c7..ffc6d72 100644 --- a/config/host-config/plato.nix +++ b/config/host-config/plato.nix @@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: -with lib; { +with lib; +let primary-ip = "10.0.0.21"; +in { config = { environment.etc = { nixos.source = "/state/nixos"; @@ -23,7 +25,7 @@ with lib; { systemd.tmpfiles.rules = [ "L /root/.gnupg - - - - /state/root/gnupg" - "L /root/.emacs.d - - - - /state/root/emacs.d" + # "L /root/.emacs.d - - - - /state/root/emacs.d" "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa" "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub" "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts" @@ -31,6 +33,23 @@ with lib; { "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key" ]; + networking = { + defaultGateway = { + address = "10.0.0.1"; + interface = "intif0"; + }; + + interfaces = { + intif0 = { + useDHCP = false; + ipv4.addresses = [{ + address = primary-ip; + prefixLength = 22; + }]; + }; + }; + }; + services = { openssh = { hostKeys = [ diff --git a/config/sites.nix b/config/sites.nix index 16289ff..212d7e5 100644 --- a/config/sites.nix +++ b/config/sites.nix @@ -9,6 +9,7 @@ dynamic-network = "10.0.1.0/24"; timezone = "America/Los_Angeles"; gateway-host = "nostromo"; + deploy-pubkey = "ssh-rsa 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"; # FIXME: good idea? # network-mounts = { # "/mnt/documents" = { diff --git a/lib/fudo/networks/rus.selby.ca.nix b/lib/fudo/networks/rus.selby.ca.nix deleted file mode 100644 index 3d5d744..0000000 --- a/lib/fudo/networks/rus.selby.ca.nix +++ /dev/null 
@@ -1,86 +0,0 @@ -{ config, lib, ... }: - -{ - default-host = "10.0.0.1"; - - mx = [ "mail.fudo.org" ]; - - hosts = { - clunk = { - ipv4-address = "10.0.0.1"; - mac-address = "02:44:d1:eb:c3:6b"; - }; - - dns-proxy = { - ipv4-address = "10.0.0.2"; - # This is just a second IP on clunk, for the pihole - }; - - google-wifi = { - ipv4-address = "10.0.0.11"; - mac-address = "70:3a:cb:c0:3b:09"; - }; - - pselby-work = { - ipv4-address = "10.0.0.151"; - mac-address = "00:50:b6:aa:bd:b3"; - }; - - downstairs-desktop = { - ipv4-address = "10.0.0.100"; - mac-address = "90:b1:1c:8e:29:cf"; - }; - - upstairs-desktop = { - ipv4-address = "10.0.0.101"; - mac-address = "80:e8:2c:22:65:c2"; - }; - }; - - aliases = { - dns-hole = "clunk"; - gateway = "clunk"; - upstairs = "upstairs-desktop"; - downstairs = "downstairs-desktop"; - }; - - srv-records = { - tcp = { - domain = [{ - port = 53; - host = "clunk.${local-domain}"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerberos-adm = [{ - port = 88; - host = "france.fudo.org"; - }]; - ssh = [{ - port = 22; - host = "clunk.${local-domain}"; - }]; - }; - - udp = { - domain = [{ - port = 53; - host = "clunk.${local-domain}"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerboros-master = [{ - port = 88; - host = "france.fudo.org"; - }]; - kpasswd = [{ - port = 464; - host = "france.fudo.org"; - }]; - }; - }; -} diff --git a/lib/fudo/networks/sea.fudo.org.nix b/lib/fudo/networks/sea.fudo.org.nix deleted file mode 100644 index 68e017b..0000000 --- a/lib/fudo/networks/sea.fudo.org.nix +++ /dev/null 
@@ -1,214 +0,0 @@ -{ config, lib, ... }: - -{ - default-host = "10.0.0.1"; - - mx = [ "mail.fudo.org" ]; - - aliases = { - kadmin = "nostromo"; - kdc = "nostromo"; - photo = "doraemon"; - music = "doraemon"; - panopticon = "lambda"; - panopticon-od = "lambda"; - ipfs = "nostromo"; - hole = "nostromo"; - pihole = "nostromo"; - dns-hole = "nostromo"; - mon-1 = "srv-1"; - }; - - srv-records = { - tcp = { - domain = [{ - port = 53; - host = "nostromo.sea.fudo.org"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerberos-adm = [{ - port = 88; - host = "france.fudo.org"; - }]; - ssh = [{ - port = 22; - host = "nostromo.sea.fudo.org"; - }]; - ldap = [{ - port = 389; - host = "france.fudo.org"; - }]; - }; - - udp = { - domain = [{ - port = 53; - host = "nostromo.sea.fudo.org"; - }]; - kerberos = [{ - port = 88; - host = "france.fudo.org"; - }]; - kerboros-master = [{ - port = 88; - host = "france.fudo.org"; - }]; - kpasswd = [{ - port = 464; - host = "france.fudo.org"; - }]; - }; - }; - - hosts = { - nostromo = { - ip-address = "10.0.0.1"; - mac-address = "46:54:76:06:f1:10"; - }; - lm = { - ip-address = "10.0.0.2"; - mac-address = "00:23:7d:e6:d9:ea"; - }; - lambda = { - ip-address = "10.0.0.3"; - mac-address = "02:50:f6:52:9f:9d"; - }; - switch-master = { - ip-address = "10.0.0.5"; - mac-address = "00:14:1C:B6:BB:40"; - }; - google-wifi = { - ip-address = "10.0.0.7"; - mac-address = "7C:D9:5C:9F:6F:E9"; - }; - cam-entrance = { - ip-address = "10.0.0.31"; - mac-address = "9c:8e:cd:0e:99:7b"; - }; - cam-driveway = { - ip-address = "10.0.0.32"; - mac-address = "9c:8e:cd:0d:3b:09"; - }; - cam-deck = { - ip-address = "10.0.0.33"; - mac-address = "9c:8e:cd:0e:98:c8"; - }; - cargo = { - ip-address = "10.0.0.50"; - mac-address = "00:11:32:75:d8:b7"; - }; - whitedwarf = { - ip-address = "10.0.0.51"; - mac-address = "00:11:32:12:14:1d"; - }; - doraemon = { - ip-address = "10.0.0.52"; - mac-address = "00:11:32:0a:06:c5"; - }; - android = { - ip-address = 
"10.0.0.81"; - mac-address = "00:16:3e:43:39:fc"; - }; - retro-wired = { - ip-address = "10.0.0.82"; - mac-address = "dc:a6:32:6b:57:43"; - }; - retro = { - ip-address = "10.0.0.83"; - mac-address = "dc:a6:32:6b:57:45"; - }; - monolith = { - ip-address = "10.0.0.100"; - mac-address = "6c:62:6d:c8:b0:d8"; - }; - taipan = { - ip-address = "10.0.0.107"; - mac-address = "52:54:00:34:c4:78"; - }; - spark = { - ip-address = "10.0.0.108"; - mac-address = "78:24:af:04:f7:dd"; - }; - hyperion = { - ip-address = "10.0.0.109"; - mac-address = "52:54:00:33:46:de"; - }; - zbox = { - ip-address = "10.0.0.110"; - mac-address = "02:dd:80:52:83:9b"; - }; - ubiquiti-wifi = { - ip-address = "10.0.0.126"; - mac-address = "04:18:d6:20:48:fb"; - }; - generator-wireless = { - ip-address = "10.0.0.130"; - mac-address = "B8:27:EB:A6:32:26"; - }; - brother-wireless = { - ip-address = "10.0.0.160"; - mac-address = "c0:38:96:64:49:65"; - }; - nest = { - ip-address = "10.0.0.176"; - mac-address = "18:b4:30:16:7c:5a"; - }; - xixi-phone = { - ip-address = "10.0.0.193"; - mac-address = "48:43:7c:75:89:42"; - }; - ipad = { - ip-address = "10.0.0.202"; - mac-address = "9c:35:eb:48:6e:71"; - }; - cam-front = { - ip-address = "10.0.0.203"; - mac-address = "c4:d6:55:3e:b4:c3"; - }; - family-tv = { - ip-address = "10.0.0.205"; - mac-address = "84:a4:66:3a:b1:f8"; - }; - babycam = { - ip-address = "10.0.0.206"; - mac-address = "08:ea:40:59:5f:9e"; - }; - workphone = { - ip-address = "10.0.0.211"; - mac-address = "a8:8e:24:5c:12:67"; - }; - chromecast-2 = { - ip-address = "10.0.0.215"; - mac-address = "a4:77:33:59:a2:ba"; - }; - front-light = { - ip-address = "10.0.0.221"; - mac-address = "94:10:3e:48:94:ed"; - }; - - # Ceph network - srv-1 = { - ip-address = "10.0.10.1"; - mac-address = "02:65:d7:00:7d:1b"; - }; - node-1 = { - ip-address = "10.0.10.101"; - mac-address = "00:1e:06:36:81:cf"; - }; - node-2 = { - ip-address = "10.0.10.102"; - mac-address = "00:1e:06:36:ec:3e"; - }; - node-3 = { - 
ip-address = "10.0.10.103"; - mac-address = "00:1e:06:36:ec:4b"; - }; - node-4 = { - ip-address = "10.0.10.104"; - mac-address = "00:1e:06:36:dd:8c"; - }; - }; -} diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix index 03599be..f3dcbdc 100644 --- a/lib/fudo/sites.nix +++ b/lib/fudo/sites.nix @@ -95,6 +95,12 @@ let description = "Location of Dropbear ECDSA key."; default = "/etc/dropbear/host_ecdsa_key"; }; + + dropbear-deploy-port = mkOption { + type = port; + description = "Port to be used for the deploy SSH server."; + default = 2112; + }; }; }; @@ -107,16 +113,30 @@ in { config = mkIf (site-cfg.deploy-pubkey != null) { environment.etc."dropbear/authorized_keys" = { - text = "root@deploy ${site-cfg.deploy-pubkey}"; + text = "${site-cfg.deploy-pubkey} root@deploy"; mode = "0400"; }; - systemd.services = let dropbear-port = 2112; - in { + networking.firewall.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ]; - dropbear-init = { - wantedBy = [ "multi-user.target" ]; - script = '' + systemd = { + sockets = { + dropbear-deploy = { + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenStream = "0.0.0.0:${toString site-cfg.dropbear-deploy-port}"; + Accept = true; + }; + unitConfig = { + restartIfChanged = true; + }; + }; + }; + + services = { + dropbear-deploy-init = { + wantedBy = [ "multi-user.target" ]; + script = '' if [ ! -d /etc/dropbear ]; then mkdir /etc/dropbear chmod 700 /etc/dropbear 
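Review bot: The deploy key is written to `/etc/dropbear/authorized_keys`, which to my knowledge is not a path that stock dropbear consults — it reads `~/.ssh/authorized_keys` of the user logging in, here `/root/.ssh/authorized_keys` — so with `-s` set on the command line in the next hunk the fallback server would have no key it can accept, and PATCH 16's later move of the key into `users.users.root.openssh.authorizedKeys.keys` (OpenSSH's own key store, as I understand it) does not change that; please verify which path the nixpkgs build reads and test a login through port 2112 before depending on this daemon. Independently, `dropbear-deploy-init` runs as a default `simple` service and the `dropbear-deploy@` template in the next hunk only lists it under `requires`, so nothing waits for the host keys to exist before the first connection is served: give the init unit `serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };` and add `"dropbear-deploy-init.service"` to the template's `after`. `unitConfig = { restartIfChanged = true; }` emits a `[Unit]` key systemd does not know and will warn about and ignore; NixOS's `restartIfChanged` is a unit-level service option, so drop the line or move it beside `wantedBy` if the socket type supports it. With `Accept = true`, a `MaxConnectionsPerSource` entry in `socketConfig` would bound how many root dropbear instances one peer can spawn.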
@@ -132,15 +152,18 @@ in { ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path} fi ''; - }; + }; - dropbear = { - requires = [ "dropbear-init.service" ]; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - type = "simple"; - ExecStart = "${pkgs.dropbear} -F -m -s -j -k -p ${dropbear-port}"; + "dropbear-deploy@" = { + description = "Per-connection service for deployment, using dropbear."; + requires = [ "dropbear-deploy-init.service" ]; + after = [ "network.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}"; + ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID"; + StandardInput = "socket"; + }; }; }; }; From 986bd347bd15ea4a69c5b12d61d4b7ccf20e636b Mon Sep 17 00:00:00 2001 From: Root Date: Fri, 9 Apr 2021 21:26:12 +0000 Subject: [PATCH 12/20] Changes for lambda --- config/hardware/lambda.nix | 9 ++-- config/hosts/lambda.nix | 71 +++++++++++++++++++++++++++++++- config/networks/sea.fudo.org.nix | 2 +- config/profiles/server.nix | 4 +- 4 files changed, 76 insertions(+), 10 deletions(-) diff --git a/config/hardware/lambda.nix b/config/hardware/lambda.nix index 1624afd..0a4845f 100644 --- a/config/hardware/lambda.nix +++ b/config/hardware/lambda.nix @@ -19,7 +19,6 @@ }; kernelModules = [ "kvm-amd" ]; - externalModulePackages = [ ]; kernelPackages = pkgs.linuxPackages_latest; loader.grub = { @@ -49,16 +48,16 @@ networking = { macvlans = { - intif0 = { + extif0 = { interface = "enp3s0f1"; mode = "bridge"; }; }; interfaces = { - intif0 = { - # output of: echo lambda-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' - macAddress = "02:f5:fe:8c:22:fe"; + extif0 = { + # output of: echo lambda-extif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + macAddress = "02:27:fe:1c:3c:6e"; }; }; }; 
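Review bot: `ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID"` on a per-connection `-i` instance has nothing to reload — each instance serves exactly one session, `$MAINPID` is that session's dropbear rather than a listener, so a reload request would at best do nothing and more likely drop the connection; remove the line. The rest of the unit is right for this mode: `Type = "simple"` with `StandardInput = "socket"` is the documented pairing for an `Accept = true` socket, and `-s -j -k` keeping password login and both forwarding directions off is what a recovery-only daemon should have. The enclosing `systemd` attribute set begins outside this hunk.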
diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix index 90349aa..fe32bcb 100644 --- a/config/hosts/lambda.nix +++ b/config/hosts/lambda.nix @@ -1,11 +1,22 @@ { config, lib, pkgs, ... }: -let primary-ip = "10.0.0.3"; +let + primary-ip = "10.0.0.3"; + shinobi-port = "7080"; + shinobi-od-port = "7082"; in { + + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + fudo.slynk.enable = true; networking = { + defaultGateway = "10.0.0.1"; + interfaces = { enp3s0f0.useDHCP = false; enp3s0f1.useDHCP = false; 
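Review bot: `nixpkgs.config.permittedInsecurePackages = [ "openssh-with-gssapi-8.4p1" ]` overrides nixpkgs' refusal to evaluate a package it marks vulnerable to CVE-2021-28041, and the only justification is `# TODO: remove?`, which names neither why the GSSAPI build is required nor when the exemption ends. Record both on the line, e.g. `"openssh-with-gssapi-8.4p1" # CVE-2021-28041: needed for the GSSAPI build; remove when <fixed version> is available` (fill in the version), so the next person can tell whether it is still necessary. The same exemption is added again in config/host-config/lambda.nix (PATCH 13) and config/host-config/plato.nix (PATCH 17); since config/profile-config/common.nix is where `package = pkgs.openssh_gssapi` is selected (PATCH 17), declaring it there once would give a single place to revoke it. The `in {` body this hunk opens continues past the hunk.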
@@ -28,5 +39,61 @@ in { api-address = "/ip4/${primary-ip}/tcp/5001"; }; - # TODO: add camera + virtualisation.oci-containers.containers = { + shinobi = { + image = "shinobisystems/shinobi:latest"; + ports = [ "${shinobi-port}:8080" ]; + volumes = [ + "/srv/shinobi/plugins:/home/Shinobi/plugins" + "/srv/shinobi/config:/home/Shinobi/config" + "/srv/shinobi/videos:/home/Shinobi/videos" + "/srv/shinobi/db-data:/var/lib/mysql" + "/etc/localtime:/etc/localtime:ro" + ]; + }; + + # shinobi-od = { + # image = "shinobisystems/shinobi-tensorflow:latest"; + # volumes = + # [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ]; + # ports = [ "${shinobi-od-port}:8082" ]; + # environment = { + # PLUGIN_HOST = "panopticon.sea.fudo.org"; + # PLUGIN_PORT = shinobi-port; + # PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3"; + # }; + # }; + + # photoprism = { image = "photoprism/photoprism"; }; + }; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + + virtualHosts = { + "panopticon.sea.fudo.org" = { + locations."/" = { + proxyPass = "http://localhost:${shinobi-port}"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + ''; + }; + }; + # "panopticon-od.sea.fudo.org" = { + # locations."/" = { + # proxyPass = "http://localhost:${shinobi-od-port}"; + # extraConfig = '' + # proxy_http_version 1.1; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection "Upgrade"; + # ''; + # }; + # }; + }; + }; } diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix index dd22863..6a66637 100644 --- a/config/networks/sea.fudo.org.nix +++ b/config/networks/sea.fudo.org.nix @@ -77,7 +77,7 @@ in { }; lambda = { ip-address = "10.0.0.3"; - mac-address = "02:50:f6:52:9f:9d"; + mac-address = "02:27:fe:1c:3c:6e"; }; switch-master = { ip-address = "10.0.0.5"; 
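Review bot: `ports = [ "${shinobi-port}:8080" ]` publishes the container on every interface, and with the docker backend (the 20.09 default, to my knowledge) a published port gets its own iptables rules that `networking.firewall` does not govern, so the Shinobi UI is reachable from the LAN on port 7080 with the nginx vhost below bypassed; bind it to loopback, `ports = [ "127.0.0.1:${shinobi-port}:8080" ];`, so only the proxy can reach it. The commented-out `PLUGIN_KEY` value is a credential in version control regardless of the comment marker; treat it as exposed, rotate it before the OD plugin is enabled, and feed it in from a file outside the repository. `image = "shinobisystems/shinobi:latest"` is not pinned, so a rebuild pulls whatever upstream tagged last; pin a tag or digest. The `panopticon.sea.fudo.org` vhost proxies the camera console over plain HTTP, and since it has its own login (as far as I know) `forceSSL = true;` with a certificate (`enableACME` or a local CA) would keep those credentials off the wire.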
diff --git a/config/profiles/server.nix b/config/profiles/server.nix index a8cd609..b7d1879 100644 --- a/config/profiles/server.nix +++ b/config/profiles/server.nix @@ -6,7 +6,6 @@ let emacs-nox ldns ldns.examples - jdk14_headless racket-minimal reboot-if-necessary test-config @@ -24,7 +23,8 @@ let $WALL "$1 exists, rebooting system" ${pkgs.systemd}/bin/reboot else - $WALL "$1 does not exist, aborting reboot." + $WALL "$1 does not exist, switching config." + nixos-rebuild switch fi exit 0 From d9b0132e456650ad54142316158b1d1ebd81b971 Mon Sep 17 00:00:00 2001 From: Root Date: Fri, 9 Apr 2021 14:48:28 -0700 Subject: [PATCH 13/20] Corrected MAC for lambda, and changed extif0 -> intif0 --- config/hardware/lambda.nix | 8 ++++---- config/host-config/lambda.nix | 19 +++++++++---------- config/networks/sea.fudo.org.nix | 22 +++++++++------------- 3 files changed, 22 insertions(+), 27 deletions(-) diff --git a/config/hardware/lambda.nix b/config/hardware/lambda.nix index 0a4845f..97a4d2a 100644 --- a/config/hardware/lambda.nix +++ b/config/hardware/lambda.nix @@ -48,16 +48,16 @@ networking = { macvlans = { - extif0 = { + intif0 = { interface = "enp3s0f1"; mode = "bridge"; }; }; interfaces = { - extif0 = { - # output of: echo lambda-extif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' - macAddress = "02:27:fe:1c:3c:6e"; + intif0 = { + # output of: echo lambda-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' + macAddress = "02:f5:fe:8c:22:fe"; }; }; }; diff --git a/config/host-config/lambda.nix b/config/host-config/lambda.nix index 90349aa..d630aa7 100644 --- a/config/host-config/lambda.nix +++ b/config/host-config/lambda.nix @@ -1,8 +1,11 @@ { config, lib, pkgs, ... }: -let primary-ip = "10.0.0.3"; - -in { +{ + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + fudo.slynk.enable = true; networking = { 
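Review bot: `nixos-rebuild switch` is resolved through `$PATH` while the sibling command two lines up is fully qualified as `${pkgs.systemd}/bin/reboot`; inside a packaged script that is fragile and depends on whatever is earlier on the caller's PATH, so use `${pkgs.nixos-rebuild}/bin/nixos-rebuild switch` (or the `config.system.build.nixos-rebuild` equivalent if `config` is in scope here). The script also ends in `exit 0` regardless, so a failed switch is reported as success to whatever drives it; check the status, e.g. `${pkgs.nixos-rebuild}/bin/nixos-rebuild switch || exit 1`. The script body starts outside the hunk.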
@@ -12,12 +15,8 @@ in { enp4s0f0.useDHCP = false; enp4s0f1.useDHCP = false; - extif0 = { - useDHCP = false; - ipv4.addresses = [{ - address = primary-ip; - prefixLength = 22; - }]; + intif0 = { + useDHCP = true; }; }; }; @@ -25,7 +24,7 @@ in { fudo.ipfs = { enable = true; users = [ "niten" ]; - api-address = "/ip4/${primary-ip}/tcp/5001"; + api-address = "/ip4/0.0.0.0/tcp/5001"; }; # TODO: add camera diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix index 3a3ec29..844804d 100644 --- a/config/networks/sea.fudo.org.nix +++ b/config/networks/sea.fudo.org.nix @@ -68,20 +68,8 @@ in { hosts = { limina = { - ip-address = "10.0.0.6"; - mac-address = "02:fd:79:94:a2:a8"; - }; - nostromo = { ip-address = "10.0.0.1"; - mac-address = "46:54:76:06:f1:10"; - }; - lm = { - ip-address = "10.0.0.2"; - mac-address = "00:23:7d:e6:d9:ea"; - }; - lambda = { - ip-address = "10.0.0.3"; - mac-address = "02:27:fe:1c:3c:6e"; + mac-address = "02:fd:79:94:a2:a8"; }; switch-master = { ip-address = "10.0.0.5"; @@ -90,6 +78,14 @@ in { google-wifi = { ip-address = "10.0.0.7"; mac-address = "7C:D9:5C:9F:6F:E9"; + }; + nostromo = { + ip-address = "10.0.0.10"; + mac-address = "46:54:76:06:f1:10"; + }; + lambda = { + ip-address = "10.0.0.11"; + mac-address = "02:f5:fe:8c:22:fe"; }; cam-entrance = { ip-address = "10.0.0.31"; From f25a0556ead9a5624a9615c0adae932d9bd01a11 Mon Sep 17 00:00:00 2001 From: Root Date: Fri, 9 Apr 2021 14:50:53 -0700 Subject: [PATCH 14/20] Fixes for limina, and changes to sea.fudo.org --- config/hardware/limina.nix | 9 --- config/host-config/limina.nix | 10 +-- config/networks.nix | 2 +- config/networks/sea.fudo.org.nix | 120 +++++++++++++++---------------- 4 files changed, 62 insertions(+), 79 deletions(-) diff --git a/config/hardware/limina.nix b/config/hardware/limina.nix index 6c970d8..ae5ee8d 100644 --- a/config/hardware/limina.nix +++ b/config/hardware/limina.nix 
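Review bot: `api-address = "/ip4/0.0.0.0/tcp/5001"` exposes the IPFS RPC API, which has no authentication of its own, on every interface of a host that this same commit moves to DHCP, so the only thing between the LAN and full control of the node is the host firewall. Keep the API on loopback, `api-address = "/ip4/127.0.0.1/tcp/5001";`, and reach it over SSH when remote access is needed; if the address was changed because the DHCP-assigned IP is unknown at build time, loopback sidesteps that problem too. `fudo.ipfs` is local to this repo, so I'm assuming `api-address` maps straight onto the daemon's `Addresses.API` setting — confirm.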
@@ -67,10 +67,6 @@ with lib; { hostId = substring 0 8 (fileContents /state/etc/machine-id); macvlans = { - extif0 = { - interface = "enp1s0"; - mode = "bridge"; - }; intif0 = { interface = "enp2s0"; mode = "bridge"; @@ -86,18 +82,13 @@ with lib; { }; interfaces = { - enp1s0.useDHCP = false; enp2s0.useDHCP = false; enp3s0.useDHCP = false; enp4s0.useDHCP = false; # output of: echo limina-${if}|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' - extif0 = { macAddress = "02:fd:79:94:a2:a8"; }; - intif0 = { macAddress = "02:dc:59:b4:a7:8c"; }; - intif1 = { macAddress = "02:df:43:1d:8a:63"; }; - intif2 = { macAddress = "02:55:d9:05:23:36"; }; }; }; diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix index c716753..e164d77 100644 --- a/config/host-config/limina.nix +++ b/config/host-config/limina.nix @@ -2,7 +2,7 @@ with lib; let - primary-ip = "10.0.0.6"; + primary-ip = "10.0.0.1"; host-config = config.fudo.hosts.${config.instance.hostname}; site-name = host-config.site; @@ -28,7 +28,7 @@ in { }; interfaces = { - extif0 = { useDHCP = true; }; + enp1s0 = { useDHCP = true; }; intif0 = { useDHCP = false; @@ -43,14 +43,14 @@ in { nat = { enable = true; - externalInterface = "extif0"; + externalInterface = "enp1s0"; internalInterfaces = [ "intif0" ]; }; }; fudo = { local-network = { - enable = false; + enable = true; domain = domain-name; dns-servers = [ primary-ip ]; gateway = primary-ip; @@ -69,7 +69,7 @@ in { ipv4 = true; ipv6 = true; user = "fudo-client"; - external-interface = "extif0"; + external-interface = "enp1s0"; password-file = "/srv/client/secure/client.passwd"; }; diff --git a/config/networks.nix b/config/networks.nix index 744ee27..ce7c00c 100644 --- a/config/networks.nix +++ b/config/networks.nix 
@@ -3,6 +3,6 @@ { config.fudo.networks = { "rus.selby.ca" = import ./networks/rus.selby.ca.nix { inherit config lib; }; - "sea.fudo.org" = import ./networks/rus.selby.ca.nix { inherit config lib; }; + "sea.fudo.org" = import ./networks/sea.fudo.org.nix { inherit config lib; }; }; } diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix index 3cc9857..755ab98 100644 --- a/config/networks/sea.fudo.org.nix +++ b/config/networks/sea.fudo.org.nix @@ -1,32 +1,27 @@ +{ config, lib, ... }: + let local-domain = "sea.fudo.org"; in { - domain = "${local-domain}"; - aliases = { - kadmin = "nostromo"; - kdc = "nostromo"; + deploy = "plato"; + gateway = "limina"; + # kadmin = "nostromo"; + # kdc = "nostromo"; photo = "doraemon"; music = "doraemon"; panopticon = "lambda"; panopticon-od = "lambda"; ipfs = "nostromo"; - hole = "nostromo"; - pihole = "nostromo"; - dns-hole = "nostromo"; - mon-1 = "srv-1"; + hole = "limina"; + pihole = "limina"; + dns-hole = "limina"; }; - network = "10.0.0.0/16"; - - dhcp-dynamic-network = "10.0.1.0/24"; - - enable-reverse-mappings = true; - srv-records = { tcp = { domain = [{ port = 53; - host = "nostromo.sea.fudo.org"; + host = "limina.sea.fudo.org"; }]; kerberos = [{ port = 88; @@ -38,7 +33,7 @@ in { }]; ssh = [{ port = 22; - host = "nostromo.sea.fudo.org"; + host = "limina.sea.fudo.org"; }]; ldap = [{ port = 389; @@ -49,7 +44,7 @@ in { udp = { domain = [{ port = 53; - host = "nostromo.sea.fudo.org"; + host = "limina.sea.fudo.org"; }]; kerberos = [{ port = 88; 
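Review bot: `local-domain` is left bound in the `let` but, as far as the visible hunks show, nothing in the file uses it any more: the `domain = "${local-domain}"` line is removed and the SRV targets are spelled out as `"limina.sea.fudo.org"`. Either reference it, `host = "limina.${local-domain}";`, as the deleted rus.selby.ca.nix did with `clunk.${local-domain}`, or drop the binding. The `# kadmin = "nostromo";` and `# kdc = "nostromo";` lines are commented out without a reason; a short note on what now provides those aliases (the SRV records still point kerberos at `france.fudo.org`) would save the next reader a search.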
@@ -68,153 +63,150 @@ in { hosts = { limina = { - ip-address = "10.0.0.6"; + ipv4-address = "10.0.0.1"; mac-address = "02:fd:79:94:a2:a8"; - }; - nostromo = { - ip-address = "10.0.0.1"; - mac-address = "46:54:76:06:f1:10"; - }; - lm = { - ip-address = "10.0.0.2"; - mac-address = "00:23:7d:e6:d9:ea"; - }; - lambda = { - ip-address = "10.0.0.3"; - mac-address = "02:50:f6:52:9f:9d"; }; switch-master = { - ip-address = "10.0.0.5"; + ipv4-address = "10.0.0.5"; mac-address = "00:14:1C:B6:BB:40"; }; google-wifi = { - ip-address = "10.0.0.7"; + ipv4-address = "10.0.0.7"; mac-address = "7C:D9:5C:9F:6F:E9"; }; + nostromo = { + ipv4-address = "10.0.0.10"; + mac-address = "46:54:76:06:f1:10"; + }; + lambda = { + ipv4-address = "10.0.0.11"; + mac-address = "02:50:f6:52:9f:9d"; + }; + plato = { ipv4-address = "10.0.0.21"; }; cam-entrance = { - ip-address = "10.0.0.31"; + ipv4-address = "10.0.0.31"; mac-address = "9c:8e:cd:0e:99:7b"; }; cam-driveway = { - ip-address = "10.0.0.32"; + ipv4-address = "10.0.0.32"; mac-address = "9c:8e:cd:0d:3b:09"; }; cam-deck = { - ip-address = "10.0.0.33"; + ipv4-address = "10.0.0.33"; mac-address = "9c:8e:cd:0e:98:c8"; }; cargo = { - ip-address = "10.0.0.50"; + ipv4-address = "10.0.0.50"; mac-address = "00:11:32:75:d8:b7"; }; whitedwarf = { - ip-address = "10.0.0.51"; + ipv4-address = "10.0.0.51"; mac-address = "00:11:32:12:14:1d"; }; doraemon = { - ip-address = "10.0.0.52"; + ipv4-address = "10.0.0.52"; mac-address = "00:11:32:0a:06:c5"; }; android = { - ip-address = "10.0.0.81"; + ipv4-address = "10.0.0.81"; mac-address = "00:16:3e:43:39:fc"; }; retro-wired = { - ip-address = "10.0.0.82"; + ipv4-address = "10.0.0.82"; mac-address = "dc:a6:32:6b:57:43"; }; retro = { - ip-address = "10.0.0.83"; + ipv4-address = "10.0.0.83"; mac-address = "dc:a6:32:6b:57:45"; }; monolith = { - ip-address = "10.0.0.100"; + ipv4-address = "10.0.0.100"; mac-address = "6c:62:6d:c8:b0:d8"; }; taipan = { - ip-address = "10.0.0.107"; + ipv4-address = "10.0.0.107"; 
mac-address = "52:54:00:34:c4:78"; }; spark = { - ip-address = "10.0.0.108"; + ipv4-address = "10.0.0.108"; mac-address = "02:9c:b7:b6:ad:c4"; }; hyperion = { - ip-address = "10.0.0.109"; + ipv4-address = "10.0.0.109"; mac-address = "52:54:00:33:46:de"; }; zbox = { - ip-address = "10.0.0.110"; - mac-address = "02:dd:80:52:83:9b"; + ipv4-address = "10.0.0.110"; + mac-address = "02:DD:80:52:83:9B"; }; ubiquiti-wifi = { - ip-address = "10.0.0.126"; + ipv4-address = "10.0.0.126"; mac-address = "04:18:d6:20:48:fb"; }; generator-wireless = { - ip-address = "10.0.0.130"; + ipv4-address = "10.0.0.130"; mac-address = "B8:27:EB:A6:32:26"; }; brother-wireless = { - ip-address = "10.0.0.160"; + ipv4-address = "10.0.0.160"; mac-address = "c0:38:96:64:49:65"; }; nest = { - ip-address = "10.0.0.176"; + ipv4-address = "10.0.0.176"; mac-address = "18:b4:30:16:7c:5a"; }; xixi-phone = { - ip-address = "10.0.0.193"; + ipv4-address = "10.0.0.193"; mac-address = "48:43:7c:75:89:42"; }; ipad = { - ip-address = "10.0.0.202"; + ipv4-address = "10.0.0.202"; mac-address = "9c:35:eb:48:6e:71"; }; cam-front = { - ip-address = "10.0.0.203"; + ipv4-address = "10.0.0.203"; mac-address = "c4:d6:55:3e:b4:c3"; }; family-tv = { - ip-address = "10.0.0.205"; + ipv4-address = "10.0.0.205"; mac-address = "84:a4:66:3a:b1:f8"; }; babycam = { - ip-address = "10.0.0.206"; + ipv4-address = "10.0.0.206"; mac-address = "08:ea:40:59:5f:9e"; }; workphone = { - ip-address = "10.0.0.211"; + ipv4-address = "10.0.0.211"; mac-address = "a8:8e:24:5c:12:67"; }; chromecast-2 = { - ip-address = "10.0.0.215"; + ipv4-address = "10.0.0.215"; mac-address = "a4:77:33:59:a2:ba"; }; front-light = { - ip-address = "10.0.0.221"; + ipv4-address = "10.0.0.221"; mac-address = "94:10:3e:48:94:ed"; }; # Ceph network srv-1 = { - ip-address = "10.0.10.1"; + ipv4-address = "10.0.10.1"; mac-address = "02:65:d7:00:7d:1b"; }; node-1 = { - ip-address = "10.0.10.101"; + ipv4-address = "10.0.10.101"; mac-address = "00:1e:06:36:81:cf"; }; node-2 
= { - ip-address = "10.0.10.102"; + ipv4-address = "10.0.10.102"; mac-address = "00:1e:06:36:ec:3e"; }; node-3 = { - ip-address = "10.0.10.103"; + ipv4-address = "10.0.10.103"; mac-address = "00:1e:06:36:ec:4b"; }; node-4 = { - ip-address = "10.0.10.104"; + ipv4-address = "10.0.10.104"; mac-address = "00:1e:06:36:dd:8c"; }; }; From 1d896674338b4c5fd5744c5ebcb5c75e1c7f6e3b Mon Sep 17 00:00:00 2001 From: Root Date: Fri, 9 Apr 2021 17:36:28 -0700 Subject: [PATCH 15/20] Try to fix krb5 --- config/host-config/plato.nix | 6 ++++++ config/profile-config/common.nix | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix index ffc6d72..b2691d6 100644 --- a/config/host-config/plato.nix +++ b/config/host-config/plato.nix @@ -10,6 +10,12 @@ in { NIXOS.source = "/state/etc/NIXOS"; machine-id.source = "/state/etc/machine-id"; "host-config.nix".source = "/state/etc/host-config.nix"; + "krb5.keytab" = { + source = "/state/etc/plato.keytab"; + user = "root"; + group = "root"; + mode = "0400"; + }; }; system.stateVersion = "20.09"; diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix index 647bb48..54c1a65 100644 --- a/config/profile-config/common.nix +++ b/config/profile-config/common.nix @@ -45,7 +45,7 @@ in { openssh = { enable = true; startWhenNeeded = true; - useDns = true; + # useDns = true; permitRootLogin = "prohibit-password"; extraConfig = '' GSSAPIAuthentication yes From 43e11861d1b862fa71782b89c7fd6426da7d996a Mon Sep 17 00:00:00 2001 From: Root Date: Sat, 10 Apr 2021 10:43:40 -0700 Subject: [PATCH 16/20] Use primary SSH server for deploy...but use a backup ssh server too. --- config/host-config/plato.nix | 2 +- config/sites.nix | 3 +- lib/fudo/sites.nix | 56 +++++++++++++++++++----------------- 3 files changed, 32 insertions(+), 29 deletions(-) diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix index b2691d6..11bca26 100644 
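Review bot: `"krb5.keytab" = { source = "/state/etc/plato.keytab"; … mode = "0400"; }` — because `mode` is set, `environment.etc` copies the file into `/etc/krb5.keytab` at activation instead of symlinking it (that is how the option is documented, as I read it), so a rotated keytab in `/state` only takes effect at the next `nixos-rebuild switch`, and the durable copy under `/state/etc` must itself be root-only, which nothing here enforces. If a live link is preferred, drop `mode`, `user` and `group` and let it symlink, keeping the permissions on the `/state` file instead; either way a comment stating which copy is authoritative would help. The enclosing `environment.etc` set starts outside the hunk.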
--- a/config/host-config/plato.nix +++ b/config/host-config/plato.nix @@ -14,7 +14,7 @@ in { source = "/state/etc/plato.keytab"; user = "root"; group = "root"; - mode = "0400"; + mode = "0600"; }; }; diff --git a/config/sites.nix b/config/sites.nix index 212d7e5..1ee6c56 100644 --- a/config/sites.nix +++ b/config/sites.nix @@ -9,7 +9,8 @@ dynamic-network = "10.0.1.0/24"; timezone = "America/Los_Angeles"; gateway-host = "nostromo"; - deploy-pubkey = "ssh-rsa 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"; + deploy-pubkey = + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="; # FIXME: good idea? # network-mounts = { # "/mnt/documents" = { diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix index f3dcbdc..7a052af 100644 --- a/lib/fudo/sites.nix +++ b/lib/fudo/sites.nix @@ -84,6 +84,8 @@ let default = null; }; + enable-ssh-backdoor = mkEnableOption "Enable a backup SSH server in case of failures of the primary."; + dropbear-rsa-key-path = mkOption { type = str; description = "Location of Dropbear RSA key."; @@ -96,7 +98,7 @@ let default = "/etc/dropbear/host_ecdsa_key"; }; - dropbear-deploy-port = mkOption { + dropbear-port = mkOption { type = port; description = "Port to be used for the deploy SSH server."; default = 2112; 
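Review bot: `dropbear-deploy-port` is renamed to `dropbear-port` here, but the two consumers in the following hunks still read `site-cfg.dropbear-deploy-port` (the `allowedTCPPorts` line and the socket's `ListenStream`), so the module fails evaluation with a missing-attribute error as soon as `enable-ssh-backdoor` is true — which PATCH 17 makes the default. Either keep the old name or update both uses, e.g. `ListenStream = "0.0.0.0:${toString site-cfg.dropbear-port}";`. The `mkIf` wrappers hide this while the flag is false, which is why it evaluated cleanly in this commit.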
@@ -111,15 +113,15 @@ in { default = { }; }; - config = mkIf (site-cfg.deploy-pubkey != null) { - environment.etc."dropbear/authorized_keys" = { - text = "${site-cfg.deploy-pubkey} root@deploy"; - mode = "0400"; - }; + config = { + users.users.root.openssh.authorizedKeys.keys = mkIf (site-cfg.deploy-pubkey != null) [ + site-cfg.deploy-pubkey + ]; - networking.firewall.allowedTCPPorts = [ site-cfg.dropbear-deploy-port ]; + networking.firewall.allowedTCPPorts = mkIf site-cfg.enable-ssh-backdoor + [ site-cfg.dropbear-deploy-port ]; - systemd = { + systemd = mkIf site-cfg.enable-ssh-backdoor { sockets = { dropbear-deploy = { wantedBy = [ "sockets.target" ]; 
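Review bot: The deploy key now becomes an unrestricted root key for the primary OpenSSH daemon on every host in the site (`permitRootLogin = "prohibit-password"` in the common profile admits it). Prefix it with authorized_keys options that pin the source and limit what it can do, e.g. `"from=\"10.0.0.21\" ${site-cfg.deploy-pubkey}"` using the address of the `deploy` alias host from config/networks/sea.fudo.org.nix, and add a `command=` if the deploy tool can work through a fixed entry point. With the `deploy-pubkey != null` guard moved onto the key alone, the firewall hole and the fallback daemon now depend only on `enable-ssh-backdoor`; a comment saying that is deliberate would stop the next reader from "fixing" it.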
@@ -127,40 +129,40 @@ in { ListenStream = "0.0.0.0:${toString site-cfg.dropbear-deploy-port}"; Accept = true; }; - unitConfig = { - restartIfChanged = true; - }; + unitConfig = { restartIfChanged = true; }; }; }; - + services = { dropbear-deploy-init = { wantedBy = [ "multi-user.target" ]; script = '' - if [ ! -d /etc/dropbear ]; then - mkdir /etc/dropbear - chmod 700 /etc/dropbear - fi + if [ ! -d /etc/dropbear ]; then + mkdir /etc/dropbear + chmod 700 /etc/dropbear + fi - if [ ! -f ${site-cfg.dropbear-rsa-key-path} ]; then - ${pkgs.dropbear}/bin/dropbearkey -t rsa -f ${site-cfg.dropbear-rsa-key-path} - ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-rsa-key-path} - fi + if [ ! -f ${site-cfg.dropbear-rsa-key-path} ]; then + ${pkgs.dropbear}/bin/dropbearkey -t rsa -f ${site-cfg.dropbear-rsa-key-path} + ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-rsa-key-path} + fi - if [ ! -f ${site-cfg.dropbear-ecdsa-key-path} ]; then - ${pkgs.dropbear}/bin/dropbearkey -t ecdsa -f ${site-cfg.dropbear-ecdsa-key-path} - ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path} - fi - ''; + if [ ! -f ${site-cfg.dropbear-ecdsa-key-path} ]; then + ${pkgs.dropbear}/bin/dropbearkey -t ecdsa -f ${site-cfg.dropbear-ecdsa-key-path} + ${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path} + fi + ''; }; "dropbear-deploy@" = { - description = "Per-connection service for deployment, using dropbear."; + description = + "Per-connection service for deployment, using dropbear."; requires = [ "dropbear-deploy-init.service" ]; after = [ "network.target" ]; serviceConfig = { Type = "simple"; - ExecStart = "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}"; + ExecStart = + "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}"; ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID"; StandardInput = "socket"; }; 
From 5e16e48a91bf3b135828af6c134c40e9c6c261ab Mon Sep 17 00:00:00 2001 From: Root Date: Sat, 10 Apr 2021 13:25:43 -0700 Subject: [PATCH 17/20] Add build servers --- config/host-config/plato.nix | 6 +++ config/hosts/plato.nix | 3 ++ config/profile-config/common.nix | 13 +++-- config/sites.nix | 10 ++++ lib/fudo/hosts.nix | 19 +++++++ lib/fudo/sites.nix | 93 ++++++++++++++++++++++++++++---- 6 files changed, 128 insertions(+), 16 deletions(-) diff --git a/config/host-config/plato.nix b/config/host-config/plato.nix index 11bca26..9ac5c7e 100644 --- a/config/host-config/plato.nix +++ b/config/host-config/plato.nix @@ -4,6 +4,12 @@ with lib; let primary-ip = "10.0.0.21"; in { config = { + + # TODO: remove? + nixpkgs.config.permittedInsecurePackages = [ + "openssh-with-gssapi-8.4p1" # CVE-2021-28041 + ]; + environment.etc = { nixos.source = "/state/nixos"; adjtime.source = "/state/etc/adjtime"; diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix index b85e492..8fa9a6c 100644 --- a/config/hosts/plato.nix +++ b/config/hosts/plato.nix @@ -13,4 +13,7 @@ profile = "server"; ssh-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b"; + build-pubkeys = [ + "ssh-rsa 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" + ]; } diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix index 54c1a65..f27b7c4 100644 --- a/config/profile-config/common.nix +++ b/config/profile-config/common.nix @@ -11,10 +11,10 @@ in { systemPackages = global-packages; - shellInit = '' - ${pkgs.gnupg}/bin/gpg-connect-agent /bye - export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket) - ''; + # shellInit = '' + # ${pkgs.gnupg}/bin/gpg-connect-agent /bye + # export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket) + # ''; }; nixpkgs.config.allowUnfree = true; 
@@ -91,13 +91,12 @@ in { gnupg.agent = { enable = true; - enableSSHSupport = true; + # enableSSHSupport = true; # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses"; }; ssh = { - # Use GPG agent instead - startAgent = false; + startAgent = true; package = pkgs.openssh_gssapi; diff --git a/config/sites.nix b/config/sites.nix index 1ee6c56..86c3605 100644 --- a/config/sites.nix +++ b/config/sites.nix @@ -11,6 +11,16 @@ gateway-host = "nostromo"; deploy-pubkey = "ssh-rsa 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"; + build-servers = { + nostromo = { + max-jobs = 2; + speed-factor = 2; + }; + lambda = { + max-jobs = 2; + speed-factor = 2; + }; + }; # FIXME: good idea? # network-mounts = { # "/mnt/documents" = { diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix index 9094eaa..b0993c8 100644 --- a/lib/fudo/hosts.nix +++ b/lib/fudo/hosts.nix @@ -106,6 +106,12 @@ let "SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key."; default = null; }; + + build-pubkeys = mkOption { + type = listOf str; + description = "SSH public keys used to access the build server."; + default = [ ]; + }; }; }; @@ -124,6 +130,8 @@ in { site = config.fudo.sites.${site-name}; domain-name = host-cfg.domain; domain = config.fudo.domains.${domain-name}; + has-build-servers = (length (attrNames site.build-servers)) > 0; + has-build-keys = (length host-cfg.build-pubkeys) > 0; in { networking = { @@ -138,6 +146,17 @@ in { hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; }; }; + nix = mkIf + (has-build-servers && has-build-keys && site.enable-distributed-builds) { + buildMachines = mapAttrsToList (hostname: buildOpts: { + hostName = "${hostname}.${domain}"; + maxJobs = buildOpts.max-jobs; + speedFactor = buildOpts.speed-factor; + supportedFeatures = buildOpts.supported-features; + }) site.build-servers; + distributedBuilds = true; + }; + time.timeZone = site.timezone; krb5.libdefaults.default_realm = domain.gssapi-realm; 
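Review bot: This `build-servers` block has no effect on its own: the `nix` block added in lib/fudo/hosts.nix is gated on `site.enable-distributed-builds`, which lib/fudo/sites.nix declares with `mkEnableOption` and so defaults to false, and this hunk does not set it for the site. Either add `enable-distributed-builds = true;` here or note in the commit message that the feature is staged but off. The two servers named, `nostromo` and `lambda`, are the ones commented out of nixops/seattle.nix in patch 20/20, so presumably the list needs revisiting before it is switched on.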
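Review bot: `hostName = "${hostname}.${domain}"` interpolates `domain`, which the preceding hunk binds to the attribute set `config.fudo.domains.${domain-name}`; coercing a set to a string fails evaluation, and the `hosts` entry a few lines above uses `${domain-name}` for exactly this purpose, so it should read `hostName = "${hostname}.${domain-name}";`. The bug is masked because `enable-distributed-builds` defaults to false, so the `mkIf` body is never evaluated. The entry also sets no `sshUser`, so the daemon connects as its default user rather than the `build-user` account lib/fudo/sites.nix creates for this, and the `port` and `systems` declared in `buildServerOpts` are never read; `sshUser = site.build-user;` and `systems = buildOpts.systems;` would wire them up. The lambda parameter `hostname` shadows the outer `hostname` binding, which is part of why the domain mix-up is easy to miss.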
diff --git a/lib/fudo/sites.nix b/lib/fudo/sites.nix
index 7a052af..9389b42 100644
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@@ -6,6 +6,9 @@ let
 site-name = config.fudo.hosts.${hostname}.site;
 site-cfg = config.fudo.sites.${site-name};
+ site-hosts = filterAttrs (hostname: hostOpts: hostOpts.site == site-name)
+ config.fudo.hosts;
+
 siteOpts = { site, ... }: {
 options = with types; {
 site = mkOption {
@@ -84,7 +87,12 @@ let
 default = null;
 };
- enable-ssh-backdoor = mkEnableOption "Enable a backup SSH server in case of failures of the primary.";
+ enable-ssh-backdoor = mkOption {
+ type = bool;
+ description =
+ "Enable a backup SSH server in case of failures of the primary.";
+ default = true;
+ };
 dropbear-rsa-key-path = mkOption {
 type = str;
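Review bot: Changing `enable-ssh-backdoor` from `mkEnableOption` to `default = true` turns the dropbear fallback listener on for every site that does not opt out: later in this file it binds to `0.0.0.0` on `dropbear-ssh-port`, the firewall port is opened for it, and root's authorized keys carry `deploy-pubkey`. An emergency listener is safer as an explicit per-site opt-in, so keeping the `mkEnableOption` default and setting it per site would be my preference. If the default must stay true, the description should say so and name what it exposes, e.g. `"Run a dropbear SSH server on dropbear-ssh-port as a fallback for the primary sshd. Enabled by default; set to false on sites that must not expose it."`.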
@@ -98,11 +106,68 @@ let
 default = "/etc/dropbear/host_ecdsa_key";
 };
- dropbear-port = mkOption {
+ dropbear-ssh-port = mkOption {
 type = port;
 description = "Port to be used for the deploy SSH server.";
 default = 2112;
 };
+
+ enable-distributed-builds =
+ mkEnableOption "Enable distributed builds for the site.";
+
+ build-servers = mkOption {
+ type = attrsOf (submodule buildServerOpts);
+ description =
+ "List of hosts to be used as build servers for the local site.";
+ default = { };
+ example = {
+ my-build-host = {
+ port = 22;
+ systems = [ "i686-linux" "x86_64-linux" ];
+ };
+ };
+ };
+
+ build-user = mkOption {
+ type = str;
+ description = "User as which to run builds.";
+ default = "nix-site-builder";
+ };
+ };
+ };
+
+ buildServerOpts = { ... }: {
+ options = with types; {
+ port = mkOption {
+ type = port;
+ description = "SSH port at which to contact the server.";
+ default = 22;
+ };
+
+ systems = mkOption {
+ type = listOf str;
+ description =
+ "A list of systems for which this build server can build.";
+ default = [ "i686-linux" "x86_64-linux" ];
+ };
+
+ max-jobs = mkOption {
+ type = int;
+ description = "Max build allowed per-system.";
+ default = 1;
+ };
+
+ speed-factor = mkOption {
+ type = int;
+ description = "Weight to give this server, i.e. it's relative speed.";
+ default = 1;
+ };
+
+ supported-features = mkOption {
+ type = listOf str;
+ description = "List of features supported by this server.";
+ default = [ ];
+ };
 };
 };
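Review bot: `buildServerOpts.port` and `buildServerOpts.systems` (and the `example` that shows them) are declared but nothing reads them: the `nix.buildMachines` mapping added in lib/fudo/hosts.nix uses only `max-jobs`, `speed-factor` and `supported-features`, so a non-default `port` silently has no effect, and as far as I know `nix.buildMachines` has no port attribute of its own, so it would have to go into the build user's ssh config. Either consume them there or drop them until they are used. The descriptions `"Max build allowed per-system."` and `"Weight to give this server, i.e. it's relative speed."` should read `"Max builds allowed per system."` and `"... i.e. its relative speed."`.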
@@ -114,19 +179,29 @@ in { }; config = { - users.users.root.openssh.authorizedKeys.keys = mkIf (site-cfg.deploy-pubkey != null) [ - site-cfg.deploy-pubkey - ]; + users.users = { + root.openssh.authorizedKeys.keys = + mkIf (site-cfg.deploy-pubkey != null) [ site-cfg.deploy-pubkey ]; - networking.firewall.allowedTCPPorts = mkIf site-cfg.enable-ssh-backdoor - [ site-cfg.dropbear-deploy-port ]; + ${site-cfg.build-user} = mkIf + (any (build-host: build-host == config.instance.hostname) + (attrNames site-cfg.build-servers)) { + isSystemUser = true; + openssh.authorizedKeys.keys = + concatMap (hostOpts: hostOpts.build-pubkeys) + (attrValues site-hosts); + }; + }; + + networking.firewall.allowedTCPPorts = + mkIf site-cfg.enable-ssh-backdoor [ site-cfg.dropbear-ssh-port ]; systemd = mkIf site-cfg.enable-ssh-backdoor { sockets = { dropbear-deploy = { wantedBy = [ "sockets.target" ]; socketConfig = { - ListenStream = "0.0.0.0:${toString site-cfg.dropbear-deploy-port}"; + ListenStream = "0.0.0.0:${toString site-cfg.dropbear-ssh-port}"; Accept = true; }; unitConfig = { restartIfChanged = true; }; @@ -162,7 +237,7 @@ in { serviceConfig = { Type = "simple"; ExecStart = - "${pkgs.dropbear}/bin/dropbear -F -i -m -s -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}"; + "${pkgs.dropbear}/bin/dropbear -F -i -w -m -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}"; ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID"; StandardInput = "socket"; }; From bd5910aed0b1cbbcdd720b5851772f1344c9b040 Mon Sep 17 00:00:00 2001 From: Root Date: Sat, 10 Apr 2021 13:33:16 -0700 Subject: [PATCH 18/20] Add keytab to limina --- config/host-config/limina.nix | 5 +++++ config/networks/sea.fudo.org.nix | 10 +--------- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix index e164d77..94bdf12 100644 --- a/config/host-config/limina.nix +++ b/config/host-config/limina.nix 
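Review bot: The `${site-cfg.build-user}` account is created with `isSystemUser = true` and nothing else, which leaves the NixOS default shell (nologin), so the SSH logins its authorized keys are meant to allow will be refused; remote builds run `nix-store --serve` over that login and need a real shell, and typically the user also has to be listed in `nix.trustedUsers` (or uploaded paths must be signed) for the builder to accept closures. Add `useDefaultShell = true;` and an explicit `group`, and confirm the trusted-user requirement on the target NixOS release. The key list is `concatMap (hostOpts: hostOpts.build-pubkeys) (attrValues site-hosts)`, i.e. every host in the site that declares `build-pubkeys` gets login on every build server in the site, with keys carrying no `restrict` or `command=` options; that is the trust model being introduced and should be written down on the `build-pubkeys` option in lib/fudo/hosts.nix, which currently only says the keys are `used to access the build server`.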
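Review bot: The new `ExecStart` drops `-s` and adds `-w`: `-s` is what disabled password authentication on this listener, so the fallback server on `0.0.0.0:${dropbear-ssh-port}` now accepts password logins for any account that has one, while `-w` refuses root logins, which is the one account this file gives `deploy-pubkey` to. If the intent is to reach the new build user over dropbear instead of root, keep `-s` so that only keys work, i.e. `-F -i -w -m -s -j -k`, and put the reason in a comment on the line, since the commit message does not explain the flag change. Also verify that dropbear sees the NixOS-managed keys at all: it reads `~/.ssh/authorized_keys`, whereas `users.users.*.openssh.authorizedKeys` is written to the file sshd is configured with, so the two may not agree.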
@@ -147,6 +147,11 @@ in {
 NIXOS.source = "/state/etc/NIXOS";
 machine-id.source = "/state/etc/machine-id";
 "host-config.nix".source = "/state/etc/host-config.nix";
+ "krb5.keytab" = {
+ source = "/state/etc/limina.keytab";
+ user = root;
+ mode = "0400";
+ };
 };
 boot.initrd.postDeviceCommands = lib.mkAfter ''
diff --git a/config/networks/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix
index 69fe708..f93f390 100644
--- a/config/networks/sea.fudo.org.nix
+++ b/config/networks/sea.fudo.org.nix
@@ -73,14 +73,6 @@ in {
 google-wifi = {
 ipv4-address = "10.0.0.7";
 mac-address = "7C:D9:5C:9F:6F:E9";
- };
- nostromo = {
- ip-address = "10.0.0.10";
- mac-address = "46:54:76:06:f1:10";
- };
- lambda = {
- ip-address = "10.0.0.11";
- mac-address = "02:f5:fe:8c:22:fe";
 };
 nostromo = {
 ipv4-address = "10.0.0.10";
@@ -88,7 +80,7 @@ in {
 };
 lambda = {
 ipv4-address = "10.0.0.11";
- mac-address = "02:50:f6:52:9f:9d";
+ mac-address = "e8:39:35:2c:38:08";
 };
 plato = { ipv4-address = "10.0.0.21"; };
 cam-entrance = {
From bb1adafd1dccf765ffe4363711d4add64a945aa7 Mon Sep 17 00:00:00 2001
From: Root
Date: Sat, 10 Apr 2021 13:36:00 -0700
Subject: [PATCH 19/20] Whoops, quotes
---
config/host-config/limina.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix
index 94bdf12..9c12b98 100644
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@@ -149,7 +149,7 @@ in {
 "host-config.nix".source = "/state/etc/host-config.nix";
 "krb5.keytab" = {
 source = "/state/etc/limina.keytab";
- user = root;
+ user = "root";
 mode = "0400";
 };
 };
From 5f75be732cc0711100b15e247a40c03c334c1400 Mon Sep 17 00:00:00 2001
From: Niten
Date: Sat, 10 Apr 2021 21:45:38 -0700
Subject: [PATCH 20/20] Add deets to hosts
---
config/hosts/spark.nix | 3 +++
config/hosts/zbox.nix | 3 +++
nixops/lib/hosts.nix | 2 +-
nixops/seattle.nix | 15 +++++++++++----
4 files changed, 18 insertions(+), 5 deletions(-)
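Review bot: The keytab entry relies on a subtlety that deserves a comment: `source` is the string `"/state/etc/limina.keytab"`, not a Nix path literal, so the file is copied from `/state` at activation rather than imported into the world-readable Nix store, which `mode = "0400"` could not protect against. Suggest `# string on purpose: a path literal would copy the keytab into the world-readable store` above `source`. The unquoted `user = root;` in this hunk is corrected to `"root"` by patch 19/20; squashing the two would keep the non-evaluating state out of history.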
diff --git a/config/hosts/spark.nix b/config/hosts/spark.nix
index 38fc00c..3b0b0c4 100644
--- a/config/hosts/spark.nix
+++ b/config/hosts/spark.nix
@@ -11,4 +11,7 @@
 enable-gui = true;
 ssh-pubkey =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa";
+ profile = "desktop";
+ domain = "sea.fudo.org";
+ site = "seattle";
 }
diff --git a/config/hosts/zbox.nix b/config/hosts/zbox.nix
index 9a66a72..c257835 100644
--- a/config/hosts/zbox.nix
+++ b/config/hosts/zbox.nix
@@ -11,4 +11,7 @@
 enable-gui = true;
 ssh-pubkey =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8";
+ profile = "desktop";
+ domain = "sea.fudo.org";
+ site = "seattle";
 }
diff --git a/nixops/lib/hosts.nix b/nixops/lib/hosts.nix
index 6e50ab5..a279063 100644
--- a/nixops/lib/hosts.nix
+++ b/nixops/lib/hosts.nix
@@ -14,7 +14,7 @@ let
 initialize = import ../../initialize.nix;
 # This is a problem...it creates a second source of truth.
- host-config = ip: config:
+ host-config = ip: port: config:
 { ... }: {
 imports = [
 (initialize {
diff --git a/nixops/seattle.nix b/nixops/seattle.nix
index c39e128..ff6577a 100644
--- a/nixops/seattle.nix
+++ b/nixops/seattle.nix
@@ -1,18 +1,25 @@
 let
+ deploy-port = 2112;
+
 nixos-version = "20.09";
- hosts = import ./lib/hosts.nix { inherit nix-version; };
+ hosts = import ./lib/hosts.nix { inherit nixos-version; };
 seattle-host = ip: hostname: profile:
 let
 site = "seattle";
 domain = "sea.fudo.org";
- in hosts.host-config ip { inherit hostname profile domain site; };
+ in hosts.host-config ip deploy-port {
+ inherit hostname profile domain site;
+ };
 in {
 network.description = "Seattle home network.";
- nostromo = seattle-host "10.0.0.1" "nostromo" "server";
- lambda = seattle-host "10.0.0.3" "lambda" "server";
+ liminia = seattle-host "10.0.0.1" "limina" "server";
+ plato = seattle-host "10.0.0.21" "plato" "server";
 spark = seattle-host "10.0.0.108" "spark" "desktop";
 zbox = seattle-host "10.0.0.110" "zbox" "desktop";
+
+ #nostromo = seattle-host "10.0.0.1" "nostromo" "server";
+ #lambda = seattle-host "10.0.0.3" "lambda" "server";
 }
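Review bot: `liminia = seattle-host "10.0.0.1" "limina" "server";` misspells the attribute: the host is `limina` in its own hostname argument here and in config/host-config/limina.nix, so the deployment entry will not match the name used everywhere else; it should be `limina = seattle-host "10.0.0.1" "limina" "server";`. `deploy-port = 2112` also duplicates the `dropbear-ssh-port` default of 2112 declared in lib/fudo/sites.nix, which is precisely the second source of truth that the comment in nixops/lib/hosts.nix warns about; at minimum a comment `# must match fudo.sites.<site>.dropbear-ssh-port` should tie the two together. The `nostromo` and `lambda` entries are left as commented-out code rather than deleted, with no note on why they were retired.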