nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merged with upstream

This commit is contained in:
root@procul 2021-04-11 18:09:51 +00:00
parent e7d4a6b199 5f75be732c
commit 3f84c400df
60 changed files with 1812 additions and 1270 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
config/domains/fudo.org.nix → config/domain-config/fudo.org.nix
View File

0
config/domains/informis.land.nix → config/domain-config/informis.land.nix
View File

0
config/domains/rus.selby.ca.nix → config/domain-config/rus.selby.ca.nix
View File

0
config/domains/sea.fudo.org.nix → config/domain-config/sea.fudo.org.nix
View File

6
config/domains.nix
View File

@ -7,7 +7,7 @@
local-users = [ "niten" "reaper" ]; local-users = [ "niten" "reaper" ];
local-groups = [ "fudo" "selby" "admin" ]; local-groups = [ "fudo" "selby" "admin" ];
admin-users = [ "niten" "reaper" ]; local-admins = [ "niten" "reaper" ];
admin-email = "admin@fudo.org"; admin-email = "admin@fudo.org";
gssapi-realm = "FUDO.ORG"; gssapi-realm = "FUDO.ORG";
}; };
@ -17,7 +17,7 @@
local-users = [ "niten" "reaper" "xiaoxuan" "ken" ]; local-users = [ "niten" "reaper" "xiaoxuan" "ken" ];
local-groups = [ "fudo" "selby" "admin" ]; local-groups = [ "fudo" "selby" "admin" ];
admin-users = [ "niten" ]; local-admins = [ "niten" ];
admin-email = "niten@fudo.org"; admin-email = "niten@fudo.org";
gssapi-realm = "FUDO.ORG"; gssapi-realm = "FUDO.ORG";
}; };
@ -48,7 +48,7 @@
local-users = [ "niten" "viator" ]; local-users = [ "niten" "viator" ];
local-groups = [ "admin" ]; local-groups = [ "admin" ];
admin-users = [ "niten" ]; local-admins = [ "niten" ];
admin-email = "viator@informis.land"; admin-email = "viator@informis.land";
gssapi-realm = "INFORMIS.LAND"; gssapi-realm = "INFORMIS.LAND";
}; };

1
config/hardware/lambda.nix
View File

@ -19,7 +19,6 @@
}; };
kernelModules = [ "kvm-amd" ]; kernelModules = [ "kvm-amd" ];
externalModulePackages = [ ];
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader.grub = { loader.grub = {

95
config/hardware/limina.nix Normal file
View File

@ -0,0 +1,95 @@
{ config, lib, pkgs, ... }:
with lib; {
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
system.stateVersion = "20.09";
boot = {
initrd = {
availableKernelModules =
[ "ahci" "xhci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
supportedFilesystems = [ "zfs" ];
kernelPackages = pkgs.linuxPackages_latest;
};
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/BOOT";
fsType = "vfat";
};
"/" = {
device = "zroot/transient/root";
fsType = "zfs";
};
"/nix" = {
device = "zroot/transient/nix";
fsType = "zfs";
};
"/var/log" = {
device = "zroot/transient/logs";
fsType = "zfs";
neededForBoot = true;
};
"/home" = {
device = "zroot/persistent/home";
fsType = "zfs";
};
"/state" = {
device = "zroot/persistent/state";
fsType = "zfs";
};
};
services.zfs.autoScrub.enable = true;
swapDevices = [{ device = "/dev/disk/by-label/swap"; }];
nix.maxJobs = lib.mkDefault 4;
hardware.bluetooth.enable = false;
networking = {
hostId = substring 0 8 (fileContents /state/etc/machine-id);
macvlans = {
intif0 = {
interface = "enp2s0";
mode = "bridge";
};
intif1 = {
interface = "enp3s0";
mode = "bridge";
};
intif2 = {
interface = "enp4s0";
mode = "bridge";
};
};
interfaces = {
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
# output of: echo limina-${if}|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
intif0 = { macAddress = "02:dc:59:b4:a7:8c"; };
intif1 = { macAddress = "02:df:43:1d:8a:63"; };
intif2 = { macAddress = "02:55:d9:05:23:36"; };
};
};
}

1
config/hardware/plato.nix
View File

@ -73,6 +73,7 @@ with lib;
}; };
interfaces = { interfaces = {
enp1s0.useDHCP = false;
intif0 = { intif0 = {
# output of: echo plato-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' # output of: echo plato-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:25:b7:67:c4:c2"; macAddress = "02:25:b7:67:c4:c2";

69
config/hardware/spark.nix Normal file
View File

@ -0,0 +1,69 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
system.stateVersion = "20.03";
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" =
{ device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/BOOT";
fsType = "vfat";
};
hardware = {
bluetooth.enable = true;
cpu.intel.updateMicrocode = true;
opengl = {
driSupport = true;
driSupport32Bit = true;
};
pulseaudio.support32Bit = true;
};
networking = {
macvlans = {
extif0 = {
interface = "enp3s0";
mode = "bridge";
};
};
interfaces = {
enp3s0 = {
useDHCP = false;
};
extif0 = {
# output of: echo spark-extif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:9c:b7:b6:ad:c4";
};
};
};
services.xserver.videoDrivers = [ "intel" ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

70
config/hardware/zbox.nix Normal file
View File

@ -0,0 +1,70 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" =
{ device = "/dev/disk/by-label/zbox-root";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/BOOT";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-label/zbox-swap"; }
];
hardware = {
bluetooth.enable = true;
cpu.intel.updateMicrocode = true;
opengl = {
driSupport = true;
driSupport32Bit = true;
# extraPackages32 = with pkgs.i686Linux; [ libva ];
};
pulseaudio.support32Bit = true;
};
networking = {
macvlans = {
intif0 = {
interface = "eno1";
mode = "bridge";
};
};
interfaces = {
intif0 = {
# output of: echo clunk-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:dd:80:52:83:9b";
};
};
};
services.xserver.videoDrivers = [ "nvidia" ];
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

9
config/host-config/atom.nix Normal file
View File

@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
{
fudo.laptop.use-network-manager = false;
fudo.slynk.enable = true;
services.xserver = { videoDrivers = [ "nvidia" ]; };
}

168
config/host-config/clunk.nix Normal file
View File

@ -0,0 +1,168 @@
{ config, lib, pkgs, ... }:
with lib;
let
primary-ip = "10.0.0.1";
dns-proxy-port = 5335;
host-packages = with pkgs; [
nixops
];
site-name = config.fudo.hosts.${config.instance.hostname}.site;
site = config.fudo.site.${site-name};
in {
system = {
# # DO force all DNS traffic to use the local server
# activationScripts.force-local-dns = let
# wifi-ip =
# config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
# in ''
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# '';
};
environment.systemPackages = host-packages;
fudo.local-network = let
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
in {
enable = true;
# NOTE: requests go:
# - local bind instance
# - pi-hole
# - DoH resolver
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ "selby.ca" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks."rus.selby.ca";
};
networking = {
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "docker0" ];
allowedTCPPorts = [ 22 ];
};
interfaces = {
enp1s0.useDHCP = true;
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
intif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
};
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "intif0" ];
forwardPorts = [{
destination = "127.0.0.1:53";
sourcePort = 53;
proto = "udp";
}];
};
};
fudo = {
garbage-collector = {
enable = true;
timing = "weekly";
};
auth.kdc = {
enable = true;
realm = "RUS.SELBY.CA";
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
acl = {
"niten" = { perms = [ "add" "change-password" "list" ]; };
"*/root" = { perms = [ "all" ]; };
};
};
secure-dns-proxy = {
enable = true;
listen-port = dns-proxy-port;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
allowed-networks =
[ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ];
listen-ips = [ primary-ip ];
};
};
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
oci-containers = {
backend = "docker";
containers = {
pihole = {
image = "pihole/pihole:v5.7";
autoStart = true;
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
# ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.rus.selby.ca";
DNS1 = "${primary-ip}#${toString dns-proxy-port}";
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
};
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"dns-hole.rus.selby.ca" = {
serverAliases = [
"pihole.rus.selby.ca"
"hole.rus.selby.ca"
"pihole"
"dns-hole"
"hole"
];
locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
};
};
};
}

179
config/host-config/france.nix Normal file
View File

@ -0,0 +1,179 @@
{ config, lib, pkgs, ... }:
let
primary-ip = "208.81.3.117";
hostname = config.instance.hostname;
domain-name = config.fudo.hosts.${hostname}.domain;
domain = config.fudo.domains.${domain-name};
host-fqdn = "${hostname}.${domain-name}";
mail-hostname = "mail.fudo.org";
in {
imports = [ ./france/postgresql.nix ];
config = {
fudo = {
auth = {
ldap = {
enable = true;
base = "dc=fudo,dc=org";
organization = "Fudo";
rootpw-file = "FIXME";
kerberos-host = host-fqdn;
kerberos-keytab = "FIXME";
sslCert = "FIXME";
sslKey = "FIXME";
sslCaCert = "FIXME";
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
users = config.fudo.users;
groups = config.fudo.groups;
system-users = config.fudo.system-users;
};
kdc = let realm = "FUDO.ORG";
in {
enable = true;
database-path = "FIXME";
realm = realm;
mkey-file = "FIXME";
acl = [
{
principal = "pam_migrate/*.fudo.org@${realm}";
access = "add";
}
{
principal = "host/*.fudo.org@${realm}";
access = "add";
}
] ++ (concatMap (user: [
{
principal = "${user}@${realm}";
access = "add,list,modify";
}
{
principal = "${user}/root@${realm}";
access = "all";
}
]) domain.admin-users);
bind-addresses = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
};
};
prometheus = {
enable = true;
hostname = "metrics.fudo.org";
service-discovery-dns = let dns-root = "_metrics._tcp.fudo.org";
in {
node = [ "node.${dns-root}" ];
postfix = [ "postfix.${dns-root}" ];
dovecot = [ "dovecot.${dns-root}" ];
rspamd = [ "rspamd.${dns-root}" ];
};
};
postgresql = {
enable = true;
# FIXME: ssl-private-key && ssl certificate
keytab = "/srv/postgres/secure/postgres.keytab";
local-networks = getHostLocalNetworks hostname;
admin-users = domain.admin-users;
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "FIXME";
external-interface = "extif0";
password-file = "FIXME";
};
mail-server = domain.mail-config // {
enableContainer = true;
monitoring = true;
hostname = mail-hostname;
state-directory = "FIXME";
mail-directory = "FIXME";
dovecot.ldap = {
reader-dn = "FIXME";
reader-password = "FIXME";
server-urls = [ "FIXME" ];
};
clamav.enable = true;
dkim.signing = true;
};
git = {
enable = true;
hostname = "git.fudo.org";
site-name = "Fudo Git";
user = "FIXME";
database = {
user = "FIXME";
password-file = "FIXME";
hostname = "127.0.0.1";
name = "FIXME";
};
repository-dir = "FIXME";
state-dir = "FIXME";
ssh = {
listen-ip = git-server-ip;
listen-port = 22;
};
};
minecraft-server = {
enable = true;
package = pkgs.minecraft-current;
data-dir = "FIXME";
world-name = "selbyland";
motd = "Welcome to the Selby Minecraft server.";
};
};
networking = {
intif0 = {
ipv4.addresses = [{
address = "192.168.11.1";
prefixLength = 24;
}];
};
extif0 = {
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 28;
}
{
address = git-server-ip;
prefixLength = 32;
}
];
};
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisations = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"mail.fudo.org" = {
enableACME = true;
locations."/".return = "301 https://webmail.fudo.org$request_uri";
};
};
};
};
};
}

31
config/host-config/lambda.nix Normal file
View File

@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
{
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
fudo.slynk.enable = true;
networking = {
interfaces = {
enp3s0f0.useDHCP = false;
enp3s0f1.useDHCP = false;
enp4s0f0.useDHCP = false;
enp4s0f1.useDHCP = false;
intif0 = {
useDHCP = true;
};
};
};
fudo.ipfs = {
enable = true;
users = [ "niten" ];
api-address = "/ip4/0.0.0.0/tcp/5001";
};
# TODO: add camera
}

190
config/host-config/limina.nix Normal file
View File

@ -0,0 +1,190 @@
{ config, lib, pkgs, ... }:
with lib;
let
primary-ip = "10.0.0.1";
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
dns-proxy-port = 5335;
in {
config = {
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
networking = {
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
allowedTCPPorts = [ 22 ];
};
interfaces = {
enp1s0 = { useDHCP = true; };
intif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
intif1 = { useDHCP = false; };
intif2 = { useDHCP = false; };
};
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "intif0" ];
};
};
fudo = {
local-network = {
enable = true;
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "1.1.1.1";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ domain-name "fudo.org" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks.${domain-name};
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "enp1s0";
password-file = "/srv/client/secure/client.passwd";
};
garbage-collector = {
enable = true;
timing = "weekly";
};
secure-dns-proxy = {
enable = true;
listen-port = dns-proxy-port;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
allowed-networks =
[ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ];
listen-ips = [ primary-ip ];
};
};
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
oci-containers = {
backend = "docker";
containers = {
pihole = {
image = "pihole/pihole:v5.7";
autoStart = true;
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
# ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org";
DNS1 = "${primary-ip}#${toString dns-proxy-port}";
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
};
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"dns-hole.${domain-name}" = {
serverAliases = [
"pihole.${domain-name}"
"hole.${domain-name}"
"pihole"
"dns-hole"
"hole"
];
locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
};
};
};
# Support for statelessness
environment.etc = {
nixos.source = "/state/nixos";
adjtime.source = "/state/etc/adjtime";
NIXOS.source = "/state/etc/NIXOS";
machine-id.source = "/state/etc/machine-id";
"host-config.nix".source = "/state/etc/host-config.nix";
"krb5.keytab" = {
source = "/state/etc/limina.keytab";
user = "root";
mode = "0400";
};
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
'';
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
"L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
services.openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
}

169
config/host-config/nostromo.nix Normal file
View File

@ -0,0 +1,169 @@
{ config, lib, pkgs, ... }:
let
primary-ip = "10.0.0.1";
dns-proxy-ip = "10.0.0.5";
in {
fudo.local-network = let
hostname = config.instance.hostname;
site-name = config.fudo.hosts.${hostname}.site;
site = config.fudo.site.${site-name};
in {
enable = true;
dns-servers = site.dns-servers;
gateway = site.gateway;
dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
server-ip = primary-ip;
};
fudo.slynk.enable = true;
# systemd.network.networks.eno2 = {
# extraConfig = {
# IPv6AcceptRA = true;
# IPv6PrefixDelegation = "dhcpv6";
# };
# };
networking = {
# dhcpd.extraConfig = ''
# interface eno2
# ia_na 1
# ia_pd 2 eno2/0
# '';
eno1.useDHCP = false;
eno2.useDHCP = false;
eno3.useDHCP = false;
eno4.useDHCP = false;
enp33s0f0.useDHCP = false;
enp33s0f1.useDHCP = false;
enp9s0f0.useDHCP = false;
enp9s0f1.useDHCP = false;
intif0 = {
useDHCP = false;
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 22;
}
{
address = dns-proxy-ip;
prefixLength = 32;
}
];
};
extif0 = { useDHCP = true; };
nat = {
enable = true;
externalInterface = "extif0";
internalInterfaces = [ "intif0" ];
};
};
fudo = {
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
secure-dns-proxy = {
enable = true;
port = 3535;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
listen-ips = [ dns-proxy-ip ];
};
};
virtualization = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
libvirtd = {
enable = true;
qemuPackage = pkgs.qemu_kvm;
onShutdown = "shutdown";
};
};
docker-containers = {
pihole = {
image = "pihole/pihole:4.3.2-1";
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org";
DNS1 = dns-proxy-ip;
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
security.acme.certs = {
"sea-camera.fudo.link".email = "niten@fudo.org";
"sea-camera-od.fudo.link".email = "niten@fudo.org";
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"sea-camera.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
# Supposed to be for object detection...
"sea-camera-od.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon-od.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
"pihole.sea.fudo.org" = {
serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ];
locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
};
};
};
};
}

81
config/host-config/plato.nix Normal file
View File

@ -0,0 +1,81 @@
{ config, lib, pkgs, ... }:
with lib;
let primary-ip = "10.0.0.21";
in {
config = {
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
environment.etc = {
nixos.source = "/state/nixos";
adjtime.source = "/state/etc/adjtime";
NIXOS.source = "/state/etc/NIXOS";
machine-id.source = "/state/etc/machine-id";
"host-config.nix".source = "/state/etc/host-config.nix";
"krb5.keytab" = {
source = "/state/etc/plato.keytab";
user = "root";
group = "root";
mode = "0600";
};
};
system.stateVersion = "20.09";
boot.initrd.postDeviceCommands = lib.mkAfter ''
${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
'';
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
# "L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
networking = {
defaultGateway = {
address = "10.0.0.1";
interface = "intif0";
};
interfaces = {
intif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
};
};
services = {
openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
};
}

16
config/host-config/spark.nix Normal file
View File

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
{
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
fudo.slynk.enable = true;
networking = {
interfaces = {
extif0 = { useDHCP = true; };
};
};
}

19
config/host-config/zbox.nix Normal file
View File

@ -0,0 +1,19 @@
{ config, lib, pkgs, ... }:
{
system.stateVersion = "20.09";
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
fudo.slynk.enable = true;
networking = {
interfaces = {
eno1.useDHCP = false;
intif0 = { useDHCP = true; };
};
};
}

162
config/hosts.nix
View File

@ -1,154 +1,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ with lib;
config.fudo.hosts = { let
atom = { is-nix-file = filename: type: (builtins.match ".+\.nix$" filename) != null;
description = "Niten's toy laptop."; is-regular-file = filename: type: type == "regular" || type == "link";
enable-gui = false; hostname-from-file = filename: builtins.replaceStrings [".nix"] [""] filename;
rp = "niten";
admin-email = "niten@fudo.org"; host-files = attrNames (filterAttrs is-nix-file (filterAttrs is-regular-file (builtins.readDir ./hosts)));
domain = "sea.fudo.org"; hosts = map hostname-from-file host-files;
site = "seattle";
profile = "laptop";
};
clunk = { load-host-file = hostname: import (./. + "/hosts/${hostname}.nix");
description = "rus.selby.ca gateway box.";
docker-server = true; in {
ssh-fingerprints = [ config.fudo.hosts = genAttrs hosts (hostname: load-host-file hostname);
"1 1 0e23d2156b1f9fca8552a0105c125aed76e51728"
"1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5"
"4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4"
"4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
};
downstairs-desktop = {
description = "Downstairs desktop in Russell.";
ssh-fingerprints = [
"1 1 ce704716ec0c3e330a243648531a10a2c78dd1ff"
"1 2 6042bbc9b16122a4b63b1cfb84e179ae65911361e9d88ee3f0cd6659428ba27e"
"3 1 de6dda3f72ee7043c804a7ad382033f3565b3b84"
"3 2 cb611dd503fa15e913a101be15295f9084fa585b3225b6c1084521bff9b2140b"
"4 1 a9a139b92851b3d9df2742a13bfea59c3e6e842e"
"4 2 2260bfab177ab1ffb6a855b02b5a1aa719d765610e6a7bc79b09c340ce7c1236"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "desktop";
ssh-pubkey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas=";
};
france = {
description = "Primary fudo.org server.";
docker-server = true;
ssh-fingerprints = [
"1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
"1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
"4 1 c95a198f504a589fc62893a95424b12f0b24732d"
"4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
];
rp = "admin";
admin-email = "admin@fudo.org";
domain = "fudo.org";
site = "portage";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
};
google-wifi = {
description = "Google WiFi router.";
rp = "niten";
};
lambda = {
description = "sea.fudo.org experiment server.";
docker-server = true;
ssh-fingerprints = [
"1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35"
"1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88"
"4 1 a689caa9f1e75c6378efed592bc0d623e4b7d199"
"4 2 5856ae661077203fba74a226dd77a17d69d6fda8ab960bfeb22a14c253f4472f"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
};
nostromo = {
description = "sea.fudo.org gateway box and primary server.";
docker-server = true;
ssh-fingerprints = [
"1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
"1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e"
"4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42"
"4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
};
plato = {
description = "Niten's toy server.";
ssh-fingerprints = [
"4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
"4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
"1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
"1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
};
procul = {
description = "informis.land server.";
docker-server = true;
};
pselby-work = { description = "Google Lenovo work laptop."; };
spark = { description = "Niten's backup desktop."; };
upstairs-desktop = {
description = "Upstairs desktop in Russell.";
ssh-fingerprints = [
"1 1 f927527d712391b57aef6d2e7c3f225a86b62bf4"
"1 2 17aece61156ba14c439aeae2e7b0f86daf97eea904241c35980f974ca1744c3d"
"3 1 70f5f613e66e53a74534d33cd7ebf248cfdc3024"
"3 2 774f1f00614751e51faa0add55183973893313d3a236d269adc3ab3c1f67c952"
"4 1 e81e07d1ae7526c457a46ab1f18af3c016b4f48e"
"4 2 e5af579cfb7f68b22492f5286b5249c5de74debf2a6cac78c070790f424566aa"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "desktop";
};
zbox = { description = "Niten's primary desktop."; };
};
} }

14
config/hosts/atom.nix
View File

@ -1,9 +1,9 @@
{ config, lib, pkgs, ... }:
{ {
fudo.laptop.use-network-manager = false; description = "Niten's toy laptop.";
enable-gui = false;
fudo.slynk.enable = true; rp = "niten";
admin-email = "niten@fudo.org";
services.xserver = { videoDrivers = [ "nvidia" ]; }; domain = "sea.fudo.org";
site = "seattle";
profile = "laptop";
} }

181
config/hosts/clunk.nix
View File

@ -1,168 +1,17 @@
{ config, lib, pkgs, ... }: {
description = "rus.selby.ca gateway box.";
with lib; docker-server = true;
let ssh-fingerprints = [
primary-ip = "10.0.0.1"; "1 1 0e23d2156b1f9fca8552a0105c125aed76e51728"
"1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5"
dns-proxy-port = 5335; "4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4"
"4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696"
host-packages = with pkgs; [
nixops
]; ];
rp = "niten";
site-name = config.fudo.hosts.${config.instance.hostname}.site; admin-email = "niten@fudo.org";
site = config.fudo.site.${site-name}; domain = "rus.selby.ca";
site = "russell";
in { profile = "server";
system = { ssh-pubkey =
# # DO force all DNS traffic to use the local server "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
# activationScripts.force-local-dns = let
# wifi-ip =
# config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
# in ''
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# '';
};
environment.systemPackages = host-packages;
fudo.local-network = let
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
in {
enable = true;
# NOTE: requests go:
# - local bind instance
# - pi-hole
# - DoH resolver
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ "selby.ca" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks."rus.selby.ca";
};
networking = {
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "docker0" ];
allowedTCPPorts = [ 22 ];
};
interfaces = {
enp1s0.useDHCP = true;
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
intif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
};
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "intif0" ];
forwardPorts = [{
destination = "127.0.0.1:53";
sourcePort = 53;
proto = "udp";
}];
};
};
fudo = {
garbage-collector = {
enable = true;
timing = "weekly";
};
auth.kdc = {
enable = true;
realm = "RUS.SELBY.CA";
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
acl = {
"niten" = { perms = [ "add" "change-password" "list" ]; };
"*/root" = { perms = [ "all" ]; };
};
};
secure-dns-proxy = {
enable = true;
listen-port = dns-proxy-port;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
allowed-networks =
[ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ];
listen-ips = [ primary-ip ];
};
};
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
oci-containers = {
backend = "docker";
containers = {
pihole = {
image = "pihole/pihole:v5.7";
autoStart = true;
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
# ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.rus.selby.ca";
DNS1 = "${primary-ip}#${toString dns-proxy-port}";
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
};
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"dns-hole.rus.selby.ca" = {
serverAliases = [
"pihole.rus.selby.ca"
"hole.rus.selby.ca"
"pihole"
"dns-hole"
"hole"
];
locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
};
};
};
} }

18
config/hosts/downstairs-desktop.nix Normal file
View File

@ -0,0 +1,18 @@
{
description = "Downstairs desktop in Russell.";
ssh-fingerprints = [
"1 1 ce704716ec0c3e330a243648531a10a2c78dd1ff"
"1 2 6042bbc9b16122a4b63b1cfb84e179ae65911361e9d88ee3f0cd6659428ba27e"
"3 1 de6dda3f72ee7043c804a7ad382033f3565b3b84"
"3 2 cb611dd503fa15e913a101be15295f9084fa585b3225b6c1084521bff9b2140b"
"4 1 a9a139b92851b3d9df2742a13bfea59c3e6e842e"
"4 2 2260bfab177ab1ffb6a855b02b5a1aa719d765610e6a7bc79b09c340ce7c1236"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "desktop";
ssh-pubkey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas=";
}

194
config/hosts/france.nix
View File

@ -1,179 +1,17 @@
{ config, lib, pkgs, ... }: {
description = "Primary fudo.org server.";
let docker-server = true;
primary-ip = "208.81.3.117"; ssh-fingerprints = [
hostname = config.instance.hostname; "1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
domain-name = config.fudo.hosts.${hostname}.domain; "1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
domain = config.fudo.domains.${domain-name}; "4 1 c95a198f504a589fc62893a95424b12f0b24732d"
host-fqdn = "${hostname}.${domain-name}"; "4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
mail-hostname = "mail.fudo.org"; ];
rp = "admin";
in { admin-email = "admin@fudo.org";
imports = [ ./france/postgresql.nix ]; domain = "fudo.org";
site = "portage";
config = { profile = "server";
fudo = { ssh-pubkey =
auth = { "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
ldap = {
enable = true;
base = "dc=fudo,dc=org";
organization = "Fudo";
rootpw-file = "FIXME";
kerberos-host = host-fqdn;
kerberos-keytab = "FIXME";
sslCert = "FIXME";
sslKey = "FIXME";
sslCaCert = "FIXME";
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
users = config.fudo.users;
groups = config.fudo.groups;
system-users = config.fudo.system-users;
};
kdc = let realm = "FUDO.ORG";
in {
enable = true;
database-path = "FIXME";
realm = realm;
mkey-file = "FIXME";
acl = [
{
principal = "pam_migrate/*.fudo.org@${realm}";
access = "add";
}
{
principal = "host/*.fudo.org@${realm}";
access = "add";
}
] ++ (concatMap (user: [
{
principal = "${user}@${realm}";
access = "add,list,modify";
}
{
principal = "${user}/root@${realm}";
access = "all";
}
]) domain.admin-users);
bind-addresses = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
};
};
prometheus = {
enable = true;
hostname = "metrics.fudo.org";
service-discovery-dns = let dns-root = "_metrics._tcp.fudo.org";
in {
node = [ "node.${dns-root}" ];
postfix = [ "postfix.${dns-root}" ];
dovecot = [ "dovecot.${dns-root}" ];
rspamd = [ "rspamd.${dns-root}" ];
};
};
postgresql = {
enable = true;
# FIXME: ssl-private-key && ssl certificate
keytab = "/srv/postgres/secure/postgres.keytab";
local-networks = getHostLocalNetworks hostname;
admin-users = domain.admin-users;
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "FIXME";
external-interface = "extif0";
password-file = "FIXME";
};
mail-server = domain.mail-config // {
enableContainer = true;
monitoring = true;
hostname = mail-hostname;
state-directory = "FIXME";
mail-directory = "FIXME";
dovecot.ldap = {
reader-dn = "FIXME";
reader-password = "FIXME";
server-urls = [ "FIXME" ];
};
clamav.enable = true;
dkim.signing = true;
};
git = {
enable = true;
hostname = "git.fudo.org";
site-name = "Fudo Git";
user = "FIXME";
database = {
user = "FIXME";
password-file = "FIXME";
hostname = "127.0.0.1";
name = "FIXME";
};
repository-dir = "FIXME";
state-dir = "FIXME";
ssh = {
listen-ip = git-server-ip;
listen-port = 22;
};
};
minecraft-server = {
enable = true;
package = pkgs.minecraft-current;
data-dir = "FIXME";
world-name = "selbyland";
motd = "Welcome to the Selby Minecraft server.";
};
};
networking = {
intif0 = {
ipv4.addresses = [{
address = "192.168.11.1";
prefixLength = 24;
}];
};
extif0 = {
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 28;
}
{
address = git-server-ip;
prefixLength = 32;
}
];
};
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisations = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"mail.fudo.org" = {
enableACME = true;
locations."/".return = "301 https://webmail.fudo.org$request_uri";
};
};
};
};
};
} }

45
config/hosts/lambda.nix
View File

@ -1,32 +1,15 @@
{ config, lib, pkgs, ... }: {
description = "sea.fudo.org experiment server.";
let primary-ip = "10.0.0.3"; docker-server = true;
ssh-fingerprints = [
in { "1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35"
fudo.slynk.enable = true; "1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88"
"4 1 a689caa9f1e75c6378efed592bc0d623e4b7d199"
networking = { "4 2 5856ae661077203fba74a226dd77a17d69d6fda8ab960bfeb22a14c253f4472f"
interfaces = { ];
enp3s0f0.useDHCP = false; rp = "niten";
enp3s0f1.useDHCP = false; admin-email = "niten@fudo.org";
enp4s0f0.useDHCP = false; domain = "sea.fudo.org";
enp4s0f1.useDHCP = false; site = "seattle";
profile = "server";
extif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
};
};
fudo.ipfs = {
enable = true;
users = [ "niten" ];
api-address = "/ip4/${primary-ip}/tcp/5001";
};
# TODO: add camera
} }

16
config/hosts/limina.nix Normal file
View File

@ -0,0 +1,16 @@
{
description = "Seattle Gateway Server.";
ssh-fingerprints = [
"1 1 36cbb85f83e84a4052777cf9b3cfb0f7947f3e4e"
"1 2 041c59238f599f7a3a4ec39151f5bc79fdcf917ec7ef2c400ed19a8d148fbeeb"
"4 1 07318d35f52203d337d4f457acc6d00ebf0e1aad"
"4 2 c58ef49cb6e150995ae0bd5dd502a0fc18289caf1438fb0bc9821455c8d1f41f"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
}

184
config/hosts/nostromo.nix
View File

@ -1,169 +1,17 @@
{ config, lib, pkgs, ... }: {
description = "sea.fudo.org gateway box and primary server.";
let docker-server = true;
primary-ip = "10.0.0.1"; ssh-fingerprints = [
dns-proxy-ip = "10.0.0.5"; "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
"1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e"
in { "4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42"
fudo.local-network = let "4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5"
hostname = config.instance.hostname; ];
site-name = config.fudo.hosts.${hostname}.site; rp = "niten";
site = config.fudo.site.${site-name}; admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
in { site = "seattle";
enable = true; profile = "server";
dns-servers = site.dns-servers; ssh-pubkey =
gateway = site.gateway; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
server-ip = primary-ip;
};
fudo.slynk.enable = true;
# systemd.network.networks.eno2 = {
# extraConfig = {
# IPv6AcceptRA = true;
# IPv6PrefixDelegation = "dhcpv6";
# };
# };
networking = {
# dhcpd.extraConfig = ''
# interface eno2
# ia_na 1
# ia_pd 2 eno2/0
# '';
eno1.useDHCP = false;
eno2.useDHCP = false;
eno3.useDHCP = false;
eno4.useDHCP = false;
enp33s0f0.useDHCP = false;
enp33s0f1.useDHCP = false;
enp9s0f0.useDHCP = false;
enp9s0f1.useDHCP = false;
intif0 = {
useDHCP = false;
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 22;
}
{
address = dns-proxy-ip;
prefixLength = 32;
}
];
};
extif0 = { useDHCP = true; };
nat = {
enable = true;
externalInterface = "extif0";
internalInterfaces = [ "intif0" ];
};
};
fudo = {
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
secure-dns-proxy = {
enable = true;
port = 3535;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
listen-ips = [ dns-proxy-ip ];
};
};
virtualization = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
libvirtd = {
enable = true;
qemuPackage = pkgs.qemu_kvm;
onShutdown = "shutdown";
};
};
docker-containers = {
pihole = {
image = "pihole/pihole:4.3.2-1";
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org";
DNS1 = dns-proxy-ip;
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
security.acme.certs = {
"sea-camera.fudo.link".email = "niten@fudo.org";
"sea-camera-od.fudo.link".email = "niten@fudo.org";
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"sea-camera.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
# Supposed to be for object detection...
"sea-camera-od.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon-od.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
"pihole.sea.fudo.org" = {
serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ];
locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
};
};
};
};
} }

67
config/hosts/plato.nix
View File

@ -1,50 +1,19 @@
{ config, lib, pkgs, ... }: {
description = "Niten's toy server.";
with lib; { ssh-fingerprints = [
config = { "4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
environment.etc = { "4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
nixos.source = "/state/nixos"; "1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
adjtime.source = "/state/etc/adjtime"; "1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
NIXOS.source = "/state/etc/NIXOS"; ];
machine-id.source = "/state/etc/machine-id"; rp = "niten";
"host-config.nix".source = "/state/etc/host-config.nix"; admin-email = "niten@fudo.org";
}; domain = "sea.fudo.org";
site = "seattle";
system.stateVersion = "20.09"; profile = "server";
ssh-pubkey =
boot.initrd.postDeviceCommands = lib.mkAfter '' "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank build-pubkeys = [
''; "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="
];
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
"L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
services = {
openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
};
} }

4
config/hosts/procul.nix Normal file
View File

@ -0,0 +1,4 @@
{
description = "informis.land server.";
docker-server = true;
}

3
config/hosts/pselby-work.nix Normal file
View File

@ -0,0 +1,3 @@
{
description = "Google Lenovo work laptop.";
}

17
config/hosts/spark.nix Normal file
View File

@ -0,0 +1,17 @@
{
description = "Niten's backup desktop.";
ssh-fingerprints = [
"1 1 d26812dee9b26a19a52c38d2b346442979093142"
"1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3"
"4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63"
"4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b"
];
rp = "niten";
admin-email = "niten@fudo.org";
enable-gui = true;
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa";
profile = "desktop";
domain = "sea.fudo.org";
site = "seattle";
}

13
config/hosts/upstairs-desktop.nix Normal file
View File

@ -0,0 +1,13 @@
{
description = "Upstairs desktop in Russell.";
ssh-fingerprints = [
"1 1 f927527d712391b57aef6d2e7c3f225a86b62bf4"
"1 2 17aece61156ba14c439aeae2e7b0f86daf97eea904241c35980f974ca1744c3d"
"3 1 70f5f613e66e53a74534d33cd7ebf248cfdc3024"
"3 2 774f1f00614751e51faa0add55183973893313d3a236d269adc3ab3c1f67c952"
"4 1 e81e07d1ae7526c457a46ab1f18af3c016b4f48e"
"4 2 e5af579cfb7f68b22492f5286b5249c5de74debf2a6cac78c070790f424566aa"
];
rp = "niten";
admin-email = "niten@fudo.org";
}

23
config/hosts/zbox.nix
View File

@ -1,10 +1,17 @@
{ config, lib, pkgs, ... }:
{ {
fudo.slynk.enable = true; description = "Niten's primary desktop.";
ssh-fingerprints = [
networking = { "1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d"
eno1.useDHCP = false; "1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493"
intif0 = { useDHCP = true; }; "4 1 862842d99f5afb33db4f073d2f3d1154c6417110"
}; "4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3"
];
rp = "niten";
admin-email = "niten@fudo.org";
enable-gui = true;
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8";
profile = "desktop";
domain = "sea.fudo.org";
site = "seattle";
} }

2
config/networks.nix
View File

@ -3,6 +3,6 @@
{ {
config.fudo.networks = { config.fudo.networks = {
"rus.selby.ca" = import ./networks/rus.selby.ca.nix { inherit config lib; }; "rus.selby.ca" = import ./networks/rus.selby.ca.nix { inherit config lib; };
"sea.fudo.org" = import ./networks/rus.selby.ca.nix { inherit config lib; }; "sea.fudo.org" = import ./networks/sea.fudo.org.nix { inherit config lib; };
}; };
} }

122
config/networks/sea.fudo.org.nix
View File

@ -1,32 +1,27 @@
{ config, lib, ... }:
let local-domain = "sea.fudo.org"; let local-domain = "sea.fudo.org";
in { in {
domain = "${local-domain}";
aliases = { aliases = {
kadmin = "nostromo"; deploy = "plato";
kdc = "nostromo"; gateway = "limina";
# kadmin = "nostromo";
# kdc = "nostromo";
photo = "doraemon"; photo = "doraemon";
music = "doraemon"; music = "doraemon";
panopticon = "lambda"; panopticon = "lambda";
panopticon-od = "lambda"; panopticon-od = "lambda";
ipfs = "nostromo"; ipfs = "nostromo";
hole = "nostromo"; hole = "limina";
pihole = "nostromo"; pihole = "limina";
dns-hole = "nostromo"; dns-hole = "limina";
mon-1 = "srv-1";
}; };
network = "10.0.0.0/16";
dhcp-dynamic-network = "10.0.1.0/24";
enable-reverse-mappings = true;
srv-records = { srv-records = {
tcp = { tcp = {
domain = [{ domain = [{
port = 53; port = 53;
host = "nostromo.sea.fudo.org"; host = "limina.sea.fudo.org";
}]; }];
kerberos = [{ kerberos = [{
port = 88; port = 88;
@ -38,7 +33,7 @@ in {
}]; }];
ssh = [{ ssh = [{
port = 22; port = 22;
host = "nostromo.sea.fudo.org"; host = "limina.sea.fudo.org";
}]; }];
ldap = [{ ldap = [{
port = 389; port = 389;
@ -49,7 +44,7 @@ in {
udp = { udp = {
domain = [{ domain = [{
port = 53; port = 53;
host = "nostromo.sea.fudo.org"; host = "limina.sea.fudo.org";
}]; }];
kerberos = [{ kerberos = [{
port = 88; port = 88;
@ -67,150 +62,151 @@ in {
}; };
hosts = { hosts = {
nostromo = { limina = {
ip-address = "10.0.0.1"; ipv4-address = "10.0.0.1";
mac-address = "46:54:76:06:f1:10"; mac-address = "02:fd:79:94:a2:a8";
};
lm = {
ip-address = "10.0.0.2";
mac-address = "00:23:7d:e6:d9:ea";
};
lambda = {
ip-address = "10.0.0.3";
mac-address = "02:50:f6:52:9f:9d";
}; };
switch-master = { switch-master = {
ip-address = "10.0.0.5"; ipv4-address = "10.0.0.5";
mac-address = "00:14:1C:B6:BB:40"; mac-address = "00:14:1C:B6:BB:40";
}; };
google-wifi = { google-wifi = {
ip-address = "10.0.0.7"; ipv4-address = "10.0.0.7";
mac-address = "7C:D9:5C:9F:6F:E9"; mac-address = "7C:D9:5C:9F:6F:E9";
}; };
nostromo = {
ipv4-address = "10.0.0.10";
mac-address = "46:54:76:06:f1:10";
};
lambda = {
ipv4-address = "10.0.0.11";
mac-address = "e8:39:35:2c:38:08";
};
plato = { ipv4-address = "10.0.0.21"; };
cam-entrance = { cam-entrance = {
ip-address = "10.0.0.31"; ipv4-address = "10.0.0.31";
mac-address = "9c:8e:cd:0e:99:7b"; mac-address = "9c:8e:cd:0e:99:7b";
}; };
cam-driveway = { cam-driveway = {
ip-address = "10.0.0.32"; ipv4-address = "10.0.0.32";
mac-address = "9c:8e:cd:0d:3b:09"; mac-address = "9c:8e:cd:0d:3b:09";
}; };
cam-deck = { cam-deck = {
ip-address = "10.0.0.33"; ipv4-address = "10.0.0.33";
mac-address = "9c:8e:cd:0e:98:c8"; mac-address = "9c:8e:cd:0e:98:c8";
}; };
cargo = { cargo = {
ip-address = "10.0.0.50"; ipv4-address = "10.0.0.50";
mac-address = "00:11:32:75:d8:b7"; mac-address = "00:11:32:75:d8:b7";
}; };
whitedwarf = { whitedwarf = {
ip-address = "10.0.0.51"; ipv4-address = "10.0.0.51";
mac-address = "00:11:32:12:14:1d"; mac-address = "00:11:32:12:14:1d";
}; };
doraemon = { doraemon = {
ip-address = "10.0.0.52"; ipv4-address = "10.0.0.52";
mac-address = "00:11:32:0a:06:c5"; mac-address = "00:11:32:0a:06:c5";
}; };
android = { android = {
ip-address = "10.0.0.81"; ipv4-address = "10.0.0.81";
mac-address = "00:16:3e:43:39:fc"; mac-address = "00:16:3e:43:39:fc";
}; };
retro-wired = { retro-wired = {
ip-address = "10.0.0.82"; ipv4-address = "10.0.0.82";
mac-address = "dc:a6:32:6b:57:43"; mac-address = "dc:a6:32:6b:57:43";
}; };
retro = { retro = {
ip-address = "10.0.0.83"; ipv4-address = "10.0.0.83";
mac-address = "dc:a6:32:6b:57:45"; mac-address = "dc:a6:32:6b:57:45";
}; };
monolith = { monolith = {
ip-address = "10.0.0.100"; ipv4-address = "10.0.0.100";
mac-address = "6c:62:6d:c8:b0:d8"; mac-address = "6c:62:6d:c8:b0:d8";
}; };
taipan = { taipan = {
ip-address = "10.0.0.107"; ipv4-address = "10.0.0.107";
mac-address = "52:54:00:34:c4:78"; mac-address = "52:54:00:34:c4:78";
}; };
spark = { spark = {
ip-address = "10.0.0.108"; ipv4-address = "10.0.0.108";
mac-address = "78:24:af:04:f7:dd"; mac-address = "02:9c:b7:b6:ad:c4";
}; };
hyperion = { hyperion = {
ip-address = "10.0.0.109"; ipv4-address = "10.0.0.109";
mac-address = "52:54:00:33:46:de"; mac-address = "52:54:00:33:46:de";
}; };
zbox = { zbox = {
ip-address = "10.0.0.110"; ipv4-address = "10.0.0.110";
mac-address = "02:dd:80:52:83:9b"; mac-address = "02:DD:80:52:83:9B";
}; };
ubiquiti-wifi = { ubiquiti-wifi = {
ip-address = "10.0.0.126"; ipv4-address = "10.0.0.126";
mac-address = "04:18:d6:20:48:fb"; mac-address = "04:18:d6:20:48:fb";
}; };
generator-wireless = { generator-wireless = {
ip-address = "10.0.0.130"; ipv4-address = "10.0.0.130";
mac-address = "B8:27:EB:A6:32:26"; mac-address = "B8:27:EB:A6:32:26";
}; };
brother-wireless = { brother-wireless = {
ip-address = "10.0.0.160"; ipv4-address = "10.0.0.160";
mac-address = "c0:38:96:64:49:65"; mac-address = "c0:38:96:64:49:65";
}; };
nest = { nest = {
ip-address = "10.0.0.176"; ipv4-address = "10.0.0.176";
mac-address = "18:b4:30:16:7c:5a"; mac-address = "18:b4:30:16:7c:5a";
}; };
xixi-phone = { xixi-phone = {
ip-address = "10.0.0.193"; ipv4-address = "10.0.0.193";
mac-address = "48:43:7c:75:89:42"; mac-address = "48:43:7c:75:89:42";
}; };
ipad = { ipad = {
ip-address = "10.0.0.202"; ipv4-address = "10.0.0.202";
mac-address = "9c:35:eb:48:6e:71"; mac-address = "9c:35:eb:48:6e:71";
}; };
cam-front = { cam-front = {
ip-address = "10.0.0.203"; ipv4-address = "10.0.0.203";
mac-address = "c4:d6:55:3e:b4:c3"; mac-address = "c4:d6:55:3e:b4:c3";
}; };
family-tv = { family-tv = {
ip-address = "10.0.0.205"; ipv4-address = "10.0.0.205";
mac-address = "84:a4:66:3a:b1:f8"; mac-address = "84:a4:66:3a:b1:f8";
}; };
babycam = { babycam = {
ip-address = "10.0.0.206"; ipv4-address = "10.0.0.206";
mac-address = "08:ea:40:59:5f:9e"; mac-address = "08:ea:40:59:5f:9e";
}; };
workphone = { workphone = {
ip-address = "10.0.0.211"; ipv4-address = "10.0.0.211";
mac-address = "a8:8e:24:5c:12:67"; mac-address = "a8:8e:24:5c:12:67";
}; };
chromecast-2 = { chromecast-2 = {
ip-address = "10.0.0.215"; ipv4-address = "10.0.0.215";
mac-address = "a4:77:33:59:a2:ba"; mac-address = "a4:77:33:59:a2:ba";
}; };
front-light = { front-light = {
ip-address = "10.0.0.221"; ipv4-address = "10.0.0.221";
mac-address = "94:10:3e:48:94:ed"; mac-address = "94:10:3e:48:94:ed";
}; };
# Ceph network # Ceph network
srv-1 = { srv-1 = {
ip-address = "10.0.10.1"; ipv4-address = "10.0.10.1";
mac-address = "02:65:d7:00:7d:1b"; mac-address = "02:65:d7:00:7d:1b";
}; };
node-1 = { node-1 = {
ip-address = "10.0.10.101"; ipv4-address = "10.0.10.101";
mac-address = "00:1e:06:36:81:cf"; mac-address = "00:1e:06:36:81:cf";
}; };
node-2 = { node-2 = {
ip-address = "10.0.10.102"; ipv4-address = "10.0.10.102";
mac-address = "00:1e:06:36:ec:3e"; mac-address = "00:1e:06:36:ec:3e";
}; };
node-3 = { node-3 = {
ip-address = "10.0.10.103"; ipv4-address = "10.0.10.103";
mac-address = "00:1e:06:36:ec:4b"; mac-address = "00:1e:06:36:ec:4b";
}; };
node-4 = { node-4 = {
ip-address = "10.0.10.104"; ipv4-address = "10.0.10.104";
mac-address = "00:1e:06:36:dd:8c"; mac-address = "00:1e:06:36:dd:8c";
}; };
}; };

52
config/profiles/common-ui.nix → config/profile-config/common-ui.nix
View File

@ -6,22 +6,43 @@ let
enable-gui = config.fudo.hosts.${hostname}.enable-gui; enable-gui = config.fudo.hosts.${hostname}.enable-gui;
in { in {
import = [ ./common.nix ]; imports = [ ./common.nix ];
boot.plymouth.enable = false; boot.plymouth.enable = false;
boot.tmpOnTmpfs = true; boot.tmpOnTmpfs = true;
system.autoUpgrade.enable = true; environment = mkIf enable-gui {
systemPackages = [
#libva
];
};
services.xserver = mkIf enable-gui { system = {
enable = true; autoUpgrade.enable = true;
};
desktopManager.gnome3.enable = true; services = {
xserver = mkIf enable-gui {
enable = true;
displayManager.gdm.enable = true; desktopManager.gnome3.enable = true;
windowManager.stumpwm.enable = true; displayManager.gdm = {
enable = true;
wayland = true;
};
windowManager.stumpwm.enable = true;
# windowManager.session = pkgs.lib.singleton {
# name = "stumpwm";
# start = ''
# ${pkgs.lispPackages.stumpwm}/bin/stumpwm &
# waidPID=$!
# '';
# };
};
emacs = { emacs = {
enable = true; enable = true;
@ -30,13 +51,16 @@ in {
defaultEditor = true; defaultEditor = true;
}; };
# windowManager.session = pkgs.lib.singleton { trezord.enable = true;
# name = "stumpwm"; };
# start = ''
# ${pkgs.lispPackages.stumpwm}/bin/stumpwm & hardware = {
# waidPID=$! bluetooth.enable = true;
# '';
# }; opengl = mkIf enable-gui {
driSupport = true;
driSupport32Bit = true;
};
}; };
sound.enable = true; sound.enable = true;

29
config/profiles/common.nix → config/profile-config/common.nix
View File

@ -11,10 +11,10 @@ in {
systemPackages = global-packages; systemPackages = global-packages;
shellInit = '' # shellInit = ''
${pkgs.gnupg}/bin/gpg-connect-agent /bye # ${pkgs.gnupg}/bin/gpg-connect-agent /bye
export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket) # export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)
''; # '';
}; };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@ -45,7 +45,7 @@ in {
openssh = { openssh = {
enable = true; enable = true;
startWhenNeeded = true; startWhenNeeded = true;
useDns = true; # useDns = true;
permitRootLogin = "prohibit-password"; permitRootLogin = "prohibit-password";
extraConfig = '' extraConfig = ''
GSSAPIAuthentication yes GSSAPIAuthentication yes
@ -53,20 +53,6 @@ in {
GSSAPIKeyExchange yes GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes GSSAPIStoreCredentialsOnRekey yes
''; '';
# FIXME: add all the hosts we know about
knownHosts = {
# publicKey, hostNames
};
};
lshd = {
enable = true;
portNumber = 2112;
rootLogin = true;
srpKeyExchange = true;
tcpForwarding = false;
publicKeyAuthentication = true;
passwordAuthentication = false;
}; };
fail2ban = { fail2ban = {
@ -105,13 +91,12 @@ in {
gnupg.agent = { gnupg.agent = {
enable = true; enable = true;
enableSSHSupport = true; # enableSSHSupport = true;
# pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses"; # pinentryFlavor = if cfg.enable-gui then "gnome3" else "curses";
}; };
ssh = { ssh = {
# Use GPG agent instead startAgent = true;
startAgent = false;
package = pkgs.openssh_gssapi; package = pkgs.openssh_gssapi;

0
config/profiles/desktop.nix → config/profile-config/desktop.nix
View File

0
config/profiles/laptop.nix → config/profile-config/laptop.nix
View File

9
config/profiles/server.nix → config/profile-config/server.nix
View File

@ -4,10 +4,6 @@ with lib;
let let
serverPackages = with pkgs; [ serverPackages = with pkgs; [
emacs-nox emacs-nox
ldns
ldns.examples
jdk14_headless
racket-minimal
reboot-if-necessary reboot-if-necessary
test-config test-config
]; ];
@ -24,7 +20,8 @@ let
$WALL "$1 exists, rebooting system" $WALL "$1 exists, rebooting system"
${pkgs.systemd}/bin/reboot ${pkgs.systemd}/bin/reboot
else else
$WALL "$1 does not exist, aborting reboot." $WALL "$1 does not exist, switching config."
nixos-rebuild switch
fi fi
exit 0 exit 0
@ -55,8 +52,6 @@ in {
config = { config = {
environment = { environment = {
systemPackages = serverPackages; systemPackages = serverPackages;
# noXlibs = lib.mkForce true;
}; };
system.autoUpgrade.enable = false; system.autoUpgrade.enable = false;

0
config/sites/joes-datacenter-0.nix → config/site-config/joes-datacenter-0.nix
View File

0
config/sites/portage.nix → config/site-config/portage.nix
View File

0
config/sites/russell.nix → config/site-config/russell.nix
View File

50
config/site-config/seattle.nix Normal file
View File

@ -0,0 +1,50 @@
{ config, lib, pkgs, ... }:
let
local-domain = "sea.fudo.org";
in {
fileSystems = {
"/mnt/documents" = {
device = "whitedwarf.${local-domain}:/volume1/Documents";
fsType = "nfs4";
};
"/mnt/downloads" = {
device = "whitedwarf.${local-domain}:/volume1/Downloads";
fsType = "nfs4";
};
"/mnt/music" = {
device = "doraemon.${local-domain}:/volume1/Music";
fsType = "nfs4";
};
"/mnt/video" = {
device = "doraemon.${local-domain}:/volume1/Video";
fsType = "nfs4";
};
# fileSystems."/mnt/security" = {
# device = "panopticon.${local-domain}:/srv/kerberos/data";
# fsType = "nfs4";
# };
"/mnt/cargo_video" = {
device = "cargo.${local-domain}:/volume1/video";
fsType = "nfs4";
};
"/mnt/photo" = {
device = "cargo.${local-domain}:/volume1/pictures";
fsType = "nfs4";
};
};
services.printing = {
enable = true;
drivers = [
pkgs.brlaser
pkgs.brgenml1lpr
pkgs.brgenml1cupswrapper
pkgs.hll2380dw-cups
];
};
environment.systemPackages = with pkgs; [
hll2380dw-cups
];
}

60
config/sites.nix
View File

@ -9,33 +9,45 @@
dynamic-network = "10.0.1.0/24"; dynamic-network = "10.0.1.0/24";
timezone = "America/Los_Angeles"; timezone = "America/Los_Angeles";
gateway-host = "nostromo"; gateway-host = "nostromo";
# FIXME: good idea? deploy-pubkey =
network-mounts = { "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0=";
"/mnt/documents" = { build-servers = {
device = "whitedwarf:/volume1/Documents"; nostromo = {
fsType = "nfs4"; max-jobs = 2;
speed-factor = 2;
}; };
"/mnt/downloads" = { lambda = {
device = "whitedwarf:/volume1/Downloads"; max-jobs = 2;
fsType = "nfs4"; speed-factor = 2;
};
"/mnt/music" = {
device = "doraemon:/volume1/Music";
fsType = "nfs4";
};
"/mnt/video" = {
device = "doraemon:/volume1/Video";
fsType = "nfs4";
};
"/mnt/cargo_video" = {
device = "cargo:/volume1/video";
fsType = "nfs4";
};
"/mnt/photo" = {
device = "cargo:/volume1/pictures";
fsType = "nfs4";
}; };
}; };
# FIXME: good idea?
# network-mounts = {
# "/mnt/documents" = {
# device = "whitedwarf:/volume1/Documents";
# fsType = "nfs4";
# };
# "/mnt/downloads" = {
# device = "whitedwarf:/volume1/Downloads";
# fsType = "nfs4";
# };
# "/mnt/music" = {
# device = "doraemon:/volume1/Music";
# fsType = "nfs4";
# };
# "/mnt/video" = {
# device = "doraemon:/volume1/Video";
# fsType = "nfs4";
# };
# "/mnt/cargo_video" = {
# device = "cargo:/volume1/video";
# fsType = "nfs4";
# };
# "/mnt/photo" = {
# device = "cargo:/volume1/pictures";
# fsType = "nfs4";
# };
# };
}; };
portage = { portage = {

5
config/sites/seattle.nix
View File

@ -1,5 +0,0 @@
{ config, lib, pkgs, ... }:
{
}

3
configuration.nix
View File

@ -8,9 +8,6 @@ in {
imports = [ imports = [
(initialize { (initialize {
hostname = local.hostname; hostname = local.hostname;
profile = local.profile;
site = local.site;
domain = local.domain;
home-manager-package = builtins.fetchGit { home-manager-package = builtins.fetchGit {
url = "https://github.com/nix-community/home-manager.git"; url = "https://github.com/nix-community/home-manager.git";
ref = "release-20.09"; ref = "release-20.09";

10
home-manager/niten.nix
View File

@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let let
name = "Niten"; name = "Niten";
email = "niten@fudo.org"; email = "niten@fudo.org";
@ -17,12 +18,15 @@ let
doomEmacsInit doomEmacsInit
enca enca
file file
firefox
fortune fortune
git
gnupg gnupg
guile guile
imagemagick imagemagick
ipfs ipfs
iptables iptables
jdk
jq jq
leiningen leiningen
libisofs libisofs
@ -37,6 +41,7 @@ let
nix-prefetch-git nix-prefetch-git
nmap nmap
openldap openldap
openttd
pciutils pciutils
pv pv
pwgen pwgen
@ -44,6 +49,7 @@ let
rustc rustc
sbcl sbcl
signal-desktop signal-desktop
spotify
stdenv stdenv
telnet telnet
texlive.combined.scheme-basic texlive.combined.scheme-basic
@ -88,6 +94,10 @@ in {
onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh"; onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh";
}; };
".local/share/openttd/baseset" = {
source = "${pkgs.openttd-data}/data";
};
# ".k5login" = { # ".k5login" = {
# source = pkgs.writeText "niten-k5login" '' # source = pkgs.writeText "niten-k5login" ''
# niten@FUDO.ORG # niten@FUDO.ORG

21
initialize.nix
View File

@ -1,27 +1,24 @@
{ hostname, profile, domain, site, home-manager-package, pkgs, ... }: { hostname, home-manager-package, pkgs, ... }:
{ let
host-config = import (./. + "/config/hosts/${hostname}.nix");
in {
imports = [ imports = [
./lib ./lib
./config ./config
./packages ./packages
(./. + "/config/hardware/${hostname}.nix") (./. + "/config/hardware/${hostname}.nix")
(./. + "/config/hosts/${hostname}.nix") (./. + "/config/host-config/${hostname}.nix")
(./. + "/config/profiles/${profile}.nix") (./. + "/config/profile-config/${host-config.profile}.nix")
(./. + "/config/domains/${domain}.nix") (./. + "/config/domain-config/${host-config.domain}.nix")
(./. + "/config/sites/${site}.nix") (./. + "/config/site-config/${host-config.site}.nix")
(import "${home-manager-package}/nixos") (import "${home-manager-package}/nixos")
]; ];
config = { config = {
instance = { hostname = hostname; }; instance = { hostname = hostname; };
fudo.hosts."${hostname}" = {
domain = domain;
site = site;
profile = profile;
};
}; };
} }

23
lib/fudo/hosts.nix
View File

@ -78,7 +78,7 @@ let
ssh-fingerprints = mkOption { ssh-fingerprints = mkOption {
type = listOf str; type = listOf str;
description = '' description = ''
A list of DNS SSHFP records for this host. A list of DNS SSHFP records for this host. Get with `ssh-keygen -r <hostname>`
''; '';
default = [ ]; default = [ ];
}; };
@ -106,6 +106,12 @@ let
"SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key."; "SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key.";
default = null; default = null;
}; };
build-pubkeys = mkOption {
type = listOf str;
description = "SSH public keys used to access the build server.";
default = [ ];
};
}; };
}; };
@ -124,6 +130,8 @@ in {
site = config.fudo.sites.${site-name}; site = config.fudo.sites.${site-name};
domain-name = host-cfg.domain; domain-name = host-cfg.domain;
domain = config.fudo.domains.${domain-name}; domain = config.fudo.domains.${domain-name};
has-build-servers = (length (attrNames site.build-servers)) > 0;
has-build-keys = (length host-cfg.build-pubkeys) > 0;
in { in {
networking = { networking = {
@ -138,6 +146,19 @@ in {
hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; }; hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; };
}; };
nix = mkIf
(has-build-servers && has-build-keys && site.enable-distributed-builds) {
buildMachines = mapAttrsToList (hostname: buildOpts: {
hostName = "${hostname}.${domain}";
maxJobs = buildOpts.max-jobs;
speedFactor = buildOpts.speed-factor;
supportedFeatures = buildOpts.supported-features;
}) site.build-servers;
distributedBuilds = true;
};
time.timeZone = site.timezone;
krb5.libdefaults.default_realm = domain.gssapi-realm; krb5.libdefaults.default_realm = domain.gssapi-realm;
services.cron.mailto = domain.admin-email; services.cron.mailto = domain.admin-email;

86
lib/fudo/networks/rus.selby.ca.nix
View File

@ -1,86 +0,0 @@
{ config, lib, ... }:
{
default-host = "10.0.0.1";
mx = [ "mail.fudo.org" ];
hosts = {
clunk = {
ipv4-address = "10.0.0.1";
mac-address = "02:44:d1:eb:c3:6b";
};
dns-proxy = {
ipv4-address = "10.0.0.2";
# This is just a second IP on clunk, for the pihole
};
google-wifi = {
ipv4-address = "10.0.0.11";
mac-address = "70:3a:cb:c0:3b:09";
};
pselby-work = {
ipv4-address = "10.0.0.151";
mac-address = "00:50:b6:aa:bd:b3";
};
downstairs-desktop = {
ipv4-address = "10.0.0.100";
mac-address = "90:b1:1c:8e:29:cf";
};
upstairs-desktop = {
ipv4-address = "10.0.0.101";
mac-address = "80:e8:2c:22:65:c2";
};
};
aliases = {
dns-hole = "clunk";
gateway = "clunk";
upstairs = "upstairs-desktop";
downstairs = "downstairs-desktop";
};
srv-records = {
tcp = {
domain = [{
port = 53;
host = "clunk.${local-domain}";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerberos-adm = [{
port = 88;
host = "france.fudo.org";
}];
ssh = [{
port = 22;
host = "clunk.${local-domain}";
}];
};
udp = {
domain = [{
port = 53;
host = "clunk.${local-domain}";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerboros-master = [{
port = 88;
host = "france.fudo.org";
}];
kpasswd = [{
port = 464;
host = "france.fudo.org";
}];
};
};
}

214
lib/fudo/networks/sea.fudo.org.nix
View File

@ -1,214 +0,0 @@
{ config, lib, ... }:
{
default-host = "10.0.0.1";
mx = [ "mail.fudo.org" ];
aliases = {
kadmin = "nostromo";
kdc = "nostromo";
photo = "doraemon";
music = "doraemon";
panopticon = "lambda";
panopticon-od = "lambda";
ipfs = "nostromo";
hole = "nostromo";
pihole = "nostromo";
dns-hole = "nostromo";
mon-1 = "srv-1";
};
srv-records = {
tcp = {
domain = [{
port = 53;
host = "nostromo.sea.fudo.org";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerberos-adm = [{
port = 88;
host = "france.fudo.org";
}];
ssh = [{
port = 22;
host = "nostromo.sea.fudo.org";
}];
ldap = [{
port = 389;
host = "france.fudo.org";
}];
};
udp = {
domain = [{
port = 53;
host = "nostromo.sea.fudo.org";
}];
kerberos = [{
port = 88;
host = "france.fudo.org";
}];
kerboros-master = [{
port = 88;
host = "france.fudo.org";
}];
kpasswd = [{
port = 464;
host = "france.fudo.org";
}];
};
};
hosts = {
nostromo = {
ip-address = "10.0.0.1";
mac-address = "46:54:76:06:f1:10";
};
lm = {
ip-address = "10.0.0.2";
mac-address = "00:23:7d:e6:d9:ea";
};
lambda = {
ip-address = "10.0.0.3";
mac-address = "02:50:f6:52:9f:9d";
};
switch-master = {
ip-address = "10.0.0.5";
mac-address = "00:14:1C:B6:BB:40";
};
google-wifi = {
ip-address = "10.0.0.7";
mac-address = "7C:D9:5C:9F:6F:E9";
};
cam-entrance = {
ip-address = "10.0.0.31";
mac-address = "9c:8e:cd:0e:99:7b";
};
cam-driveway = {
ip-address = "10.0.0.32";
mac-address = "9c:8e:cd:0d:3b:09";
};
cam-deck = {
ip-address = "10.0.0.33";
mac-address = "9c:8e:cd:0e:98:c8";
};
cargo = {
ip-address = "10.0.0.50";
mac-address = "00:11:32:75:d8:b7";
};
whitedwarf = {
ip-address = "10.0.0.51";
mac-address = "00:11:32:12:14:1d";
};
doraemon = {
ip-address = "10.0.0.52";
mac-address = "00:11:32:0a:06:c5";
};
android = {
ip-address = "10.0.0.81";
mac-address = "00:16:3e:43:39:fc";
};
retro-wired = {
ip-address = "10.0.0.82";
mac-address = "dc:a6:32:6b:57:43";
};
retro = {
ip-address = "10.0.0.83";
mac-address = "dc:a6:32:6b:57:45";
};
monolith = {
ip-address = "10.0.0.100";
mac-address = "6c:62:6d:c8:b0:d8";
};
taipan = {
ip-address = "10.0.0.107";
mac-address = "52:54:00:34:c4:78";
};
spark = {
ip-address = "10.0.0.108";
mac-address = "78:24:af:04:f7:dd";
};
hyperion = {
ip-address = "10.0.0.109";
mac-address = "52:54:00:33:46:de";
};
zbox = {
ip-address = "10.0.0.110";
mac-address = "02:dd:80:52:83:9b";
};
ubiquiti-wifi = {
ip-address = "10.0.0.126";
mac-address = "04:18:d6:20:48:fb";
};
generator-wireless = {
ip-address = "10.0.0.130";
mac-address = "B8:27:EB:A6:32:26";
};
brother-wireless = {
ip-address = "10.0.0.160";
mac-address = "c0:38:96:64:49:65";
};
nest = {
ip-address = "10.0.0.176";
mac-address = "18:b4:30:16:7c:5a";
};
xixi-phone = {
ip-address = "10.0.0.193";
mac-address = "48:43:7c:75:89:42";
};
ipad = {
ip-address = "10.0.0.202";
mac-address = "9c:35:eb:48:6e:71";
};
cam-front = {
ip-address = "10.0.0.203";
mac-address = "c4:d6:55:3e:b4:c3";
};
family-tv = {
ip-address = "10.0.0.205";
mac-address = "84:a4:66:3a:b1:f8";
};
babycam = {
ip-address = "10.0.0.206";
mac-address = "08:ea:40:59:5f:9e";
};
workphone = {
ip-address = "10.0.0.211";
mac-address = "a8:8e:24:5c:12:67";
};
chromecast-2 = {
ip-address = "10.0.0.215";
mac-address = "a4:77:33:59:a2:ba";
};
front-light = {
ip-address = "10.0.0.221";
mac-address = "94:10:3e:48:94:ed";
};
# Ceph network
srv-1 = {
ip-address = "10.0.10.1";
mac-address = "02:65:d7:00:7d:1b";
};
node-1 = {
ip-address = "10.0.10.101";
mac-address = "00:1e:06:36:81:cf";
};
node-2 = {
ip-address = "10.0.10.102";
mac-address = "00:1e:06:36:ec:3e";
};
node-3 = {
ip-address = "10.0.10.103";
mac-address = "00:1e:06:36:ec:4b";
};
node-4 = {
ip-address = "10.0.10.104";
mac-address = "00:1e:06:36:dd:8c";
};
};
}

187
lib/fudo/sites.nix
View File

@ -2,58 +2,65 @@
with lib; with lib;
let let
hostname = config.instance.hostname;
site-name = config.fudo.hosts.${hostname}.site;
site-cfg = config.fudo.sites.${site-name};
site-hosts = filterAttrs (hostname: hostOpts: hostOpts.site == site-name)
config.fudo.hosts;
siteOpts = { site, ... }: { siteOpts = { site, ... }: {
options = { options = with types; {
site = mkOption { site = mkOption {
type = types.str; type = str;
description = "Site name."; description = "Site name.";
default = site; default = site;
}; };
network = mkOption { network = mkOption {
type = types.str; type = str;
description = "Network to be treated as local."; description = "Network to be treated as local.";
}; };
dynamic-network = mkOption { dynamic-network = mkOption {
type = with types; nullOr str; type = nullOr str;
description = "Network to be allocated by DHCP."; description = "Network to be allocated by DHCP.";
default = null; default = null;
}; };
gateway-v4 = mkOption { gateway-v4 = mkOption {
type = with types; nullOr str; type = nullOr str;
description = "Gateway to use for public ipv4 internet access."; description = "Gateway to use for public ipv4 internet access.";
default = null; default = null;
}; };
gateway-v6 = mkOption { gateway-v6 = mkOption {
type = with types; nullOr str; type = nullOr str;
description = "Gateway to use for public ipv6 internet access."; description = "Gateway to use for public ipv6 internet access.";
default = null; default = null;
}; };
gateway-host = mkOption { gateway-host = mkOption {
type = with types; nullOr str; type = nullOr str;
description = "Identity of the host to act as a gateway."; description = "Identity of the host to act as a gateway.";
default = null; default = null;
}; };
local-groups = mkOption { local-groups = mkOption {
type = with types; listOf str; type = listOf str;
description = "List of groups which should exist at this site."; description = "List of groups which should exist at this site.";
default = [ ]; default = [ ];
}; };
local-users = mkOption { local-users = mkOption {
type = with types; listOf str; type = listOf str;
description = description =
"List of users which should exist on all hosts at this site."; "List of users which should exist on all hosts at this site.";
default = [ ]; default = [ ];
}; };
local-admins = mkOption { local-admins = mkOption {
type = with types; listOf str; type = listOf str;
description = description =
"List of admin users which should exist on all hosts at this site."; "List of admin users which should exist on all hosts at this site.";
default = [ ]; default = [ ];
@ -63,16 +70,104 @@ let
mkEnableOption "Enable site-wide monitoring with prometheus."; mkEnableOption "Enable site-wide monitoring with prometheus.";
nameservers = mkOption { nameservers = mkOption {
type = with types; listOf str; type = listOf str;
description = "List of nameservers to be used by hosts at this site."; description = "List of nameservers to be used by hosts at this site.";
default = [ ]; default = [ ];
}; };
timezone = mkOption { timezone = mkOption {
type = types.str; type = str;
description = "Timezone of the site."; description = "Timezone of the site.";
example = "America/Winnipeg"; example = "America/Winnipeg";
}; };
deploy-pubkey = mkOption {
type = nullOr str;
description = "SSH pubkey of site deploy key. Used by dropbear daemon.";
default = null;
};
enable-ssh-backdoor = mkOption {
type = bool;
description =
"Enable a backup SSH server in case of failures of the primary.";
default = true;
};
dropbear-rsa-key-path = mkOption {
type = str;
description = "Location of Dropbear RSA key.";
default = "/etc/dropbear/host_rsa_key";
};
dropbear-ecdsa-key-path = mkOption {
type = str;
description = "Location of Dropbear ECDSA key.";
default = "/etc/dropbear/host_ecdsa_key";
};
dropbear-ssh-port = mkOption {
type = port;
description = "Port to be used for the deploy SSH server.";
default = 2112;
};
enable-distributed-builds =
mkEnableOption "Enable distributed builds for the site.";
build-servers = mkOption {
type = attrsOf (submodule buildServerOpts);
description =
"List of hosts to be used as build servers for the local site.";
default = { };
example = {
my-build-host = {
port = 22;
systems = [ "i686-linux" "x86_64-linux" ];
};
};
};
build-user = mkOption {
type = str;
description = "User as which to run builds.";
default = "nix-site-builder";
};
};
};
buildServerOpts = { ... }: {
options = with types; {
port = mkOption {
type = port;
description = "SSH port at which to contact the server.";
default = 22;
};
systems = mkOption {
type = listOf str;
description =
"A list of systems for which this build server can build.";
default = [ "i686-linux" "x86_64-linux" ];
};
max-jobs = mkOption {
type = int;
description = "Max build allowed per-system.";
default = 1;
};
speed-factor = mkOption {
type = int;
description = "Weight to give this server, i.e. it's relative speed.";
default = 1;
};
supported-features = mkOption {
type = listOf str;
description = "List of features supported by this server.";
default = [ ];
};
}; };
}; };
@ -82,4 +177,72 @@ in {
description = "Site configurations for all sites known to the system."; description = "Site configurations for all sites known to the system.";
default = { }; default = { };
}; };
config = {
users.users = {
root.openssh.authorizedKeys.keys =
mkIf (site-cfg.deploy-pubkey != null) [ site-cfg.deploy-pubkey ];
${site-cfg.build-user} = mkIf
(any (build-host: build-host == config.instance.hostname)
(attrNames site-cfg.build-servers)) {
isSystemUser = true;
openssh.authorizedKeys.keys =
concatMap (hostOpts: hostOpts.build-pubkeys)
(attrValues site-hosts);
};
};
networking.firewall.allowedTCPPorts =
mkIf site-cfg.enable-ssh-backdoor [ site-cfg.dropbear-ssh-port ];
systemd = mkIf site-cfg.enable-ssh-backdoor {
sockets = {
dropbear-deploy = {
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = "0.0.0.0:${toString site-cfg.dropbear-ssh-port}";
Accept = true;
};
unitConfig = { restartIfChanged = true; };
};
};
services = {
dropbear-deploy-init = {
wantedBy = [ "multi-user.target" ];
script = ''
if [ ! -d /etc/dropbear ]; then
mkdir /etc/dropbear
chmod 700 /etc/dropbear
fi
if [ ! -f ${site-cfg.dropbear-rsa-key-path} ]; then
${pkgs.dropbear}/bin/dropbearkey -t rsa -f ${site-cfg.dropbear-rsa-key-path}
${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-rsa-key-path}
fi
if [ ! -f ${site-cfg.dropbear-ecdsa-key-path} ]; then
${pkgs.dropbear}/bin/dropbearkey -t ecdsa -f ${site-cfg.dropbear-ecdsa-key-path}
${pkgs.coreutils}/bin/chmod 0400 ${site-cfg.dropbear-ecdsa-key-path}
fi
'';
};
"dropbear-deploy@" = {
description =
"Per-connection service for deployment, using dropbear.";
requires = [ "dropbear-deploy-init.service" ];
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
ExecStart =
"${pkgs.dropbear}/bin/dropbear -F -i -w -m -j -k -r ${site-cfg.dropbear-rsa-key-path} -r ${site-cfg.dropbear-ecdsa-key-path}";
ExecReload = "${pkgs.utillinux}/bin/kill -HUP $MAINPID";
StandardInput = "socket";
};
};
};
};
};
} }

34
lib/fudo/users-common.nix Normal file
View File

@ -0,0 +1,34 @@
# Common home-manager config
{ config, lib, pkgs, ... }:
with lib;
let
sys = import ../system.nix { inherit lib config; };
list-contains = lst: item: any (i: i == item) lst;
domain-realm = domain: domainOpts: domainOpts.gssapi-realm;
user-realms = username:
mapAttrsToList domain-realm
(filterAttrs (domain: domainOpts: list-contains domainOpts.local-users username)
config.fudo.domains);
user-principals = username:
map (realm: "${username}@${realm}") (user-realms username);
user-k5login = username: userOpts: let
principals = userOpts.k5login ++ (user-principals username);
in ''
${concatStringsSep "\n" principals}
'';
user-config = username: userOpts: {
home.file.".k5login" = {
source = pkgs.writeText "${username}-k5login" (user-k5login username userOpts);
};
};
in {
config.home-manager.users = mapAttrs user-config sys.local-users;
}

73
lib/fudo/users.nix
View File

@ -150,28 +150,13 @@ in {
}; };
}; };
imports = [
./users-common.nix
];
config = let config = let
local-host = config.instance.hostname; sys = import ../system.nix { inherit lib config; };
local-domain = config.fudo.hosts.${local-host}.domain;
local-site = config.fudo.hosts.${local-host}.site;
host-user-list = config.fudo.hosts."${local-host}".local-users;
domain-user-list = config.fudo.domains."${local-domain}".local-users;
local-users =
getAttrs (host-user-list ++ domain-user-list) config.fudo.users;
host-admin-list = config.fudo.hosts."${local-host}".local-admins;
domain-admin-list = config.fudo.domains."${local-domain}".local-admins;
site-admin-list = config.fudo.sites."${local-site}".local-admins;
local-admins = host-admin-list ++ domain-admin-list ++ site-admin-list;
host-group-list = config.fudo.hosts."${local-host}".local-groups;
domain-group-list = config.fudo.domains."${local-domain}".local-groups;
site-group-list = config.fudo.sites."${local-site}".local-groups;
local-groups =
getAttrs (host-group-list ++ domain-group-list ++ site-group-list)
config.fudo.groups;
in { in {
fudo.auth.ldap-server = let fudo.auth.ldap-server = let
ldapUsers = (filterAttrs ldapUsers = (filterAttrs
@ -211,29 +196,39 @@ in {
"/home/${userOpts.primary-group}/${username}"; "/home/${userOpts.primary-group}/${username}";
hashedPassword = userOpts.login-hashed-passwd; hashedPassword = userOpts.login-hashed-passwd;
openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys; openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys;
}) local-users; }) sys.local-users;
groups = (mapAttrs (groupname: groupOpts: { groups = (mapAttrs (groupname: groupOpts: {
gid = groupOpts.gid; gid = groupOpts.gid;
members = filterExistingUsers local-users groupOpts.members; members = filterExistingUsers sys.local-users groupOpts.members;
}) local-groups) // { }) sys.local-groups) // {
wheel = { members = local-admins; }; wheel = { members = sys.local-admins; };
}; };
}; };
home-manager.users = let home-manager = {
home-manager-users = useGlobalPkgs = true;
filterAttrs (username: userOpts: userOpts.home-manager-config != null)
local-users; users = let
common-user-config = username: { home-manager-users =
home.file.".k5login" = { filterAttrs (username: userOpts: userOpts.home-manager-config != null)
source = pkgs.writeText "${username}-k5login" '' sys.local-users;
${concatStringsSep "\n" config.fudo.users.${username}.k5login} in mapAttrs (username: userOpts: userOpts.home-manager-config) home-manager-users;
'';
}; # users = let
}; # home-manager-users =
in mapAttrs (username: userOpts: # filterAttrs (username: userOpts: userOpts.home-manager-config != null)
userOpts.home-manager-config // (common-user-config username)) # local-users;
home-manager-users; # common-user-config = username: {
# home.file.".k5login" = {
# source = pkgs.writeText "${username}-k5login" ''
# ${concatStringsSep "\n" config.fudo.users.${username}.k5login}
# '';
# };
# };
# in mapAttrs (username: userOpts:
# userOpts.home-manager-config // (common-user-config username))
# home-manager-users;
};
}; };
} }

31
lib/system.nix Normal file
View File

@ -0,0 +1,31 @@
{ config, lib, ... }:
with lib;
let
local-host = config.instance.hostname;
local-domain = config.fudo.hosts.${local-host}.domain;
local-site = config.fudo.hosts.${local-host}.site;
host-user-list = config.fudo.hosts."${local-host}".local-users;
domain-user-list = config.fudo.domains."${local-domain}".local-users;
site-user-list = config.fudo.sites."${local-site}".local-users;
local-users =
getAttrs (host-user-list ++ domain-user-list ++ site-user-list) config.fudo.users;
host-admin-list = config.fudo.hosts."${local-host}".local-admins;
domain-admin-list = config.fudo.domains."${local-domain}".local-admins;
site-admin-list = config.fudo.sites."${local-site}".local-admins;
local-admins = host-admin-list ++ domain-admin-list ++ site-admin-list;
host-group-list = config.fudo.hosts."${local-host}".local-groups;
domain-group-list = config.fudo.domains."${local-domain}".local-groups;
site-group-list = config.fudo.sites."${local-site}".local-groups;
local-groups =
getAttrs (host-group-list ++ domain-group-list ++ site-group-list)
config.fudo.groups;
in {
local-users = local-users;
local-admins = local-admins;
local-groups = local-groups;
}

2
nixops/lib/hosts.nix
View File

@ -14,7 +14,7 @@ let
initialize = import ../../initialize.nix; initialize = import ../../initialize.nix;
# This is a problem...it creates a second source of truth. # This is a problem...it creates a second source of truth.
host-config = ip: config: host-config = ip: port: config:
{ ... }: { { ... }: {
imports = [ imports = [
(initialize { (initialize {

15
nixops/seattle.nix
View File

@ -1,18 +1,25 @@
let let
deploy-port = 2112;
nixos-version = "20.09"; nixos-version = "20.09";
hosts = import ./lib/hosts.nix { inherit nix-version; }; hosts = import ./lib/hosts.nix { inherit nixos-version; };
seattle-host = ip: hostname: profile: seattle-host = ip: hostname: profile:
let let
site = "seattle"; site = "seattle";
domain = "sea.fudo.org"; domain = "sea.fudo.org";
in hosts.host-config ip { inherit hostname profile domain site; }; in hosts.host-config ip deploy-port {
inherit hostname profile domain site;
};
in { in {
network.description = "Seattle home network."; network.description = "Seattle home network.";
nostromo = seattle-host "10.0.0.1" "nostromo" "server"; liminia = seattle-host "10.0.0.1" "limina" "server";
lambda = seattle-host "10.0.0.3" "lambda" "server"; plato = seattle-host "10.0.0.21" "plato" "server";
spark = seattle-host "10.0.0.108" "spark" "desktop"; spark = seattle-host "10.0.0.108" "spark" "desktop";
zbox = seattle-host "10.0.0.110" "zbox" "desktop"; zbox = seattle-host "10.0.0.110" "zbox" "desktop";
#nostromo = seattle-host "10.0.0.1" "nostromo" "server";
#lambda = seattle-host "10.0.0.3" "lambda" "server";
} }

6
packages/default.nix
View File

@ -161,5 +161,11 @@ in {
}; };
vanilla-forum = import ./vanilla-forum.nix { pkgs = pkgs; }; vanilla-forum = import ./vanilla-forum.nix { pkgs = pkgs; };
openttd-data = pkgs.fetchgit {
url = "https://git.fudo.org/fudo-public/openttd-data.git";
rev = "5b7dd0ca9014e642e1f2d0aa3154b5da869911d3";
sha256 = "061k0f0jgm5k81djslb172xk0wkis0m878izgisyj2qgg3wf1awh";
};
}; };
} }

3
packages/hll2380dw-cups.nix
View File

@ -22,12 +22,13 @@ stdenv.mkDerivation rec {
coreutils ghostscript gnugrep gnused coreutils ghostscript gnugrep gnused
]} ]}
mkdir -p $out/lib/cups/filter/ mkdir -p $out/lib/cups/filter/
ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother_lpdwrapper_HLL2380W \ ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother_lpdwrapper_HLL2380DW \
$out/lib/cups/filter/brother_lpdwrapper_HLL2380DW $out/lib/cups/filter/brother_lpdwrapper_HLL2380DW
ln -s $out/opt/brother/Printers/HLL2380DW/paperconfigml1 \ ln -s $out/opt/brother/Printers/HLL2380DW/paperconfigml1 \
$out/lib/cups/filter/ $out/lib/cups/filter/
mkdir -p $out/share/cups/model mkdir -p $out/share/cups/model
ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother-HLL2380DW-cups-en.ppd $out/share/cups/model/ ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother-HLL2380DW-cups-en.ppd $out/share/cups/model/
touch $out/HI
''; '';
meta = with stdenv.lib; { meta = with stdenv.lib; {