Working system flake builds, attempt to integrate into nixops

2021-11-18 09:51:41 -08:00 · 2021-11-18 09:51:41 -08:00 · 4168027ac2
commit 4168027ac2
parent fbd190bd4a
8 changed files with 182 additions and 179 deletions
--- a/config/hardware/cashew.nix
+++ b/config/hardware/cashew.nix
@ -1,19 +1,23 @@
 { config, lib, pkgs, ... }:

 {
-  networking = {
-    useDHCP = false;
+  config = {
+    boot.isContainer = true;

-    macvlans = {
-      extif0 = {
-        interface = "eno2";
-        mode = "bridge";
+    networking = {
+      useDHCP = false;
+
+      macvlans = {
+        extif0 = {
+          interface = "eno2";
+          mode = "bridge";
+        };
      };
-    };

-    interfaces = {
-      extif0.macAddress =
-        pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
+      interfaces = {
+        extif0.macAddress =
+          pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
+      };
    };
  };
 }
--- a/config/hardware/mail-container.nix
+++ b/config/hardware/mail-container.nix
@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:

 {
-
+  config = {
+    boot.isContainer = true;
+  };
 }
--- a/config/host-config/clunk.nix
+++ b/config/host-config/clunk.nix
@ -2,6 +2,8 @@

 with lib;
 let
+  hostname = "clunk";
+
  primary-ip = "10.0.0.1";

  dns-proxy-port = 5335;
@ -12,47 +14,8 @@ let
  site = config.fudo.site.${site-name};

 in {
-  system = {
-    # # DO force all DNS traffic to use the local server
-    # activationScripts.force-local-dns = let
-    #   wifi-ip =
-    #     config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
-    # in ''
-    #   ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
-    #   ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
-    # '';
-  };
-
  environment.systemPackages = host-packages;

-  fudo.local-network = let
-    host-config = config.fudo.hosts.${config.instance.hostname};
-    site-name = host-config.site;
-    site = config.fudo.sites.${site-name};
-    domain-name = host-config.domain;
-    domain = config.fudo.domains.${domain-name};
-
-  in {
-    enable = true;
-    # NOTE: requests go:
-    #  - local bind instance
-    #  - pi-hole
-    #  - DoH resolver
-    domain = domain-name;
-    dns-servers = [ primary-ip ];
-    gateway = primary-ip;
-    dhcp-interfaces = [ "intif0" ];
-    dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
-    recursive-resolver = "${primary-ip} port 5353";
-    network = site.network;
-    dhcp-dynamic-network = site.dynamic-network;
-    search-domains = [ "selby.ca" ];
-    enable-reverse-mappings = true;
-    network-definition = config.fudo.networks."rus.selby.ca";
-  };
-
-  fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
-
  networking = {
    interfaces = {
      enp1s0.useDHCP = true;
@ -83,19 +46,54 @@ in {
  };

  fudo = {
+
+    secrets.host-secrets.${hostname} = let
+      files = config.fudo.secrets.files;
+    in {
+      heimdal-master-key = {
+        source-file = files.realm-master-keys."RUS.SELBY.CA";
+        target-file = "/run/heimdal/master-key";
+        user = config.fudo.auth.kdc.user;
+      };
+    };
+
+    local-network = let
+      host-config = config.fudo.hosts.${config.instance.hostname};
+      site-name = host-config.site;
+      site = config.fudo.sites.${site-name};
+      domain-name = host-config.domain;
+      domain = config.fudo.domains.${domain-name};
+
+    in {
+      enable = true;
+      # NOTE: requests go:
+      #  - local bind instance
+      #  - pi-hole
+      #  - DoH resolver
+      domain = domain-name;
+      dns-servers = [ primary-ip ];
+      gateway = primary-ip;
+      dhcp-interfaces = [ "intif0" ];
+      dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
+      recursive-resolver = "${primary-ip} port 5353";
+      network = site.network;
+      dhcp-dynamic-network = site.dynamic-network;
+      search-domains = [ "selby.ca" ];
+      enable-reverse-mappings = true;
+      network-definition = config.fudo.networks."rus.selby.ca";
+    };
+
+    hosts.clunk.external-interfaces = [ "enp1s0" ];
+
    garbage-collector = {
      enable = true;
      timing = "weekly";
    };

    auth.kdc = {
-      enable = true;
-      realm = "RUS.SELBY.CA";
-      bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
-      acl = {
-        "niten" = { perms = [ "add" "change-password" "list" ]; };
-        "*/root" = { perms = [ "all" ]; };
-      };
+      master-key-file =
+        secrets.heimdal-master-key.target-file;
+      state-directory = "/state/kerberos";
    };

    secure-dns-proxy = {
--- a/config/host-config/france.nix
+++ b/config/host-config/france.nix
@ -24,16 +24,16 @@ let
  };

 in {
-  imports = let
-    is-regular-file = filename: type: type == "regular" || type == "link";
-    regular-files = path:
-      attrNames (filterAttrs is-regular-file (builtins.readDir path));
-    is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
-    nix-files = path:
-      map
-        (file: path + "/${file}")
-        (filter is-nix-file (regular-files path));
-  in nix-files ./france;
+  # imports = let
+  #   is-regular-file = filename: type: type == "regular" || type == "link";
+  #   regular-files = path:
+  #     attrNames (filterAttrs is-regular-file (builtins.readDir path));
+  #   is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
+  #   nix-files = path:
+  #     map
+  #       (file: path + "/${file}")
+  #       (filter is-nix-file (regular-files path));
+  # in nix-files ./france;

  config = {
    security.acme.email = "admin@fudo.org";
@ -136,100 +136,99 @@ in {
      };

      client.dns = {
-        enable = true;
        ipv4 = true;
        ipv6 = true;
        user = "fudo-client";
        external-interface = "extif0";
      };

-      france = {
-        ldap = let
-          cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
-          chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
-        in {
-          ssl-certificate = cert-copy.certificate;
-          ssl-private-key = cert-copy.private-key;
-          ssl-ca-certificate = chain;
-          keytab = secrets.ldap-keytab.target-file;
-          root-password-file = secrets.ldap-root-passwd.target-file;
-        };
+    #   france = {
+    #     ldap = let
+    #       cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
+    #       chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
+    #     in {
+    #       ssl-certificate = cert-copy.certificate;
+    #       ssl-private-key = cert-copy.private-key;
+    #       ssl-ca-certificate = chain;
+    #       keytab = secrets.ldap-keytab.target-file;
+    #       root-password-file = secrets.ldap-root-passwd.target-file;
+    #     };

-        kdc = {
-          state-directory = "/state/kerberos";
-          master-key-file = secret-files.realm-master-keys."FUDO.ORG";
-          listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
-        };
+    #     kdc = {
+    #       state-directory = "/state/kerberos";
+    #       master-key-file = secret-files.realm-master-keys."FUDO.ORG";
+    #       listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
+    #     };

-        jabber = {
-          ldap-servers = [ "france.fudo.org" ];
-          listen-ips = [ primary-ip ];
+    #     jabber = {
+    #       ldap-servers = [ "france.fudo.org" ];
+    #       listen-ips = [ primary-ip ];

-          backplane = {
-            host-passwd-files = let
-              hosts = attrNames config.fudo.hosts;
-            in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
-              config.fudo.hosts;
-            service-passwd-files = {
-              dns = backplane-dns-password-file;
-            };
-          };
-        };
+    #       backplane = {
+    #         host-passwd-files = let
+    #           hosts = attrNames config.fudo.hosts;
+    #         in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
+    #           config.fudo.hosts;
+    #         service-passwd-files = {
+    #           dns = backplane-dns-password-file;
+    #         };
+    #       };
+    #     };

-        backplane-server = {
-          listen-ips = [ primary-ip ];
-          backplane-dns-password-file =
-            secrets.backplane-dns-password.target-file;
-        };
+    #     backplane-server = {
+    #       listen-ips = [ primary-ip ];
+    #       backplane-dns-password-file =
+    #         secrets.backplane-dns-password.target-file;
+    #     };

-        mail = {
-          mail-directory = "${mail-directory}/mailboxes";
-          state-directory = "${mail-directory}/var";
-          ldap-server-urls = [
-            "ldap://france.fudo.org"
-          ];
-        };
+    #     mail = {
+    #       mail-directory = "${mail-directory}/mailboxes";
+    #       state-directory = "${mail-directory}/var";
+    #       ldap-server-urls = [
+    #         "ldap://france.fudo.org"
+    #       ];
+    #     };

-        webmail = {
-          mail-server = mail-hostname;
-          database.hostname = "localhost";
-        };
+    #     webmail = {
+    #       mail-server = mail-hostname;
+    #       database.hostname = "localhost";
+    #     };

-        git = {
-          repository-directory = "/state/gitea/repo";
-          state-directory = "/state/gitea/state";
-          ssh.listen-ip = git-server-ip;
-          database-host = "localhost";
-        };
+    #     git = {
+    #       repository-directory = "/state/gitea/repo";
+    #       state-directory = "/state/gitea/state";
+    #       ssh.listen-ip = git-server-ip;
+    #       database-host = "localhost";
+    #     };

-        postgresql = let
-          cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
-        in {
-          keytab = secrets.postgres-keytab.target-file;
-          ssl-certificate = cert-copy.certificate;
-          ssl-private-key = cert-copy.private-key;
-        };
+    #     postgresql = let
+    #       cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
+    #     in {
+    #       keytab = secrets.postgres-keytab.target-file;
+    #       ssl-certificate = cert-copy.certificate;
+    #       ssl-private-key = cert-copy.private-key;
+    #     };

-        dns = {
-          default-host = primary-ip;
-          listen-ip = primary-ip;
-          mail-hosts = [ "mail.fudo.org" ];
-        };
+    #     dns = {
+    #       default-host = primary-ip;
+    #       listen-ip = primary-ip;
+    #       mail-hosts = [ "mail.fudo.org" ];
+    #     };

-        chat = {
-          chat-hostname = "chat.fudo.org";
-          mail-server = "mail.fudo.org";
-          database-host = "localhost";
-        };
-      };
+    #     chat = {
+    #       chat-hostname = "chat.fudo.org";
+    #       mail-server = "mail.fudo.org";
+    #       database-host = "localhost";
+    #     };
+    #   };

-      minecraft-server = {
-        enable = true;
-        package = pkgs.minecraft-current;
-        data-dir = "/state/minecraft/selbyland";
-        world-name = "selbyland";
-        motd = "Welcome to the Selby Minecraft server.";
-      };
+    #   minecraft-server = {
+    #     enable = true;
+    #     package = pkgs.minecraft-current;
+    #     data-dir = "/state/minecraft/selbyland";
+    #     world-name = "selbyland";
+    #     motd = "Welcome to the Selby Minecraft server.";
+    #   };
    };

    networking = {
--- a/config/sites.nix
+++ b/config/sites.nix
@ -68,7 +68,6 @@
      network = "10.0.0.0/16";
      dynamic-network = "10.0.1.0/24";
      timezone = "America/Winnipeg";
-      gateway-host = "clunk";
      mail-server = "mail.fudo.org";
    };

--- a/flake.lock
+++ b/flake.lock
@ -236,7 +236,7 @@
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "narHash": "sha256-7Yl9CqBD8dahWQvJJEKrvqUMLDYkoLTApNP7BzqGGpg=",
+        "narHash": "sha256-TpFI+nD+c9JXhKKDBgIHJhIfveTScBD6gotTPt8tvg4=",
        "path": "/state/nixops/fudo-home",
        "type": "path"
      },
@ -286,11 +286,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1633291410,
-        "narHash": "sha256-IxUzCGwj+s2Rn/+u0NtY36ix5I8MopMOO8Ip59PnBlw=",
+        "lastModified": 1637019201,
+        "narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "382505714d10c6791a96712e0554587c75c5bf8b",
+        "rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1",
        "type": "github"
      },
      "original": {
@ -315,11 +315,11 @@
    "niten-doom-config": {
      "flake": false,
      "locked": {
-        "lastModified": 1628274414,
-        "narHash": "sha256-EIGqjTHcYnjVXceY1tpjaYxNmORh8NNiL2FVWCI5sBo=",
+        "lastModified": 1633712607,
+        "narHash": "sha256-6PAw7Xvoj4JROeTqK1nhT2zv7bPpiQlm9t7H5HQ0f2k=",
        "ref": "master",
-        "rev": "0ab1532c856ccdb6ce46c5948054279f439eb1f2",
-        "revCount": 34,
+        "rev": "0a4f8ce4121ba3d64d29b0d52733c08febfb83d8",
+        "revCount": 35,
        "type": "git",
        "url": "https://git.fudo.org/niten/doom-emacs.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -38,8 +38,6 @@
      site = hostOpts.site;
      domain = hostOpts.domain;
      profile = hostOpts.profile;
-      build-seed =
-        builtins.readFile fudo-secrets.build-seed;
    in nixpkgs.lib.nixosSystem {
      inherit system;

@ -56,10 +54,12 @@
        (config-path + /profile-config/${profile}.nix)
        (config-path + /domain-config/${domain}.nix)
        (config-path + /site-config/${site}.nix)
-        ({ ... }: {
+        ({ config, ... }: {
          config = {
            instance = {
-              inherit hostname build-timestamp build-seed;
+              inherit hostname build-timestamp;
+              build-seed = builtins.readFile
+                config.fudo.secrets.files.build-seed;
            };

            nixpkgs.pkgs = pkgs-for system;
--- a/lib/fudo/backplane/jabber.nix
+++ b/lib/fudo/backplane/jabber.nix
@ -1,30 +1,31 @@
 { config, lib, pkgs, ... }:

 with lib;
-let
-  cfg = config.fudo.backplane;
-
-  backplane-server = cfg.backplane-host;
-
-  generate-auth-file = name: files: let
-    make-entry = name: passwd-file:
-      ''("${name}" . "${readFile passwd-file}")'';
-    entries = mapAttrsToList make-entry files;
-    content = concatStringsSep "\n" entries;
-  in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
-
-  host-auth-file = generate-auth-file "host"
-    (mapAttrs (hostname: hostOpts: hostOpts.password-file)
-      cfg.client-hosts);
-
-  service-auth-file = generate-auth-file "service"
-    (mapAttrs (service: serviceOpts: serviceOpts.password-file)
-      cfg.services);
-
-in {
+{
  config = mkIf config.fudo.jabber.enable {
+    fudo = let
+      cfg = config.fudo.backplane;

-    fudo = {
+      hostname = config.instance.hostname;
+
+      backplane-server = cfg.backplane-host;
+
+      generate-auth-file = name: files: let
+        make-entry = name: passwd-file:
+          ''("${name}" . "${readFile passwd-file}")'';
+        entries = mapAttrsToList make-entry files;
+        content = concatStringsSep "\n" entries;
+      in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
+
+      host-auth-file = generate-auth-file "host"
+        (mapAttrs (hostname: hostOpts: hostOpts.password-file)
+          cfg.client-hosts);
+
+      service-auth-file = generate-auth-file "service"
+        (mapAttrs (service: serviceOpts: serviceOpts.password-file)
+          cfg.services);
+
+    in {
      secrets.host-secrets.${hostname} = {
        backplane-host-auth = {
          source-file = host-auth-file;