Working system flake builds, attempt to integrate into nixops
This commit is contained in:
parent
fbd190bd4a
commit
4168027ac2
@ -1,19 +1,23 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking = {
|
||||
useDHCP = false;
|
||||
config = {
|
||||
boot.isContainer = true;
|
||||
|
||||
macvlans = {
|
||||
extif0 = {
|
||||
interface = "eno2";
|
||||
mode = "bridge";
|
||||
networking = {
|
||||
useDHCP = false;
|
||||
|
||||
macvlans = {
|
||||
extif0 = {
|
||||
interface = "eno2";
|
||||
mode = "bridge";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
interfaces = {
|
||||
extif0.macAddress =
|
||||
pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
|
||||
interfaces = {
|
||||
extif0.macAddress =
|
||||
pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -1,5 +1,7 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
config = {
|
||||
boot.isContainer = true;
|
||||
};
|
||||
}
|
||||
|
@ -2,6 +2,8 @@
|
||||
|
||||
with lib;
|
||||
let
|
||||
hostname = "clunk";
|
||||
|
||||
primary-ip = "10.0.0.1";
|
||||
|
||||
dns-proxy-port = 5335;
|
||||
@ -12,47 +14,8 @@ let
|
||||
site = config.fudo.site.${site-name};
|
||||
|
||||
in {
|
||||
system = {
|
||||
# # DO force all DNS traffic to use the local server
|
||||
# activationScripts.force-local-dns = let
|
||||
# wifi-ip =
|
||||
# config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
|
||||
# in ''
|
||||
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
|
||||
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
|
||||
# '';
|
||||
};
|
||||
|
||||
environment.systemPackages = host-packages;
|
||||
|
||||
fudo.local-network = let
|
||||
host-config = config.fudo.hosts.${config.instance.hostname};
|
||||
site-name = host-config.site;
|
||||
site = config.fudo.sites.${site-name};
|
||||
domain-name = host-config.domain;
|
||||
domain = config.fudo.domains.${domain-name};
|
||||
|
||||
in {
|
||||
enable = true;
|
||||
# NOTE: requests go:
|
||||
# - local bind instance
|
||||
# - pi-hole
|
||||
# - DoH resolver
|
||||
domain = domain-name;
|
||||
dns-servers = [ primary-ip ];
|
||||
gateway = primary-ip;
|
||||
dhcp-interfaces = [ "intif0" ];
|
||||
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
|
||||
recursive-resolver = "${primary-ip} port 5353";
|
||||
network = site.network;
|
||||
dhcp-dynamic-network = site.dynamic-network;
|
||||
search-domains = [ "selby.ca" ];
|
||||
enable-reverse-mappings = true;
|
||||
network-definition = config.fudo.networks."rus.selby.ca";
|
||||
};
|
||||
|
||||
fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
|
||||
|
||||
networking = {
|
||||
interfaces = {
|
||||
enp1s0.useDHCP = true;
|
||||
@ -83,19 +46,54 @@ in {
|
||||
};
|
||||
|
||||
fudo = {
|
||||
|
||||
secrets.host-secrets.${hostname} = let
|
||||
files = config.fudo.secrets.files;
|
||||
in {
|
||||
heimdal-master-key = {
|
||||
source-file = files.realm-master-keys."RUS.SELBY.CA";
|
||||
target-file = "/run/heimdal/master-key";
|
||||
user = config.fudo.auth.kdc.user;
|
||||
};
|
||||
};
|
||||
|
||||
local-network = let
|
||||
host-config = config.fudo.hosts.${config.instance.hostname};
|
||||
site-name = host-config.site;
|
||||
site = config.fudo.sites.${site-name};
|
||||
domain-name = host-config.domain;
|
||||
domain = config.fudo.domains.${domain-name};
|
||||
|
||||
in {
|
||||
enable = true;
|
||||
# NOTE: requests go:
|
||||
# - local bind instance
|
||||
# - pi-hole
|
||||
# - DoH resolver
|
||||
domain = domain-name;
|
||||
dns-servers = [ primary-ip ];
|
||||
gateway = primary-ip;
|
||||
dhcp-interfaces = [ "intif0" ];
|
||||
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
|
||||
recursive-resolver = "${primary-ip} port 5353";
|
||||
network = site.network;
|
||||
dhcp-dynamic-network = site.dynamic-network;
|
||||
search-domains = [ "selby.ca" ];
|
||||
enable-reverse-mappings = true;
|
||||
network-definition = config.fudo.networks."rus.selby.ca";
|
||||
};
|
||||
|
||||
hosts.clunk.external-interfaces = [ "enp1s0" ];
|
||||
|
||||
garbage-collector = {
|
||||
enable = true;
|
||||
timing = "weekly";
|
||||
};
|
||||
|
||||
auth.kdc = {
|
||||
enable = true;
|
||||
realm = "RUS.SELBY.CA";
|
||||
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
|
||||
acl = {
|
||||
"niten" = { perms = [ "add" "change-password" "list" ]; };
|
||||
"*/root" = { perms = [ "all" ]; };
|
||||
};
|
||||
master-key-file =
|
||||
secrets.heimdal-master-key.target-file;
|
||||
state-directory = "/state/kerberos";
|
||||
};
|
||||
|
||||
secure-dns-proxy = {
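Review bot: In the `auth.kdc.acl` block, `"*/root" = { perms = [ "all" ]; };` makes every principal with a `root` instance a full administrator, while `"niten"` holds `add`; if Heimdal's `add` right is not restricted by a target pattern here, that account can create a `<name>/root` principal and so obtain `all`, which means the two entries together amount to full admin for `niten`. Either replace the wildcard with explicit principals or document the intent with a comment such as `# NOTE: any */root principal is a full KDC admin; keep the "add" right scoped accordingly`. Separately, `bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];` repeats the value of `primary-ip` as a literal; `bind-addresses = [ primary-ip "127.0.0.1" "::1" ];` keeps it in step with `dns-servers` and `gateway`. `master-key-file = secrets.heimdal-master-key.target-file;` relies on a `secrets` binding that is not visible in the `let` shown for this file; if it is not bound there, evaluation fails with an undefined variable. The enclosing `fudo = { … }` attribute set continues past the end of the hunk.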
|
||||
|
@ -24,16 +24,16 @@ let
|
||||
};
|
||||
|
||||
in {
|
||||
imports = let
|
||||
is-regular-file = filename: type: type == "regular" || type == "link";
|
||||
regular-files = path:
|
||||
attrNames (filterAttrs is-regular-file (builtins.readDir path));
|
||||
is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
|
||||
nix-files = path:
|
||||
map
|
||||
(file: path + "/${file}")
|
||||
(filter is-nix-file (regular-files path));
|
||||
in nix-files ./france;
|
||||
# imports = let
|
||||
# is-regular-file = filename: type: type == "regular" || type == "link";
|
||||
# regular-files = path:
|
||||
# attrNames (filterAttrs is-regular-file (builtins.readDir path));
|
||||
# is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
|
||||
# nix-files = path:
|
||||
# map
|
||||
# (file: path + "/${file}")
|
||||
# (filter is-nix-file (regular-files path));
|
||||
# in nix-files ./france;
|
||||
|
||||
config = {
|
||||
security.acme.email = "admin@fudo.org";
|
||||
@ -136,100 +136,99 @@ in {
|
||||
};
|
||||
|
||||
client.dns = {
|
||||
enable = true;
|
||||
ipv4 = true;
|
||||
ipv6 = true;
|
||||
user = "fudo-client";
|
||||
external-interface = "extif0";
|
||||
};
|
||||
|
||||
france = {
|
||||
ldap = let
|
||||
cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
|
||||
chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
|
||||
in {
|
||||
ssl-certificate = cert-copy.certificate;
|
||||
ssl-private-key = cert-copy.private-key;
|
||||
ssl-ca-certificate = chain;
|
||||
keytab = secrets.ldap-keytab.target-file;
|
||||
root-password-file = secrets.ldap-root-passwd.target-file;
|
||||
};
|
||||
# france = {
|
||||
# ldap = let
|
||||
# cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
|
||||
# chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
|
||||
# in {
|
||||
# ssl-certificate = cert-copy.certificate;
|
||||
# ssl-private-key = cert-copy.private-key;
|
||||
# ssl-ca-certificate = chain;
|
||||
# keytab = secrets.ldap-keytab.target-file;
|
||||
# root-password-file = secrets.ldap-root-passwd.target-file;
|
||||
# };
|
||||
|
||||
kdc = {
|
||||
state-directory = "/state/kerberos";
|
||||
master-key-file = secret-files.realm-master-keys."FUDO.ORG";
|
||||
listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
|
||||
};
|
||||
# kdc = {
|
||||
# state-directory = "/state/kerberos";
|
||||
# master-key-file = secret-files.realm-master-keys."FUDO.ORG";
|
||||
# listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
|
||||
# };
|
||||
|
||||
jabber = {
|
||||
ldap-servers = [ "france.fudo.org" ];
|
||||
listen-ips = [ primary-ip ];
|
||||
# jabber = {
|
||||
# ldap-servers = [ "france.fudo.org" ];
|
||||
# listen-ips = [ primary-ip ];
|
||||
|
||||
backplane = {
|
||||
host-passwd-files = let
|
||||
hosts = attrNames config.fudo.hosts;
|
||||
in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
|
||||
config.fudo.hosts;
|
||||
service-passwd-files = {
|
||||
dns = backplane-dns-password-file;
|
||||
};
|
||||
};
|
||||
};
|
||||
# backplane = {
|
||||
# host-passwd-files = let
|
||||
# hosts = attrNames config.fudo.hosts;
|
||||
# in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
|
||||
# config.fudo.hosts;
|
||||
# service-passwd-files = {
|
||||
# dns = backplane-dns-password-file;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
backplane-server = {
|
||||
listen-ips = [ primary-ip ];
|
||||
backplane-dns-password-file =
|
||||
secrets.backplane-dns-password.target-file;
|
||||
};
|
||||
# backplane-server = {
|
||||
# listen-ips = [ primary-ip ];
|
||||
# backplane-dns-password-file =
|
||||
# secrets.backplane-dns-password.target-file;
|
||||
# };
|
||||
|
||||
mail = {
|
||||
mail-directory = "${mail-directory}/mailboxes";
|
||||
state-directory = "${mail-directory}/var";
|
||||
ldap-server-urls = [
|
||||
"ldap://france.fudo.org"
|
||||
];
|
||||
};
|
||||
# mail = {
|
||||
# mail-directory = "${mail-directory}/mailboxes";
|
||||
# state-directory = "${mail-directory}/var";
|
||||
# ldap-server-urls = [
|
||||
# "ldap://france.fudo.org"
|
||||
# ];
|
||||
# };
|
||||
|
||||
webmail = {
|
||||
mail-server = mail-hostname;
|
||||
database.hostname = "localhost";
|
||||
};
|
||||
# webmail = {
|
||||
# mail-server = mail-hostname;
|
||||
# database.hostname = "localhost";
|
||||
# };
|
||||
|
||||
git = {
|
||||
repository-directory = "/state/gitea/repo";
|
||||
state-directory = "/state/gitea/state";
|
||||
ssh.listen-ip = git-server-ip;
|
||||
database-host = "localhost";
|
||||
};
|
||||
# git = {
|
||||
# repository-directory = "/state/gitea/repo";
|
||||
# state-directory = "/state/gitea/state";
|
||||
# ssh.listen-ip = git-server-ip;
|
||||
# database-host = "localhost";
|
||||
# };
|
||||
|
||||
postgresql = let
|
||||
cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
|
||||
in {
|
||||
keytab = secrets.postgres-keytab.target-file;
|
||||
ssl-certificate = cert-copy.certificate;
|
||||
ssl-private-key = cert-copy.private-key;
|
||||
};
|
||||
# postgresql = let
|
||||
# cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
|
||||
# in {
|
||||
# keytab = secrets.postgres-keytab.target-file;
|
||||
# ssl-certificate = cert-copy.certificate;
|
||||
# ssl-private-key = cert-copy.private-key;
|
||||
# };
|
||||
|
||||
dns = {
|
||||
default-host = primary-ip;
|
||||
listen-ip = primary-ip;
|
||||
mail-hosts = [ "mail.fudo.org" ];
|
||||
};
|
||||
# dns = {
|
||||
# default-host = primary-ip;
|
||||
# listen-ip = primary-ip;
|
||||
# mail-hosts = [ "mail.fudo.org" ];
|
||||
# };
|
||||
|
||||
chat = {
|
||||
chat-hostname = "chat.fudo.org";
|
||||
mail-server = "mail.fudo.org";
|
||||
database-host = "localhost";
|
||||
};
|
||||
};
|
||||
# chat = {
|
||||
# chat-hostname = "chat.fudo.org";
|
||||
# mail-server = "mail.fudo.org";
|
||||
# database-host = "localhost";
|
||||
# };
|
||||
# };
|
||||
|
||||
minecraft-server = {
|
||||
enable = true;
|
||||
package = pkgs.minecraft-current;
|
||||
data-dir = "/state/minecraft/selbyland";
|
||||
world-name = "selbyland";
|
||||
motd = "Welcome to the Selby Minecraft server.";
|
||||
};
|
||||
# minecraft-server = {
|
||||
# enable = true;
|
||||
# package = pkgs.minecraft-current;
|
||||
# data-dir = "/state/minecraft/selbyland";
|
||||
# world-name = "selbyland";
|
||||
# motd = "Welcome to the Selby Minecraft server.";
|
||||
# };
|
||||
};
|
||||
|
||||
networking = {
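Review bot: The `imports = let … in nix-files ./france;` expression and the entire `france = { … }` service block are commented out rather than removed, with no note on why or under what condition they come back, so a reader cannot tell whether LDAP, the KDC, mail, git and the other services are intentionally off on this host. A one-line comment above `# imports = let`, e.g. `# TEMP: france services disabled while the flake build is integrated into nixops; re-enable once <condition>`, or a plain deletion (git keeps the history) would make the intent explicit. If the block is reinstated, two latent issues are worth fixing at the same time: `is-regular-file` accepts `type == "link"` but `builtins.readDir` reports symbolic links as `"symlink"`, so symlinked `.nix` files are silently skipped, and `"^(.+)\.nix$"` in a Nix double-quoted string drops the backslash, leaving a regex whose `.` matches any character; `"^(.+)\\.nix$"` is the intended pattern. The `config = { … }` set that starts at `config = {` continues past the end of the hunk.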
|
||||
|
@ -68,7 +68,6 @@
|
||||
network = "10.0.0.0/16";
|
||||
dynamic-network = "10.0.1.0/24";
|
||||
timezone = "America/Winnipeg";
|
||||
gateway-host = "clunk";
|
||||
mail-server = "mail.fudo.org";
|
||||
};
|
||||
|
||||
|
16
flake.lock
generated
16
flake.lock
generated
@ -236,7 +236,7 @@
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"narHash": "sha256-7Yl9CqBD8dahWQvJJEKrvqUMLDYkoLTApNP7BzqGGpg=",
|
||||
"narHash": "sha256-TpFI+nD+c9JXhKKDBgIHJhIfveTScBD6gotTPt8tvg4=",
|
||||
"path": "/state/nixops/fudo-home",
|
||||
"type": "path"
|
||||
},
|
||||
@ -286,11 +286,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1633291410,
|
||||
"narHash": "sha256-IxUzCGwj+s2Rn/+u0NtY36ix5I8MopMOO8Ip59PnBlw=",
|
||||
"lastModified": 1637019201,
|
||||
"narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "382505714d10c6791a96712e0554587c75c5bf8b",
|
||||
"rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -315,11 +315,11 @@
|
||||
"niten-doom-config": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1628274414,
|
||||
"narHash": "sha256-EIGqjTHcYnjVXceY1tpjaYxNmORh8NNiL2FVWCI5sBo=",
|
||||
"lastModified": 1633712607,
|
||||
"narHash": "sha256-6PAw7Xvoj4JROeTqK1nhT2zv7bPpiQlm9t7H5HQ0f2k=",
|
||||
"ref": "master",
|
||||
"rev": "0ab1532c856ccdb6ce46c5948054279f439eb1f2",
|
||||
"revCount": 34,
|
||||
"rev": "0a4f8ce4121ba3d64d29b0d52733c08febfb83d8",
|
||||
"revCount": 35,
|
||||
"type": "git",
|
||||
"url": "https://git.fudo.org/niten/doom-emacs.git"
|
||||
},
|
||||
|
@ -38,8 +38,6 @@
|
||||
site = hostOpts.site;
|
||||
domain = hostOpts.domain;
|
||||
profile = hostOpts.profile;
|
||||
build-seed =
|
||||
builtins.readFile fudo-secrets.build-seed;
|
||||
in nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
|
||||
@ -56,10 +54,12 @@
|
||||
(config-path + /profile-config/${profile}.nix)
|
||||
(config-path + /domain-config/${domain}.nix)
|
||||
(config-path + /site-config/${site}.nix)
|
||||
({ ... }: {
|
||||
({ config, ... }: {
|
||||
config = {
|
||||
instance = {
|
||||
inherit hostname build-timestamp build-seed;
|
||||
inherit hostname build-timestamp;
|
||||
build-seed = builtins.readFile
|
||||
config.fudo.secrets.files.build-seed;
|
||||
};
|
||||
|
||||
nixpkgs.pkgs = pkgs-for system;
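Review bot: `build-seed = builtins.readFile config.fudo.secrets.files.build-seed;` reads the seed at evaluation time inside the module, so its value becomes part of the evaluated configuration; any expression that later interpolates `config.instance.build-seed` into a derivation copies it into the world-readable Nix store. The earlier `let`-bound version shared that property, but now that the read sits next to the `instance` definition a comment would help, e.g. `# seed is read at eval time: never interpolate it into a derivation or a store path`. `config.fudo.secrets.files.build-seed` is itself an option of the module set being evaluated, so a definition of that option that in turn depends on `config.instance` would produce infinite recursion; this cannot be confirmed from the hunk. The `({ config, ... }: { config = { … } })` module continues past the end of the hunk.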
|
||||
|
@ -1,30 +1,31 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.fudo.backplane;
|
||||
|
||||
backplane-server = cfg.backplane-host;
|
||||
|
||||
generate-auth-file = name: files: let
|
||||
make-entry = name: passwd-file:
|
||||
''("${name}" . "${readFile passwd-file}")'';
|
||||
entries = mapAttrsToList make-entry files;
|
||||
content = concatStringsSep "\n" entries;
|
||||
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
|
||||
|
||||
host-auth-file = generate-auth-file "host"
|
||||
(mapAttrs (hostname: hostOpts: hostOpts.password-file)
|
||||
cfg.client-hosts);
|
||||
|
||||
service-auth-file = generate-auth-file "service"
|
||||
(mapAttrs (service: serviceOpts: serviceOpts.password-file)
|
||||
cfg.services);
|
||||
|
||||
in {
|
||||
{
|
||||
config = mkIf config.fudo.jabber.enable {
|
||||
fudo = let
|
||||
cfg = config.fudo.backplane;
|
||||
|
||||
fudo = {
|
||||
hostname = config.instance.hostname;
|
||||
|
||||
backplane-server = cfg.backplane-host;
|
||||
|
||||
generate-auth-file = name: files: let
|
||||
make-entry = name: passwd-file:
|
||||
''("${name}" . "${readFile passwd-file}")'';
|
||||
entries = mapAttrsToList make-entry files;
|
||||
content = concatStringsSep "\n" entries;
|
||||
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
|
||||
|
||||
host-auth-file = generate-auth-file "host"
|
||||
(mapAttrs (hostname: hostOpts: hostOpts.password-file)
|
||||
cfg.client-hosts);
|
||||
|
||||
service-auth-file = generate-auth-file "service"
|
||||
(mapAttrs (service: serviceOpts: serviceOpts.password-file)
|
||||
cfg.services);
|
||||
|
||||
in {
|
||||
secrets.host-secrets.${hostname} = {
|
||||
backplane-host-auth = {
|
||||
source-file = host-auth-file;
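Review bot: `config = mkIf config.fudo.jabber.enable {` gates the backplane auth files on the jabber service rather than on the backplane itself; this reads like a copy from the jabber module, and since `cfg` is only bound inside the `fudo = let cfg = config.fudo.backplane; …` that follows, the condition would presumably be `config = mkIf config.fudo.backplane.enable {` or whichever backplane switch the option set defines (not visible here). Independently, `generate-auth-file` builds the file with `pkgs.writeText` from `readFile passwd-file`, so the plaintext host and service passwords are written into the Nix store, which is world-readable, and the `secrets.host-secrets` copy taken from `source-file = host-auth-file;` does not remove the store copy. Generating the auth file at activation time from the password files (an activation script writing to the target path with restricted ownership and mode) keeps the secrets out of the store; at minimum a comment such as `# WARNING: writeText places these passwords in /nix/store` should sit above `generate-auth-file`. The `config = mkIf … {` block and the `secrets.host-secrets.${hostname}` set continue past the end of the hunk.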
|
||||
|