Working system flake builds, attempt to integrate into nixops

This commit is contained in:
niten 2021-11-18 09:51:41 -08:00
parent fbd190bd4a
commit 4168027ac2
8 changed files with 182 additions and 179 deletions


@ -1,19 +1,23 @@
{ config, lib, pkgs, ... }:
{
networking = {
useDHCP = false;
config = {
boot.isContainer = true;
macvlans = {
extif0 = {
interface = "eno2";
mode = "bridge";
networking = {
useDHCP = false;
macvlans = {
extif0 = {
interface = "eno2";
mode = "bridge";
};
};
};
interfaces = {
extif0.macAddress =
pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
interfaces = {
extif0.macAddress =
pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
};
};
};
}


@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
{
config = {
boot.isContainer = true;
};
}


@ -2,6 +2,8 @@
with lib;
let
hostname = "clunk";
primary-ip = "10.0.0.1";
dns-proxy-port = 5335;
@ -12,47 +14,8 @@ let
site = config.fudo.site.${site-name};
in {
system = {
# # DO force all DNS traffic to use the local server
# activationScripts.force-local-dns = let
# wifi-ip =
# config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
# in ''
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# '';
};
environment.systemPackages = host-packages;
fudo.local-network = let
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
in {
enable = true;
# NOTE: requests go:
# - local bind instance
# - pi-hole
# - DoH resolver
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ "selby.ca" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks."rus.selby.ca";
};
fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
networking = {
interfaces = {
enp1s0.useDHCP = true;
@ -83,19 +46,54 @@ in {
};
fudo = {
secrets.host-secrets.${hostname} = let
files = config.fudo.secrets.files;
in {
heimdal-master-key = {
source-file = files.realm-master-keys."RUS.SELBY.CA";
target-file = "/run/heimdal/master-key";
user = config.fudo.auth.kdc.user;
};
};
local-network = let
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
in {
enable = true;
# NOTE: requests go:
# - local bind instance
# - pi-hole
# - DoH resolver
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ "selby.ca" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks."rus.selby.ca";
};
hosts.clunk.external-interfaces = [ "enp1s0" ];
garbage-collector = {
enable = true;
timing = "weekly";
};
auth.kdc = {
enable = true;
realm = "RUS.SELBY.CA";
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
acl = {
"niten" = { perms = [ "add" "change-password" "list" ]; };
"*/root" = { perms = [ "all" ]; };
};
master-key-file =
secrets.heimdal-master-key.target-file;
state-directory = "/state/kerberos";
};
secure-dns-proxy = {
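Review bot: `bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ]` in the new `auth.kdc` block hard-codes the address that the `let` block already names as `primary-ip` (the value used for `dns-servers`, `gateway` and `dns-listen-ips` a few lines above), so a later change to `primary-ip` would silently leave the KDC bound to the old address; prefer `bind-addresses = [ primary-ip "127.0.0.1" "::1" ];`. `master-key-file = secrets.heimdal-master-key.target-file` cannot refer to the `secrets.host-secrets` attribute defined two levels up in the same set (the attrset is not `rec`), so it must resolve to a `secrets` binding in the enclosing `let`, which lies outside this hunk — worth confirming it exists and points at this host's `host-secrets`, or evaluation fails with an undefined variable. The ACL entry `"*/root" = { perms = [ "all" ]; }` grants full kadmin rights to every `/root` instance in the realm; if that is intended, a one-line comment such as `# any */root instance is a full realm admin` would save the next reader from wondering.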


@ -24,16 +24,16 @@ let
};
in {
imports = let
is-regular-file = filename: type: type == "regular" || type == "link";
regular-files = path:
attrNames (filterAttrs is-regular-file (builtins.readDir path));
is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
nix-files = path:
map
(file: path + "/${file}")
(filter is-nix-file (regular-files path));
in nix-files ./france;
# imports = let
# is-regular-file = filename: type: type == "regular" || type == "link";
# regular-files = path:
# attrNames (filterAttrs is-regular-file (builtins.readDir path));
# is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
# nix-files = path:
# map
# (file: path + "/${file}")
# (filter is-nix-file (regular-files path));
# in nix-files ./france;
config = {
security.acme.email = "admin@fudo.org";
@ -136,100 +136,99 @@ in {
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
};
france = {
ldap = let
cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
in {
ssl-certificate = cert-copy.certificate;
ssl-private-key = cert-copy.private-key;
ssl-ca-certificate = chain;
keytab = secrets.ldap-keytab.target-file;
root-password-file = secrets.ldap-root-passwd.target-file;
};
# france = {
# ldap = let
# cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
# chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
# in {
# ssl-certificate = cert-copy.certificate;
# ssl-private-key = cert-copy.private-key;
# ssl-ca-certificate = chain;
# keytab = secrets.ldap-keytab.target-file;
# root-password-file = secrets.ldap-root-passwd.target-file;
# };
kdc = {
state-directory = "/state/kerberos";
master-key-file = secret-files.realm-master-keys."FUDO.ORG";
listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
};
# kdc = {
# state-directory = "/state/kerberos";
# master-key-file = secret-files.realm-master-keys."FUDO.ORG";
# listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
# };
jabber = {
ldap-servers = [ "france.fudo.org" ];
listen-ips = [ primary-ip ];
# jabber = {
# ldap-servers = [ "france.fudo.org" ];
# listen-ips = [ primary-ip ];
backplane = {
host-passwd-files = let
hosts = attrNames config.fudo.hosts;
in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
config.fudo.hosts;
service-passwd-files = {
dns = backplane-dns-password-file;
};
};
};
# backplane = {
# host-passwd-files = let
# hosts = attrNames config.fudo.hosts;
# in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
# config.fudo.hosts;
# service-passwd-files = {
# dns = backplane-dns-password-file;
# };
# };
# };
backplane-server = {
listen-ips = [ primary-ip ];
backplane-dns-password-file =
secrets.backplane-dns-password.target-file;
};
# backplane-server = {
# listen-ips = [ primary-ip ];
# backplane-dns-password-file =
# secrets.backplane-dns-password.target-file;
# };
mail = {
mail-directory = "${mail-directory}/mailboxes";
state-directory = "${mail-directory}/var";
ldap-server-urls = [
"ldap://france.fudo.org"
];
};
# mail = {
# mail-directory = "${mail-directory}/mailboxes";
# state-directory = "${mail-directory}/var";
# ldap-server-urls = [
# "ldap://france.fudo.org"
# ];
# };
webmail = {
mail-server = mail-hostname;
database.hostname = "localhost";
};
# webmail = {
# mail-server = mail-hostname;
# database.hostname = "localhost";
# };
git = {
repository-directory = "/state/gitea/repo";
state-directory = "/state/gitea/state";
ssh.listen-ip = git-server-ip;
database-host = "localhost";
};
# git = {
# repository-directory = "/state/gitea/repo";
# state-directory = "/state/gitea/state";
# ssh.listen-ip = git-server-ip;
# database-host = "localhost";
# };
postgresql = let
cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
in {
keytab = secrets.postgres-keytab.target-file;
ssl-certificate = cert-copy.certificate;
ssl-private-key = cert-copy.private-key;
};
# postgresql = let
# cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
# in {
# keytab = secrets.postgres-keytab.target-file;
# ssl-certificate = cert-copy.certificate;
# ssl-private-key = cert-copy.private-key;
# };
dns = {
default-host = primary-ip;
listen-ip = primary-ip;
mail-hosts = [ "mail.fudo.org" ];
};
# dns = {
# default-host = primary-ip;
# listen-ip = primary-ip;
# mail-hosts = [ "mail.fudo.org" ];
# };
chat = {
chat-hostname = "chat.fudo.org";
mail-server = "mail.fudo.org";
database-host = "localhost";
};
};
# chat = {
# chat-hostname = "chat.fudo.org";
# mail-server = "mail.fudo.org";
# database-host = "localhost";
# };
# };
minecraft-server = {
enable = true;
package = pkgs.minecraft-current;
data-dir = "/state/minecraft/selbyland";
world-name = "selbyland";
motd = "Welcome to the Selby Minecraft server.";
};
# minecraft-server = {
# enable = true;
# package = pkgs.minecraft-current;
# data-dir = "/state/minecraft/selbyland";
# world-name = "selbyland";
# motd = "Welcome to the Selby Minecraft server.";
# };
};
networking = {
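Review bot: Commenting out the `imports` block and the whole `france = { … }` and `minecraft-server` sets, instead of deleting them, leaves roughly ninety lines of dead configuration that git history already preserves; if this is a temporary disable while the flake build is wired into nixops, a short comment stating the reason and the re-enable condition (`# france.* disabled until the flake-based build replaces the nixops deployment; re-enable together with the ./france imports`) would make the intent clear, and otherwise removing the lines is cleaner. Should the `imports` block be revived, two latent issues in it are worth fixing at the same time: `builtins.readDir` reports symlinks as `"symlink"`, so the `type == "link"` test in `is-regular-file` never matches, and in a Nix double-quoted string `"^(.+)\.nix$"` the `\.` is not a regex escape, so use `"^(.+)\\.nix$"` to match a literal dot. Disabling `france.ldap`, `france.kdc` and `france.postgresql` also drops the TLS certificate and keytab wiring shown in the removed lines, so it is worth checking that no other module on this host still expects those services to be enabled.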


@ -68,7 +68,6 @@
network = "10.0.0.0/16";
dynamic-network = "10.0.1.0/24";
timezone = "America/Winnipeg";
gateway-host = "clunk";
mail-server = "mail.fudo.org";
};

16
flake.lock generated

@ -236,7 +236,7 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"narHash": "sha256-7Yl9CqBD8dahWQvJJEKrvqUMLDYkoLTApNP7BzqGGpg=",
"narHash": "sha256-TpFI+nD+c9JXhKKDBgIHJhIfveTScBD6gotTPt8tvg4=",
"path": "/state/nixops/fudo-home",
"type": "path"
},
@ -286,11 +286,11 @@
]
},
"locked": {
"lastModified": 1633291410,
"narHash": "sha256-IxUzCGwj+s2Rn/+u0NtY36ix5I8MopMOO8Ip59PnBlw=",
"lastModified": 1637019201,
"narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "382505714d10c6791a96712e0554587c75c5bf8b",
"rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1",
"type": "github"
},
"original": {
@ -315,11 +315,11 @@
"niten-doom-config": {
"flake": false,
"locked": {
"lastModified": 1628274414,
"narHash": "sha256-EIGqjTHcYnjVXceY1tpjaYxNmORh8NNiL2FVWCI5sBo=",
"lastModified": 1633712607,
"narHash": "sha256-6PAw7Xvoj4JROeTqK1nhT2zv7bPpiQlm9t7H5HQ0f2k=",
"ref": "master",
"rev": "0ab1532c856ccdb6ce46c5948054279f439eb1f2",
"revCount": 34,
"rev": "0a4f8ce4121ba3d64d29b0d52733c08febfb83d8",
"revCount": 35,
"type": "git",
"url": "https://git.fudo.org/niten/doom-emacs.git"
},


@ -38,8 +38,6 @@
site = hostOpts.site;
domain = hostOpts.domain;
profile = hostOpts.profile;
build-seed =
builtins.readFile fudo-secrets.build-seed;
in nixpkgs.lib.nixosSystem {
inherit system;
@ -56,10 +54,12 @@
(config-path + /profile-config/${profile}.nix)
(config-path + /domain-config/${domain}.nix)
(config-path + /site-config/${site}.nix)
({ ... }: {
({ config, ... }: {
config = {
instance = {
inherit hostname build-timestamp build-seed;
inherit hostname build-timestamp;
build-seed = builtins.readFile
config.fudo.secrets.files.build-seed;
};
nixpkgs.pkgs = pkgs-for system;
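Review bot: `build-seed = builtins.readFile config.fudo.secrets.files.build-seed` still pulls the seed's contents into the evaluation as a plain string, so whatever consumes `config.instance.build-seed` carries that value into a derivation and hence into the world-readable Nix store; moving the read from `fudo-secrets.build-seed` into the module does not change that, and under a flake's pure evaluation a `readFile` of a path outside the flake tree is likely to be rejected as well. If the seed is meant to stay secret, pass the path instead (`build-seed-file = config.fudo.secrets.files.build-seed;`) and read it at activation time; if it is only a non-secret per-build perturbation, a comment such as `# build-seed is not secret; it only varies per-build derivation hashes` would settle the question. Because the read now happens inside `config.instance`, any `fudo.secrets` option that itself depends on `instance.*` would produce infinite recursion — the module definitions are outside this hunk, so that is worth a quick check.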


@ -1,30 +1,31 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.backplane;
backplane-server = cfg.backplane-host;
generate-auth-file = name: files: let
make-entry = name: passwd-file:
''("${name}" . "${readFile passwd-file}")'';
entries = mapAttrsToList make-entry files;
content = concatStringsSep "\n" entries;
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
host-auth-file = generate-auth-file "host"
(mapAttrs (hostname: hostOpts: hostOpts.password-file)
cfg.client-hosts);
service-auth-file = generate-auth-file "service"
(mapAttrs (service: serviceOpts: serviceOpts.password-file)
cfg.services);
in {
{
config = mkIf config.fudo.jabber.enable {
fudo = let
cfg = config.fudo.backplane;
fudo = {
hostname = config.instance.hostname;
backplane-server = cfg.backplane-host;
generate-auth-file = name: files: let
make-entry = name: passwd-file:
''("${name}" . "${readFile passwd-file}")'';
entries = mapAttrsToList make-entry files;
content = concatStringsSep "\n" entries;
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
host-auth-file = generate-auth-file "host"
(mapAttrs (hostname: hostOpts: hostOpts.password-file)
cfg.client-hosts);
service-auth-file = generate-auth-file "service"
(mapAttrs (service: serviceOpts: serviceOpts.password-file)
cfg.services);
in {
secrets.host-secrets.${hostname} = {
backplane-host-auth = {
source-file = host-auth-file;