From 4168027ac234de6f8c2cc29c888b44c2897cef58 Mon Sep 17 00:00:00 2001 From: niten Date: Thu, 18 Nov 2021 09:51:41 -0800 Subject: [PATCH] Working system flake builds, attempt to integrate into nixops --- config/hardware/cashew.nix | 24 ++-- config/hardware/mail-container.nix | 4 +- config/host-config/clunk.nix | 90 ++++++++------- config/host-config/france.nix | 173 ++++++++++++++--------------- config/sites.nix | 1 - flake.lock | 16 +-- flake.nix | 8 +- lib/fudo/backplane/jabber.nix | 45 ++++---- 8 files changed, 182 insertions(+), 179 deletions(-) diff --git a/config/hardware/cashew.nix b/config/hardware/cashew.nix index 1e0aaa9..f8a271d 100644 --- a/config/hardware/cashew.nix +++ b/config/hardware/cashew.nix @@ -1,19 +1,23 @@ { config, lib, pkgs, ... }: { - networking = { - useDHCP = false; + config = { + boot.isContainer = true; - macvlans = { - extif0 = { - interface = "eno2"; - mode = "bridge"; + networking = { + useDHCP = false; + + macvlans = { + extif0 = { + interface = "eno2"; + mode = "bridge"; + }; }; - }; - interfaces = { - extif0.macAddress = - pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0"; + interfaces = { + extif0.macAddress = + pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0"; + }; }; }; } diff --git a/config/hardware/mail-container.nix b/config/hardware/mail-container.nix index 865d469..091058e 100644 --- a/config/hardware/mail-container.nix +++ b/config/hardware/mail-container.nix @@ -1,5 +1,7 @@ { config, lib, pkgs, ... }: { - + config = { + boot.isContainer = true; + }; } diff --git a/config/host-config/clunk.nix b/config/host-config/clunk.nix index 61fc3ce..f70ade7 100644 --- a/config/host-config/clunk.nix +++ b/config/host-config/clunk.nix @@ -2,6 +2,8 @@ with lib; let + hostname = "clunk"; + primary-ip = "10.0.0.1"; dns-proxy-port = 5335; 
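Review bot: extif0 is given only a generated `macAddress` while `useDHCP = false`, so nothing in cashew.nix (the hunk covers the whole file) assigns the interface an address; unless a module outside this file sets `networking.interfaces.extif0.ipv4.addresses` or enables DHCP for it, the container comes up with an unaddressed uplink. Presumably the address comes from the host or site config — confirm, and say so on the block, e.g. `# extif0's address is assigned by the host-config module, not here`. The new `boot.isContainer = true;` here and in mail-container.nix is undocumented in what is nominally a hardware file; a one-line comment such as `# built as a NixOS container (see boot.isContainer)` on both would help a reader expecting kernel or bootloader settings.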
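Review bot: `hostname = "clunk";` hard-codes the host name while the same file derives it from `config.instance.hostname` for `local-network` in the third clunk hunk (`host-config = config.fudo.hosts.${config.instance.hostname}`); the two can drift, and `secrets.host-secrets.${hostname}` would then be keyed under a different host than the rest of the configuration. Prefer `hostname = config.instance.hostname;` here, which is also what jabber.nix does in this commit. The `let` block continues outside the hunk.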
@@ -12,47 +14,8 @@ let site = config.fudo.site.${site-name}; in { - system = { - # # DO force all DNS traffic to use the local server - # activationScripts.force-local-dns = let - # wifi-ip = - # config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address; - # in '' - # ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53 - # ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53 - # ''; - }; - environment.systemPackages = host-packages; - fudo.local-network = let - host-config = config.fudo.hosts.${config.instance.hostname}; - site-name = host-config.site; - site = config.fudo.sites.${site-name}; - domain-name = host-config.domain; - domain = config.fudo.domains.${domain-name}; - - in { - enable = true; - # NOTE: requests go: - # - local bind instance - # - pi-hole - # - DoH resolver - domain = domain-name; - dns-servers = [ primary-ip ]; - gateway = primary-ip; - dhcp-interfaces = [ "intif0" ]; - dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; - recursive-resolver = "${primary-ip} port 5353"; - network = site.network; - dhcp-dynamic-network = site.dynamic-network; - search-domains = [ "selby.ca" ]; - enable-reverse-mappings = true; - network-definition = config.fudo.networks."rus.selby.ca"; - }; - - fudo.hosts.clunk.external-interfaces = [ "enp1s0" ]; - networking = { interfaces = { enp1s0.useDHCP = true; 
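Review bot: `environment.systemPackages = host-packages;` is removed here but, unlike the `fudo.local-network` and `fudo.hosts.clunk` blocks, it is not re-added in the following clunk hunk, so the host loses its package set and the `host-packages` binding in the `let` (outside this hunk) becomes dead. If the drop is intentional, remove that binding as well; otherwise restore `environment.systemPackages = host-packages;` next to `networking`. Deleting the commented-out `activationScripts.force-local-dns` block along with the `system` attrset is fine, but it was the only record of the intent to DNAT port-53 traffic to the local resolver; if that is still wanted, a one-line `# TODO: force all outbound DNS to the local resolver` in `local-network` keeps the intent without the dead code.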
@@ -83,19 +46,54 @@ in { }; fudo = { + + secrets.host-secrets.${hostname} = let + files = config.fudo.secrets.files; + in { + heimdal-master-key = { + source-file = files.realm-master-keys."RUS.SELBY.CA"; + target-file = "/run/heimdal/master-key"; + user = config.fudo.auth.kdc.user; + }; + }; + + local-network = let + host-config = config.fudo.hosts.${config.instance.hostname}; + site-name = host-config.site; + site = config.fudo.sites.${site-name}; + domain-name = host-config.domain; + domain = config.fudo.domains.${domain-name}; + + in { + enable = true; + # NOTE: requests go: + # - local bind instance + # - pi-hole + # - DoH resolver + domain = domain-name; + dns-servers = [ primary-ip ]; + gateway = primary-ip; + dhcp-interfaces = [ "intif0" ]; + dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; + recursive-resolver = "${primary-ip} port 5353"; + network = site.network; + dhcp-dynamic-network = site.dynamic-network; + search-domains = [ "selby.ca" ]; + enable-reverse-mappings = true; + network-definition = config.fudo.networks."rus.selby.ca"; + }; + + hosts.clunk.external-interfaces = [ "enp1s0" ]; + garbage-collector = { enable = true; timing = "weekly"; }; auth.kdc = { - enable = true; - realm = "RUS.SELBY.CA"; - bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ]; - acl = { - "niten" = { perms = [ "add" "change-password" "list" ]; }; - "*/root" = { perms = [ "all" ]; }; - }; + master-key-file = + secrets.heimdal-master-key.target-file; + state-directory = "/state/kerberos"; }; secure-dns-proxy = { diff --git a/config/host-config/france.nix b/config/host-config/france.nix index 356f2e3..7dd17eb 100644 --- a/config/host-config/france.nix +++ b/config/host-config/france.nix 
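Review bot: the rewritten `auth.kdc` block drops `enable = true;`, `realm`, `bind-addresses` and the `acl` without this commit adding them anywhere visible; unless the kdc module now defaults them or a profile/domain module supplies them, the KDC is either not started or started with the module's default ACL, which is a silent change in who may administer the realm. If they moved to a shared module, a comment such as `# realm, bind-addresses and acl are set in <domain/profile module>` on the block makes that explicit. Separately, `secrets.heimdal-master-key.target-file` relies on a `secrets` binding that appears neither in this hunk's `let` nor in the part of the top-level `let` shown in the first hunk; presumably it is `config.fudo.secrets.host-secrets.${hostname}` bound further up — confirm, since an unbound name fails evaluation of the whole host. The `fudo` attrset continues outside the hunk.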
@@ -24,16 +24,16 @@ let }; in { - imports = let - is-regular-file = filename: type: type == "regular" || type == "link"; - regular-files = path: - attrNames (filterAttrs is-regular-file (builtins.readDir path)); - is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null; - nix-files = path: - map - (file: path + "/${file}") - (filter is-nix-file (regular-files path)); - in nix-files ./france; + # imports = let + # is-regular-file = filename: type: type == "regular" || type == "link"; + # regular-files = path: + # attrNames (filterAttrs is-regular-file (builtins.readDir path)); + # is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null; + # nix-files = path: + # map + # (file: path + "/${file}") + # (filter is-nix-file (regular-files path)); + # in nix-files ./france; config = { security.acme.email = "admin@fudo.org"; 
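Review bot: the `imports = let ... in nix-files ./france;` block is commented out rather than removed, and nothing says why or whether the modules under ./france are still expected to load, so a reader cannot tell if this is temporary. Either delete the ten lines (git keeps them) or replace them with a one-line reason, e.g. `# ./france/*.nix is not imported: <reason or tracking note>`. If the block is re-enabled later, note that `builtins.match "^(.+)\.nix$"` writes `\.` inside a plain Nix string, where the backslash is dropped rather than passed to the regex, so the pattern matches any character before `nix`; `"^(.+)\\.nix$"` matches a literal dot.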
@@ -136,100 +136,99 @@ in { }; client.dns = { - enable = true; ipv4 = true; ipv6 = true; user = "fudo-client"; external-interface = "extif0"; }; - france = { - ldap = let - cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap; - chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}"; - in { - ssl-certificate = cert-copy.certificate; - ssl-private-key = cert-copy.private-key; - ssl-ca-certificate = chain; - keytab = secrets.ldap-keytab.target-file; - root-password-file = secrets.ldap-root-passwd.target-file; - }; + # france = { + # ldap = let + # cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap; + # chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}"; + # in { + # ssl-certificate = cert-copy.certificate; + # ssl-private-key = cert-copy.private-key; + # ssl-ca-certificate = chain; + # keytab = secrets.ldap-keytab.target-file; + # root-password-file = secrets.ldap-root-passwd.target-file; + # }; - kdc = { - state-directory = "/state/kerberos"; - master-key-file = secret-files.realm-master-keys."FUDO.ORG"; - listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; - }; + # kdc = { + # state-directory = "/state/kerberos"; + # master-key-file = secret-files.realm-master-keys."FUDO.ORG"; + # listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; + # }; - jabber = { - ldap-servers = [ "france.fudo.org" ]; - listen-ips = [ primary-ip ]; + # jabber = { + # ldap-servers = [ "france.fudo.org" ]; + # listen-ips = [ primary-ip ]; - backplane = { - host-passwd-files = let - hosts = attrNames config.fudo.hosts; - in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file) - config.fudo.hosts; - service-passwd-files = { - dns = backplane-dns-password-file; - }; - }; - }; + # backplane = { + # host-passwd-files = let + # hosts = attrNames config.fudo.hosts; + # in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file) + # config.fudo.hosts; + # 
service-passwd-files = { + # dns = backplane-dns-password-file; + # }; + # }; + # }; - backplane-server = { - listen-ips = [ primary-ip ]; - backplane-dns-password-file = - secrets.backplane-dns-password.target-file; - }; + # backplane-server = { + # listen-ips = [ primary-ip ]; + # backplane-dns-password-file = + # secrets.backplane-dns-password.target-file; + # }; - mail = { - mail-directory = "${mail-directory}/mailboxes"; - state-directory = "${mail-directory}/var"; - ldap-server-urls = [ - "ldap://france.fudo.org" - ]; - }; + # mail = { + # mail-directory = "${mail-directory}/mailboxes"; + # state-directory = "${mail-directory}/var"; + # ldap-server-urls = [ + # "ldap://france.fudo.org" + # ]; + # }; - webmail = { - mail-server = mail-hostname; - database.hostname = "localhost"; - }; + # webmail = { + # mail-server = mail-hostname; + # database.hostname = "localhost"; + # }; - git = { - repository-directory = "/state/gitea/repo"; - state-directory = "/state/gitea/state"; - ssh.listen-ip = git-server-ip; - database-host = "localhost"; - }; + # git = { + # repository-directory = "/state/gitea/repo"; + # state-directory = "/state/gitea/state"; + # ssh.listen-ip = git-server-ip; + # database-host = "localhost"; + # }; - postgresql = let - cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres; - in { - keytab = secrets.postgres-keytab.target-file; - ssl-certificate = cert-copy.certificate; - ssl-private-key = cert-copy.private-key; - }; + # postgresql = let + # cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres; + # in { + # keytab = secrets.postgres-keytab.target-file; + # ssl-certificate = cert-copy.certificate; + # ssl-private-key = cert-copy.private-key; + # }; - dns = { - default-host = primary-ip; - listen-ip = primary-ip; - mail-hosts = [ "mail.fudo.org" ]; - }; + # dns = { + # default-host = primary-ip; + # listen-ip = primary-ip; + # mail-hosts = [ "mail.fudo.org" ]; + # }; - chat = { 
- chat-hostname = "chat.fudo.org"; - mail-server = "mail.fudo.org"; - database-host = "localhost"; - }; - }; + # chat = { + # chat-hostname = "chat.fudo.org"; + # mail-server = "mail.fudo.org"; + # database-host = "localhost"; + # }; + # }; - minecraft-server = { - enable = true; - package = pkgs.minecraft-current; - data-dir = "/state/minecraft/selbyland"; - world-name = "selbyland"; - motd = "Welcome to the Selby Minecraft server."; - }; + # minecraft-server = { + # enable = true; + # package = pkgs.minecraft-current; + # data-dir = "/state/minecraft/selbyland"; + # world-name = "selbyland"; + # motd = "Welcome to the Selby Minecraft server."; + # }; }; networking = { diff --git a/config/sites.nix b/config/sites.nix index c821cee..7af42cf 100644 --- a/config/sites.nix +++ b/config/sites.nix @@ -68,7 +68,6 @@ network = "10.0.0.0/16"; dynamic-network = "10.0.1.0/24"; timezone = "America/Winnipeg"; - gateway-host = "clunk"; mail-server = "mail.fudo.org"; }; diff --git a/flake.lock b/flake.lock index dc0b9ea..237dca0 100644 --- a/flake.lock +++ b/flake.lock @@ -236,7 +236,7 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "narHash": "sha256-7Yl9CqBD8dahWQvJJEKrvqUMLDYkoLTApNP7BzqGGpg=", + "narHash": "sha256-TpFI+nD+c9JXhKKDBgIHJhIfveTScBD6gotTPt8tvg4=", "path": "/state/nixops/fudo-home", "type": "path" }, @@ -286,11 +286,11 @@ ] }, "locked": { - "lastModified": 1633291410, - "narHash": "sha256-IxUzCGwj+s2Rn/+u0NtY36ix5I8MopMOO8Ip59PnBlw=", + "lastModified": 1637019201, + "narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=", "owner": "nix-community", "repo": "home-manager", - "rev": "382505714d10c6791a96712e0554587c75c5bf8b", + "rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1", "type": "github" }, "original": { 
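Review bot: `client.dns` loses `enable = true;` on the new side while the rest of the block (`ipv4`, `ipv6`, `user`, `external-interface`) is kept, which reads like an accidental drop rather than a deliberate disable; unless the option defaults to true or is set elsewhere, the host no longer runs its DNS client. Either restore `enable = true;` or comment the whole block out with the others. The commented-out `france = { ... }` and `minecraft-server` blocks are roughly a hundred lines of dead configuration that still reference secret and certificate wiring (`secrets.ldap-root-passwd`, `secret-files.realm-master-keys."FUDO.ORG"`, the ACME local copies); prefer deleting them and leaving a one-line pointer to the commit, so the file shows only the services actually configured. The enclosing `config = {` attrset starts outside this hunk.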
@@ -315,11 +315,11 @@ "niten-doom-config": { "flake": false, "locked": { - "lastModified": 1628274414, - "narHash": "sha256-EIGqjTHcYnjVXceY1tpjaYxNmORh8NNiL2FVWCI5sBo=", + "lastModified": 1633712607, + "narHash": "sha256-6PAw7Xvoj4JROeTqK1nhT2zv7bPpiQlm9t7H5HQ0f2k=", "ref": "master", - "rev": "0ab1532c856ccdb6ce46c5948054279f439eb1f2", - "revCount": 34, + "rev": "0a4f8ce4121ba3d64d29b0d52733c08febfb83d8", + "revCount": 35, "type": "git", "url": "https://git.fudo.org/niten/doom-emacs.git" }, diff --git a/flake.nix b/flake.nix index 0bc5796..5610d09 100644 --- a/flake.nix +++ b/flake.nix @@ -38,8 +38,6 @@ site = hostOpts.site; domain = hostOpts.domain; profile = hostOpts.profile; - build-seed = - builtins.readFile fudo-secrets.build-seed; in nixpkgs.lib.nixosSystem { inherit system; @@ -56,10 +54,12 @@ (config-path + /profile-config/${profile}.nix) (config-path + /domain-config/${domain}.nix) (config-path + /site-config/${site}.nix) - ({ ... }: { + ({ config, ... }: { config = { instance = { - inherit hostname build-timestamp build-seed; + inherit hostname build-timestamp; + build-seed = builtins.readFile + config.fudo.secrets.files.build-seed; }; nixpkgs.pkgs = pkgs-for system; diff --git a/lib/fudo/backplane/jabber.nix b/lib/fudo/backplane/jabber.nix index d3bac4f..8f6e988 100644 --- a/lib/fudo/backplane/jabber.nix +++ b/lib/fudo/backplane/jabber.nix 
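Review bot: `build-seed = builtins.readFile config.fudo.secrets.files.build-seed;` reads the seed into the evaluator at evaluation time, as the removed `let` binding did, so whatever consumes `config.instance.build-seed` decides whether the value lands in a derivation and therefore in the world-readable Nix store or a binary cache; the consumer is outside this diff, so confirm the value is never interpolated into a store path, or pass the path and let the consumer read it at activation or run time. A short comment on the line, e.g. `# read at eval time: must not be interpolated into any derivation`, would carry that constraint. With the old binding gone, `fudo-secrets` in the outer `let` (outside these hunks) may now be unused in flake.nix and is worth checking. Both hunks sit inside the `nixosSystem` call, which starts before the first hunk and ends after the second.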
@@ -1,30 +1,31 @@ { config, lib, pkgs, ... }: with lib; -let - cfg = config.fudo.backplane; - - backplane-server = cfg.backplane-host; - - generate-auth-file = name: files: let - make-entry = name: passwd-file: - ''("${name}" . "${readFile passwd-file}")''; - entries = mapAttrsToList make-entry files; - content = concatStringsSep "\n" entries; - in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})"; - - host-auth-file = generate-auth-file "host" - (mapAttrs (hostname: hostOpts: hostOpts.password-file) - cfg.client-hosts); - - service-auth-file = generate-auth-file "service" - (mapAttrs (service: serviceOpts: serviceOpts.password-file) - cfg.services); - -in { +{ config = mkIf config.fudo.jabber.enable { + fudo = let + cfg = config.fudo.backplane; - fudo = { + hostname = config.instance.hostname; + + backplane-server = cfg.backplane-host; + + generate-auth-file = name: files: let + make-entry = name: passwd-file: + ''("${name}" . "${readFile passwd-file}")''; + entries = mapAttrsToList make-entry files; + content = concatStringsSep "\n" entries; + in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})"; + + host-auth-file = generate-auth-file "host" + (mapAttrs (hostname: hostOpts: hostOpts.password-file) + cfg.client-hosts); + + service-auth-file = generate-auth-file "service" + (mapAttrs (service: serviceOpts: serviceOpts.password-file) + cfg.services); + + in { secrets.host-secrets.${hostname} = { backplane-host-auth = { source-file = host-auth-file;
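Review bot: the relocated `generate-auth-file` still embeds `readFile passwd-file` into a `pkgs.writeText` derivation, so the cleartext backplane passwords of every client host and service become the contents of a Nix store file (`host-backplane-auth.scm`, `service-backplane-auth.scm`), world-readable on the host and carried along with anything that copies the closure; the commit moves this rather than introduces it, but it is the code on the new side. The fix is to build the auth file at run time instead of at evaluation time — for example a service `preStart` that reads the password files and writes the scheme list to a mode-0600 file under the service's runtime directory — and to point `fudo.secrets.host-secrets.${hostname}.backplane-host-auth.source-file` at that file rather than at a store path; the hunk does not show what consumes `backplane-host-auth`, so confirm the consumer accepts a non-store path. Minor: the new `hostname = config.instance.hostname;` binding is shadowed by the `mapAttrs (hostname: hostOpts: ...)` lambda parameter a few lines below; renaming the parameter, e.g. `(mapAttrs (host: hostOpts: hostOpts.password-file)`, removes the ambiguity. The `fudo` attrset and the module continue outside the hunk.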