Working system flake builds, attempt to integrate into nixops

This commit is contained in:
niten 2021-11-18 09:51:41 -08:00
parent fbd190bd4a
commit 4168027ac2
8 changed files with 182 additions and 179 deletions


@ -1,19 +1,23 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
networking = { config = {
useDHCP = false; boot.isContainer = true;
macvlans = { networking = {
extif0 = { useDHCP = false;
interface = "eno2";
mode = "bridge"; macvlans = {
extif0 = {
interface = "eno2";
mode = "bridge";
};
}; };
};
interfaces = { interfaces = {
extif0.macAddress = extif0.macAddress =
pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0"; pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
};
}; };
}; };
} }


@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
config = {
boot.isContainer = true;
};
} }


@ -2,6 +2,8 @@
with lib; with lib;
let let
hostname = "clunk";
primary-ip = "10.0.0.1"; primary-ip = "10.0.0.1";
dns-proxy-port = 5335; dns-proxy-port = 5335;
@ -12,47 +14,8 @@ let
site = config.fudo.site.${site-name}; site = config.fudo.site.${site-name};
in { in {
system = {
# # DO force all DNS traffic to use the local server
# activationScripts.force-local-dns = let
# wifi-ip =
# config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
# in ''
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# '';
};
environment.systemPackages = host-packages; environment.systemPackages = host-packages;
fudo.local-network = let
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
in {
enable = true;
# NOTE: requests go:
# - local bind instance
# - pi-hole
# - DoH resolver
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ "selby.ca" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks."rus.selby.ca";
};
fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
networking = { networking = {
interfaces = { interfaces = {
enp1s0.useDHCP = true; enp1s0.useDHCP = true;
@ -83,19 +46,54 @@ in {
}; };
fudo = { fudo = {
secrets.host-secrets.${hostname} = let
files = config.fudo.secrets.files;
in {
heimdal-master-key = {
source-file = files.realm-master-keys."RUS.SELBY.CA";
target-file = "/run/heimdal/master-key";
user = config.fudo.auth.kdc.user;
};
};
local-network = let
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
in {
enable = true;
# NOTE: requests go:
# - local bind instance
# - pi-hole
# - DoH resolver
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ "selby.ca" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks."rus.selby.ca";
};
hosts.clunk.external-interfaces = [ "enp1s0" ];
garbage-collector = { garbage-collector = {
enable = true; enable = true;
timing = "weekly"; timing = "weekly";
}; };
auth.kdc = { auth.kdc = {
enable = true; master-key-file =
realm = "RUS.SELBY.CA"; secrets.heimdal-master-key.target-file;
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ]; state-directory = "/state/kerberos";
acl = {
"niten" = { perms = [ "add" "change-password" "list" ]; };
"*/root" = { perms = [ "all" ]; };
};
}; };
secure-dns-proxy = { secure-dns-proxy = {
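Review bot: The `auth.kdc` block on the new side keeps only `master-key-file` and `state-directory`; `enable`, `realm`, `bind-addresses` and the `acl` (the `niten` add/change-password/list grant and `*/root` = all) are printed once, so they appear to be dropped from this host file rather than moved within it. Unless the kdc module now derives realm, listen addresses and ACL from the domain config, the KDC on clunk falls back to module defaults, which for bind addresses could mean listening beyond `10.0.0.1` and loopback and for the ACL means whatever the module ships. Either restore those lines or leave a one-liner at the block, e.g. `# realm, bind-addresses and acl are supplied by fudo.domains."rus.selby.ca"`, so the next reader does not assume the ACL was lost by accident. Separately, `secrets.heimdal-master-key.target-file` relies on a `secrets` binding that is not in the visible part of the `let`, and `secrets.host-secrets.${hostname}` uses the new literal `hostname = "clunk"` while `local-network` still uses `config.instance.hostname`; one of the two should go. The enclosing `let` starts before the visible lines.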


@ -24,16 +24,16 @@ let
}; };
in { in {
imports = let # imports = let
is-regular-file = filename: type: type == "regular" || type == "link"; # is-regular-file = filename: type: type == "regular" || type == "link";
regular-files = path: # regular-files = path:
attrNames (filterAttrs is-regular-file (builtins.readDir path)); # attrNames (filterAttrs is-regular-file (builtins.readDir path));
is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null; # is-nix-file = filename: (builtins.match "^(.+)\.nix$" filename) != null;
nix-files = path: # nix-files = path:
map # map
(file: path + "/${file}") # (file: path + "/${file}")
(filter is-nix-file (regular-files path)); # (filter is-nix-file (regular-files path));
in nix-files ./france; # in nix-files ./france;
config = { config = {
security.acme.email = "admin@fudo.org"; security.acme.email = "admin@fudo.org";
@ -136,100 +136,99 @@ in {
}; };
client.dns = { client.dns = {
enable = true;
ipv4 = true; ipv4 = true;
ipv6 = true; ipv6 = true;
user = "fudo-client"; user = "fudo-client";
external-interface = "extif0"; external-interface = "extif0";
}; };
france = { # france = {
ldap = let # ldap = let
cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap; # cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap;
chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}"; # chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}";
in { # in {
ssl-certificate = cert-copy.certificate; # ssl-certificate = cert-copy.certificate;
ssl-private-key = cert-copy.private-key; # ssl-private-key = cert-copy.private-key;
ssl-ca-certificate = chain; # ssl-ca-certificate = chain;
keytab = secrets.ldap-keytab.target-file; # keytab = secrets.ldap-keytab.target-file;
root-password-file = secrets.ldap-root-passwd.target-file; # root-password-file = secrets.ldap-root-passwd.target-file;
}; # };
kdc = { # kdc = {
state-directory = "/state/kerberos"; # state-directory = "/state/kerberos";
master-key-file = secret-files.realm-master-keys."FUDO.ORG"; # master-key-file = secret-files.realm-master-keys."FUDO.ORG";
listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; # listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
}; # };
jabber = { # jabber = {
ldap-servers = [ "france.fudo.org" ]; # ldap-servers = [ "france.fudo.org" ];
listen-ips = [ primary-ip ]; # listen-ips = [ primary-ip ];
backplane = { # backplane = {
host-passwd-files = let # host-passwd-files = let
hosts = attrNames config.fudo.hosts; # hosts = attrNames config.fudo.hosts;
in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file) # in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file)
config.fudo.hosts; # config.fudo.hosts;
service-passwd-files = { # service-passwd-files = {
dns = backplane-dns-password-file; # dns = backplane-dns-password-file;
}; # };
}; # };
}; # };
backplane-server = { # backplane-server = {
listen-ips = [ primary-ip ]; # listen-ips = [ primary-ip ];
backplane-dns-password-file = # backplane-dns-password-file =
secrets.backplane-dns-password.target-file; # secrets.backplane-dns-password.target-file;
}; # };
mail = { # mail = {
mail-directory = "${mail-directory}/mailboxes"; # mail-directory = "${mail-directory}/mailboxes";
state-directory = "${mail-directory}/var"; # state-directory = "${mail-directory}/var";
ldap-server-urls = [ # ldap-server-urls = [
"ldap://france.fudo.org" # "ldap://france.fudo.org"
]; # ];
}; # };
webmail = { # webmail = {
mail-server = mail-hostname; # mail-server = mail-hostname;
database.hostname = "localhost"; # database.hostname = "localhost";
}; # };
git = { # git = {
repository-directory = "/state/gitea/repo"; # repository-directory = "/state/gitea/repo";
state-directory = "/state/gitea/state"; # state-directory = "/state/gitea/state";
ssh.listen-ip = git-server-ip; # ssh.listen-ip = git-server-ip;
database-host = "localhost"; # database-host = "localhost";
}; # };
postgresql = let # postgresql = let
cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres; # cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres;
in { # in {
keytab = secrets.postgres-keytab.target-file; # keytab = secrets.postgres-keytab.target-file;
ssl-certificate = cert-copy.certificate; # ssl-certificate = cert-copy.certificate;
ssl-private-key = cert-copy.private-key; # ssl-private-key = cert-copy.private-key;
}; # };
dns = { # dns = {
default-host = primary-ip; # default-host = primary-ip;
listen-ip = primary-ip; # listen-ip = primary-ip;
mail-hosts = [ "mail.fudo.org" ]; # mail-hosts = [ "mail.fudo.org" ];
}; # };
chat = { # chat = {
chat-hostname = "chat.fudo.org"; # chat-hostname = "chat.fudo.org";
mail-server = "mail.fudo.org"; # mail-server = "mail.fudo.org";
database-host = "localhost"; # database-host = "localhost";
}; # };
}; # };
minecraft-server = { # minecraft-server = {
enable = true; # enable = true;
package = pkgs.minecraft-current; # package = pkgs.minecraft-current;
data-dir = "/state/minecraft/selbyland"; # data-dir = "/state/minecraft/selbyland";
world-name = "selbyland"; # world-name = "selbyland";
motd = "Welcome to the Selby Minecraft server."; # motd = "Welcome to the Selby Minecraft server.";
}; # };
}; };
networking = { networking = {
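Review bot: Roughly a hundred lines of `fudo.france` service configuration (ldap with its `ssl-private-key`, kdc with `master-key-file`, backplane, mail, postgresql, dns, chat) plus `minecraft-server` and the `imports` of `./france` are commented out rather than removed or gated, with nothing saying why or whether the host-secrets they referenced (`ldap-keytab`, `ldap-root-passwd`, `postgres-keytab`, `backplane-dns-password`) are still deployed to this host with no consumer. If this is a stepping stone for the nixops migration, say so at the head of the block, e.g. `# TODO(nixops): france services disabled until ./france builds under the flake; re-enable or delete before deploy`, and prefer `mkIf false { … }` or a later revert over a comment wall so the block cannot silently rot. The `enable = true;` under `client.dns` is printed once, so it was either added or dropped here; if dropped, DNS client registration for this host is now off and deserves a mention in the commit message. The `config = {` set these lines belong to starts before the visible section.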


@ -68,7 +68,6 @@
network = "10.0.0.0/16"; network = "10.0.0.0/16";
dynamic-network = "10.0.1.0/24"; dynamic-network = "10.0.1.0/24";
timezone = "America/Winnipeg"; timezone = "America/Winnipeg";
gateway-host = "clunk";
mail-server = "mail.fudo.org"; mail-server = "mail.fudo.org";
}; };

flake.lock generated

@ -236,7 +236,7 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"narHash": "sha256-7Yl9CqBD8dahWQvJJEKrvqUMLDYkoLTApNP7BzqGGpg=", "narHash": "sha256-TpFI+nD+c9JXhKKDBgIHJhIfveTScBD6gotTPt8tvg4=",
"path": "/state/nixops/fudo-home", "path": "/state/nixops/fudo-home",
"type": "path" "type": "path"
}, },
@ -286,11 +286,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1633291410, "lastModified": 1637019201,
"narHash": "sha256-IxUzCGwj+s2Rn/+u0NtY36ix5I8MopMOO8Ip59PnBlw=", "narHash": "sha256-lq4gz51fx4m5FXfx1SCB444aEBeaYtLMVm3P18Wi9ls=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "382505714d10c6791a96712e0554587c75c5bf8b", "rev": "bcf03fa16a1f06b8a0abb27bf49afa8d6fffe8f1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -315,11 +315,11 @@
"niten-doom-config": { "niten-doom-config": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1628274414, "lastModified": 1633712607,
"narHash": "sha256-EIGqjTHcYnjVXceY1tpjaYxNmORh8NNiL2FVWCI5sBo=", "narHash": "sha256-6PAw7Xvoj4JROeTqK1nhT2zv7bPpiQlm9t7H5HQ0f2k=",
"ref": "master", "ref": "master",
"rev": "0ab1532c856ccdb6ce46c5948054279f439eb1f2", "rev": "0a4f8ce4121ba3d64d29b0d52733c08febfb83d8",
"revCount": 34, "revCount": 35,
"type": "git", "type": "git",
"url": "https://git.fudo.org/niten/doom-emacs.git" "url": "https://git.fudo.org/niten/doom-emacs.git"
}, },


@ -38,8 +38,6 @@
site = hostOpts.site; site = hostOpts.site;
domain = hostOpts.domain; domain = hostOpts.domain;
profile = hostOpts.profile; profile = hostOpts.profile;
build-seed =
builtins.readFile fudo-secrets.build-seed;
in nixpkgs.lib.nixosSystem { in nixpkgs.lib.nixosSystem {
inherit system; inherit system;
@ -56,10 +54,12 @@
(config-path + /profile-config/${profile}.nix) (config-path + /profile-config/${profile}.nix)
(config-path + /domain-config/${domain}.nix) (config-path + /domain-config/${domain}.nix)
(config-path + /site-config/${site}.nix) (config-path + /site-config/${site}.nix)
({ ... }: { ({ config, ... }: {
config = { config = {
instance = { instance = {
inherit hostname build-timestamp build-seed; inherit hostname build-timestamp;
build-seed = builtins.readFile
config.fudo.secrets.files.build-seed;
}; };
nixpkgs.pkgs = pkgs-for system; nixpkgs.pkgs = pkgs-for system;
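Review bot: `build-seed = builtins.readFile config.fudo.secrets.files.build-seed` reads the seed at evaluation time, so its contents become part of the evaluated configuration, and anything that interpolates `config.instance.build-seed` into a derivation or store path (nothing visible here shows what consumes it) lands it in the world-readable Nix store. The removed flake-level `readFile fudo-secrets.build-seed` had the same property, so this is not a regression, but moving the read into a per-host module is the right place to pin the rule down, e.g. `# NOTE: read at eval time; never interpolate build-seed into derivation args or store paths`. The move also makes every host's evaluation depend on `config.fudo.secrets.files.build-seed` being defined, which is only implied by this hunk. The inline module starts inside the hunk but the `nixosSystem` call it is passed to begins above it.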


@ -1,30 +1,31 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let {
cfg = config.fudo.backplane;
backplane-server = cfg.backplane-host;
generate-auth-file = name: files: let
make-entry = name: passwd-file:
''("${name}" . "${readFile passwd-file}")'';
entries = mapAttrsToList make-entry files;
content = concatStringsSep "\n" entries;
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
host-auth-file = generate-auth-file "host"
(mapAttrs (hostname: hostOpts: hostOpts.password-file)
cfg.client-hosts);
service-auth-file = generate-auth-file "service"
(mapAttrs (service: serviceOpts: serviceOpts.password-file)
cfg.services);
in {
config = mkIf config.fudo.jabber.enable { config = mkIf config.fudo.jabber.enable {
fudo = let
cfg = config.fudo.backplane;
fudo = { hostname = config.instance.hostname;
backplane-server = cfg.backplane-host;
generate-auth-file = name: files: let
make-entry = name: passwd-file:
''("${name}" . "${readFile passwd-file}")'';
entries = mapAttrsToList make-entry files;
content = concatStringsSep "\n" entries;
in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";
host-auth-file = generate-auth-file "host"
(mapAttrs (hostname: hostOpts: hostOpts.password-file)
cfg.client-hosts);
service-auth-file = generate-auth-file "service"
(mapAttrs (service: serviceOpts: serviceOpts.password-file)
cfg.services);
in {
secrets.host-secrets.${hostname} = { secrets.host-secrets.${hostname} = {
backplane-host-auth = { backplane-host-auth = {
source-file = host-auth-file; source-file = host-auth-file;