nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Switch to using a common hostconfig at build and config time.

This commit is contained in:
Root 2021-04-07 14:03:52 -07:00
parent d835ae3e75
commit 418c04170c
40 changed files with 1015 additions and 888 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
config/domains/fudo.org.nix → config/domain-config/fudo.org.nix
View File

0
config/domains/informis.land.nix → config/domain-config/informis.land.nix
View File

0
config/domains/rus.selby.ca.nix → config/domain-config/rus.selby.ca.nix
View File

0
config/domains/sea.fudo.org.nix → config/domain-config/sea.fudo.org.nix
View File

24
config/hardware/limina.nix
View File

@ -1,9 +1,10 @@
{ config, lib, pkgs, ... }:
with lib;
{
with lib; {
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
system.stateVersion = "20.09";
boot = {
initrd = {
availableKernelModules =
@ -89,24 +90,15 @@ with lib;
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
# output of: echo limina-${if}|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
extif0 = {
macAddress = "02:fd:79:94:a2:a8";
useDHCP = true;
};
extif0 = { macAddress = "02:fd:79:94:a2:a8"; };
intif0 = {
macAddress = "02:dc:59:b4:a7:8c";
};
intif0 = { macAddress = "02:dc:59:b4:a7:8c"; };
intif1 = {
macAddress = "02:df:43:1d:8a:63";
};
intif1 = { macAddress = "02:df:43:1d:8a:63"; };
intif2 = {
macAddress = "02:55:d9:05:23:36";
};
intif2 = { macAddress = "02:55:d9:05:23:36"; };
};
};
}

9
config/host-config/atom.nix Normal file
View File

@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
{
fudo.laptop.use-network-manager = false;
fudo.slynk.enable = true;
services.xserver = { videoDrivers = [ "nvidia" ]; };
}

168
config/host-config/clunk.nix Normal file
View File

@ -0,0 +1,168 @@
{ config, lib, pkgs, ... }:
with lib;
let
primary-ip = "10.0.0.1";
dns-proxy-port = 5335;
host-packages = with pkgs; [
nixops
];
site-name = config.fudo.hosts.${config.instance.hostname}.site;
site = config.fudo.site.${site-name};
in {
system = {
# # DO force all DNS traffic to use the local server
# activationScripts.force-local-dns = let
# wifi-ip =
# config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
# in ''
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# '';
};
environment.systemPackages = host-packages;
fudo.local-network = let
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
in {
enable = true;
# NOTE: requests go:
# - local bind instance
# - pi-hole
# - DoH resolver
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ "selby.ca" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks."rus.selby.ca";
};
networking = {
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "docker0" ];
allowedTCPPorts = [ 22 ];
};
interfaces = {
enp1s0.useDHCP = true;
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
intif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
};
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "intif0" ];
forwardPorts = [{
destination = "127.0.0.1:53";
sourcePort = 53;
proto = "udp";
}];
};
};
fudo = {
garbage-collector = {
enable = true;
timing = "weekly";
};
auth.kdc = {
enable = true;
realm = "RUS.SELBY.CA";
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
acl = {
"niten" = { perms = [ "add" "change-password" "list" ]; };
"*/root" = { perms = [ "all" ]; };
};
};
secure-dns-proxy = {
enable = true;
listen-port = dns-proxy-port;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
allowed-networks =
[ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ];
listen-ips = [ primary-ip ];
};
};
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
oci-containers = {
backend = "docker";
containers = {
pihole = {
image = "pihole/pihole:v5.7";
autoStart = true;
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
# ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.rus.selby.ca";
DNS1 = "${primary-ip}#${toString dns-proxy-port}";
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
};
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"dns-hole.rus.selby.ca" = {
serverAliases = [
"pihole.rus.selby.ca"
"hole.rus.selby.ca"
"pihole"
"dns-hole"
"hole"
];
locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
};
};
};
}

179
config/host-config/france.nix Normal file
View File

@ -0,0 +1,179 @@
{ config, lib, pkgs, ... }:
let
primary-ip = "208.81.3.117";
hostname = config.instance.hostname;
domain-name = config.fudo.hosts.${hostname}.domain;
domain = config.fudo.domains.${domain-name};
host-fqdn = "${hostname}.${domain-name}";
mail-hostname = "mail.fudo.org";
in {
imports = [ ./france/postgresql.nix ];
config = {
fudo = {
auth = {
ldap = {
enable = true;
base = "dc=fudo,dc=org";
organization = "Fudo";
rootpw-file = "FIXME";
kerberos-host = host-fqdn;
kerberos-keytab = "FIXME";
sslCert = "FIXME";
sslKey = "FIXME";
sslCaCert = "FIXME";
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
users = config.fudo.users;
groups = config.fudo.groups;
system-users = config.fudo.system-users;
};
kdc = let realm = "FUDO.ORG";
in {
enable = true;
database-path = "FIXME";
realm = realm;
mkey-file = "FIXME";
acl = [
{
principal = "pam_migrate/*.fudo.org@${realm}";
access = "add";
}
{
principal = "host/*.fudo.org@${realm}";
access = "add";
}
] ++ (concatMap (user: [
{
principal = "${user}@${realm}";
access = "add,list,modify";
}
{
principal = "${user}/root@${realm}";
access = "all";
}
]) domain.admin-users);
bind-addresses = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
};
};
prometheus = {
enable = true;
hostname = "metrics.fudo.org";
service-discovery-dns = let dns-root = "_metrics._tcp.fudo.org";
in {
node = [ "node.${dns-root}" ];
postfix = [ "postfix.${dns-root}" ];
dovecot = [ "dovecot.${dns-root}" ];
rspamd = [ "rspamd.${dns-root}" ];
};
};
postgresql = {
enable = true;
# FIXME: ssl-private-key && ssl certificate
keytab = "/srv/postgres/secure/postgres.keytab";
local-networks = getHostLocalNetworks hostname;
admin-users = domain.admin-users;
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "FIXME";
external-interface = "extif0";
password-file = "FIXME";
};
mail-server = domain.mail-config // {
enableContainer = true;
monitoring = true;
hostname = mail-hostname;
state-directory = "FIXME";
mail-directory = "FIXME";
dovecot.ldap = {
reader-dn = "FIXME";
reader-password = "FIXME";
server-urls = [ "FIXME" ];
};
clamav.enable = true;
dkim.signing = true;
};
git = {
enable = true;
hostname = "git.fudo.org";
site-name = "Fudo Git";
user = "FIXME";
database = {
user = "FIXME";
password-file = "FIXME";
hostname = "127.0.0.1";
name = "FIXME";
};
repository-dir = "FIXME";
state-dir = "FIXME";
ssh = {
listen-ip = git-server-ip;
listen-port = 22;
};
};
minecraft-server = {
enable = true;
package = pkgs.minecraft-current;
data-dir = "FIXME";
world-name = "selbyland";
motd = "Welcome to the Selby Minecraft server.";
};
};
networking = {
intif0 = {
ipv4.addresses = [{
address = "192.168.11.1";
prefixLength = 24;
}];
};
extif0 = {
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 28;
}
{
address = git-server-ip;
prefixLength = 32;
}
];
};
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisations = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"mail.fudo.org" = {
enableACME = true;
locations."/".return = "301 https://webmail.fudo.org$request_uri";
};
};
};
};
};
}

32
config/host-config/lambda.nix Normal file
View File

@ -0,0 +1,32 @@
{ config, lib, pkgs, ... }:
let primary-ip = "10.0.0.3";
in {
fudo.slynk.enable = true;
networking = {
interfaces = {
enp3s0f0.useDHCP = false;
enp3s0f1.useDHCP = false;
enp4s0f0.useDHCP = false;
enp4s0f1.useDHCP = false;
extif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
};
};
fudo.ipfs = {
enable = true;
users = [ "niten" ];
api-address = "/ip4/${primary-ip}/tcp/5001";
};
# TODO: add camera
}

185
config/host-config/limina.nix Normal file
View File

@ -0,0 +1,185 @@
{ config, lib, pkgs, ... }:
with lib;
let
primary-ip = "10.0.0.6";
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
dns-proxy-port = 5335;
in {
config = {
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
networking = {
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
allowedTCPPorts = [ 22 ];
};
interfaces = {
extif0 = { useDHCP = true; };
intif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
intif1 = { useDHCP = false; };
intif2 = { useDHCP = false; };
};
nat = {
enable = true;
externalInterface = "extif0";
internalInterfaces = [ "intif0" ];
};
};
fudo = {
local-network = {
enable = false;
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "1.1.1.1";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ domain-name "fudo.org" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks.${domain-name};
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
garbage-collector = {
enable = true;
timing = "weekly";
};
secure-dns-proxy = {
enable = true;
listen-port = dns-proxy-port;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
allowed-networks =
[ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ];
listen-ips = [ primary-ip ];
};
};
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
oci-containers = {
backend = "docker";
containers = {
pihole = {
image = "pihole/pihole:v5.7";
autoStart = true;
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
# ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org";
DNS1 = "${primary-ip}#${toString dns-proxy-port}";
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
};
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"dns-hole.${domain-name}" = {
serverAliases = [
"pihole.${domain-name}"
"hole.${domain-name}"
"pihole"
"dns-hole"
"hole"
];
locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
};
};
};
# Support for statelessness
environment.etc = {
nixos.source = "/state/nixos";
adjtime.source = "/state/etc/adjtime";
NIXOS.source = "/state/etc/NIXOS";
machine-id.source = "/state/etc/machine-id";
"host-config.nix".source = "/state/etc/host-config.nix";
};
boot.initrd.postDeviceCommands = lib.mkAfter ''
${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
'';
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
"L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
services.openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
}

169
config/host-config/nostromo.nix Normal file
View File

@ -0,0 +1,169 @@
{ config, lib, pkgs, ... }:
let
primary-ip = "10.0.0.1";
dns-proxy-ip = "10.0.0.5";
in {
fudo.local-network = let
hostname = config.instance.hostname;
site-name = config.fudo.hosts.${hostname}.site;
site = config.fudo.site.${site-name};
in {
enable = true;
dns-servers = site.dns-servers;
gateway = site.gateway;
dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
server-ip = primary-ip;
};
fudo.slynk.enable = true;
# systemd.network.networks.eno2 = {
# extraConfig = {
# IPv6AcceptRA = true;
# IPv6PrefixDelegation = "dhcpv6";
# };
# };
networking = {
# dhcpd.extraConfig = ''
# interface eno2
# ia_na 1
# ia_pd 2 eno2/0
# '';
eno1.useDHCP = false;
eno2.useDHCP = false;
eno3.useDHCP = false;
eno4.useDHCP = false;
enp33s0f0.useDHCP = false;
enp33s0f1.useDHCP = false;
enp9s0f0.useDHCP = false;
enp9s0f1.useDHCP = false;
intif0 = {
useDHCP = false;
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 22;
}
{
address = dns-proxy-ip;
prefixLength = 32;
}
];
};
extif0 = { useDHCP = true; };
nat = {
enable = true;
externalInterface = "extif0";
internalInterfaces = [ "intif0" ];
};
};
fudo = {
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
secure-dns-proxy = {
enable = true;
port = 3535;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
listen-ips = [ dns-proxy-ip ];
};
};
virtualization = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
libvirtd = {
enable = true;
qemuPackage = pkgs.qemu_kvm;
onShutdown = "shutdown";
};
};
docker-containers = {
pihole = {
image = "pihole/pihole:4.3.2-1";
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org";
DNS1 = dns-proxy-ip;
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
security.acme.certs = {
"sea-camera.fudo.link".email = "niten@fudo.org";
"sea-camera-od.fudo.link".email = "niten@fudo.org";
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"sea-camera.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
# Supposed to be for object detection...
"sea-camera-od.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon-od.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
"pihole.sea.fudo.org" = {
serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ];
locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
};
};
};
};
}

50
config/host-config/plato.nix Normal file
View File

@ -0,0 +1,50 @@
{ config, lib, pkgs, ... }:
with lib; {
config = {
environment.etc = {
nixos.source = "/state/nixos";
adjtime.source = "/state/etc/adjtime";
NIXOS.source = "/state/etc/NIXOS";
machine-id.source = "/state/etc/machine-id";
"host-config.nix".source = "/state/etc/host-config.nix";
};
system.stateVersion = "20.09";
boot.initrd.postDeviceCommands = lib.mkAfter ''
${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
'';
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
"L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
services = {
openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
};
}

16
config/host-config/spark.nix Normal file
View File

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
{
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
fudo.slynk.enable = true;
networking = {
interfaces = {
extif0 = { useDHCP = true; };
};
};
}

19
config/host-config/zbox.nix Normal file
View File

@ -0,0 +1,19 @@
{ config, lib, pkgs, ... }:
{
system.stateVersion = "20.09";
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
fudo.slynk.enable = true;
networking = {
interfaces = {
eno1.useDHCP = false;
intif0 = { useDHCP = true; };
};
};
}

185
config/hosts.nix
View File

@ -1,177 +1,16 @@
{ config, lib, pkgs, ... }:
{
config.fudo.hosts = {
atom = {
description = "Niten's toy laptop.";
enable-gui = false;
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "laptop";
};
with lib;
let
is-nix-file = filename: type: (builtins.match ".+\.nix$" filename) != null;
is-regular-file = filename: type: type == "regular" || type == "link";
hostname-from-file = filename: builtins.replaceStrings [".nix"] [""] filename;
host-files = attrNames (filterAttrs is-nix-file (filterAttrs is-regular-file (builtins.readDir ./hosts)));
hosts = map hostname-from-file host-files;
clunk = {
description = "rus.selby.ca gateway box.";
docker-server = true;
ssh-fingerprints = [
"1 1 0e23d2156b1f9fca8552a0105c125aed76e51728"
"1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5"
"4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4"
"4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
};
downstairs-desktop = {
description = "Downstairs desktop in Russell.";
ssh-fingerprints = [
"1 1 ce704716ec0c3e330a243648531a10a2c78dd1ff"
"1 2 6042bbc9b16122a4b63b1cfb84e179ae65911361e9d88ee3f0cd6659428ba27e"
"3 1 de6dda3f72ee7043c804a7ad382033f3565b3b84"
"3 2 cb611dd503fa15e913a101be15295f9084fa585b3225b6c1084521bff9b2140b"
"4 1 a9a139b92851b3d9df2742a13bfea59c3e6e842e"
"4 2 2260bfab177ab1ffb6a855b02b5a1aa719d765610e6a7bc79b09c340ce7c1236"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "desktop";
ssh-pubkey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas=";
};
france = {
description = "Primary fudo.org server.";
docker-server = true;
ssh-fingerprints = [
"1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
"1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
"4 1 c95a198f504a589fc62893a95424b12f0b24732d"
"4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
];
rp = "admin";
admin-email = "admin@fudo.org";
domain = "fudo.org";
site = "portage";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
};
google-wifi = {
description = "Google WiFi router.";
rp = "niten";
};
lambda = {
description = "sea.fudo.org experiment server.";
docker-server = true;
ssh-fingerprints = [
"1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35"
"1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88"
"4 1 a689caa9f1e75c6378efed592bc0d623e4b7d199"
"4 2 5856ae661077203fba74a226dd77a17d69d6fda8ab960bfeb22a14c253f4472f"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
};
nostromo = {
description = "sea.fudo.org gateway box and primary server.";
docker-server = true;
ssh-fingerprints = [
"1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
"1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e"
"4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42"
"4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
};
plato = {
description = "Niten's toy server.";
ssh-fingerprints = [
"4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
"4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
"1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
"1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
};
procul = {
description = "informis.land server.";
docker-server = true;
};
pselby-work = { description = "Google Lenovo work laptop."; };
spark = {
description = "Niten's backup desktop.";
ssh-fingerprints = [
"1 1 d26812dee9b26a19a52c38d2b346442979093142"
"1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3"
"4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63"
"4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b"
];
rp = "niten";
admin-email = "niten@fudo.org";
enable-gui = true;
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa";
};
upstairs-desktop = {
description = "Upstairs desktop in Russell.";
ssh-fingerprints = [
"1 1 f927527d712391b57aef6d2e7c3f225a86b62bf4"
"1 2 17aece61156ba14c439aeae2e7b0f86daf97eea904241c35980f974ca1744c3d"
"3 1 70f5f613e66e53a74534d33cd7ebf248cfdc3024"
"3 2 774f1f00614751e51faa0add55183973893313d3a236d269adc3ab3c1f67c952"
"4 1 e81e07d1ae7526c457a46ab1f18af3c016b4f48e"
"4 2 e5af579cfb7f68b22492f5286b5249c5de74debf2a6cac78c070790f424566aa"
];
rp = "niten";
admin-email = "niten@fudo.org";
};
zbox = {
description = "Niten's primary desktop.";
ssh-fingerprints = [
"1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d"
"1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493"
"4 1 862842d99f5afb33db4f073d2f3d1154c6417110"
"4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3"
];
rp = "niten";
admin-email = "niten@fudo.org";
enable-gui = true;
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8";
};
};
load-host-file = hostname: import (./. + "/hosts/${hostname}.nix");
in {
config.fudo.hosts = genAttrs hosts (hostname: load-host-file hostname);
}

14
config/hosts/atom.nix
View File

@ -1,9 +1,9 @@
{ config, lib, pkgs, ... }:
{
fudo.laptop.use-network-manager = false;
fudo.slynk.enable = true;
services.xserver = { videoDrivers = [ "nvidia" ]; };
description = "Niten's toy laptop.";
enable-gui = false;
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "laptop";
}

181
config/hosts/clunk.nix
View File

@ -1,168 +1,17 @@
{ config, lib, pkgs, ... }:
with lib;
let
primary-ip = "10.0.0.1";
dns-proxy-port = 5335;
host-packages = with pkgs; [
nixops
{
description = "rus.selby.ca gateway box.";
docker-server = true;
ssh-fingerprints = [
"1 1 0e23d2156b1f9fca8552a0105c125aed76e51728"
"1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5"
"4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4"
"4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696"
];
site-name = config.fudo.hosts.${config.instance.hostname}.site;
site = config.fudo.site.${site-name};
in {
system = {
# # DO force all DNS traffic to use the local server
# activationScripts.force-local-dns = let
# wifi-ip =
# config.fudo.networks."rus.selby.ca".hosts.google-wifi.ipv4-address;
# in ''
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p udp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# ${pkgs.iptables}/bin/iptables -t nat -A OUTPUT -p tcp -s ${wifi-ip} --dport 53 -j DNAT --to ${primary-ip}:53
# '';
};
environment.systemPackages = host-packages;
fudo.local-network = let
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
in {
enable = true;
# NOTE: requests go:
# - local bind instance
# - pi-hole
# - DoH resolver
domain = domain-name;
dns-servers = [ primary-ip ];
gateway = primary-ip;
dhcp-interfaces = [ "intif0" ];
dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
network = site.network;
dhcp-dynamic-network = site.dynamic-network;
search-domains = [ "selby.ca" ];
enable-reverse-mappings = true;
network-definition = config.fudo.networks."rus.selby.ca";
};
networking = {
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "docker0" ];
allowedTCPPorts = [ 22 ];
};
interfaces = {
enp1s0.useDHCP = true;
enp2s0.useDHCP = false;
enp3s0.useDHCP = false;
enp4s0.useDHCP = false;
intif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
};
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "intif0" ];
forwardPorts = [{
destination = "127.0.0.1:53";
sourcePort = 53;
proto = "udp";
}];
};
};
fudo = {
garbage-collector = {
enable = true;
timing = "weekly";
};
auth.kdc = {
enable = true;
realm = "RUS.SELBY.CA";
bind-addresses = [ "10.0.0.1" "127.0.0.1" "::1" ];
acl = {
"niten" = { perms = [ "add" "change-password" "list" ]; };
"*/root" = { perms = [ "all" ]; };
};
};
secure-dns-proxy = {
enable = true;
listen-port = dns-proxy-port;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
allowed-networks =
[ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ];
listen-ips = [ primary-ip ];
};
};
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
oci-containers = {
backend = "docker";
containers = {
pihole = {
image = "pihole/pihole:v5.7";
autoStart = true;
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
# ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.rus.selby.ca";
DNS1 = "${primary-ip}#${toString dns-proxy-port}";
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
};
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"dns-hole.rus.selby.ca" = {
serverAliases = [
"pihole.rus.selby.ca"
"hole.rus.selby.ca"
"pihole"
"dns-hole"
"hole"
];
locations."/" = { proxyPass = "http://127.0.0.1:3080"; };
};
};
};
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5";
}

18
config/hosts/downstairs-desktop.nix Normal file
View File

@ -0,0 +1,18 @@
{
description = "Downstairs desktop in Russell.";
ssh-fingerprints = [
"1 1 ce704716ec0c3e330a243648531a10a2c78dd1ff"
"1 2 6042bbc9b16122a4b63b1cfb84e179ae65911361e9d88ee3f0cd6659428ba27e"
"3 1 de6dda3f72ee7043c804a7ad382033f3565b3b84"
"3 2 cb611dd503fa15e913a101be15295f9084fa585b3225b6c1084521bff9b2140b"
"4 1 a9a139b92851b3d9df2742a13bfea59c3e6e842e"
"4 2 2260bfab177ab1ffb6a855b02b5a1aa719d765610e6a7bc79b09c340ce7c1236"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "rus.selby.ca";
site = "russell";
profile = "desktop";
ssh-pubkey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas=";
}

194
config/hosts/france.nix
View File

@ -1,179 +1,17 @@
{ config, lib, pkgs, ... }:
let
primary-ip = "208.81.3.117";
hostname = config.instance.hostname;
domain-name = config.fudo.hosts.${hostname}.domain;
domain = config.fudo.domains.${domain-name};
host-fqdn = "${hostname}.${domain-name}";
mail-hostname = "mail.fudo.org";
in {
imports = [ ./france/postgresql.nix ];
config = {
fudo = {
auth = {
ldap = {
enable = true;
base = "dc=fudo,dc=org";
organization = "Fudo";
rootpw-file = "FIXME";
kerberos-host = host-fqdn;
kerberos-keytab = "FIXME";
sslCert = "FIXME";
sslKey = "FIXME";
sslCaCert = "FIXME";
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
users = config.fudo.users;
groups = config.fudo.groups;
system-users = config.fudo.system-users;
};
kdc = let realm = "FUDO.ORG";
in {
enable = true;
database-path = "FIXME";
realm = realm;
mkey-file = "FIXME";
acl = [
{
principal = "pam_migrate/*.fudo.org@${realm}";
access = "add";
}
{
principal = "host/*.fudo.org@${realm}";
access = "add";
}
] ++ (concatMap (user: [
{
principal = "${user}@${realm}";
access = "add,list,modify";
}
{
principal = "${user}/root@${realm}";
access = "all";
}
]) domain.admin-users);
bind-addresses = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
};
};
prometheus = {
enable = true;
hostname = "metrics.fudo.org";
service-discovery-dns = let dns-root = "_metrics._tcp.fudo.org";
in {
node = [ "node.${dns-root}" ];
postfix = [ "postfix.${dns-root}" ];
dovecot = [ "dovecot.${dns-root}" ];
rspamd = [ "rspamd.${dns-root}" ];
};
};
postgresql = {
enable = true;
# FIXME: ssl-private-key && ssl certificate
keytab = "/srv/postgres/secure/postgres.keytab";
local-networks = getHostLocalNetworks hostname;
admin-users = domain.admin-users;
};
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "FIXME";
external-interface = "extif0";
password-file = "FIXME";
};
mail-server = domain.mail-config // {
enableContainer = true;
monitoring = true;
hostname = mail-hostname;
state-directory = "FIXME";
mail-directory = "FIXME";
dovecot.ldap = {
reader-dn = "FIXME";
reader-password = "FIXME";
server-urls = [ "FIXME" ];
};
clamav.enable = true;
dkim.signing = true;
};
git = {
enable = true;
hostname = "git.fudo.org";
site-name = "Fudo Git";
user = "FIXME";
database = {
user = "FIXME";
password-file = "FIXME";
hostname = "127.0.0.1";
name = "FIXME";
};
repository-dir = "FIXME";
state-dir = "FIXME";
ssh = {
listen-ip = git-server-ip;
listen-port = 22;
};
};
minecraft-server = {
enable = true;
package = pkgs.minecraft-current;
data-dir = "FIXME";
world-name = "selbyland";
motd = "Welcome to the Selby Minecraft server.";
};
};
networking = {
intif0 = {
ipv4.addresses = [{
address = "192.168.11.1";
prefixLength = 24;
}];
};
extif0 = {
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 28;
}
{
address = git-server-ip;
prefixLength = 32;
}
];
};
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisations = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"mail.fudo.org" = {
enableACME = true;
locations."/".return = "301 https://webmail.fudo.org$request_uri";
};
};
};
};
};
{
description = "Primary fudo.org server.";
docker-server = true;
ssh-fingerprints = [
"1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94"
"1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80"
"4 1 c95a198f504a589fc62893a95424b12f0b24732d"
"4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96"
];
rp = "admin";
admin-email = "admin@fudo.org";
domain = "fudo.org";
site = "portage";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn";
}

45
config/hosts/lambda.nix
View File

@ -1,32 +1,15 @@
{ config, lib, pkgs, ... }:
let primary-ip = "10.0.0.3";
in {
fudo.slynk.enable = true;
networking = {
interfaces = {
enp3s0f0.useDHCP = false;
enp3s0f1.useDHCP = false;
enp4s0f0.useDHCP = false;
enp4s0f1.useDHCP = false;
extif0 = {
useDHCP = false;
ipv4.addresses = [{
address = primary-ip;
prefixLength = 22;
}];
};
};
};
fudo.ipfs = {
enable = true;
users = [ "niten" ];
api-address = "/ip4/${primary-ip}/tcp/5001";
};
# TODO: add camera
{
description = "sea.fudo.org experiment server.";
docker-server = true;
ssh-fingerprints = [
"1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35"
"1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88"
"4 1 a689caa9f1e75c6378efed592bc0d623e4b7d199"
"4 2 5856ae661077203fba74a226dd77a17d69d6fda8ab960bfeb22a14c253f4472f"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
}

70
config/hosts/limina.nix
View File

@ -1,56 +1,16 @@
{ config, lib, pkgs, ... }:
with lib; {
config = {
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
environment.etc = {
nixos.source = "/state/nixos";
adjtime.source = "/state/etc/adjtime";
NIXOS.source = "/state/etc/NIXOS";
machine-id.source = "/state/etc/machine-id";
"host-config.nix".source = "/state/etc/host-config.nix";
};
system.stateVersion = "20.09";
boot.initrd.postDeviceCommands = lib.mkAfter ''
${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
'';
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
"L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
services = {
openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
};
{
description = "Seattle Gateway Server.";
ssh-fingerprints = [
"1 1 36cbb85f83e84a4052777cf9b3cfb0f7947f3e4e"
"1 2 041c59238f599f7a3a4ec39151f5bc79fdcf917ec7ef2c400ed19a8d148fbeeb"
"4 1 07318d35f52203d337d4f457acc6d00ebf0e1aad"
"4 2 c58ef49cb6e150995ae0bd5dd502a0fc18289caf1438fb0bc9821455c8d1f41f"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
}

184
config/hosts/nostromo.nix
View File

@ -1,169 +1,17 @@
{ config, lib, pkgs, ... }:
let
primary-ip = "10.0.0.1";
dns-proxy-ip = "10.0.0.5";
in {
fudo.local-network = let
hostname = config.instance.hostname;
site-name = config.fudo.hosts.${hostname}.site;
site = config.fudo.site.${site-name};
in {
enable = true;
dns-servers = site.dns-servers;
gateway = site.gateway;
dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
server-ip = primary-ip;
};
fudo.slynk.enable = true;
# systemd.network.networks.eno2 = {
# extraConfig = {
# IPv6AcceptRA = true;
# IPv6PrefixDelegation = "dhcpv6";
# };
# };
networking = {
# dhcpd.extraConfig = ''
# interface eno2
# ia_na 1
# ia_pd 2 eno2/0
# '';
eno1.useDHCP = false;
eno2.useDHCP = false;
eno3.useDHCP = false;
eno4.useDHCP = false;
enp33s0f0.useDHCP = false;
enp33s0f1.useDHCP = false;
enp9s0f0.useDHCP = false;
enp9s0f1.useDHCP = false;
intif0 = {
useDHCP = false;
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 22;
}
{
address = dns-proxy-ip;
prefixLength = 32;
}
];
};
extif0 = { useDHCP = true; };
nat = {
enable = true;
externalInterface = "extif0";
internalInterfaces = [ "intif0" ];
};
};
fudo = {
client.dns = {
enable = true;
ipv4 = true;
ipv6 = true;
user = "fudo-client";
external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd";
};
secure-dns-proxy = {
enable = true;
port = 3535;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
listen-ips = [ dns-proxy-ip ];
};
};
virtualization = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
libvirtd = {
enable = true;
qemuPackage = pkgs.qemu_kvm;
onShutdown = "shutdown";
};
};
docker-containers = {
pihole = {
image = "pihole/pihole:4.3.2-1";
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org";
DNS1 = dns-proxy-ip;
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
security.acme.certs = {
"sea-camera.fudo.link".email = "niten@fudo.org";
"sea-camera-od.fudo.link".email = "niten@fudo.org";
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"sea-camera.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
# Supposed to be for object detection...
"sea-camera-od.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon-od.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
"pihole.sea.fudo.org" = {
serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ];
locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
};
};
};
};
{
description = "sea.fudo.org gateway box and primary server.";
docker-server = true;
ssh-fingerprints = [
"1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
"1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e"
"4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42"
"4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb";
}

64
config/hosts/plato.nix
View File

@ -1,50 +1,16 @@
{ config, lib, pkgs, ... }:
with lib; {
config = {
environment.etc = {
nixos.source = "/state/nixos";
adjtime.source = "/state/etc/adjtime";
NIXOS.source = "/state/etc/NIXOS";
machine-id.source = "/state/etc/machine-id";
"host-config.nix".source = "/state/etc/host-config.nix";
};
system.stateVersion = "20.09";
boot.initrd.postDeviceCommands = lib.mkAfter ''
${pkgs.zfs}/bin/zfs rollback -r zroot/transient/root@blank
'';
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - /state/root/gnupg"
"L /root/.emacs.d - - - - /state/root/emacs.d"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key"
"L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key"
];
services = {
openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
};
{
description = "Niten's toy server.";
ssh-fingerprints = [
"4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9"
"4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c"
"1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e"
"1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3"
];
rp = "niten";
admin-email = "niten@fudo.org";
domain = "sea.fudo.org";
site = "seattle";
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b";
}

4
config/hosts/procul.nix Normal file
View File

@ -0,0 +1,4 @@
{
description = "informis.land server.";
docker-server = true;
}

3
config/hosts/pselby-work.nix Normal file
View File

@ -0,0 +1,3 @@
{
description = "Google Lenovo work laptop.";
}

24
config/hosts/spark.nix
View File

@ -1,16 +1,14 @@
{ config, lib, pkgs, ... }:
{
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
description = "Niten's backup desktop.";
ssh-fingerprints = [
"1 1 d26812dee9b26a19a52c38d2b346442979093142"
"1 2 981db46fdd0ad1639651c700a527602425237c1d4999265372ed92e093a965b3"
"4 1 67fa0a36e51fd4a5ed2b71ff9817cb9a372d0a63"
"4 2 c17d46061d722e1e6c878341b8e3c0bf87ea6e0e1426c54a989107dfb604d81b"
];
fudo.slynk.enable = true;
networking = {
interfaces = {
extif0 = { useDHCP = true; };
};
};
rp = "niten";
admin-email = "niten@fudo.org";
enable-gui = true;
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO67/CNhiG9UynaflmZUUK7f3O/GwFpnXri/PxpgHcPa";
}

13
config/hosts/upstairs-desktop.nix Normal file
View File

@ -0,0 +1,13 @@
{
description = "Upstairs desktop in Russell.";
ssh-fingerprints = [
"1 1 f927527d712391b57aef6d2e7c3f225a86b62bf4"
"1 2 17aece61156ba14c439aeae2e7b0f86daf97eea904241c35980f974ca1744c3d"
"3 1 70f5f613e66e53a74534d33cd7ebf248cfdc3024"
"3 2 774f1f00614751e51faa0add55183973893313d3a236d269adc3ab3c1f67c952"
"4 1 e81e07d1ae7526c457a46ab1f18af3c016b4f48e"
"4 2 e5af579cfb7f68b22492f5286b5249c5de74debf2a6cac78c070790f424566aa"
];
rp = "niten";
admin-email = "niten@fudo.org";
}

27
config/hosts/zbox.nix
View File

@ -1,19 +1,14 @@
{ config, lib, pkgs, ... }:
{
system.stateVersion = "20.09";
# TODO: remove?
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
description = "Niten's primary desktop.";
ssh-fingerprints = [
"1 1 3aff8c913615c81512be3a42fc83daeb90d94a3d"
"1 2 39c7500f08022963f3f2db4f3ebb7aad08c92d0cc937984ba86c4eba204ed493"
"4 1 862842d99f5afb33db4f073d2f3d1154c6417110"
"4 2 373536d3d59f2354b1bfc25c02120c86e9b3af574b6c1984210d9e9c1d5244e3"
];
fudo.slynk.enable = true;
networking = {
interfaces = {
eno1.useDHCP = false;
intif0 = { useDHCP = true; };
};
};
rp = "niten";
admin-email = "niten@fudo.org";
enable-gui = true;
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKVhHfRf2086SAqOmu2dNbsJI9UUAQWop+1lrcJlNgl8";
}

0
config/profiles/common-ui.nix → config/profile-config/common-ui.nix
View File

0
config/profiles/common.nix → config/profile-config/common.nix
View File

0
config/profiles/desktop.nix → config/profile-config/desktop.nix
View File

0
config/profiles/laptop.nix → config/profile-config/laptop.nix
View File

0
config/profiles/server.nix → config/profile-config/server.nix
View File

0
config/sites/joes-datacenter-0.nix → config/site-config/joes-datacenter-0.nix
View File

0
config/sites/portage.nix → config/site-config/portage.nix
View File

0
config/sites/russell.nix → config/site-config/russell.nix
View File

0
config/sites/seattle.nix → config/site-config/seattle.nix
View File

3
configuration.nix
View File

@ -8,9 +8,6 @@ in {
imports = [
(initialize {
hostname = local.hostname;
profile = local.profile;
site = local.site;
domain = local.domain;
home-manager-package = builtins.fetchGit {
url = "https://github.com/nix-community/home-manager.git";
ref = "release-20.09";

21
initialize.nix
View File

@ -1,27 +1,24 @@
{ hostname, profile, domain, site, home-manager-package, pkgs, ... }:
{ hostname, home-manager-package, pkgs, ... }:
{
let
host-config = import (./. + "/config/hosts/${hostname}.nix");
in {
imports = [
./lib
./config
./packages
(./. + "/config/hardware/${hostname}.nix")
(./. + "/config/hosts/${hostname}.nix")
(./. + "/config/profiles/${profile}.nix")
(./. + "/config/domains/${domain}.nix")
(./. + "/config/sites/${site}.nix")
(./. + "/config/host-config/${hostname}.nix")
(./. + "/config/profile-config/${host-config.profile}.nix")
(./. + "/config/domain-config/${host-config.domain}.nix")
(./. + "/config/site-config/${host-config.site}.nix")
(import "${home-manager-package}/nixos")
];
config = {
instance = { hostname = hostname; };
fudo.hosts."${hostname}" = {
domain = domain;
site = site;
profile = profile;
};
};
}

2
lib/fudo/hosts.nix
View File

@ -78,7 +78,7 @@ let
ssh-fingerprints = mkOption {
type = listOf str;
description = ''
A list of DNS SSHFP records for this host.
A list of DNS SSHFP records for this host. Get with `ssh-keygen -r <hostname>`
'';
default = [ ];
};