Changes for cashew, added mobile site

niten 2021-11-17 17:32:27 -08:00
parent b5cdfc7293
commit 451ee1d0ae
14 changed files with 262 additions and 108 deletions


@ -11,7 +11,7 @@ let
config.fudo.secrets.host-secrets.${config.instance.hostname};
host-password-files = mapAttrs (hostname: hostOpts:
make-password-file hostname) config.fudo.hosts;
make-passwd-file hostname) config.fudo.hosts;
in {
config = {
@ -19,7 +19,7 @@ in {
secrets.host-secrets = mapAttrs (hostname: hostOpts: {
backplane-client-passwd = {
source-file = host-password-files.${hostname};
target-file = "/var/fudo/client/passwd";
target-file = "/var/fudo/backplane-client/passwd";
user = config.fudo.client.dns.user;
};
}) config.fudo.hosts;


@ -4,6 +4,7 @@
imports = [
./aliases.nix
./bash.nix
./client.nix
./common.nix
./domains.nix
./groups.nix


@ -1,5 +1,19 @@
{ config, lib, pkgs, ... }:
{
networking = {
useDHCP = false;
macvlans = {
extif0 = {
interface = "eno2";
mode = "bridge";
};
};
interfaces = {
extif0.macAddress =
pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
};
};
}


@ -3,13 +3,10 @@
with lib;
let
hostname = config.instance.hostname;
host-ipv4 = pkgs.lib.fudo.network.host-ipv4 config hostname;
host-ipv4 = "208.81.4.82";
site-name = config.fudo.hosts.${hostname}.site;
site = config.fudo.sites.${site-name};
network-prefix-length =
pkgs.lib.fudo.ip.getNetworkMask site.network;
local-packages = with pkgs; [
bind
];
@ -25,7 +22,7 @@ in {
interfaces.extif0 = {
ipv4.addresses = [{
address = host-ipv4;
prefixLength = network-prefix-length;
prefixLength = 29;
}];
};
};
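Review bot: The host address is now hard-coded (`host-ipv4 = "208.81.4.82";` and `prefixLength = 29;`) even though the same commit fills in `nuttyclub-vm.network = "208.81.4.80/29"` and `hosts.cashew.ipv4-address = "208.81.4.82"` elsewhere, so the derived form being removed (`pkgs.lib.fudo.network.host-ipv4 config hostname` and `getNetworkMask site.network`) should now resolve to exactly these values. The literal lives in at least three places in this commit (this file, the hosts table, and the cashew container's `interfaces.eno2`), which is the kind of duplication that drifts silently on the next renumbering. Keeping `host-ipv4 = pkgs.lib.fudo.network.host-ipv4 config hostname;` and `prefixLength = network-prefix-length;` would preserve a single source of truth; if the hard-coding was a workaround for the earlier FIXME placeholders, a short comment saying so would help the next reader.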


@ -25,8 +25,6 @@ in {
config = {
networking = {
enableIPv6 = true;
nameservers = [ "1.1.1.1" ];
defaultGateway = {
address = site.gateway-v4;
@ -201,33 +199,108 @@ in {
};
containers.cashew = let
initialize-host = import ../../initialize.nix;
build-timestamp = config.instance.build-timestamp;
site = "nuttyclub-vm";
domain = config.instance.local-domain;
profile = "container";
local-packages = with pkgs; [
bind
vim
];
in {
autoStart = true;
bindMounts = {
"/state" = {
hostPath = "/state/cashew";
isReadOnly = false;
};
"/etc/bind" = {
hostPath = "/state/cashew/bind";
isReadOnly = false;
};
"/var/log" = {
hostPath = "/state/cashew/logs";
isReadOnly = false;
};
"/home" = {
hostPath = "/state/cashew/home";
isReadOnly = false;
};
"/etc/dns-root-data" = {
hostPath = "${pkgs.dns-root-data}/";
isReadOnly = true;
};
};
config = { pkgs, ... }: {
imports = [
(initialize-host {
inherit
lib
pkgs
build-timestamp
site
domain
profile;
hostname = "cashew";
})
];
interfaces = [ "eno2" ];
instance.build-seed = build-seed;
config = { ... }: {
nixpkgs.pkgs = pkgs;
environment.systemPackages = local-packages;
users = {
users = {
niten = config.users.users.niten;
reaper = config.users.users.reaper // {
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADtR1gMK7JnIOht8yZNPROr+0VHgt5eWrGFPscVPk1crVuEvIv1MF544Qk1IHi+2OA2xUvI1BTgmXp3TLvCjEn4lQF4Uc5hcUGENS6TNMPByHx69rAeXVMtmjW0sL4Tbhqd0iNh85STdtzXNZUY31+A6ugrJSnvnSt5wv9ZpMz0SFIE1Q=="
];
};
root.openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADtR1gMK7JnIOht8yZNPROr+0VHgt5eWrGFPscVPk1crVuEvIv1MF544Qk1IHi+2OA2xUvI1BTgmXp3TLvCjEn4lQF4Uc5hcUGENS6TNMPByHx69rAeXVMtmjW0sL4Tbhqd0iNh85STdtzXNZUY31+A6ugrJSnvnSt5wv9ZpMz0SFIE1Q=="
];
};
groups = {
wheel.members = [
"niten"
"reaper"
];
dns = {
members = [
"niten"
"reaper"
"named"
];
};
};
};
networking = {
defaultGateway = {
address = "208.81.4.81";
interface = "eno2";
};
interfaces.eno2 = {
ipv4.addresses = [{
address = "208.81.4.82";
prefixLength = 29;
}];
};
};
services = {
bind = {
enable = true;
configFile = "/etc/bind/named.conf";
};
openssh = {
enable = true;
startWhenNeeded = true;
useDns = true;
permitRootLogin = "prohibit-password";
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
};
};
};
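Review bot: `instance.build-seed = build-seed;` uses a name that is not bound in the `let` introduced for `containers.cashew` (it binds only initialize-host, build-timestamp, site, domain, profile and local-packages); unless the file's enclosing `let`, outside this hunk, defines it, evaluation fails, and `config.instance.build-seed` is presumably what was meant, since flake.nix in this commit now sets `instance.build-seed` for every host. Separately, sshd in the container sets `permitRootLogin = "prohibit-password"` and installs the same ecdsa key for both `root` and `reaper`, who is already in `wheel`; `permitRootLogin = "no";` keeps that key usable through the unprivileged account without exposing direct root logins. `useDns = true` only adds a reverse-lookup check and stalls logins whenever resolution is slow, which is more likely here because bind runs inside this same container, so consider dropping it. The container also claims `interfaces = [ "eno2" ]` while the new hardware file in this commit builds the host's macvlan `extif0` on `eno2`; whether both can coexist depends on setup order and is worth confirming on the host.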


@ -9,4 +9,8 @@
arch = "x86_64-linux";
nixos-system = true;
machine-id = "e5f456e3183a4dc186181a70bc3af2d1";
master-key = {
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5/2uOE13eKUnXboxPYoZxZkS6sw5m0emR684HFr34l";
key-path = "/state/master-key/ed25519_key";
};
}


@ -136,6 +136,7 @@
};
hosts = {
cashew = { ipv4-address = "208.81.4.82"; };
cisco = { ipv4-address = "198.163.150.211"; };
cisco-int = { ipv4-address = "10.73.77.10"; };
cupid = { ipv4-address = "208.38.36.100"; };


@ -142,9 +142,9 @@ in {
package = pkgs.openssh_gssapi;
extraConfig = ''
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
'';
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
'';
};
};


@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
let
hostname = config.instance.hostname;
host-cfg = config.fudo.hosts.${hostname};
secrets = config.fudo.secrets.host-secrets.${hostname};
in {
config.fudo = {
secrets.host-secrets.${hostname} = {
backplane-passwd = {
source-file = host-cfg.backplane-password-file;
target-file = "/run/backplane/client/passwd";
user = config.fudo.client.dns.user;
};
};
client.dns.password-file =
secrets.backplane-passwd.target-file;
};
}


@ -0,0 +1,5 @@
{ config, lib, pkgs, ... }:
{
}
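Review bot: The new client.nix is an empty module (`{ config, lib, pkgs, ... }: { }`), now pulled in by the profile's `imports` list, whereas the 21-line client.nix deleted in this commit was what declared the `backplane-passwd` host secret and set `client.dns.password-file = secrets.backplane-passwd.target-file`. If that wiring is now meant to come from the host-secrets hunk (which targets `/var/fudo/backplane-client/passwd`), nothing shown in the diff assigns `config.fudo.client.dns.password-file` to the new target, so the DNS backplane client would presumably start without its credential file; worth confirming that a module outside this diff sets it. If the empty module is a deliberate placeholder, a one-line comment such as `# Placeholder: backplane client wiring now lives in the host-secrets module` would save the next reader the search.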


@ -51,8 +51,8 @@
};
nuttyclub-vm = {
gateway-v4 = "FIXME";
network = "FIXME/29";
gateway-v4 = "208.81.4.81";
network = "208.81.4.80/29";
nameservers = [ "1.1.1.1" ];
timezone = "America/Winnipeg";
deploy-pubkeys = [


@ -1,26 +1,38 @@
{
"nodes": {
"backplane-passwords": {
"flake": false,
"locked": {
"narHash": "sha256-Bf5sVg4oSg6uCKMJl21btfBH4NQI/Wz4SU9j130Shyg=",
"path": "./backplane-passwords",
"type": "path"
},
"original": {
"path": "./backplane-passwords",
"type": "path"
}
},
"build-keypairs": {
"flake": false,
"locked": {
"narHash": "sha256-4eRLRLCzZ6kQIRZqy51bj60jhFSQ/wlKLeNgABPhTyw=",
"path": "./build-keypairs",
"path": "/state/secrets/build-keypairs",
"type": "path"
},
"original": {
"path": "./build-keypairs",
"path": "/state/secrets/build-keypairs",
"type": "path"
}
},
"build-seed": {
"flake": false,
"locked": {
"narHash": "sha256-6rzGK/itD/RBRoNGw1L2wLV1IcVbn2b0V49ay1J9z7k=",
"path": "/state/secrets/build.seed",
"type": "path"
},
"original": {
"path": "/state/secrets/build.seed",
"type": "path"
}
},
"dnssec-keys": {
"flake": false,
"locked": {
"narHash": "sha256-KGZFtyc7Sd5mGjLxnM+R/XnCtOwyZ4IuOMcblIjlCnM=",
"path": "/state/secrets/dnssec-keys",
"type": "path"
},
"original": {
"path": "/state/secrets/dnssec-keys",
"type": "path"
}
},
@ -193,11 +205,11 @@
"flake": false,
"locked": {
"narHash": "sha256-K2wdsA4vcNTaLR9A9qxB+aMaeANL0LXOwBWvUm63lX0=",
"path": "./filesystem-keys",
"path": "/state/secrets/filesystem-keys",
"type": "path"
},
"original": {
"path": "./filesystem-keys",
"path": "/state/secrets/filesystem-keys",
"type": "path"
}
},
@ -220,29 +232,44 @@
"inputs": {
"doom-emacs": "doom-emacs",
"home-manager": "home-manager",
"niten-doom-config": "niten-doom-config"
"niten-doom-config": "niten-doom-config",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"narHash": "sha256-7vxYISWq8BAp88ej37PCdv9Rg6+WgTtFxcOVBH6C1Sw=",
"path": "./nix-home",
"narHash": "sha256-7Yl9CqBD8dahWQvJJEKrvqUMLDYkoLTApNP7BzqGGpg=",
"path": "/state/nixops/fudo-home",
"type": "path"
},
"original": {
"path": "./nix-home",
"path": "/state/nixops/fudo-home",
"type": "path"
}
},
"fudo-pkgs": {
"locked": {
"narHash": "sha256-XwEs/VkqJp1mNwYUeBUqCPrW6GUEwAxbXMVOy7bF2P8=",
"path": "/state/nixops/fudo-pkgs",
"type": "path"
},
"original": {
"path": "/state/nixops/fudo-pkgs",
"type": "path"
}
},
"fudo-secrets": {
"inputs": {
"backplane-passwords": "backplane-passwords",
"build-keypairs": "build-keypairs",
"build-seed": "build-seed",
"dnssec-keys": "dnssec-keys",
"filesystem-keys": "filesystem-keys",
"host-keytabs": "host-keytabs",
"realm-master-keys": "realm-master-keys",
"service-keytabs": "service-keytabs",
"service-passwords": "service-passwords",
"ssh-keypairs": "ssh-keypairs"
},
"locked": {
"narHash": "sha256-cCvorbK8puCKs25oad9l11xveVq2UfKcAs+FJ4LD8r0=",
"narHash": "sha256-Q89s52d8KAMIbxh7aBoUwUTFAbgUBE5IaAIwd267k20=",
"path": "/state/secrets",
"type": "path"
},
@ -253,7 +280,10 @@
},
"home-manager": {
"inputs": {
"nixpkgs": "nixpkgs_2"
"nixpkgs": [
"fudo-home",
"nixpkgs"
]
},
"locked": {
"lastModified": 1633291410,
@ -273,12 +303,12 @@
"host-keytabs": {
"flake": false,
"locked": {
"narHash": "sha256-yvGgY3mgzaGjYBNHr0m4Lg2rxrB0+CRlzWdJ2A06MeM=",
"path": "./kerberos/host-keytabs",
"narHash": "sha256-LzDfB9ubACWyQzjXzsPH6eNoESmSVcMFFb3V025Xgow=",
"path": "/state/secrets/kerberos/host-keytabs",
"type": "path"
},
"original": {
"path": "./kerberos/host-keytabs",
"path": "/state/secrets/kerberos/host-keytabs",
"type": "path"
}
},
@ -332,25 +362,26 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1633381874,
"narHash": "sha256-RkoVeo4K1IKqQzCI9W28UOyw4ic3Lhb3XoMDFDp7X74=",
"lastModified": 1636944046,
"narHash": "sha256-74KLDsiWSBsYXKj/ql9EGbw1TbIJRE7clFkhl30HV/c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "35b808214a1ca158a04d6980cb95cc1a77ce1f94",
"rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05",
"type": "indirect"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1633267966,
"narHash": "sha256-gFKvZ5AmV/dDTKXVxacPbXe4R0BsFpwtVaQxuIm2nnk=",
"lastModified": 1636944046,
"narHash": "sha256-74KLDsiWSBsYXKj/ql9EGbw1TbIJRE7clFkhl30HV/c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d",
"rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4",
"type": "github"
},
"original": {
@ -455,6 +486,18 @@
"type": "github"
}
},
"realm-master-keys": {
"flake": false,
"locked": {
"narHash": "sha256-5hDmPweE6lshRKA+AKRgJv7VwWxHsYekwMT32uAUKJU=",
"path": "/state/secrets/kerberos/master-keys",
"type": "path"
},
"original": {
"path": "/state/secrets/kerberos/master-keys",
"type": "path"
}
},
"revealjs": {
"flake": false,
"locked": {
@ -474,6 +517,7 @@
"root": {
"inputs": {
"fudo-home": "fudo-home",
"fudo-pkgs": "fudo-pkgs",
"fudo-secrets": "fudo-secrets",
"nixpkgs": "nixpkgs_3"
}
@ -494,27 +538,39 @@
"type": "github"
}
},
"service-passwords": {
"service-keytabs": {
"flake": false,
"locked": {
"narHash": "sha256-JPMZdokzw+vyWoIKwgDhD60BYi5gch/MfgQyvx5AXZA=",
"path": "./service-passwords",
"narHash": "sha256-9lw22Gh1IDX+MtXMLi+o3XbjvqEhOiZQG9FiG/xz/U0=",
"path": "/state/secrets/kerberos/service-keytabs",
"type": "path"
},
"original": {
"path": "./service-passwords",
"path": "/state/secrets/kerberos/service-keytabs",
"type": "path"
}
},
"service-passwords": {
"flake": false,
"locked": {
"narHash": "sha256-4xEJlPU+KeBtQuFqRlB1bzJMXUQ6a+DT2v3OptaHyTg=",
"path": "/state/secrets/service-passwords",
"type": "path"
},
"original": {
"path": "/state/secrets/service-passwords",
"type": "path"
}
},
"ssh-keypairs": {
"flake": false,
"locked": {
"narHash": "sha256-fD2ZTNMc399XtlVWLCU4crC0RZZ8yTZPFzEm9VWjiL8=",
"path": "./ssh-keypairs",
"narHash": "sha256-TlRfaYFuJxLUCarxZ1XYnW8PruKyYO5RErVGo5hTgo4=",
"path": "/state/secrets/ssh-keypairs",
"type": "path"
},
"original": {
"path": "./ssh-keypairs",
"path": "/state/secrets/ssh-keypairs",
"type": "path"
}
}


@ -4,25 +4,27 @@
inputs = {
nixpkgs.url = "nixpkgs/nixos-21.05";
fudo-home.url = "path:./nix-home";
fudo-home.url = "path:/state/nixops/fudo-home";
fudo-pkgs.url = "path:/state/nixops/fudo-pkgs";
fudo-secrets.url = "path:/state/secrets";
};
outputs = { self, nixpkgs, fudo-secrets, fudo-home, ... }: {
outputs = { self, nixpkgs, fudo-home, fudo-pkgs, fudo-secrets, ... }: {
nixosConfigurations = let
lib = nixpkgs.lib;
hostlib = import ./lib/hosts.nix { inherit lib; };
hosts = lib.filterAttrs (hostname: hostOpts:
nixos-hosts = lib.filterAttrs (hostname: hostOpts:
hostOpts.nixos-system) (hostlib.base-host-config ./config/hosts);
build-timestamp = self.sourceInfo.lastModified;
in lib.mapAttrs (hostname: hostOpts: let
pkgs = import nixpkgs {
system = hostOpts.arch;
pkgs-for = arch: import nixpkgs {
system = arch;
config = {
allowUnfree = true;
permittedInsecurePackages = [
@ -30,20 +32,43 @@
];
};
overlays = [
(import ./fudo-pkgs/overlay.nix)
fudo-pkgs.overlay
(import ./lib/overlay.nix)
];
};
in lib.nixosSystem {
in lib.mapAttrs (hostname: hostOpts: let
system = hostOpts.arch;
pkgs = pkgs-for system;
lib = pkgs.lib;
site = hostOpts.site;
domain = hostOpts.domain;
profile = hostOpts.profile;
build-seed =
builtins.readFile fudo-secrets.build-seed;
in nixpkgs.lib.nixosSystem {
inherit system;
modules = [
modules = let
config-path = ./config;
in [
fudo-home.nixosModule
fudo-secrets.nixosModule
(import ./initialize.nix {
inherit hostname lib pkgs build-timestamp fudo-secrets;
./lib
./config
(config-path + /hardware/${hostname}.nix)
(config-path + /host-config/${hostname}.nix)
(config-path + /profile-config/${profile}.nix)
(config-path + /domain-config/${domain}.nix)
(config-path + /site-config/${site}.nix)
({ ... }: {
config = {
instance = {
inherit hostname build-timestamp build-seed;
};
};
})
];
}) hosts;
}) nixos-hosts;
};
}
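Review bot: `build-seed = builtins.readFile fudo-secrets.build-seed;` pulls the seed into a plain Nix string and hands it to every host's module set as `instance.build-seed`, and flake inputs of type `path` (the `path:/state/secrets` input it comes from) are copied into the Nix store when the flake is evaluated. Anything in the store is readable by every local user, so if any module interpolates `config.instance.build-seed` into a generated file or derivation the seed is exposed; confirm it is only ever consumed to derive non-secret values, or keep it out of evaluation and read it at activation time instead. Also, `lib = pkgs.lib;` inside the per-host `let` shadows the `lib = nixpkgs.lib;` binding above it; the two presumably differ by what `./lib/overlay.nix` adds, so a comment such as `# overlaid lib (adds fudo helpers); outer lib is plain nixpkgs.lib` would make the shadowing read as intentional.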


@ -2,8 +2,7 @@
with lib;
let
# Get info on this host so we know what to load
config-dir = ./. + "/config";
config-dir = ./config;
in {
imports = [