diff --git a/config/client.nix b/config/client.nix index a45f40a..f88dbcf 100644 --- a/config/client.nix +++ b/config/client.nix @@ -11,7 +11,7 @@ let config.fudo.secrets.host-secrets.${config.instance.hostname}; host-password-files = mapAttrs (hostname: hostOpts: - make-password-file hostname) config.fudo.hosts; + make-passwd-file hostname) config.fudo.hosts; in { config = { @@ -19,7 +19,7 @@ in { secrets.host-secrets = mapAttrs (hostname: hostOpts: { backplane-client-passwd = { source-file = host-password-files.${hostname}; - target-file = "/var/fudo/client/passwd"; + target-file = "/var/fudo/backplane-client/passwd"; user = config.fudo.client.dns.user; }; }) config.fudo.hosts; diff --git a/config/default.nix b/config/default.nix index 4a81385..a8a443a 100644 --- a/config/default.nix +++ b/config/default.nix @@ -4,6 +4,7 @@ imports = [ ./aliases.nix ./bash.nix + ./client.nix ./common.nix ./domains.nix ./groups.nix diff --git a/config/hardware/cashew.nix b/config/hardware/cashew.nix index 865d469..1e0aaa9 100644 --- a/config/hardware/cashew.nix +++ b/config/hardware/cashew.nix @@ -1,5 +1,19 @@ { config, lib, pkgs, ... }: { + networking = { + useDHCP = false; + macvlans = { + extif0 = { + interface = "eno2"; + mode = "bridge"; + }; + }; + + interfaces = { + extif0.macAddress = + pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0"; + }; + }; } diff --git a/config/host-config/cashew.nix b/config/host-config/cashew.nix index b78744d..88500cb 100644 --- a/config/host-config/cashew.nix +++ b/config/host-config/cashew.nix @@ -3,13 +3,10 @@ with lib; let hostname = config.instance.hostname; - host-ipv4 = pkgs.lib.fudo.network.host-ipv4 config hostname; + host-ipv4 = "208.81.4.82"; site-name = config.fudo.hosts.${hostname}.site; site = config.fudo.sites.${site-name}; - network-prefix-length = - pkgs.lib.fudo.ip.getNetworkMask site.network; - local-packages = with pkgs; [ bind ]; 
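Review bot: The credential's `target-file` moves to `/var/fudo/backplane-client/passwd`, a persistent on-disk location, whereas the `backplane-client.nix` module deleted later in this commit placed the same password under `/run/backplane/client/passwd` (tmpfs, cleared on reboot); if the password only needs to exist while the host is up, keeping it under `/run` avoids leaving a copy on persistent storage. Only `source-file`, `target-file` and `user` are set here — no mode is visible — so confirm the secrets module defaults to owner-only permissions for the deployed file. The deleted module also pointed `fudo.client.dns.password-file` at the deployed path; nothing in this hunk re-establishes that binding, so verify it is set elsewhere in `client.nix`, otherwise the DNS client will keep reading the old location. The `config` attribute set this hunk edits begins before line 19 and ends after it.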
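Review bot: `host-ipv4 = "208.81.4.82";` replaces a lookup through `pkgs.lib.fudo.network.host-ipv4`, and the same literal is added elsewhere in this commit — `config/networks/fudo.org.nix`, the container block in `nutboy3.nix`, and as `208.81.4.80/29` in `sites.nix` — so the address now lives in four places that will drift the next time the /29 changes. Because `sites.nuttyclub-vm.network` and `hosts.cashew.ipv4-address` receive real values in this same commit, the removed `network-prefix-length = pkgs.lib.fudo.ip.getNetworkMask site.network;` and the original `host-ipv4` lookup would presumably evaluate again. If the literal is deliberate (for instance to break an evaluation cycle), a one-line comment such as `# literal on purpose: fudo.network.host-ipv4 cannot be used here because …` would stop the next reader from reverting it. The `let` block this hunk edits continues past the hunk.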
@@ -25,7 +22,7 @@ in { interfaces.extif0 = { ipv4.addresses = [{ address = host-ipv4; - prefixLength = network-prefix-length; + prefixLength = 29; }]; }; }; diff --git a/config/host-config/nutboy3.nix b/config/host-config/nutboy3.nix index 3a7a955..732b949 100644 --- a/config/host-config/nutboy3.nix +++ b/config/host-config/nutboy3.nix @@ -25,8 +25,6 @@ in { config = { networking = { - enableIPv6 = true; - nameservers = [ "1.1.1.1" ]; defaultGateway = { address = site.gateway-v4; 
@@ -201,33 +199,108 @@ in { }; containers.cashew = let - initialize-host = import ../../initialize.nix; - build-timestamp = config.instance.build-timestamp; - site = "nuttyclub-vm"; - domain = config.instance.local-domain; - profile = "container"; + local-packages = with pkgs; [ + bind + vim + ]; in { autoStart = true; bindMounts = { - + "/state" = { + hostPath = "/state/cashew"; + isReadOnly = false; + }; + "/etc/bind" = { + hostPath = "/state/cashew/bind"; + isReadOnly = false; + }; + "/var/log" = { + hostPath = "/state/cashew/logs"; + isReadOnly = false; + }; + "/home" = { + hostPath = "/state/cashew/home"; + isReadOnly = false; + }; + "/etc/dns-root-data" = { + hostPath = "${pkgs.dns-root-data}/"; + isReadOnly = true; + }; }; - config = { pkgs, ... }: { - imports = [ - (initialize-host { - inherit - lib - pkgs - build-timestamp - site - domain - profile; - hostname = "cashew"; - }) - ]; + interfaces = [ "eno2" ]; - instance.build-seed = build-seed; + config = { ... }: { + nixpkgs.pkgs = pkgs; + + environment.systemPackages = local-packages; + + users = { + users = { + niten = config.users.users.niten; + reaper = config.users.users.reaper // { + openssh.authorizedKeys.keys = [ + "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADtR1gMK7JnIOht8yZNPROr+0VHgt5eWrGFPscVPk1crVuEvIv1MF544Qk1IHi+2OA2xUvI1BTgmXp3TLvCjEn4lQF4Uc5hcUGENS6TNMPByHx69rAeXVMtmjW0sL4Tbhqd0iNh85STdtzXNZUY31+A6ugrJSnvnSt5wv9ZpMz0SFIE1Q==" + ]; + }; + root.openssh.authorizedKeys.keys = [ + "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADtR1gMK7JnIOht8yZNPROr+0VHgt5eWrGFPscVPk1crVuEvIv1MF544Qk1IHi+2OA2xUvI1BTgmXp3TLvCjEn4lQF4Uc5hcUGENS6TNMPByHx69rAeXVMtmjW0sL4Tbhqd0iNh85STdtzXNZUY31+A6ugrJSnvnSt5wv9ZpMz0SFIE1Q==" + ]; + }; + groups = { + wheel.members = [ + "niten" + "reaper" + ]; + dns = { + members = [ + "niten" + "reaper" + "named" + ]; + }; + }; + }; + + networking = { + defaultGateway = { + address = "208.81.4.81"; + interface = "eno2"; + }; 
+ + interfaces.eno2 = { + ipv4.addresses = [{ + address = "208.81.4.82"; + prefixLength = 29; + }]; + }; + }; + + services = { + bind = { + enable = true; + configFile = "/etc/bind/named.conf"; + }; + + openssh = { + enable = true; + startWhenNeeded = true; + useDns = true; + permitRootLogin = "prohibit-password"; + hostKeys = [ + { + path = "/state/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/state/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + } + ]; + }; + }; }; }; }; diff --git a/config/hosts/cashew.nix b/config/hosts/cashew.nix index ced361a..fa78817 100644 --- a/config/hosts/cashew.nix +++ b/config/hosts/cashew.nix @@ -9,4 +9,8 @@ arch = "x86_64-linux"; nixos-system = true; machine-id = "e5f456e3183a4dc186181a70bc3af2d1"; + master-key = { + public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5/2uOE13eKUnXboxPYoZxZkS6sw5m0emR684HFr34l"; + key-path = "/state/master-key/ed25519_key"; + }; } diff --git a/config/networks/fudo.org.nix b/config/networks/fudo.org.nix index 6373558..5423b43 100644 --- a/config/networks/fudo.org.nix +++ b/config/networks/fudo.org.nix @@ -136,6 +136,7 @@ }; hosts = { + cashew = { ipv4-address = "208.81.4.82"; }; cisco = { ipv4-address = "198.163.150.211"; }; cisco-int = { ipv4-address = "10.73.77.10"; }; cupid = { ipv4-address = "208.38.36.100"; }; diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix index e198f0e..664d7ea 100644 --- a/config/profile-config/common.nix +++ b/config/profile-config/common.nix @@ -142,9 +142,9 @@ in { package = pkgs.openssh_gssapi; extraConfig = '' - GSSAPIAuthentication yes - GSSAPIDelegateCredentials yes - ''; + GSSAPIAuthentication yes + GSSAPIDelegateCredentials yes + ''; }; }; diff --git a/config/profile-config/host/backplane-client.nix b/config/profile-config/host/backplane-client.nix deleted file mode 100644 index 2fc6f26..0000000 --- a/config/profile-config/host/backplane-client.nix +++ /dev/null 
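Review bot: The rewritten `containers.cashew` exposes an authoritative `bind` and an `sshd` with `permitRootLogin = "prohibit-password"` plus a root authorized key on public `208.81.4.82` through the passed-through `eno2`, but a NixOS container is not a hardening boundary — the NixOS manual warns that root inside a container can affect the host — so a compromise of either service reaches nutboy3. The root key is byte-identical to `reaper`'s and `reaper` is already in `wheel`, so the root entry adds exposure without adding access; I would drop `root.openssh.authorizedKeys.keys` and set `permitRootLogin = "no";`. The `dns` group mixes the `named` service account with both human users while `/etc/bind` is an `isReadOnly = false` mount that holds `configFile = "/etc/bind/named.conf"`; if `/state/cashew/bind` is group-writable on the host, the daemon can rewrite its own configuration, which is worth checking there. Dropping the `initialize.nix` import also means whatever the `container` profile previously applied (the fudo modules, the sshd settings from `profile-config/common.nix`) no longer reaches this container — presumably intended, but a comment at `config = { ... }:` saying so would help. The `containers.cashew` attribute is complete within the hunk, but the enclosing `config = {` of nutboy3.nix begins before line 199.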
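Review bot: `key-path = "/state/master-key/ed25519_key"` names a private key by absolute path, and when cashew runs as the container defined in `nutboy3.nix` its `/state` is the host's `/state/cashew` mounted read-write, so the key actually resides at `/state/cashew/master-key/ed25519_key` on nutboy3 and is exposed to anyone with access to that tree on the host. Confirm the file is mode 0600 and owned by the intended user on the host side, not only as seen from inside the container. A comment beside `key-path`, `# in the container deployment this resolves to /state/cashew/master-key/… on the host`, would make the dependency explicit. The attribute set this hunk extends begins before line 9.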
@@ -1,21 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - hostname = config.instance.hostname; - host-cfg = config.fudo.hosts.${hostname}; - secrets = config.fudo.secrets.host-secrets.${hostname}; - -in { - config.fudo = { - secrets.host-secrets.${hostname} = { - backplane-passwd = { - source-file = host-cfg.backplane-password-file; - target-file = "/run/backplane/client/passwd"; - user = config.fudo.client.dns.user; - }; - }; - - client.dns.password-file = - secrets.backplane-passwd.target-file; - }; -} diff --git a/config/site-config/mobile.nix b/config/site-config/mobile.nix new file mode 100644 index 0000000..865d469 --- /dev/null +++ b/config/site-config/mobile.nix @@ -0,0 +1,5 @@ +{ config, lib, pkgs, ... }: + +{ + +} diff --git a/config/sites.nix b/config/sites.nix index 1fdd6c0..71366a0 100644 --- a/config/sites.nix +++ b/config/sites.nix @@ -51,8 +51,8 @@ }; nuttyclub-vm = { - gateway-v4 = "FIXME"; - network = "FIXME/29"; + gateway-v4 = "208.81.4.81"; + network = "208.81.4.80/29"; nameservers = [ "1.1.1.1" ]; timezone = "America/Winnipeg"; deploy-pubkeys = [ diff --git a/flake.lock b/flake.lock index 6e1cd72..dc0b9ea 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,26 +1,38 @@ { "nodes": { - "backplane-passwords": { - "flake": false, - "locked": { - "narHash": "sha256-Bf5sVg4oSg6uCKMJl21btfBH4NQI/Wz4SU9j130Shyg=", - "path": "./backplane-passwords", - "type": "path" - }, - "original": { - "path": "./backplane-passwords", - "type": "path" - } - }, "build-keypairs": { "flake": false, "locked": { "narHash": "sha256-4eRLRLCzZ6kQIRZqy51bj60jhFSQ/wlKLeNgABPhTyw=", - "path": "./build-keypairs", + "path": "/state/secrets/build-keypairs", "type": "path" }, "original": { - "path": "./build-keypairs", + "path": "/state/secrets/build-keypairs", + "type": "path" + } + }, + "build-seed": { + "flake": false, + "locked": { + "narHash": "sha256-6rzGK/itD/RBRoNGw1L2wLV1IcVbn2b0V49ay1J9z7k=", + "path": "/state/secrets/build.seed", + "type": "path" + }, + "original": { + "path": "/state/secrets/build.seed", + "type": "path" + } + }, + "dnssec-keys": { + "flake": false, + "locked": { + "narHash": "sha256-KGZFtyc7Sd5mGjLxnM+R/XnCtOwyZ4IuOMcblIjlCnM=", + "path": "/state/secrets/dnssec-keys", + "type": "path" + }, + "original": { + "path": "/state/secrets/dnssec-keys", "type": "path" } }, @@ -193,11 +205,11 @@ "flake": false, "locked": { "narHash": "sha256-K2wdsA4vcNTaLR9A9qxB+aMaeANL0LXOwBWvUm63lX0=", - "path": "./filesystem-keys", + "path": "/state/secrets/filesystem-keys", "type": "path" }, "original": { - "path": "./filesystem-keys", + "path": "/state/secrets/filesystem-keys", "type": "path" } }, 
@@ -220,29 +232,44 @@ "inputs": { "doom-emacs": "doom-emacs", "home-manager": "home-manager", - "niten-doom-config": "niten-doom-config" + "niten-doom-config": "niten-doom-config", + "nixpkgs": "nixpkgs_2" }, "locked": { - "narHash": "sha256-7vxYISWq8BAp88ej37PCdv9Rg6+WgTtFxcOVBH6C1Sw=", - "path": "./nix-home", + "narHash": "sha256-7Yl9CqBD8dahWQvJJEKrvqUMLDYkoLTApNP7BzqGGpg=", + "path": "/state/nixops/fudo-home", "type": "path" }, "original": { - "path": "./nix-home", + "path": "/state/nixops/fudo-home", + "type": "path" + } + }, + "fudo-pkgs": { + "locked": { + "narHash": "sha256-XwEs/VkqJp1mNwYUeBUqCPrW6GUEwAxbXMVOy7bF2P8=", + "path": "/state/nixops/fudo-pkgs", + "type": "path" + }, + "original": { + "path": "/state/nixops/fudo-pkgs", "type": "path" } }, "fudo-secrets": { "inputs": { - "backplane-passwords": "backplane-passwords", "build-keypairs": "build-keypairs", + "build-seed": "build-seed", + "dnssec-keys": "dnssec-keys", "filesystem-keys": "filesystem-keys", "host-keytabs": "host-keytabs", + "realm-master-keys": "realm-master-keys", + "service-keytabs": "service-keytabs", "service-passwords": "service-passwords", "ssh-keypairs": "ssh-keypairs" }, "locked": { - "narHash": "sha256-cCvorbK8puCKs25oad9l11xveVq2UfKcAs+FJ4LD8r0=", + "narHash": "sha256-Q89s52d8KAMIbxh7aBoUwUTFAbgUBE5IaAIwd267k20=", "path": "/state/secrets", "type": "path" }, @@ -253,7 +280,10 @@ }, "home-manager": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": [ + "fudo-home", + "nixpkgs" + ] }, "locked": { "lastModified": 1633291410, @@ -273,12 +303,12 @@ "host-keytabs": { "flake": false, "locked": { - "narHash": "sha256-yvGgY3mgzaGjYBNHr0m4Lg2rxrB0+CRlzWdJ2A06MeM=", - "path": "./kerberos/host-keytabs", + "narHash": "sha256-LzDfB9ubACWyQzjXzsPH6eNoESmSVcMFFb3V025Xgow=", + "path": "/state/secrets/kerberos/host-keytabs", "type": "path" }, "original": { - "path": "./kerberos/host-keytabs", + "path": "/state/secrets/kerberos/host-keytabs", "type": "path" } }, 
@@ -332,25 +362,26 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1633381874, - "narHash": "sha256-RkoVeo4K1IKqQzCI9W28UOyw4ic3Lhb3XoMDFDp7X74=", + "lastModified": 1636944046, + "narHash": "sha256-74KLDsiWSBsYXKj/ql9EGbw1TbIJRE7clFkhl30HV/c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "35b808214a1ca158a04d6980cb95cc1a77ce1f94", + "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4", "type": "github" }, "original": { "id": "nixpkgs", + "ref": "nixos-21.05", "type": "indirect" } }, "nixpkgs_3": { "locked": { - "lastModified": 1633267966, - "narHash": "sha256-gFKvZ5AmV/dDTKXVxacPbXe4R0BsFpwtVaQxuIm2nnk=", + "lastModified": 1636944046, + "narHash": "sha256-74KLDsiWSBsYXKj/ql9EGbw1TbIJRE7clFkhl30HV/c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d", + "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4", "type": "github" }, "original": { @@ -455,6 +486,18 @@ "type": "github" } }, + "realm-master-keys": { + "flake": false, + "locked": { + "narHash": "sha256-5hDmPweE6lshRKA+AKRgJv7VwWxHsYekwMT32uAUKJU=", + "path": "/state/secrets/kerberos/master-keys", + "type": "path" + }, + "original": { + "path": "/state/secrets/kerberos/master-keys", + "type": "path" + } + }, "revealjs": { "flake": false, "locked": { @@ -474,6 +517,7 @@ "root": { "inputs": { "fudo-home": "fudo-home", + "fudo-pkgs": "fudo-pkgs", "fudo-secrets": "fudo-secrets", "nixpkgs": "nixpkgs_3" } 
@@ -494,27 +538,39 @@ "type": "github" } }, - "service-passwords": { + "service-keytabs": { "flake": false, "locked": { - "narHash": "sha256-JPMZdokzw+vyWoIKwgDhD60BYi5gch/MfgQyvx5AXZA=", - "path": "./service-passwords", + "narHash": "sha256-9lw22Gh1IDX+MtXMLi+o3XbjvqEhOiZQG9FiG/xz/U0=", + "path": "/state/secrets/kerberos/service-keytabs", "type": "path" }, "original": { - "path": "./service-passwords", + "path": "/state/secrets/kerberos/service-keytabs", + "type": "path" + } + }, + "service-passwords": { + "flake": false, + "locked": { + "narHash": "sha256-4xEJlPU+KeBtQuFqRlB1bzJMXUQ6a+DT2v3OptaHyTg=", + "path": "/state/secrets/service-passwords", + "type": "path" + }, + "original": { + "path": "/state/secrets/service-passwords", "type": "path" } }, "ssh-keypairs": { "flake": false, "locked": { - "narHash": "sha256-fD2ZTNMc399XtlVWLCU4crC0RZZ8yTZPFzEm9VWjiL8=", - "path": "./ssh-keypairs", + "narHash": "sha256-TlRfaYFuJxLUCarxZ1XYnW8PruKyYO5RErVGo5hTgo4=", + "path": "/state/secrets/ssh-keypairs", "type": "path" }, "original": { - "path": "./ssh-keypairs", + "path": "/state/secrets/ssh-keypairs", "type": "path" } } diff --git a/flake.nix b/flake.nix index 8791c88..9318843 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,25 +4,27 @@ inputs = { nixpkgs.url = "nixpkgs/nixos-21.05"; - fudo-home.url = "path:./nix-home"; + fudo-home.url = "path:/state/nixops/fudo-home"; + + fudo-pkgs.url = "path:/state/nixops/fudo-pkgs"; fudo-secrets.url = "path:/state/secrets"; }; - outputs = { self, nixpkgs, fudo-secrets, fudo-home, ... }: { + outputs = { self, nixpkgs, fudo-home, fudo-pkgs, fudo-secrets, ... }: { nixosConfigurations = let lib = nixpkgs.lib; hostlib = import ./lib/hosts.nix { inherit lib; }; - hosts = lib.filterAttrs (hostname: hostOpts: + nixos-hosts = lib.filterAttrs (hostname: hostOpts: hostOpts.nixos-system) (hostlib.base-host-config ./config/hosts); build-timestamp = self.sourceInfo.lastModified; - in lib.mapAttrs (hostname: hostOpts: let - pkgs = import nixpkgs { - system = hostOpts.arch; + + pkgs-for = arch: import nixpkgs { + system = arch; config = { allowUnfree = true; permittedInsecurePackages = [ @@ -30,20 +32,43 @@ ]; }; overlays = [ - (import ./fudo-pkgs/overlay.nix) + fudo-pkgs.overlay (import ./lib/overlay.nix) ]; }; - in lib.nixosSystem { + in lib.mapAttrs (hostname: hostOpts: let system = hostOpts.arch; + pkgs = pkgs-for system; + lib = pkgs.lib; + site = hostOpts.site; + domain = hostOpts.domain; + profile = hostOpts.profile; + build-seed = + builtins.readFile fudo-secrets.build-seed; + in nixpkgs.lib.nixosSystem { + inherit system; - modules = [ + modules = let + config-path = ./config; + in [ fudo-home.nixosModule fudo-secrets.nixosModule - (import ./initialize.nix { - inherit hostname lib pkgs build-timestamp fudo-secrets; + ./lib + ./config + + (config-path + /hardware/${hostname}.nix) + (config-path + /host-config/${hostname}.nix) + (config-path + /profile-config/${profile}.nix) + (config-path + /domain-config/${domain}.nix) + (config-path + /site-config/${site}.nix) + ({ ... }: { + config = { + instance = { + inherit hostname build-timestamp build-seed; + }; + }; }) ]; - }) hosts; + }) nixos-hosts; }; } 
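Review bot: `fudo-home` and `fudo-pkgs` now point at `path:/state/nixops/...`, so two more inputs are resolved from unversioned directories on the build machine; `flake.lock` records only a `narHash` for them with no upstream to compare against, and `fudo-pkgs.overlay` is applied to every host in the map. Whatever sits in `/state/nixops/fudo-pkgs` at evaluation time therefore becomes part of every system closure, and that directory needs the same write-access control as the flake repository itself. If these are git checkouts, a `git+file:` URL or a pinned forge URL would let the lock record a revision rather than just a content hash. The `outputs` function continues past the end of this hunk.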
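Review bot: `build-seed = builtins.readFile fudo-secrets.build-seed;` reads a value from the secrets input into the Nix evaluation and hands it to every host as `instance.build-seed`; any module that interpolates that option into a derivation writes the seed into the world-readable `/nix/store`, and since `fudo-secrets` is a `path:` flake input its tree is already copied into the store when the flake is evaluated (the `narHash` in `flake.lock` is the hash of that copy). If the seed is a stable but non-confidential build identifier, a comment at this line, `# build-seed is not secret: it is copied into the store`, removes the ambiguity; if it is confidential, consumers of `instance.build-seed` should read it at activation time from a path instead of via `readFile`. The `modules` list and `nixosSystem` call are complete within the hunk, but the `outputs` function begins before it.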
diff --git a/initialize.nix b/initialize.nix index f7bcd30..a45c3ee 100644 --- a/initialize.nix +++ b/initialize.nix @@ -2,8 +2,7 @@ with lib; let - # Get info on this host so we know what to load - config-dir = ./. + "/config"; + config-dir = ./config; in { imports = [