Changes for cashew, added mobile site

config/client.nix

@@ -11,7 +11,7 @@ let
     config.fudo.secrets.host-secrets.${config.instance.hostname};
 
   host-password-files = mapAttrs (hostname: hostOpts:
-    make-password-file hostname) config.fudo.hosts;
+    make-passwd-file hostname) config.fudo.hosts;
 
 in {
   config = {
@@ -19,7 +19,7 @@ in {
       secrets.host-secrets = mapAttrs (hostname: hostOpts: {
         backplane-client-passwd = {
           source-file = host-password-files.${hostname};
-          target-file = "/var/fudo/client/passwd";
+          target-file = "/var/fudo/backplane-client/passwd";
           user = config.fudo.client.dns.user;
         };
       }) config.fudo.hosts;

config/default.nix

@@ -4,6 +4,7 @@
         imports = [
                 ./aliases.nix
                 ./bash.nix
+                ./client.nix
                 ./common.nix
                 ./domains.nix
                 ./groups.nix

config/hardware/cashew.nix

@@ -1,5 +1,19 @@
 { config, lib, pkgs, ... }:
 
 {
+  networking = {
+    useDHCP = false;
 
+    macvlans = {
+      extif0 = {
+        interface = "eno2";
+        mode = "bridge";
+      };
+    };
+
+    interfaces = {
+      extif0.macAddress =
+        pkgs.lib.fudo.network.generate-mac-address config.instance.hostname "extif0";
+    };
+  };
 }

config/host-config/cashew.nix

@@ -3,13 +3,10 @@
 with lib;
 let
   hostname = config.instance.hostname;
-  host-ipv4 = pkgs.lib.fudo.network.host-ipv4 config hostname;
+  host-ipv4 = "208.81.4.82";
   site-name = config.fudo.hosts.${hostname}.site;
   site = config.fudo.sites.${site-name};
 
-  network-prefix-length =
-    pkgs.lib.fudo.ip.getNetworkMask site.network;
-
   local-packages = with pkgs; [
     bind
   ];
@@ -25,7 +22,7 @@ in {
       interfaces.extif0 = {
         ipv4.addresses = [{
           address = host-ipv4;
-          prefixLength = network-prefix-length;
+          prefixLength = 29;
         }];
       };
     };

config/host-config/nutboy3.nix

@@ -25,8 +25,6 @@ in {
 
   config = {
     networking = {
-      enableIPv6 = true;
-
       nameservers = [ "1.1.1.1" ];
       defaultGateway = {
         address = site.gateway-v4;
@@ -201,33 +199,108 @@ in {
     };
 
     containers.cashew = let
-      initialize-host = import ../../initialize.nix;
+      local-packages = with pkgs; [
-      build-timestamp = config.instance.build-timestamp;
+        bind
-      site = "nuttyclub-vm";
+        vim
-      domain = config.instance.local-domain;
+      ];
-      profile = "container";
     in {
       autoStart = true;
 
       bindMounts = {
-
+        "/state" = {
+          hostPath = "/state/cashew";
+          isReadOnly = false;
+        };
+        "/etc/bind" = {
+          hostPath = "/state/cashew/bind";
+          isReadOnly = false;
+        };
+        "/var/log" = {
+          hostPath = "/state/cashew/logs";
+          isReadOnly = false;
+        };
+        "/home" = {
+          hostPath = "/state/cashew/home";
+          isReadOnly = false;
+        };
+        "/etc/dns-root-data" = {
+          hostPath = "${pkgs.dns-root-data}/";
+          isReadOnly = true;
+        };
       };
 
-      config = { pkgs, ... }: {
+      interfaces = [ "eno2" ];
-        imports = [
-          (initialize-host {
-            inherit
-              lib
-              pkgs
-              build-timestamp
-              site
-              domain
-              profile;
-            hostname = "cashew";
-          })
-        ];
 
-        instance.build-seed = build-seed;
+      config = { ... }: {
+        nixpkgs.pkgs = pkgs;
+
+        environment.systemPackages = local-packages;
+
+        users = {
+          users = {
+            niten = config.users.users.niten;
+            reaper = config.users.users.reaper // {
+              openssh.authorizedKeys.keys = [
+                "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADtR1gMK7JnIOht8yZNPROr+0VHgt5eWrGFPscVPk1crVuEvIv1MF544Qk1IHi+2OA2xUvI1BTgmXp3TLvCjEn4lQF4Uc5hcUGENS6TNMPByHx69rAeXVMtmjW0sL4Tbhqd0iNh85STdtzXNZUY31+A6ugrJSnvnSt5wv9ZpMz0SFIE1Q=="
+              ];
+            };
+            root.openssh.authorizedKeys.keys = [
+              "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADtR1gMK7JnIOht8yZNPROr+0VHgt5eWrGFPscVPk1crVuEvIv1MF544Qk1IHi+2OA2xUvI1BTgmXp3TLvCjEn4lQF4Uc5hcUGENS6TNMPByHx69rAeXVMtmjW0sL4Tbhqd0iNh85STdtzXNZUY31+A6ugrJSnvnSt5wv9ZpMz0SFIE1Q=="
+            ];
+          };
+          groups = {
+            wheel.members = [
+              "niten"
+              "reaper"
+            ];
+            dns = {
+              members = [
+                "niten"
+                "reaper"
+                "named"
+              ];
+            };
+          };
+        };
+
+        networking = {
+          defaultGateway = {
+            address = "208.81.4.81";
+            interface = "eno2";
+          };
+
+          interfaces.eno2 = {
+            ipv4.addresses = [{
+              address = "208.81.4.82";
+              prefixLength = 29;
+            }];
+          };
+        };
+
+        services = {
+          bind = {
+            enable = true;
+            configFile = "/etc/bind/named.conf";
+          };
+
+          openssh = {
+            enable = true;
+            startWhenNeeded = true;
+            useDns = true;
+            permitRootLogin = "prohibit-password";
+            hostKeys = [
+              {
+                path = "/state/ssh/ssh_host_ed25519_key";
+                type = "ed25519";
+              }
+              {
+                path = "/state/ssh/ssh_host_rsa_key";
+                type = "rsa";
+                bits = 4096;
+              }
+            ];
+          };
+        };
       };
     };
   };

config/hosts/cashew.nix

@@ -9,4 +9,8 @@
   arch = "x86_64-linux";
   nixos-system = true;
   machine-id = "e5f456e3183a4dc186181a70bc3af2d1";
+  master-key = {
+    public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5/2uOE13eKUnXboxPYoZxZkS6sw5m0emR684HFr34l";
+    key-path = "/state/master-key/ed25519_key";
+  };
 }

config/networks/fudo.org.nix

@@ -136,6 +136,7 @@
   };
 
   hosts = {
+    cashew = { ipv4-address = "208.81.4.82"; };
     cisco = { ipv4-address = "198.163.150.211"; };
     cisco-int = { ipv4-address = "10.73.77.10"; };
     cupid = { ipv4-address = "208.38.36.100"; };

config/profile-config/host/backplane-client.nix

@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  hostname = config.instance.hostname;
-  host-cfg = config.fudo.hosts.${hostname};
-  secrets = config.fudo.secrets.host-secrets.${hostname};
-
-in {
-  config.fudo = {
-    secrets.host-secrets.${hostname} = {
-      backplane-passwd = {
-        source-file = host-cfg.backplane-password-file;
-        target-file = "/run/backplane/client/passwd";
-        user = config.fudo.client.dns.user;
-      };
-    };
-
-    client.dns.password-file =
-      secrets.backplane-passwd.target-file;
-  };
-}

config/site-config/mobile.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+}

config/sites.nix

@@ -51,8 +51,8 @@
     };
 
     nuttyclub-vm = {
-      gateway-v4 = "FIXME";
+      gateway-v4 = "208.81.4.81";
-      network = "FIXME/29";
+      network = "208.81.4.80/29";
       nameservers = [ "1.1.1.1" ];
       timezone = "America/Winnipeg";
       deploy-pubkeys = [

flake.lock

@@ -1,26 +1,38 @@
 {
   "nodes": {
-    "backplane-passwords": {
-      "flake": false,
-      "locked": {
-        "narHash": "sha256-Bf5sVg4oSg6uCKMJl21btfBH4NQI/Wz4SU9j130Shyg=",
-        "path": "./backplane-passwords",
-        "type": "path"
-      },
-      "original": {
-        "path": "./backplane-passwords",
-        "type": "path"
-      }
-    },
     "build-keypairs": {
       "flake": false,
       "locked": {
         "narHash": "sha256-4eRLRLCzZ6kQIRZqy51bj60jhFSQ/wlKLeNgABPhTyw=",
-        "path": "./build-keypairs",
+        "path": "/state/secrets/build-keypairs",
         "type": "path"
       },
       "original": {
-        "path": "./build-keypairs",
+        "path": "/state/secrets/build-keypairs",
+        "type": "path"
+      }
+    },
+    "build-seed": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-6rzGK/itD/RBRoNGw1L2wLV1IcVbn2b0V49ay1J9z7k=",
+        "path": "/state/secrets/build.seed",
+        "type": "path"
+      },
+      "original": {
+        "path": "/state/secrets/build.seed",
+        "type": "path"
+      }
+    },
+    "dnssec-keys": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-KGZFtyc7Sd5mGjLxnM+R/XnCtOwyZ4IuOMcblIjlCnM=",
+        "path": "/state/secrets/dnssec-keys",
+        "type": "path"
+      },
+      "original": {
+        "path": "/state/secrets/dnssec-keys",
         "type": "path"
       }
     },
@@ -193,11 +205,11 @@
       "flake": false,
       "locked": {
         "narHash": "sha256-K2wdsA4vcNTaLR9A9qxB+aMaeANL0LXOwBWvUm63lX0=",
-        "path": "./filesystem-keys",
+        "path": "/state/secrets/filesystem-keys",
         "type": "path"
       },
       "original": {
-        "path": "./filesystem-keys",
+        "path": "/state/secrets/filesystem-keys",
         "type": "path"
       }
     },
@@ -220,29 +232,44 @@
       "inputs": {
         "doom-emacs": "doom-emacs",
         "home-manager": "home-manager",
-        "niten-doom-config": "niten-doom-config"
+        "niten-doom-config": "niten-doom-config",
+        "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "narHash": "sha256-7vxYISWq8BAp88ej37PCdv9Rg6+WgTtFxcOVBH6C1Sw=",
+        "narHash": "sha256-7Yl9CqBD8dahWQvJJEKrvqUMLDYkoLTApNP7BzqGGpg=",
-        "path": "./nix-home",
+        "path": "/state/nixops/fudo-home",
         "type": "path"
       },
       "original": {
-        "path": "./nix-home",
+        "path": "/state/nixops/fudo-home",
+        "type": "path"
+      }
+    },
+    "fudo-pkgs": {
+      "locked": {
+        "narHash": "sha256-XwEs/VkqJp1mNwYUeBUqCPrW6GUEwAxbXMVOy7bF2P8=",
+        "path": "/state/nixops/fudo-pkgs",
+        "type": "path"
+      },
+      "original": {
+        "path": "/state/nixops/fudo-pkgs",
         "type": "path"
       }
     },
     "fudo-secrets": {
       "inputs": {
-        "backplane-passwords": "backplane-passwords",
         "build-keypairs": "build-keypairs",
+        "build-seed": "build-seed",
+        "dnssec-keys": "dnssec-keys",
         "filesystem-keys": "filesystem-keys",
         "host-keytabs": "host-keytabs",
+        "realm-master-keys": "realm-master-keys",
+        "service-keytabs": "service-keytabs",
         "service-passwords": "service-passwords",
         "ssh-keypairs": "ssh-keypairs"
       },
       "locked": {
-        "narHash": "sha256-cCvorbK8puCKs25oad9l11xveVq2UfKcAs+FJ4LD8r0=",
+        "narHash": "sha256-Q89s52d8KAMIbxh7aBoUwUTFAbgUBE5IaAIwd267k20=",
         "path": "/state/secrets",
         "type": "path"
       },
@@ -253,7 +280,10 @@
     },
     "home-manager": {
       "inputs": {
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": [
+          "fudo-home",
+          "nixpkgs"
+        ]
       },
       "locked": {
         "lastModified": 1633291410,
@@ -273,12 +303,12 @@
     "host-keytabs": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-yvGgY3mgzaGjYBNHr0m4Lg2rxrB0+CRlzWdJ2A06MeM=",
+        "narHash": "sha256-LzDfB9ubACWyQzjXzsPH6eNoESmSVcMFFb3V025Xgow=",
-        "path": "./kerberos/host-keytabs",
+        "path": "/state/secrets/kerberos/host-keytabs",
         "type": "path"
       },
       "original": {
-        "path": "./kerberos/host-keytabs",
+        "path": "/state/secrets/kerberos/host-keytabs",
         "type": "path"
       }
     },
@@ -332,25 +362,26 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1633381874,
+        "lastModified": 1636944046,
-        "narHash": "sha256-RkoVeo4K1IKqQzCI9W28UOyw4ic3Lhb3XoMDFDp7X74=",
+        "narHash": "sha256-74KLDsiWSBsYXKj/ql9EGbw1TbIJRE7clFkhl30HV/c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "35b808214a1ca158a04d6980cb95cc1a77ce1f94",
+        "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
+        "ref": "nixos-21.05",
         "type": "indirect"
       }
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1633267966,
+        "lastModified": 1636944046,
-        "narHash": "sha256-gFKvZ5AmV/dDTKXVxacPbXe4R0BsFpwtVaQxuIm2nnk=",
+        "narHash": "sha256-74KLDsiWSBsYXKj/ql9EGbw1TbIJRE7clFkhl30HV/c=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7daf35532d2d8bf5e6f7f962e6cd13a66d01a71d",
+        "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4",
         "type": "github"
       },
       "original": {
@@ -455,6 +486,18 @@
         "type": "github"
       }
     },
+    "realm-master-keys": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-5hDmPweE6lshRKA+AKRgJv7VwWxHsYekwMT32uAUKJU=",
+        "path": "/state/secrets/kerberos/master-keys",
+        "type": "path"
+      },
+      "original": {
+        "path": "/state/secrets/kerberos/master-keys",
+        "type": "path"
+      }
+    },
     "revealjs": {
       "flake": false,
       "locked": {
@@ -474,6 +517,7 @@
     "root": {
       "inputs": {
         "fudo-home": "fudo-home",
+        "fudo-pkgs": "fudo-pkgs",
         "fudo-secrets": "fudo-secrets",
         "nixpkgs": "nixpkgs_3"
       }
@@ -494,27 +538,39 @@
         "type": "github"
       }
     },
-    "service-passwords": {
+    "service-keytabs": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-JPMZdokzw+vyWoIKwgDhD60BYi5gch/MfgQyvx5AXZA=",
+        "narHash": "sha256-9lw22Gh1IDX+MtXMLi+o3XbjvqEhOiZQG9FiG/xz/U0=",
-        "path": "./service-passwords",
+        "path": "/state/secrets/kerberos/service-keytabs",
         "type": "path"
       },
       "original": {
-        "path": "./service-passwords",
+        "path": "/state/secrets/kerberos/service-keytabs",
+        "type": "path"
+      }
+    },
+    "service-passwords": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-4xEJlPU+KeBtQuFqRlB1bzJMXUQ6a+DT2v3OptaHyTg=",
+        "path": "/state/secrets/service-passwords",
+        "type": "path"
+      },
+      "original": {
+        "path": "/state/secrets/service-passwords",
         "type": "path"
       }
     },
     "ssh-keypairs": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-fD2ZTNMc399XtlVWLCU4crC0RZZ8yTZPFzEm9VWjiL8=",
+        "narHash": "sha256-TlRfaYFuJxLUCarxZ1XYnW8PruKyYO5RErVGo5hTgo4=",
-        "path": "./ssh-keypairs",
+        "path": "/state/secrets/ssh-keypairs",
         "type": "path"
       },
       "original": {
-        "path": "./ssh-keypairs",
+        "path": "/state/secrets/ssh-keypairs",
         "type": "path"
       }
     }

flake.nix

@@ -4,25 +4,27 @@
   inputs = {
     nixpkgs.url = "nixpkgs/nixos-21.05";
 
-    fudo-home.url = "path:./nix-home";
+    fudo-home.url = "path:/state/nixops/fudo-home";
+
+    fudo-pkgs.url = "path:/state/nixops/fudo-pkgs";
 
     fudo-secrets.url = "path:/state/secrets";
   };
 
-  outputs = { self, nixpkgs, fudo-secrets, fudo-home, ... }: {
+  outputs = { self, nixpkgs, fudo-home, fudo-pkgs, fudo-secrets, ... }: {
 
     nixosConfigurations = let
       lib = nixpkgs.lib;
 
       hostlib = import ./lib/hosts.nix { inherit lib; };
 
-      hosts = lib.filterAttrs (hostname: hostOpts:
+      nixos-hosts = lib.filterAttrs (hostname: hostOpts:
         hostOpts.nixos-system) (hostlib.base-host-config ./config/hosts);
 
       build-timestamp = self.sourceInfo.lastModified;
-    in lib.mapAttrs (hostname: hostOpts: let
+
-      pkgs = import nixpkgs {
+      pkgs-for = arch: import nixpkgs {
-        system = hostOpts.arch;
+        system = arch;
         config = {
           allowUnfree = true;
           permittedInsecurePackages = [
@@ -30,20 +32,43 @@
           ];
         };
         overlays = [
-          (import ./fudo-pkgs/overlay.nix)
+          fudo-pkgs.overlay
           (import ./lib/overlay.nix)
         ];
       };
-    in lib.nixosSystem {
+    in lib.mapAttrs (hostname: hostOpts: let
       system = hostOpts.arch;
+      pkgs = pkgs-for system;
+      lib = pkgs.lib;
+      site = hostOpts.site;
+      domain = hostOpts.domain;
+      profile = hostOpts.profile;
+      build-seed =
+        builtins.readFile fudo-secrets.build-seed;
+    in nixpkgs.lib.nixosSystem {
+      inherit system;
 
-      modules = [
+      modules = let
+        config-path = ./config;
+      in [
         fudo-home.nixosModule
         fudo-secrets.nixosModule
-        (import ./initialize.nix {
+        ./lib
-          inherit hostname lib pkgs build-timestamp fudo-secrets;
+        ./config
+
+        (config-path + /hardware/${hostname}.nix)
+        (config-path + /host-config/${hostname}.nix)
+        (config-path + /profile-config/${profile}.nix)
+        (config-path + /domain-config/${domain}.nix)
+        (config-path + /site-config/${site}.nix)
+        ({ ... }: {
+          config = {
+            instance = {
+              inherit hostname build-timestamp build-seed;
+            };
+          };
         })
       ];
-    }) hosts;
+    }) nixos-hosts;
   };
 }

initialize.nix

@@ -2,8 +2,7 @@
 
 with lib;
 let
-  # Get info on this host so we know what to load
+  config-dir = ./config;
-  config-dir = ./. + "/config";
 
 in {
   imports = [