Initial re-checkin

This commit is contained in:
root 2019-12-25 17:20:36 -06:00
commit 46c45f4440
33 changed files with 2646 additions and 0 deletions

95
config/fudo.nix Normal file

@ -0,0 +1,95 @@
{ lib, config, pkgs, ... }:
with lib;
let
hostOpts = { config, ... }: {
options = {
ipv6Address = mkOption {
type = types.str;
description = ''
The V6 IP of a given host, if any.
'';
};
ipv4Address = mkOption {
type = types.str;
description = ''
The V4 IP of a given host, if any.
'';
};
macAddress = mkOption {
type = types.str;
description = ''
The MAC address of a given host, if desired for IP reservation.
'';
};
};
};
localNameServerOpts = { config, ... }: {
options = {
ipv6Address = mkOption {
type = types.str;
description = ''
The V6 IP of a given host, if any.
'';
};
ipv4Address = mkOption {
type = types.str;
description = ''
The V4 IP of a given host, if any.
'';
};
ipv4ReverseDomain = mkOption {
type = types.str;
description = ''
The domain of the IPv4 address range for which this nameserver is responsible.
Eg: 0.10.in-addr.arpa
'';
};
};
};
in {
imports = [
./fudo/ldap.nix
];
options = {
fudo.localNetwork.hosts = mkOption {
type = types.listOf (submodule hostOpts);
default = {};
description = ''
A map of hostname => { host_attributes }.
'';
};
fudo.localNetwork.domain = mkOption {
type = types.str;
description = ''
The domain to use for the local network.
'';
};
fudo.localNetwork.hostAliases = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
A mapping of hostAlias => hostName to use on the local network.
'';
};
fudo.localNetwork.localNameServer = mkOption {
type = (submodule localNameServerOpts);
description = ''
The master nameserver of the local network.
'';
};
};
}
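Review bot: `submodule` in `type = types.listOf (submodule hostOpts)` and `type = (submodule localNameServerOpts)` is not a top-level name in `lib`, so evaluating this module should fail with an undefined-variable error; it needs `types.submodule` (ldap.nix avoids this by writing `with types;`). The `hosts` option is also declared `listOf` with `default = {}` while its description calls it "a map of hostname => { host_attributes }"; `type = types.attrsOf (types.submodule hostOpts);` matches both the default and the description. None of the address fields are validated beyond `types.str`, which is fine for now but worth a comment since this module appears intended to drive IP/MAC reservations.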

415
config/fudo/ldap.nix Normal file

@ -0,0 +1,415 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.auth.server;
ldapSystemUserOpts = { name, ... }: {
options = {
description = mkOption {
type = types.str;
description = ''
The description of this system user.
'';
};
hashed-password = mkOption {
type = types.str;
description = ''
The password for this user, hashed with ldappasswd.
'';
};
};
};
ldapGroupOpts = { name, ... }: {
options = {
gid = mkOption {
type = types.int;
description = ''
The GID number of this group.
'';
};
description = mkOption {
type = types.str;
description = ''
The description of this group.
'';
};
members = mkOption {
type = with types; listOf str;
default = [];
description = ''
A list of usernames representing the members of this group.
'';
};
};
};
ldapUserOpts = { name, ... }: {
options = {
uid = mkOption {
type = types.int;
description = ''
The UID number of this user.
'';
};
common-name = mkOption {
type = types.str;
description = ''
The given name of this user.
'';
};
group = mkOption {
type = types.str;
description = ''
The name of the user's primary group.
'';
};
login-shell = mkOption {
type = types.str;
default = "/bin/bash";
description = ''
The user's preferred shell. Default is /bin/bash.
'';
};
description = mkOption {
type = types.str;
default = "Fudo Member";
description = ''
The description of this user.
'';
};
hashed-password = mkOption {
type = types.str;
description = ''
The password for this user, hashed with ldappasswd.
'';
};
};
};
stringJoin = joiner: attrList:
if (length attrList) == 0 then
""
else
foldr(lAttr: rAttr: "${lAttr}${joiner}${rAttr}") (last attrList) (init attrList);
getUserGidNumber = user: group-map: group-map.${user.group}.gid;
attrOr = attrs: attr: value:
if attrs ? ${attr} then attrs.${attr} else value;
mkHomeDir = username: user-opts:
if (user-opts.group == "admin") then
"/home/${username}"
else
"/home/${user-opts.group}/${username}";
userLdif = base: name: group-map: opts: ''
dn: uid=${name},ou=members,${base}
uid: ${name}
objectClass: account
objectClass: shadowAccount
objectClass: posixAccount
cn: ${opts.common-name}
uidNumber: ${toString(opts.uid)}
gidNumber: ${toString(getUserGidNumber opts group-map)}
homeDirectory: ${mkHomeDir name opts}
description: ${opts.description}
shadowLastChange: 12230
shadowMax: 99999
shadowWarning: 7
userPassword: ${opts.hashed-password}
'';
systemUserLdif = base: name: opts: ''
dn: cn=${name},${base}
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ${name}
description: ${opts.description}
userPassword: ${opts.hashed-password}
'';
toMemberList = userList:
stringJoin "\n" (map (username: "memberUid: ${username}") userList);
groupLdif = base: name: opts: ''
dn: cn=${name},ou=groups,${base}
objectClass: posixGroup
cn: ${name}
gidNumber: ${toString(opts.gid)}
description: ${opts.description}
${toMemberList opts.members}
'';
systemUsersLdif = base: user-map:
stringJoin "\n" (mapAttrsToList (name: opts:
systemUserLdif base name opts
) user-map);
groupsLdif = base: group-map:
stringJoin "\n" (mapAttrsToList (name: opts:
groupLdif base name opts
) group-map);
usersLdif = base: group-map: user-map:
stringJoin "\n" (mapAttrsToList (name: opts:
userLdif base name group-map opts
) user-map);
in {
options = {
fudo = {
auth = {
server = {
enable = mkEnableOption "Fudo Authentication";
kerberos-host = mkOption {
type = types.str;
description = ''
The name of the host to use for Kerberos authentication.
'';
};
kerberos-keytab = mkOption {
type = types.str;
description = ''
The path to a keytab for the LDAP server, containing a principal for ldap/<hostname>.
'';
};
sslCert = mkOption {
type = types.str;
description = ''
The path to the SSL certificate to use for the server.
'';
};
sslKey = mkOption {
type = types.str;
description = ''
The path to the SSL key to use for the server.
'';
};
sslCACert = mkOption {
type = types.str;
description = ''
The path to the SSL CA cert used to sign the certificate.
'';
};
organization = mkOption {
type = types.str;
description = ''
The name to use for the organization.
'';
};
base = mkOption {
type = types.str;
description = ''
The base dn of the LDAP server (eg. "dc=fudo,dc=org").
'';
};
rootpw-file = mkOption {
default = "";
type = types.str;
description = ''
The path to a file containing the root password for this database.
'';
};
listen-uris = mkOption {
default = [];
type = with types; listOf str;
description = ''
A list of URIs on which the ldap server should listen.
'';
example = [
"ldap://auth.fudo.org"
"ldaps://auth.fudo.org"
];
};
users = mkOption {
default = {};
type = with types; loaOf (submodule ldapUserOpts);
example = {
tester = {
uid = 10099;
common-name = "Joe Blow";
hashed-password = "<insert password hash>";
};
};
description = ''
Users to be added to the Fudo LDAP database.
'';
};
groups = mkOption {
default = {};
type = with types; loaOf (submodule ldapGroupOpts);
example = {
admin = {
gid = 1099;
members = [
"tester"
];
};
};
description = ''
Groups to be added to the Fudo LDAP database.
'';
};
system-users = mkOption {
default = {};
type = with types; loaOf (submodule ldapSystemUserOpts);
example = {
replicator = {
description = "System user for database sync";
hashed-password = "<insert password hash>";
};
};
description = ''
System users to be added to the Fudo LDAP database.
'';
};
};
};
};
};
config = mkIf cfg.enable {
environment = {
etc = {
"openldap/sasl2/slapd.conf" = {
mode = "0400";
user = "openldap";
group = "openldap";
text = ''
mech_list: gssapi external
keytab: /etc/ldap/ldap.keytab
'';
};
};
};
systemd.services.openldap = {
environment = {
KRB5_KTNAME = cfg.kerberos-keytab;
};
};
services.openldap = {
enable = true;
suffix = cfg.base;
rootdn = "cn=admin,${cfg.base}";
rootpwFile = "${cfg.rootpw-file}";
urlList = cfg.listen-uris;
extraConfig = ''
TLSCertificateFile ${cfg.sslCert}
TLSCertificateKeyFile ${cfg.sslKey}
TLSCACertificateFile ${cfg.sslCACert}
authz-regexp "^uid=auth/([^.]+)\.fudo\.org,cn=fudo\.org,cn=gssapi,cn=auth$" "cn=$1,ou=hosts,dc=fudo,dc=org"
authz-regexp "^uid=[^,/]+/root,cn=fudo\.org,cn=gssapi,cn=auth$" "cn=admin,dc=fudo,dc=org"
authz-regexp "^uid=([^,/]+),cn=fudo\.org,cn=gssapi,cn=auth$" "uid=$1,ou=members,dc=fudo,dc=org"
authz-regexp "^uid=host/([^,/]+),cn=fudo\.org,cn=gssapi,cn=auth$" "cn=$1,ou=hosts,dc=fudo,dc=org"
authz-regexp "^gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth$" "cn=admin,dc=fudo,dc=org"
'';
extraDatabaseConfig = ''
# access to dn=base=""
# by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
# by * read
access to attrs=userPassword,shadowLastChange
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by group.exact="cn=admin,ou=members,${cfg.base}" write
by dn.exact="cn=auth_reader,${cfg.base}" read
by dn.exact="cn=replicator,${cfg.base}" read
by self write
by * auth
access to dn.exact="cn=admin,ou=groups,${cfg.base}"
by dn.exact="cn=admin,${cfg.base}" write
by users read
by * none
access to dn.subtree="ou=groups,${cfg.base}" attrs=memberUid
by dn.regex="cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" write
by group.exact="cn=admin,ou=groups,${cfg.base}" write
by users read
by * none
access to dn.subtree="ou=members,${cfg.base}" attrs=cn,sn,homeDirectory,loginShell,gecos,description
by group.exact="cn=admin,ou=groups,${cfg.base}" write
by users read
by * none
access to dn.exact="cn=admin,ou=groups,${cfg.base}"
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by users read
by * none
access to dn.subtree="ou=groups,${cfg.base}" attrs=memberUid
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by dn.regex="cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" write
by group.exact="cn=admin,ou=groups,${cfg.base}" write
by users read
by * none
access to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by users read
by * none
'';
declarativeContents = ''
dn: ${cfg.base}
objectClass: top
objectClass: dcObject
objectClass: organization
o: ${cfg.organization}
dn: ou=groups,${cfg.base}
objectClass: organizationalUnit
description: ${cfg.organization} groups
dn: ou=members,${cfg.base}
objectClass: organizationalUnit
description: ${cfg.organization} members
dn: cn=admin,${cfg.base}
objectClass: organizationalRole
cn: admin
description: "Admin User"
${systemUsersLdif cfg.base cfg.system-users}
${groupsLdif cfg.base cfg.groups}
${usersLdif cfg.base cfg.groups cfg.users}
'';
};
};
}
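Review bot: The `access to dn.exact="cn=admin,ou=groups,…"` and `access to dn.subtree="ou=groups,…" attrs=memberUid` clauses each appear twice in `extraDatabaseConfig`; slapd stops at the first `access to` whose target matches, so the second copies — the ones granting `manage` to the peercred root identity — are unreachable and should be merged into the first occurrence. The `by group.exact="cn=admin,ou=groups,${cfg.base}" write` grants likely never match either: `groupLdif` emits `posixGroup` entries whose `memberUid` values are bare usernames, while a `group` clause defaults to `groupOfNames`/`member` holding DNs, so verify with `slapacl` that admins really get write access. Separately, `by dn.exact="cn=auth_reader,${cfg.base}" read` on `userPassword` hands every password hash to the nslcd bind account whose secret is distributed to each client in `/srv/nslcd/bind.passwd`; nslcd only needs the posix attributes, so drop that line. Note also that the `authz-regexp` rules hardcode `dc=fudo,dc=org` and `fudo\.org` while the ACLs use `${cfg.base}`, and `keytab: /etc/ldap/ldap.keytab` in `sasl2/slapd.conf` differs from `KRB5_KTNAME = cfg.kerberos-keytab`.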

138
config/postgresql_11.nix Normal file

@ -0,0 +1,138 @@
{ config, lib, pkgs, ... }:
with lib;
let
catLines = builtins.concatStringsSep "\n";
userOpts = { config, ... }: {
options = {
passwd = mkOption {
type = types.str;
description = ''
The password of a given user.
'';
};
databases = mkOption {
type = types.attrsOf types.lines;
default = {};
description = ''
A list of databases to which this user should have access.
'';
};
};
};
grantDatabaseAccess = username: database: ''
GRANT CONNECT ON DATABASE ${database} TO USER ${username};
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA ${database} TO USER ${username};
'';
createUserSql = username: userOpts: ''
CREATE ROLE ${username} ENCRYPTED PASSWORD ${userOpts.passwd};
${catLines (map (grantDatabaseAccess username) userOpts.databases)}
'';
createDatabaseSql = database: dbOpts: ''
CREATE DATABASE ${database};
USE ${database};
'';
dataPath = /srv + ("/" + config.networking.hostName);
in {
options = {
fudo.postgresql = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable the PostgreSQL server for Fudo services.
'';
};
databases = mkOption {
type = types.attrsOf types.lines;
default = {};
description = ''
A map of database_name => database_defn.
'';
};
users = mkOption {
type = with types; attrsOf (submodule userOpts);
default = {};
description = ''
A map of user_name => { user_attributes }.
'';
};
};
};
# config = mkIf config.fudo.postgresql.enable
# environment = {
# systemPackages = with pkgs; [
# postgresql_11_gssapi
# ];
# etc = {
# "postgresql/private/privkey.pem" = {
# mode = "0400";
# user = "postgres";
# group = "postgres";
# source = dataPath + "/certs/private/privkey.pem";
# };
# "postgresql/cert.pem" = {
# mode = "0444";
# user = "postgres";
# group = "postgres";
# source = dataPath + "/certs/cert.pem";
# };
# "postgresql/private/postgres.keytab" = {
# mode = "0400";
# user = "postgres";
# group = "postgres";
# source = dataPath + "/keytabs/postgres.keytab";
# };
# };
# };
# services.postgresql = {
# enable = true;
# package = pkgs.postgresql_11_gssapi;
# enableTCPIP = true;
# extraConfig = ''
# krb_server_keyfile = '/etc/postgresql/private/postgres.keytab'
# ssl = true
# ssl_cert_file = '/etc/postgresql/cert.pem'
# ssl_key_file = '/etc/postgresql/private/privkey.pem'
# '';
# authentication = ''
# local all all ident
# # host-local
# host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
# host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
# # local network
# host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
# host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
# '';
# initialScript = pkgs.writeText "backend-initscript" ''
# ${catLines (map createUserSql fudo.postgresql.users)}
# ${catLines (map createDatabaseSql fudo.postgresql.databases)}
# '';
# };
}
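Review bot: `createUserSql` splices `userOpts.passwd` unquoted into `CREATE ROLE ${username} ENCRYPTED PASSWORD ${userOpts.passwd};`, which is a syntax error for any real password, and because the plaintext is a `types.str` option that the (currently commented-out) `pkgs.writeText "backend-initscript"` would copy into the world-readable Nix store, every local user could read it. Prefer a `passwordFile` option consumed at activation time; at minimum quote the literal as `'${userOpts.passwd}'` and document in the option description that the value lands in `/nix/store`. The grants are also not valid PostgreSQL: `GRANT … TO USER ${username}` should be `TO ${username}`, `USE ${database}` does not exist in PostgreSQL, and `ALL TABLES IN SCHEMA ${database}` names a schema rather than a database. None of this is exercised while `config` is commented out, but the helpers will break the moment the module is enabled.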

1
configuration.nix Symbolic link

@ -0,0 +1 @@
./hosts/france.nix

206
defaults.nix Normal file

@ -0,0 +1,206 @@
# Ref: https://learnxinyminutes.com/docs/nix/
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./packages/postgresql_11_gssapi.nix
./packages/minecraft-server_1_15_1.nix
./config/fudo.nix
./config/postgresql_11.nix
];
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
asdf
atop
autoconf
automake
bash
bind
binutils
btrfs-progs
bundix
byobu
cdrtools
cargo
certbot
clang
curl
emacs
fail2ban
fortune
gcc
git
gnumake
gnupg
google-cloud-sdk
guile
heimdalFull
imagemagick
ipfs
iptables
jdk
kerberos
libisofs
lispPackages.alexandria
lispPackages.cl-ppcre
lispPackages.clx
lispPackages.quicklisp
lshw
mkpasswd
ncurses5
nmap
oidentd
openldap
openssh
openssl_1_1
openssh_gssapi
pciutils
pv
pwgen
racket
ruby
rustc
sbcl
screen
service-wrapper
stdenv
telnet
texlive.combined.scheme-basic
tmux
unzip
vim
wget
];
system.stateVersion = "19.09";
system.autoUpgrade.enable = true;
environment.etc.current-nixos-config.source = ./.;
krb5.enable = true;
krb5.libdefaults.default_realm = "FUDO.ORG";
krb5.kerberos = pkgs.heimdalFull;
i18n = {
# consoleFont = "Lat2-Terminus16";
consoleKeyMap = "dvp";
defaultLocale = "en_US.UTF-8";
# consoleUseXkbConfig = true;
};
programs = {
mosh.enable = true;
ssh = {
forwardX11 = true;
extraConfig = ''
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
'';
};
bash.enableCompletion = true;
mtr.enable = true;
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
services = {
emacs = {
defaultEditor = true;
enable = true;
};
cron = {
enable = true;
};
openssh = {
enable = true;
startWhenNeeded = true;
forwardX11 = true;
extraConfig = ''
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
'';
};
};
security.pam = {
enableSSHAgentAuth = true;
# TODO: add yubico?
services.sshd = {
# This should only ask for a code if ~/.google_authenticator exists, but it asks anyway.
# googleAuthenticator.enable = true;
makeHomeDir = true;
# Fails!
# requireWheel = true;
};
};
users.groups = {
fudosys = {
gid = 888;
};
};
users.ldap = {
enable = true;
base = "dc=fudo,dc=org";
bind.distinguishedName = "cn=auth_reader,dc=fudo,dc=org";
bind.passwordFile = "/srv/nslcd/bind.passwd";
bind.timeLimit = 5;
loginPam = false;
server = "ldap://france.fudo.org";
timeLimit = 5;
useTLS = true;
extraConfig = ''
TLS_CACERT /etc/nixos/static/fudo_ca.pem
'';
daemon = {
enable = true;
extraConfig = ''
tls_cacertfile /etc/nixos/static/fudo_ca.pem
'';
};
};
users.extraUsers = {
niten = {
isNormalUser = true;
uid = 10000;
createHome = true;
description = "Niten";
extraGroups = ["wheel" "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "dialout" "adm" "input" "systemd-journal" "fudosys" "libvirtd"];
group = "users";
home = "/home/niten";
hashedPassword = "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
};
reaper = {
isNormalUser = true;
uid = 10049;
createHome = true;
description = "Reaper";
extraGroups = ["wheel" "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "dialout" "adm" "input" "systemd-journal" "fudosys" "libvirtd"];
group = "users";
home = "/home/reaper";
hashedPassword = "$6$YVCI6kiGcG5EVMT$t9lYEXjAhbnh7YkvJJPAbrzL8XE/AASsKFlWWeS.fDjBi/8S7zwXTHF0j41nDUfC//3viysn0tIOQKyZTHhzG.";
};
fudo = {
isSystemUser = true;
uid = 888;
description = "Fudo System User";
group = "fudosys";
};
};
}
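Review bot: `environment.etc.current-nixos-config.source = ./.;` copies the whole configuration tree — including `fudo/users.nix`, `fudo/system-users.nix` and the `hashedPassword` values in this file — into `/nix/store`, which is world-readable on every host importing `defaults.nix`, so any local user can collect all password hashes for offline cracking. Drop it, or point it at a sanitized subset that excludes credential files. `GSSAPIDelegateCredentials yes` in the global `programs.ssh.extraConfig` forwards the user's Kerberos TGT to every host they ssh into, not just realm members; scope it as `Host *.fudo.org` / `GSSAPIDelegateCredentials yes` and leave the default `no` elsewhere. `security.pam.enableSSHAgentAuth = true` combined with `wheel` membership means sudo can succeed without a password wherever an agent is forwarded — worth a comment if that is intended.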

118
fudo/groups.nix Normal file

@ -0,0 +1,118 @@
{
admin = {
gid = 1000;
description = "Admin User Group";
members = [
"niten"
"reaper"
"swaff"
];
};
fudo = {
gid = 1001;
description = "Fudo User Group";
members = [
"andrew"
"animus"
"anorthe"
"ark"
"ben"
"brian"
"chad"
"ckoo"
"dabar"
"dana"
"darryl"
"debo"
"flowchart"
"gaijin"
"gubbs"
"helen"
"jess"
"jill"
"jinny"
"joker4ever"
"jun"
"kevin"
"kris"
"laura"
"leefolio"
"niten"
"r3d3"
"reaper"
"rob"
"saphira"
"slickoil"
"splat1"
"stewartd"
"swaff"
"theblacksun"
"xiaoxuan"
"zimm"
];
};
selby = {
gid = 1002;
description = "Selby User Group";
members = [
"andrew"
"brian"
"darryl"
"helen"
"jess"
"ken"
"kevin"
"laura"
"niten"
"rob"
"vee"
"xiaoxuan"
];
};
www-fudo = {
gid = 1005;
description = "Fudo Web Group";
members = [
"niten"
"reaper"
"www-data"
];
};
fudo_admin = {
gid = 1031;
description = "Fudo Administrators";
members = [
"niten"
"reaper"
];
};
sea_media = {
gid = 1077;
description = "Media group for Niten's home in Seattle";
members = [
"ken"
"niten"
"reaper"
"xiaoxuan"
];
};
fudo_shell = {
gid = 1078;
description = "Users with shell access to fudo hosts";
members = [
"ansyg"
"joker4ever"
"niten"
"omefire"
"reaper"
"swaff"
];
};
}

11
fudo/system-users.nix Normal file

@ -0,0 +1,11 @@
{
replicator = {
description = "Database Replicator";
hashed-password = "{SHA}HpiRMyxLR+0ZFHz/COvG9lcNYyQ=";
};
auth_reader = {
description = "System Authenticator";
hashed-password = "{MD5}N36/kQ64mev1HARddvVk7Q==";
};
}
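Review bot: Both hashes are unsalted (`{SHA}` for `replicator`, `{MD5}` for `auth_reader`), so once leaked they are trivially reversible with a precomputed table, and they are committed to the repo and — through `declarativeContents` in ldap.nix — end up in the Nix store. Regenerate them with `slappasswd -h '{SSHA}'` at minimum, and since `auth_reader`'s cleartext counterpart is handed to every client in `/srv/nslcd/bind.passwd` (defaults.nix), treat it as a shared low-trust credential whose ACL should be limited to read-only posix attributes.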

403
fudo/users.nix Normal file

@ -0,0 +1,403 @@
# Generate a hashed password using slappasswd.
{
niten = {
uid = 10000;
group = "admin";
common-name = "Peter Selby";
hashed-password = "{SSHA}dF/5NGkafL8M1kpa3LYZKdh0Pc7a02gA";
};
andrew = {
uid = 10001;
group = "selby";
common-name = "Andrew Selby";
hashed-password = "";
};
animus = {
uid = 10002;
group = "fudo";
common-name = "James Frazer";
hashed-password = "{MD5}5EenPxFXCKCkxMGFmSAHqQ==";
};
ark = {
uid = 10005;
group = "fudo";
common-name = "Roger Wong";
hashed-password = "{SHA}H1+3u18I7JG+xcy7jBaKu1M6GFk=";
};
ben = {
uid = 10007;
group = "fudo";
common-name = "Ben";
hashed-password = "{MD5}v0jY5bADu30cAR1Uu/eWYQ==";
};
chad = {
uid = 10011;
group = "fudo";
common-name = "Chad Isbister";
hashed-password = "{MD5}fQ309GUF2DvHlJ3R+5wNuA==";
};
ckoo = {
uid = 10014;
group = "fudo";
common-name = "Jason Bush";
hashed-password = "{MD5}KMFeaBc7e/gVzL/QUT0mYw==";
};
dana = {
uid = 10015;
group = "fudo";
common-name = "Dana Eftodie";
hashed-password = "{MD5}+ijTylKau4uot2kGMqKSTA==";
};
jill = {
uid = 10030;
group = "fudo";
common-name = "Jill Isbister";
hashed-password = "{MD5}fQ309GUF2DvHlJ3R+5wNuA==";
};
joker4ever = {
uid = 10033;
group = "fudo";
common-name = "Jack Clarke";
hashed-password = "{SSHA}w78XwSax9WywIDujMxEoO7o87d2LDJRo";
};
ken = {
uid = 10035;
group = "selby";
common-name = "Ken Selby";
hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc";
};
reaper = {
uid = 10049;
group = "admin";
common-name = "Jonathan Stewart";
hashed-password = "{MD5}EBvifhJ6z9dIDx0KWkAPoQ==";
};
slickoil = {
uid = 10052;
group = "fudo";
common-name = "Connor Cooley";
hashed-password = "{MD5}8Qrpagi8TYnZQdFoYe02rA==";
};
splat1 = {
uid = 10053;
group = "fudo";
common-name = "Matt Evans";
hashed-password = "{MD5}JeHNutGTBMHOqFgVlYjfpw==";
};
swaff = {
uid = 10055;
group = "fudo";
common-name = "Mark Swaffer";
hashed-password = "{MD5}C5gIsLsaKSvIPydu4uzhNg==";
};
brian = {
uid = 10056;
group = "selby";
common-name = "Brian Selby";
hashed-password = "{crypt}$1$npZLTPEO$p2bTx8TTlCg7XNiivTJsC1";
};
rob = {
uid = 10057;
group = "selby";
common-name = "Robert Selby";
hashed-password = "{crypt}HD1ESf1hAGdks";
};
tarbash = {
uid = 10059;
group = "fudo";
common-name = "Neville";
hashed-password = "{crypt}$1$cE6lVNbC$PLjlE9vK77SKNKwJBKiT//";
};
darryl = {
uid = 10060;
group = "selby";
common-name = "Darryl Kissick";
hashed-password = "{crypt}$1$oUNTMyKU$oUs6JqBRTPKE9A/sEzlSY0";
};
ayumi = {
uid = 10061;
group = "fudo";
common-name = "Ayumi Kira";
hashed-password = "{MD5}5OkpooOLxw94nF1lOfn/ZQ==";
};
saphira = {
uid = 10063;
group = "fudo";
common-name = "Elizabeth Stewart";
hashed-password = "{crypt}$1$cQ/Zq25x$fUQfUtpMB.f3rBWzttPns.";
};
banen = {
uid = 10064;
group = "fudo";
common-name = "Travis Neis";
hashed-password = "{crypt}$1$cyfM/Vni$vIuirRln.MnWActOR6t8S.";
};
xiaoxuan = {
uid = 10065;
group = "fudo";
common-name = "Xiaoxuan Jin";
hashed-password = "{MD5}iecbyMpyVkmOaMBzSFy58Q==";
};
thibor = {
uid = 10066;
group = "fudo";
common-name = "";
hashed-password = "{crypt}$1$HzQOn3zV$ogkeS5ByWrFstYo0FhXB/.";
};
flowchart = {
uid = 10067;
group = "fudo";
common-name = "BH Bieterse";
hashed-password = "{crypt}$1$lQMZ42RZ$aAOsLHP0i.yfvD1a1EVsA/";
};
gubbs = {
uid = 10068;
group = "fudo";
common-name = "Lorcan Gavin";
hashed-password = "{MD5}AIf4bJZyHCnvJVL3YHRnIg==";
};
debo = {
uid = 10069;
group = "fudo";
common-name = "Deborah Osti";
hashed-password = "{crypt}$1$5wEBGh/8$Ggp2JAI/rQiBXxJ89G0iq1";
};
leefolio = {
uid = 10070;
group = "fudo";
common-name = "Ze Artiste";
hashed-password = "{crypt}$1$LRlAYBst$sS1bPu8yEPrdYkQhoZhAq1";
};
zimm = {
uid = 10071;
group = "fudo";
common-name = "Ross Drinkwater";
hashed-password = "{SSHA}er1cgYDNPJsfLwtqYLopKMGMxiZZRGdY";
};
gaijin = {
uid = 10072;
group = "fudo";
common-name = "Tetsuo Torigai";
hashed-password = "{crypt}$1$bw8hyDXm$pMLLUtlDlVLwBTZiC0Lzf0";
};
anorthe = {
uid = 10073;
group = "fudo";
common-name = "Bonnie Wong";
hashed-password = "{crypt}$1$DORfHzbp$nJkk0OXd7WzYDxx8LbdMK.";
};
stewartd = {
uid = 10076;
group = "fudo";
common-name = "Dwight Stewart";
hashed-password = "{MD5}e2GSmH+l4ZZ808snWsFNYw==";
};
jess = {
uid = 10078;
group = "selby";
common-name = "Jessica Selby";
hashed-password = "{MD5}2tbtZre16apUTNtRIK98nQ==";
};
kevin = {
uid = 10079;
group = "selby";
common-name = "Kevin Selby";
hashed-password = "{crypt}$1$UYKrkMEe$SAABgc1pCBYgPFIMepNrM.";
};
theblacksun = {
uid = 10080;
group = "fudo";
common-name = "Brendan Goodfellow";
hashed-password = "{MD5}Hmw6pFYYT87nmpLp0QxcQw==";
};
kris = {
uid = 10082;
group = "selby";
common-name = "Kris Huberdeau";
hashed-password = "{SSHA}RUYeAEUyblnCWa9uBzY9nwsmoksy8P3Y";
};
jun = {
uid = 10083;
group = "fudo";
common-name = "Junichi Suzuki";
hashed-password = "{crypt}$1$ExfgQXb8$b1ihvMRbG2dWbnlmzzI/h.";
};
jinny = {
uid = 10084;
group = "fudo";
common-name = "Hye-jin Kim";
hashed-password = "{crypt}$1$6cld82N8$5a9ovCPXSacDmK3TWDaF30";
};
helen = {
uid = 10086;
group = "selby";
common-name = "Helen Selby";
hashed-password = "{MD5}cT8gLj4MDWqeP/GnzPfgHQ==";
};
vee = {
uid = 10087;
group = "selby";
common-name = "Vee Selby";
hashed-password = "snoinuer";
};
dabar = {
uid = 10088;
group = "fudo";
common-name = "Dan Bernardic";
hashed-password = "{MD5}ULrk46YUeUZQrl0+wAQiWA==";
};
r3d3 = {
uid = 10089;
group = "fudo";
common-name = "Derek Veroni";
hashed-password = "{SHA}2XyijGDovUhA1/Z/XR+9h9Ia4fY=";
};
laura = {
uid = 10090;
group = "selby";
common-name = "Laura Selby";
hashed-password = "{MD5}MI65czN0duIudMhYH+BU9Q==";
};
tuk = {
uid = 10091;
group = "fudo";
common-name = "Taku Koba";
hashed-password = "{MD5}DQuoQluy50128r8MxAmFkQ==";
};
aki = {
uid = 10092;
group = "fudo";
common-name = "Akihito Mori";
hashed-password = "{MD5}oGAt2kJGKMqX+CmfV1w/GA==";
};
ansyg = {
uid = 10095;
group = "fudo";
common-name = "Anseok Joo";
hashed-password = "{MD5}AHhHl02D3uDmWhPJZ6QPOw==";
};
jackie = {
uid = 10097;
group = "selby";
common-name = "Jackie Selby";
hashed-password = "{MD5}fa6JfWySlH63sITsxrTt0Q==";
};
mtopf = {
uid = 10100;
group = "fudo";
common-name = "Michael Topf";
hashed-password = "{MD5}/pleD8SiLhmnRr1RVspNcA==";
};
tat = {
uid = 10101;
group = "fudo";
common-name = "Tatsuro Akano";
hashed-password = "{MD5}fAV5GX8UdjsXIFjU0Ex4SA==";
};
blatzkrieg = {
uid = 10102;
group = "fudo";
common-name = "Brendan Blatz";
hashed-password = "{MD5}1nE/ndFwGbfH/wLagxvt8w==";
};
ellie = {
uid = 10103;
group = "fudo";
common-name = "Ellie Lee";
hashed-password = "{MD5}gzjwt+kw2nmvJ1FKFTpSZA==";
};
alan = {
uid = 10104;
group = "fudo";
common-name = "Alan Wong";
hashed-password = "{MD5}WhohVE4xfo9RIOw1kG3s1Q==";
};
omefire = {
uid = 10105;
group = "fudo";
common-name = "Omar Mefire";
hashed-password = "{SSHA}W6KWo26wl/nawpV++wMqsKdwrIwrait5";
};
gordon = {
uid = 10106;
group = "fudo";
common-name = "Gordon Stewart";
hashed-password = "{SSHA}jaCOc1ZjCI9klVR+v676lIBOidEg7/u0";
};
jeramy = {
uid = 10107;
group = "selby";
common-name = "Jeramy Ewbank";
hashed-password = "{MD5}8j8vTniyRzylmeTNUoRwWA==";
};
lauren = {
uid = 10108;
group = "selby";
common-name = "Lauren Hotel";
hashed-password = "{SSHA}DKnhrycmXSu4HKWFPeBXA9xvZ0ytgXIpZA10tg==";
};
testuser = {
uid = 10110;
group = "fudo";
common-name = "Test User";
hashed-password = "{SSHA}LSz1WjWfjRwAM3xm+QZ71vFj997dnZC6";
};
}
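Review bot: `vee` has `hashed-password = "snoinuer"`, which carries no `{scheme}` prefix and is therefore stored by slapd as a cleartext `userPassword` — this is the account's plain password committed to the repository; rotate it and replace with an `slappasswd` hash. `andrew` has `hashed-password = ""`, which `userLdif` renders as an empty `userPassword:` line; depending on schema checking slapd will either reject the LDIF or store an empty value, so either omit the attribute for that user or set a real hash. Most remaining entries are unsalted `{MD5}`/`{SHA}` or DES `{crypt}` (e.g. `rob`), and `chad` and `jill` carry the identical `{MD5}` value, i.e. the same password — consider regenerating with `{SSHA}` or SHA-512 `{CRYPT}` on next login. `thibor` also has `common-name = ""`, which produces an empty `cn:` attribute that schema checking will likely refuse.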


@ -0,0 +1,31 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "ahci" "usb_storage" "floppy" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/87833c39-299b-4e84-9854-beda4a8e0115";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/bfb464c0-c259-4c29-8e8f-b3011bd30c95";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/ac0fe2b7-dd7a-4e86-aaa0-942acf3d541d"; }
];
nix.maxJobs = lib.mkDefault 8;
}

110
hosts/france.nix Normal file

@ -0,0 +1,110 @@
{ config, pkgs, ... }:
let
hostname = "france.fudo.org";
in {
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
security.hideProcessInformation = true;
imports = [
../defaults.nix
../networks/fudo.org.nix
../profiles/server.nix
../config/fudo.nix
../profiles/services/basic_acme.nix
../profiles/services/heimdal_kdc.nix
../profiles/services/minecraft.nix
../hardware-configuration.nix
../packages/local-packages.nix
];
environment.systemPackages = with pkgs; [
acme-ca
lxd
multipath-tools
];
fudo.auth.server = {
enable = true;
base = "dc=fudo,dc=org";
organization = "Fudo";
rootpw-file = "/srv/ldap/secure/root.pw";
kerberos-host = "france.fudo.org";
kerberos-keytab = "/srv/ldap/secure/ldap.keytab";
sslCert = "/srv/ldap/france.fudo.org.pem";
sslKey = "/srv/ldap/secure/france.fudo.org-key.pem";
sslCACert = "/etc/nixos/static/fudo_ca.pem";
listen-uris = [
"ldap://${hostname}/"
"ldaps://${hostname}/"
"ldap://localhost/"
"ldaps://localhost/"
"ldapi:///"
];
users = import ../fudo/users.nix;
groups = import ../fudo/groups.nix;
system-users = import ../fudo/system-users.nix;
};
networking = {
hostName = hostname;
dhcpcd.enable = false;
useDHCP = false;
interfaces.enp4s0f0.useDHCP = true;
interfaces.enp4s0f1.useDHCP = true;
enableIPv6 = true;
# Create a bridge for VMs to use
macvlans = {
extif0 = {
interface = "enp4s0f0";
mode = "bridge";
};
intif0 = {
interface = "enp4s0f1";
mode = "bridge";
};
};
interfaces = {
extif0 = {
# result of: echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:d4:e8:3b:10:2f";
ipv4.addresses = [
{
address = "208.81.3.117";
prefixLength = 28;
}
];
};
intif0 = {
# result of: echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:ba:ba:e9:08:21";
ipv4.addresses = [
{
address = "192.168.11.1";
prefixLength = 24;
}
];
};
};
};
hardware.bluetooth.enable = false;
virtualisation.lxd = {
enable = true;
};
}
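Review bot: `listen-uris` exposes a cleartext `ldap://${hostname}/` listener on the public address `208.81.3.117`, and the imported `networks/fudo.org.nix` disables the firewall, so a simple bind from any client that does not negotiate StartTLS would send its password across the Internet in the clear. Either drop the cleartext URI and keep `ldaps://${hostname}/`, `ldap://localhost/` and `ldapi:///`, or enforce `security tls=128` in the server's `extraConfig` so cleartext binds are refused. `sslKey`, `rootpw-file` and the keytab under `/srv/ldap/secure/` are plain paths with nothing here pinning their ownership or mode to the `openldap` user; a comment stating the expected `0400 openldap:openldap` would make the assumption explicit.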

31
hosts/monolith.nix Normal file

@ -0,0 +1,31 @@
{ config, pkgs, ... }:
let
hostname = "monolith";
in {
imports = [
../defaults.nix
../networks/sea.fudo.org.nix
../profiles/desktop.nix
../hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
glxinfo
];
networking.hostName = hostname;
services.xserver.videoDrivers = ["nvidia"];
hardware.bluetooth.enable = false;
hardware.opengl.driSupport32Bit = true;
hardware.opengl.driSupport = true;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
}

76
hosts/nostromo.nix Normal file

@ -0,0 +1,76 @@
{ config, pkgs, ... }:
let
hostname = "nostromo";
in {
boot.kernelModules = [ "kvm-amd" ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sdb";
imports = [
../defaults.nix
../networks/sea.fudo.org.nix
../profiles/server.nix
../hardware-configuration.nix
../profiles/services/postgres.nix
# ../profiles/services/local_nameserver.nix
];
networking = {
hostName = hostname;
defaultGateway = "10.0.0.1";
nameservers = [ "10.0.0.1" ];
# Turn off for hypervisor: dhcp by default everywhere is a fuckin pain.
dhcpcd.enable = false;
# Create a bridge for VMs to use
macvlans.intlan0 = {
interface = "eno1";
mode = "bridge";
};
interfaces = {
intlan0 = {
macAddress = "46:54:76:06:f1:10";
ipv4.addresses = [
{
address = "10.0.0.2";
prefixLength = 23;
}
];
};
};
};
hardware.bluetooth.enable = false;
environment.systemPackages = with pkgs; [
ipfs
libguestfs-with-appliance
libvirt
virtmanager
];
virtualisation.libvirtd = {
enable = true;
qemuPackage = pkgs.qemu_kvm;
onShutdown = "shutdown";
};
services.ipfs = {
enable = true;
enableGC = true;
autoMount = false;
defaultMode = "online";
apiAddress = "/ip4/10.0.0.2/tcp/5001";
gatewayAddress = "/ipv4/10.0.0.2/tcp/8080";
};
}
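Review bot: `gatewayAddress = "/ipv4/10.0.0.2/tcp/8080"` uses `ipv4`, which is not a multiaddr protocol name; it should be `gatewayAddress = "/ip4/10.0.0.2/tcp/8080";` to match `apiAddress`, otherwise the daemon will fail to parse its config. Binding `apiAddress` to the LAN address `10.0.0.2:5001` exposes the IPFS RPC API — which has no authentication — to every host on the /23, and the imported `sea.fudo.org.nix` profile disables the firewall, so anyone on that network can pin, unpin or reconfigure the node; keep it on `/ip4/127.0.0.1/tcp/5001` unless remote control is genuinely required, and then restrict it with a firewall rule.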

32
hosts/spark.nix Normal file

@ -0,0 +1,32 @@
{ config, pkgs, ... }:
let
hostname = "spark";
in {
imports = [
../defaults.nix
../networks/sea.fudo.org.nix
../profiles/desktop.nix
../hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi = {
canTouchEfiVariables = true;
efibootmgr = {
efiDisk = "/dev/sda1";
};
# efiSysMountPoint = "/boot/efi";
};
networking.hostName = hostname;
hardware.bluetooth.enable = false;
hardware.opengl.driSupport32Bit = true;
hardware.opengl.driSupport = true;
}

37
hosts/zbox.nix Normal file

@ -0,0 +1,37 @@
{ config, pkgs, ... }:
let
hostname = "zbox";
in {
imports = [
../defaults.nix
../networks/sea.fudo.org.nix
../profiles/desktop.nix
../hardware-configuration.nix
];
environment.systemPackages = with pkgs; [
glxinfo
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
programs.bash.enableCompletion = true;
services.xserver = {
videoDrivers = ["nvidia"];
displayManager.gdm.wayland = false;
};
hardware.opengl.driSupport32Bit = true;
hardware.opengl.driSupport = true;
networking.hostName = hostname;
hardware.bluetooth.enable = true;
}

27
networks/fudo.org.nix Normal file

@ -0,0 +1,27 @@
{ config, pkgs, ... }:
{
config.time.timeZone = "America/Winnipeg";
config.services.cron = {
mailto = "admin@fudo.org";
};
config.networking = {
domain = "fudo.org";
search = ["fudo.org"];
firewall.enable = false;
networkmanager.enable = pkgs.lib.mkForce false;
defaultGateway = "208.81.3.113";
nameservers = [ "1.1.1.1" "208.81.7.14" "2606:4700:4700::1111" ];
};
config.services.prometheus.exporters = {
node.enable = true;
};
}
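Review bot: `firewall.enable = false` is applied to every host importing this profile, including `france`, which has a public address and runs slapd, a KDC and the Prometheus node exporter enabled just below, so the exporter and every other listening service are reachable from the Internet. Enable the firewall and open only what is needed, e.g. `firewall.enable = true; firewall.allowedTCPPorts = [ 22 88 389 636 749 ];`, adding the exporter port only for the scraping host. If the firewall must stay off for now, at least set `node.listenAddress` to an internal address rather than the default of all interfaces.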

192
networks/sea.fudo.org.nix Normal file

@ -0,0 +1,192 @@
{ config, pkgs, ... }:
{
config.time.timeZone = "America/Los_Angeles";
config.services.cron = {
mailto = "niten@fudo.org";
};
services.printing.enable = true;
config.networking = {
domain = "sea.fudo.org";
search = ["sea.fudo.org" "fudo.org"];
firewall.enable = false;
networkmanager.enable = pkgs.lib.mkForce false;
# Until Comcast gets it's shit together... :(
enableIPv6 = false;
};
config.fileSystems."/mnt/documents" = {
device = "whitedwarf.sea.fudo.org:/volume1/Documents";
fsType = "nfs4";
};
config.fileSystems."/mnt/downloads" = {
device = "whitedwarf.sea.fudo.org:/volume1/Downloads";
fsType = "nfs4";
};
config.fileSystems."/mnt/music" = {
device = "doraemon.sea.fudo.org:/volume1/Music";
fsType = "nfs4";
};
config.fileSystems."/mnt/video" = {
device = "doraemon.sea.fudo.org:/volume1/Video";
fsType = "nfs4";
};
# fileSystems."/mnt/security" = {
# device = "panopticon.sea.fudo.org:/srv/kerberos/data";
# fsType = "nfs4";
# };
config.fileSystems."/mnt/cargo_video" = {
device = "cargo.sea.fudo.org:/volume1/video";
fsType = "nfs4";
};
config.fileSystems."/mnt/photo" = {
device = "cargo.sea.fudo.org:/volume1/pictures";
fsType = "nfs4";
};
config.users.extraUsers = {
guest = {
isNormalUser = true;
uid = 1000;
description = "Guest User";
extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
};
ken = {
isNormalUser = true;
uid = 10035;
createHome = true;
description = "Ken Selby";
extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
group = "users";
home = "/home/selby/ken";
hashedPassword = "$6$EwK9fpbH8$gYVzYY1IYw2/G0wCeUxXrZZqvjWCkCZbBqCOhxowbMuYtC5G0vp.AoYhVKWOJcHJM2c7TdPmAdnhLIe2KYStf.";
};
xiaoxuan = {
isNormalUser = true;
uid = 10065;
createHome = true;
description = "Xiaoxuan Jin";
extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
group = "users";
home = "/home/xiaoxuan";
hashedPassword = "$6$C8lYHrK7KvdKm/RE$cHZ2hg5gEOEjTV8Zoayik8sz5h.Vh0.ClCgOlQn8l/2Qx/qdxqZ7xCsAZ1GZ.IEyESfhJeJbjLpykXDwPpfVF0";
};
};
config.fudo.localNetwork = {
masterNameServer = {
ip = "10.0.0.1";
ipReverseDomain = "0.10.in-addr.arpa";
};
domain = "sea.fudo.org";
hostAliases = {
kadmin = "slab";
kdc = "slab";
photo = "doraemon";
music = "doraemon";
panopticon = "hyperion";
hole = "dnshole";
ipfs = "nostromo";
};
hosts = {
slab = {
ipv4Address = "10.0.0.1";
};
volsung = {
ipv4Address = "10.0.0.106";
macAddress = "ac:bc:32:7b:75:a5";
};
nest = {
ipv4Address = "10.0.0.176";
macAddress = "18:b4:30:16:7c:5a";
};
monolith = {
ipv4Address = "10.0.0.100";
macAddress = "6c:62:6d:c8:b0:d8";
};
brother-wireless = {
ipv4Address = "10.0.0.160";
macAddress = "c0:38:96:64:49:65";
};
doraemon = {
ipv4Address = "10.0.0.52";
macAddress = "00:11:32:0a:06:c5";
};
lm = {
ipv4Address = "10.0.0.21";
macAddress = "52:54:00:D8:34:92";
};
ubiquiti-wifi = {
ipv4Address = "10.0.0.126";
macAddress = "04:18:d6:20:48:fb";
};
front-light = {
ipv4Address = "10.0.0.221";
macAddress = "94:10:3e:48:94:ed";
};
ipad = {
ipv4Address = "10.0.0.202";
macAddress = "9c:35:eb:48:6e:71";
};
chromecast-2 = {
ipv4Address = "10.0.0.215";
macAddress = "a4:77:33:59:a2:ba";
};
taipan = {
ipv4Address = "10.0.0.107";
macAddress = "52:54:00:34:c4:78";
};
dns-hole = {
ipv4Address = "10.0.0.185";
macAddress = "b8:27:eb:b2:95:fd";
};
family-tv = {
ipv4Address = "10.0.0.205";
macAddress = "84:a4:66:3a:b1:f8";
};
spark = {
ipv4Address = "10.0.0.108";
macAddress = "78:24:af:04:f7:dd";
};
babycam = {
ipv4Address = "10.0.0.206";
macAddress = "08:ea:40:59:5f:9e";
};
hyperion = {
ipv4Address = "10.0.0.109";
macAddress = "52:54:00:33:46:de";
};
cargo = {
ipv4Address = "10.0.0.50";
macAddress = "00:11:32:75:d8:b7";
};
cam-entrance = {
ipv4Address = "10.0.0.31";
macAddress = "9c:8e:cd:0e:99:7b";
};
cam-driveway = {
ipv4Address = "10.0.0.32";
macAddress = "9c:8e:cd:0d:3b:09";
};
cam-deck = {
ipv4Address = "10.0.0.33";
macAddress = "9c:8e:cd:0e:98:c8";
};
nostromo = {
ipv4Address = "10.0.0.2";
macAddress = "14:fe:b5:ca:a2:c9";
};
zbox = {
ipv4Address = "10.0.0.110";
macAddress = "18:60:24:91:CC:27";
};
};
};
}
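Review bot: The `hashedPassword` values for `ken` and `xiaoxuan` are committed to the repository and, once the configuration is built, also land in the world-readable Nix store, so every user with repo or shell access can take them offline; `passwordFile = "/path/to/root-only/ken.hash";` (placeholder path) pointing at a file outside the store keeps the hashes out of both. The `guest` account (and the two named users) is placed in `disk`, which grants raw block-device access and is effectively root-equivalent; drop it from `extraGroups` unless it is deliberately wanted. This module also mixes `config.`-prefixed attributes with a bare `services.printing.enable = true;`, a combination the module system rejects, so it should read `config.services.printing.enable = true;`. `firewall.enable = false;` here has the same exposure concern raised on networks/fudo.org.nix.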

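--- a/packages/acme-ca.nix
+++ b/packages/acme-ca.nix
@@ -0,0 +1,30 @@
+{ stdenv, fetchurl }:
+let
+# url = "https://letsencrypt.org/certs/isrgrootx1.pem.txt";
+# sha256 = "4c99356c265ee06c0ae0502e74d38231263513726d001cfe28ea25e70af2cc7f";
+url = "https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt";
+sha256 = "b6dd03f7fb8508e4f7ffe82ca8a3f98dde163e0bd44897e112a0850a5b606acf";
+in stdenv.mkDerivation {
+name = "letsencrypt-ca";
+src = fetchurl {
+name = "isrgrootx1.pem.txt";
+url = url;
+sha256 = sha256;
+};
+phases = [ "installPhase" ];
+installPhase = ''
+mkdir -pv $out/etc/ssl/letsencrypt
+cp -v $src $out/etc/ssl/letsencrypt/ca.pem
+'';
+meta = {
+homepage = https://letsencrypt.com;
+description = "Certificate Authority (CA) certificate for LetsEncrypt";
+};
+}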
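Review bot: `src` names the fetched file `isrgrootx1.pem.txt`, but the active `url` and `sha256` fetch `letsencryptauthorityx3.pem.txt`, so the derivation labels an intermediate certificate as if it were the ISRG root; anyone installing `$out/etc/ssl/letsencrypt/ca.pem` as a trust anchor would be pinning an intermediate that is expected to rotate independently of the root. Rename it `name = "letsencryptauthorityx3.pem.txt";` (or switch back to the commented-out root lines) and say in `meta.description` which certificate this actually is. `homepage = https://letsencrypt.com;` uses the deprecated unquoted URL literal and should be quoted.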


@ -0,0 +1,10 @@
{ pkgs, ... }:
{
nixpkgs.config.packageOverrides = pkgs: rec {
acme-ca = import ./acme-ca.nix {
stdenv = pkgs.stdenv;
fetchurl = builtins.fetchurl;
};
};
}


@ -0,0 +1,13 @@
{ pkgs, ... }:
{
nixpkgs.config.packageOverrides = pkgs: rec {
minecraft-server_1_15_1 = pkgs.minecraft-server.overrideAttrs (oldAttrs: rec {
version = "1.15.1";
src = builtins.fetchurl {
url = "https://launcher.mojang.com/v1/objects/4d1826eebac84847c71a77f9349cc22afd0cf0a1/server.jar";
sha256 = "a0c062686bee5a92d60802ca74d198548481802193a70dda6d5fe7ecb7207993";
};
});
};
}


@ -0,0 +1,46 @@
{ config, lib, pkgs, ... }:
with lib;
let
userOpts = { name, config, ... }: {
options = {
passwd = mkOption {
type = types.str;
description = ''
The password of a given user.
'';
};
databases = mkOption {
type = types.listOf types.str;
default = [];
description = ''
A list of databases to which this user should have access.
'';
};
};
};
in {
options = {
fudo.postgresql = {
databases = mkOption {
type = types.attrsOf types.lines;
default = {};
description = ''
A map of database_name => database_defn.
'';
};
users = mkOption {
type = with types; attrsOf (submodule userOpts);
default = {};
description = ''
A map of user_name => { user_attributes }.
'';
};
};
};
}
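Review bot: These options are declared under `fudo.postgresql`, yet the powerdns profile later in this commit sets `services.postgresql.users` and `services.postgresql.databases`, which the NixOS postgresql module does not define, so one of the two paths has to change before either file evaluates. `passwd` carries a plaintext database password whose value ends up in the world-readable Nix store; the description should say so, e.g. `The password of a given user. Note: this value is written to the Nix store and is readable by every local user.`, and a `passwdFile` option would be the way to avoid it.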


@ -0,0 +1,10 @@
{ pkgs, ... }:
{
nixpkgs.config.packageOverrides = pkgs: rec {
postgresql_11_gssapi = pkgs.postgresql_11.overrideAttrs (oldAttrs: rec {
configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ];
buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
});
};
}

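--- a/profiles/.#ldap-server.nix
+++ b/profiles/.#ldap-server.nix
@@ -0,0 +1 @@
+root@france.26610:1573312038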
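Review bot: `profiles/.#ldap-server.nix` is an Emacs lock file (a symlink whose target has the `user@host.pid:time` shape) that was committed by accident; it discloses the editing user, hostname and process id and has no meaning to consumers of the repository. Remove it and add `.#*` to `.gitignore`.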

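--- a/profiles/desktop.nix
+++ b/profiles/desktop.nix
@@ -0,0 +1,147 @@
+{ config, lib, pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+cool-retro-term
+chrome-gnome-shell
+chromium
+ffmpeg-full
+firefox
+gimp
+glxinfo
+gnome3.gnome-shell
+gnome3.gnome-session
+google-chrome
+gtk2
+gtk2-x11
+gtk3
+gtkimageview
+i3lock
+libfixposix
+minecraft
+mplayer
+nomacs
+openssl_1_1
+redshift
+rhythmbox
+shotwell
+spotify
+sqlite
+steam
+system-config-printer
+virtmanager
+xorg.xev
+xzgv
+virtmanager-qt
+];
+boot.plymouth.enable = true;
+services.avahi = {
+enable = true;
+browseDomains = ["sea.fudo.org"];
+domainName = "sea.fudo.org";
+};
+boot.tmpOnTmpfs = true;
+services.xserver = {
+enable = true;
+layout = "us";
+xkbVariant = "dvp";
+xkbOptions = "ctrl:nocaps";
+desktopManager.gnome3.enable = true;
+desktopManager.default = "gnome3";
+displayManager.gdm.enable = true;
+windowManager.session = pkgs.lib.singleton {
+name = "stumpwm";
+start = ''
+${pkgs.lispPackages.stumpwm}/bin/stumpwm &
+waidPID=$!
+'';
+};
+};
+services.printing = {
+enable = true;
+};
+services.gnome3 = {
+evolution-data-server.enable = pkgs.lib.mkForce false;
+gnome-user-share.enable = pkgs.lib.mkForce false;
+};
+services.dbus.socketActivated = true;
+sound.enable = true;
+hardware.pulseaudio.enable = true;
+fonts = {
+enableCoreFonts = true;
+enableFontDir = true;
+enableGhostscriptFonts = false;
+fontconfig.ultimate.enable = true;
+fonts = with pkgs; [
+cantarell_fonts
+dejavu_fonts
+dina-font
+dosemu_fonts
+fira-code
+fira-code-symbols
+freefont_ttf
+liberation_ttf
+mplus-outline-fonts
+nerdfonts
+noto-fonts
+noto-fonts-cjk
+noto-fonts-emoji
+proggyfonts
+terminus_font
+ubuntu_font_family
+ucsFonts
+unifont
+vistafonts
+xlibs.fontadobe100dpi
+xlibs.fontadobe75dpi
+xlibs.fontadobeutopia100dpi
+xlibs.fontadobeutopia75dpi
+xlibs.fontadobeutopiatype1
+xlibs.fontarabicmisc
+xlibs.fontbh100dpi
+xlibs.fontbh75dpi
+xlibs.fontbhlucidatypewriter100dpi
+xlibs.fontbhlucidatypewriter75dpi
+xlibs.fontbhttf
+xlibs.fontbhtype1
+xlibs.fontbitstream100dpi
+xlibs.fontbitstream75dpi
+xlibs.fontbitstreamtype1
+xlibs.fontcronyxcyrillic
+xlibs.fontcursormisc
+xlibs.fontdaewoomisc
+xlibs.fontdecmisc
+xlibs.fontibmtype1
+xlibs.fontisasmisc
+xlibs.fontjismisc
+xlibs.fontmicromisc
+xlibs.fontmisccyrillic
+xlibs.fontmiscethiopic
+xlibs.fontmiscmeltho
+xlibs.fontmiscmisc
+xlibs.fontmuttmisc
+xlibs.fontschumachermisc
+xlibs.fontscreencyrillic
+xlibs.fontsonymisc
+xlibs.fontsunmisc
+xlibs.fontwinitzkicyrillic
+xlibs.fontxfree86type1
+];
+};
+}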
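Review bot: `waidPID=$!` in the stumpwm session `start` script is a typo for `waitPID`; the NixOS session wrapper waits on a variable named `waitPID`, so with the misspelling it finds nothing to wait for and the X session ends right after the window manager is launched. Change it to `waitPID=$!`. The module takes `lib` as an argument but then reaches for `pkgs.lib.singleton` and `pkgs.lib.mkForce`; using the `lib` already in scope would be the conventional form.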

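--- a/profiles/ldap-server.nix
+++ b/profiles/ldap-server.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+let
+base = "dc=fudo,dc=org";
+ldap = import ../config/fudo/ldap.nix;
+in {
+imports = [
+../config/fudo/ldap.nix
+];
+services.openldap = {
+enable = true;
+suffix = base;
+rootdn = "cn=admin,${base}";
+rootpwFile = "/srv/ldap/secure/root.pw";
+};
+}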
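Review bot: `ldap = import ../config/fudo/ldap.nix;` is never used and merely duplicates the entry already in `imports` (importing a module file as a plain value does not evaluate it as a module anyway), so the binding should be dropped. `rootpwFile = "/srv/ldap/secure/root.pw"` correctly keeps the admin password out of the Nix store; nothing here manages that file's owner or mode, so a comment such as `# root.pw is provisioned out of band and must be readable only by the openldap user` would record the assumption.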

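--- a/profiles/server.nix
+++ b/profiles/server.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+];
+boot.tmpOnTmpfs = true;
+services.xserver.enable = false;
+}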


@ -0,0 +1,43 @@
# Starts an Nginx server on $HOSTNAME just to get a cert for this host
{ config, pkgs, environment, ... }:
let
hostname = config.networking.hostName;
wwwRoot = pkgs.writeTextFile {
name = "index.html";
text = ''
<html>
<head>
<title>${hostname}</title>
</head>
<body>
<h1>${hostname}</title>
</body>
</html>
'';
destination = "/www";
};
in {
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."${hostname}" = {
enableACME = true;
forceSSL = true;
root = wwwRoot + ("/" + "www");
};
};
security.acme.certs = {
${hostname}.email = "admin@fudo.org";
};
}
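Review bot: `{ config, pkgs, environment, ... }` asks the module system for an argument named `environment`, which NixOS modules do not receive, so this file fails to evaluate before any option in it applies; drop it from the argument set (the heimdal, powerdns and both postgres profiles in this commit have the same argument). `pkgs.writeTextFile` with `destination = "/www"` produces a single file at `$out/www`, so `root = wwwRoot + ("/" + "www")` points nginx at a file rather than a directory; use `destination = "/www/index.html";` together with `root = "${wwwRoot}/www";`. `<h1>${hostname}</title>` closes the heading with the wrong tag.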


@ -0,0 +1,34 @@
{ config, pkgs, environment, ... }:
let
databasePath = /var/heimdal/heimdal;
in {
environment = {
systemPackages = with pkgs; [
heimdalFull
];
};
systemd.services = {
heimdal-kdc = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "Heimdal Kerberos Key Distribution Center (ticket server)";
serviceConfig = {
ExecStart = ''${pkgs.heimdalFull}/libexec/heimdal/kdc'';
};
};
heimdal-admin-server = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "Heimdal Kerberos Remote Administration Server";
serviceConfig = {
ExecStart = ''${pkgs.heimdalFull}/libexec/heimdal/kadmind'';
};
};
};
}
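Review bot: `databasePath = /var/heimdal/heimdal;` is declared but never used, and neither unit tells `kdc` or `kadmind` where its realm configuration or database lives, so it is unclear how the daemons are meant to find them; either wire the path into the configuration the daemons read or remove the binding. Both services run as root with no `serviceConfig` hardening and, given the network profiles disable the firewall, are reachable from the whole network; if root is intended for the privileged ports, a short comment stating that would help the next reader.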


@ -0,0 +1,136 @@
{ config, pkgs, environment, ... }:
let
databaseName = "powerdns";
userName = "powerdns";
reverseIp = ip: builtins.concatStringsSep "." (lib.lists.reverseList(lib.strings.splitString "." ip));
fullReverseIp = ip: "${reverseIp ip}.in-addr.arpa";
hostRecord = domain_id: type: name: content: ''
INSERT INTO records (domain_id, name, type, content) VALUES ($domain_id, '${name}', '${type}', '${content}');
'';
in {
environment = {
systemPackages = with pkgs; [
postgresql_11_gssapi
powerdns
];
};
services.postgresql.users."${userName}" = {
passwd = "some_junk";
databases = ["${databaseName}"];
};
services.postgresql.databases."${databaseName} = {
"${databaseName}" = ''
CREATE TABLE domains (
id SERIAL PRIMARY KEY,
name VARCHAR(255) NOT NULL,
master VARCHAR(128) DEFAULT NULL,
last_check INT DEFAULT NULL,
type VARCHAR(6) NOT NULL,
notified_serial INT DEFAULT NULL,
account VARCHAR(40) DEFAULT NULL,
CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
);
CREATE UNIQUE INDEX name_index ON domains(name);
CREATE TABLE records (
id BIGSERIAL PRIMARY KEY,
domain_id INT DEFAULT NULL,
name VARCHAR(255) DEFAULT NULL,
type VARCHAR(10) DEFAULT NULL,
content VARCHAR(65535) DEFAULT NULL,
ttl INT DEFAULT NULL,
prio INT DEFAULT NULL,
disabled BOOL DEFAULT 'f',
ordername VARCHAR(255),
auth BOOL DEFAULT 't',
CONSTRAINT domain_exists
FOREIGN KEY(domain_id) REFERENCES domains(id)
ON DELETE CASCADE,
CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
);
CREATE INDEX rec_name_index ON records(name);
CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
CREATE INDEX recordorder ON records (domain_id, ordername text_pattern_ops);
CREATE TABLE supermasters (
ip INET NOT NULL,
nameserver VARCHAR(255) NOT NULL,
account VARCHAR(40) NOT NULL,
PRIMARY KEY(ip, nameserver)
);
CREATE TABLE comments (
id SERIAL PRIMARY KEY,
domain_id INT NOT NULL,
name VARCHAR(255) NOT NULL,
type VARCHAR(10) NOT NULL,
modified_at INT NOT NULL,
account VARCHAR(40) DEFAULT NULL,
comment VARCHAR(65535) NOT NULL,
CONSTRAINT domain_exists
FOREIGN KEY(domain_id) REFERENCES domains(id)
ON DELETE CASCADE,
CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
);
CREATE INDEX comments_domain_id_idx ON comments (domain_id);
CREATE INDEX comments_name_type_idx ON comments (name, type);
CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);
CREATE TABLE domainmetadata (
id SERIAL PRIMARY KEY,
domain_id INT REFERENCES domains(id) ON DELETE CASCADE,
kind VARCHAR(32),
content TEXT
);
CREATE INDEX domainidmetaindex ON domainmetadata(domain_id);
CREATE TABLE cryptokeys (
id SERIAL PRIMARY KEY,
domain_id INT REFERENCES domains(id) ON DELETE CASCADE,
flags INT NOT NULL,
active BOOL,
content TEXT
);
CREATE INDEX domainidindex ON cryptokeys(domain_id);
CREATE TABLE tsigkeys (
id SERIAL PRIMARY KEY,
name VARCHAR(255),
algorithm VARCHAR(50),
secret VARCHAR(255),
CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
);
CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);
INSERT INTO domains (id, name, master, type) VALUES (1, '${config.fudo.localNetwork.domain}', '${config.fudo.localNetwork.masterNameServer.ip}', 'MASTER');
INSERT INTO domains (id, name, master, type) VALUES (2, '${config.fudo.localNetwork.masterNameServer.ipReverseDomain}', '${config.fudo.localNetwork.masterNameServer.ip}', 'MASTER');
${hostRecord 1 "SOA" config.fudo.localDomain "${config.fudo.localNetwork.domain}. hostmaster.${config.fudo.localNetwork.domain}."}
${hostRecord 2 "SOA" config.fudo.masterNameServer.ipReverseDomain "${config.fudo.localNetwork.masterNameServer.ipReverseDomain} hostmaster.${config.fudo.localNetwork.domain}."}
${hostRecord 1 "NS" config.fudo.localNetwork.domain config.fudo.localNetwork.masterNameServer.ip}
${hostRecord 2 "NS" config.fudo.localNetwork.masterNameServer.ipReverseDomain config.fudo.localNetwork.masterNameServer.ip}
${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (host: attrs: hostRecord 1 "A" host attrs.ipv4Address) config.fudo.localNetwork.hosts)}
${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (host: attrs: hostRecord 2 "PTR" (fullReverseIp attrs.ipv4Address) host) config.fudo.localNetworkhosts)}
${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (alias: host: hostRecord 1 "CNAME" alias host) config.fudo.localNetwork.hostAliases)}
'';
};
};
}
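Review bot: `services.postgresql.databases."${databaseName} = {` is missing its closing quote, so the file does not parse; once that is fixed, `services.postgresql.users`/`databases` are not options of the NixOS postgresql module — the options this commit declares live under `fudo.postgresql`. `hostRecord` places `$domain_id` in a `''` string where only `${...}` interpolates, so the generated SQL literally contains `$domain_id`; it should be `${toString domain_id}`. The three record lists call `lib.attrSets.mapAttrs`, which (spelled `lib.attrsets`) returns an attribute set while `concatStringsSep` needs a list, so `lib.mapAttrsToList` is the right call; `lib` is also absent from the module arguments, and `config.fudo.localDomain`, `config.fudo.masterNameServer` and `config.fudo.localNetworkhosts` look like mistyped option paths. `passwd = "some_junk"` is a placeholder credential that will be written to the Nix store; it should come from a file outside the store before this profile is deployed.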


@ -0,0 +1,19 @@
{ pkgs, ... }:
let
dataDir = /srv/minecraft/data;
in {
services.minecraft-server = {
enable = true;
package = pkgs.minecraft-server_1_15_1;
dataDir = dataDir;
eula = true;
declarative = true;
serverProperties = {
level-name = "selbyland";
motd = "Welcome to the Selby Minecraft Server";
difficulty = 2;
gamemode = "survival";
};
};
}
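Review bot: `dataDir = /srv/minecraft/data;` is a Nix path literal; if the minecraft-server module interpolates `dataDir` into a string, a path value is copied into the Nix store (and evaluation fails when the directory is unreadable at build time), whereas the string `"/srv/minecraft/data"` is passed through unchanged. The same pattern appears in the heimdal and both postgres profiles in this commit (`/var/heimdal/heimdal`, `/srv + ...`).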


@ -0,0 +1,65 @@
{ config, pkgs, environment, ... }:
let
dataPath = /srv + ("/" + config.networking.hostName);
in {
environment = {
systemPackages = with pkgs; [
postgresql_11_gssapi
];
etc = {
"postgresql/private/privkey.pem" = {
mode = "0400";
user = "postgres";
group = "postgres";
source = dataPath + "/certs/private/privkey.pem";
};
"postgresql/cert.pem" = {
mode = "0444";
user = "postgres";
group = "postgres";
source = dataPath + "/certs/cert.pem";
};
"postgresql/private/postgres.keytab" = {
mode = "0400";
user = "postgres";
group = "postgres";
source = dataPath + "/keytabs/postgres.keytab";
};
};
};
<
services.postgresql = {
enable = true;
package = pkgs.postgresql_11_gssapi;
enableTCPIP = true;
extraConfig =
''
krb_server_keyfile = '/etc/postgresql/private/postgres.keytab'
ssl = true
ssl_cert_file = '/etc/postgresql/cert.pem'
ssl_key_file = '/etc/postgresql/private/privkey.pem'
'';
authentication =
''
local all all ident
# host-local
host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
# local network
host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
'';
};
}
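Review bot: The stray `<` on its own line after the `environment` block is a syntax error. More seriously, `environment.etc."postgresql/private/privkey.pem".source = dataPath + "/certs/private/privkey.pem"` (and the keytab entry) imports the private key and keytab into the Nix store, which is world-readable, so `mode = "0400"` on the `/etc` copy protects nothing; point `ssl_key_file` and `krb_server_keyfile` at the files under `/srv/<hostname>` directly, with ownership handled by the deployment, and drop the `environment.etc` entries. `host all all 10.0.0.1/24` has host bits set inside the mask; writing the network address `10.0.0.0/24` states the intent unambiguously.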

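--- a/profiles/vm/http.nix
+++ b/profiles/vm/http.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+{ containers.https =
+let
+hostname = "${config.hostname}.fudo.link";
+incomingCertDir = "/srv/${config.hostname}/certs";
+containerCertsDir = "/etc/letsencrypt/live";
+in {
+autoStart = true;
+bindMounts = [
+{
+"${containerCertsDir}" = {
+hostPath = "${incomingCertsDir}";
+isReadOnly = false;
+};
+}
+];
+config = { config, pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+nginx
+];
+services.nginx = {
+enable = true;
+virtualHosts."${hostname}" = {
+enableACME = true;
+forceSSL = true;
+root = "/var/www";
+};
+security.acme.certs = {
+"${hostname}".email = config.adminEmail;
+};
+};
+};
+};
+}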
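Review bot: `incomingCertDir` is defined but the bind mount reads `incomingCertsDir`, which is undefined, and `config.hostname` / `config.adminEmail` are not NixOS options (`config.networking.hostName` is the usual source for the host name), so this file does not evaluate. `security.acme.certs` is nested inside `services.nginx`, where it is an unknown option; move it up one level beside `services.nginx`. `bindMounts` is written as a list holding one attribute set, whereas `containers.<name>.bindMounts` is an attribute set keyed by mount point (compare profiles/vm/postgres.nix in this commit); and if the host is meant to supply the certificates, the mount should be `isReadOnly = true` with `enableACME` dropped inside the container — as written the container both mounts them writable and requests its own.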

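--- a/profiles/vm/postgres.nix
+++ b/profiles/vm/postgres.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, environment, ... }:
+let
+hostPath = /srv + ("/" + config.networking.hostName);
+srcCertificateDirectory = hostPath + "/certs";
+dstCertificateDirectory = "/etc/pki/certs/postgres";
+dstPrivateKey = dstCertificateDirectory + /private/privkey.pem;
+srcKeytabPath = hostPath + /keytabs/postgres;
+dstKeytabPath = "/etc/postgresql-common/keytab";
+in {
+containers.postgres = {
+autoStart = true;
+bindMounts = {
+"${dstCertificateDirectory}" = {
+hostPath = "${srcCertificateDirectory}";
+isReadOnly = false;
+};
+"${dstKeytabPath}" = {
+hostPath = "${srcKeytabPath}";
+isReadOnly = false;
+};
+};
+config = { config, pkgs, environment, ... }: {
+environment.etc."${dstPrivateKey}".mode = "0400";
+boot.tmpOnTmpfs = true;
+# Kind of a stupid hack...bindMounts can't specify perms, and it defaults to
+# permissive (even for nested files). So, explicitly make the keys private.
+# TODO: eventually, use bindMount perms, hopefully?
+boot.postBootCommands = ''
+chown postgres ${dstKeytabPath}/postgres.keytab
+chmod 400 ${dstKeytabPath}/postgres.keytab
+chown -R postgres ${dstCertificateDirectory}
+chown 400 ${dstCertificateDirectory}/private/privkey.pem
+'';
+services.postgresql = {
+enable = true;
+package = pkgs.postgresql_10;
+enableTCPIP = true;
+extraConfig =
+''
+krb_server_keyfile = '${dstKeytabPath}/postgres.keytab'
+ssl = true
+ssl_cert_file = '${dstCertificateDirectory}/cert.pem'
+ssl_key_file = '${dstCertificateDirectory}/private/privkey.pem'
+'';
+authentication =
+''
+local all all ident
+# host-local
+host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
+host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
+# local network
+host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
+host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
+'';
+initialScript = pkgs.writeText "backend-initscript" ''
+CREATE ROLE niten;
+'';
+};
+};
+};
+}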
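Review bot: `chown 400 ${dstCertificateDirectory}/private/privkey.pem` in `postBootCommands` is a typo for `chmod 400`; as written it reassigns the key to uid 400 and leaves its permissions as permissive as the comment above says they are, which defeats the purpose of the hack. The certificate and keytab bind mounts are `isReadOnly = false` although nothing in the container writes to them; `isReadOnly = true` limits what a compromised container can do to the host's key material, with ownership then set on the host side. `environment.etc."${dstPrivateKey}".mode = "0400"` uses an absolute path as an `environment.etc` key and supplies no `source`, which I would expect to either fail evaluation or create an entry under `/etc/etc/...`; the `chmod` in `postBootCommands` already covers the intent, so the line can go.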

23
static/fudo_ca.pem Normal file

@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----