Initial re-checki
commit
46c45f4440
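--- a/config/fudo.nix
+++ b/config/fudo.nix
@@ -0,0 +1,95 @@
+{ lib, config, pkgs, ... }:
+
+with lib;
+
+let
+hostOpts = { config, ... }: {
+options = {
+ipv6Address = mkOption {
+type = types.str;
+description = ''
+The V6 IP of a given host, if any.
+'';
+};
+
+ipv4Address = mkOption {
+type = types.str;
+description = ''
+The V4 IP of a given host, if any.
+'';
+};
+
+macAddress = mkOption {
+type = types.str;
+description = ''
+The MAC address of a given host, if desired for IP reservation.
+'';
+};
+};
+};
+
+localNameServerOpts = { config, ... }: {
+options = {
+ipv6Address = mkOption {
+type = types.str;
+description = ''
+The V6 IP of a given host, if any.
+'';
+};
+
+ipv4Address = mkOption {
+type = types.str;
+description = ''
+The V4 IP of a given host, if any.
+'';
+};
+
+ipv4ReverseDomain = mkOption {
+type = types.str;
+description = ''
+The domain of the IPv4 address range for which this nameserver is responsible.
+
+Eg: 0.10.in-addr.arpa
+'';
+};
+};
+};
+
+in {
+imports = [
+./fudo/ldap.nix
+];
+
+options = {
+
+fudo.localNetwork.hosts = mkOption {
+type = types.listOf (submodule hostOpts);
+default = {};
+description = ''
+A map of hostname => { host_attributes }.
+'';
+};
+
+fudo.localNetwork.domain = mkOption {
+type = types.str;
+description = ''
+The domain to use for the local network.
+'';
+};
+
+fudo.localNetwork.hostAliases = mkOption {
+type = types.attrsOf types.str;
+default = {};
+description = ''
+A mapping of hostAlias => hostName to use on the local network.
+'';
+};
+
+fudo.localNetwork.localNameServer = mkOption {
+type = (submodule localNameServerOpts);
+description = ''
+The master nameserver of the local network.
+'';
+};
+};
+}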
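Review bot: `fudo.localNetwork.hosts` declares `type = types.listOf (submodule hostOpts);` but its default is `{}` and its description calls it a map of hostname => attributes, so the default does not type-check against the declared type; `type = types.attrsOf (submodule hostOpts);` matches both the default and the description. The per-host `ipv6Address` and `ipv4Address` options are described as present "if any" yet are typed as a mandatory `types.str` with no default, so a host with only one address family cannot be evaluated; declare them `type = types.nullOr types.str; default = null;` in both `hostOpts` and `localNameServerOpts`. The `{ config, ... }:` argument of both submodules is unused and could be `{ ... }:`.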
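--- a/config/fudo/ldap.nix
+++ b/config/fudo/ldap.nix
@@ -0,0 +1,415 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+
+cfg = config.fudo.auth.server;
+
+ldapSystemUserOpts = { name, ... }: {
+options = {
+description = mkOption {
+type = types.str;
+description = ''
+The description of this system user.
+'';
+};
+
+hashed-password = mkOption {
+type = types.str;
+description = ''
+The password for this user, hashed with ldappasswd.
+'';
+};
+};
+};
+
+ldapGroupOpts = { name, ... }: {
+options = {
+gid = mkOption {
+type = types.int;
+description = ''
+The GID number of this group.
+'';
+};
+
+description = mkOption {
+type = types.str;
+description = ''
+The description of this group.
+'';
+};
+
+members = mkOption {
+type = with types; listOf str;
+default = [];
+description = ''
+A list of usernames representing the members of this group.
+'';
+};
+};
+};
+
+ldapUserOpts = { name, ... }: {
+options = {
+
+uid = mkOption {
+type = types.int;
+description = ''
+The UID number of this user.
+'';
+};
+
+common-name = mkOption {
+type = types.str;
+description = ''
+The given name of this user.
+'';
+};
+
+group = mkOption {
+type = types.str;
+description = ''
+The name of the user's primary group.
+'';
+};
+
+login-shell = mkOption {
+type = types.str;
+default = "/bin/bash";
+description = ''
+The user's preferred shell. Default is /bin/bash.
+'';
+};
+
+description = mkOption {
+type = types.str;
+default = "Fudo Member";
+description = ''
+The description of this user.
+'';
+};
+
+hashed-password = mkOption {
+type = types.str;
+description = ''
+The password for this user, hashed with ldappasswd.
+'';
+};
+};
+};
+
+stringJoin = joiner: attrList:
+if (length attrList) == 0 then
+""
+else
+foldr(lAttr: rAttr: "${lAttr}${joiner}${rAttr}") (last attrList) (init attrList);
+
+getUserGidNumber = user: group-map: group-map.${user.group}.gid;
+
+attrOr = attrs: attr: value:
+if attrs ? ${attr} then attrs.${attr} else value;
+
+mkHomeDir = username: user-opts:
+if (user-opts.group == "admin") then
+"/home/${username}"
+else
+"/home/${user-opts.group}/${username}";
+
+
+userLdif = base: name: group-map: opts: ''
+dn: uid=${name},ou=members,${base}
+uid: ${name}
+objectClass: account
+objectClass: shadowAccount
+objectClass: posixAccount
+cn: ${opts.common-name}
+uidNumber: ${toString(opts.uid)}
+gidNumber: ${toString(getUserGidNumber opts group-map)}
+homeDirectory: ${mkHomeDir name opts}
+description: ${opts.description}
+shadowLastChange: 12230
+shadowMax: 99999
+shadowWarning: 7
+userPassword: ${opts.hashed-password}
+'';
+
+systemUserLdif = base: name: opts: ''
+dn: cn=${name},${base}
+objectClass: organizationalRole
+objectClass: simpleSecurityObject
+cn: ${name}
+description: ${opts.description}
+userPassword: ${opts.hashed-password}
+'';
+
+toMemberList = userList:
+stringJoin "\n" (map (username: "memberUid: ${username}") userList);
+
+groupLdif = base: name: opts: ''
+dn: cn=${name},ou=groups,${base}
+objectClass: posixGroup
+cn: ${name}
+gidNumber: ${toString(opts.gid)}
+description: ${opts.description}
+${toMemberList opts.members}
+'';
+
+systemUsersLdif = base: user-map:
+stringJoin "\n" (mapAttrsToList (name: opts:
+systemUserLdif base name opts
+) user-map);
+
+groupsLdif = base: group-map:
+stringJoin "\n" (mapAttrsToList (name: opts:
+groupLdif base name opts
+) group-map);
+
+usersLdif = base: group-map: user-map:
+stringJoin "\n" (mapAttrsToList (name: opts:
+userLdif base name group-map opts
+) user-map);
+
+in {
+
+options = {
+fudo = {
+auth = {
+server = {
+enable = mkEnableOption "Fudo Authentication";
+
+kerberos-host = mkOption {
+type = types.str;
+description = ''
+The name of the host to use for Kerberos authentication.
+'';
+};
+
+kerberos-keytab = mkOption {
+type = types.str;
+description = ''
+The path to a keytab for the LDAP server, containing a principal for ldap/<hostname>.
+'';
+};
+
+sslCert = mkOption {
+type = types.str;
+description = ''
+The path to the SSL certificate to use for the server.
+'';
+};
+
+sslKey = mkOption {
+type = types.str;
+description = ''
+The path to the SSL key to use for the server.
+'';
+};
+
+sslCACert = mkOption {
+type = types.str;
+description = ''
+The path to the SSL CA cert used to sign the certificate.
+'';
+};
+
+organization = mkOption {
+type = types.str;
+description = ''
+The name to use for the organization.
+'';
+};
+
+base = mkOption {
+type = types.str;
+description = ''
+The base dn of the LDAP server (eg. "dc=fudo,dc=org").
+'';
+};
+
+rootpw-file = mkOption {
+default = "";
+type = types.str;
+description = ''
+The path to a file containing the root password for this database.
+'';
+};
+
+listen-uris = mkOption {
+default = [];
+type = with types; listOf str;
+description = ''
+A list of URIs on which the ldap server should listen.
+'';
+example = [
+"ldap://auth.fudo.org"
+"ldaps://auth.fudo.org"
+];
+};
+
+users = mkOption {
+default = {};
+type = with types; loaOf (submodule ldapUserOpts);
+example = {
+tester = {
+uid = 10099;
+common-name = "Joe Blow";
+hashed-password = "<insert password hash>";
+};
+};
+description = ''
+Users to be added to the Fudo LDAP database.
+'';
+};
+
+groups = mkOption {
+default = {};
+type = with types; loaOf (submodule ldapGroupOpts);
+example = {
+admin = {
+gid = 1099;
+members = [
+"tester"
+];
+};
+};
+description = ''
+Groups to be added to the Fudo LDAP database.
+'';
+};
+
+system-users = mkOption {
+default = {};
+type = with types; loaOf (submodule ldapSystemUserOpts);
+example = {
+replicator = {
+description = "System user for database sync";
+hashed-password = "<insert password hash>";
+};
+};
+description = ''
+System users to be added to the Fudo LDAP database.
+'';
+};
+};
+};
+};
+};
+
+config = mkIf cfg.enable {
+
+environment = {
+etc = {
+"openldap/sasl2/slapd.conf" = {
+mode = "0400";
+user = "openldap";
+group = "openldap";
+text = ''
+mech_list: gssapi external
+keytab: /etc/ldap/ldap.keytab
+'';
+};
+};
+};
+
+systemd.services.openldap = {
+environment = {
+KRB5_KTNAME = cfg.kerberos-keytab;
+};
+};
+
+services.openldap = {
+
+enable = true;
+suffix = cfg.base;
+rootdn = "cn=admin,${cfg.base}";
+rootpwFile = "${cfg.rootpw-file}";
+urlList = cfg.listen-uris;
+
+extraConfig = ''
+
+TLSCertificateFile ${cfg.sslCert}
+TLSCertificateKeyFile ${cfg.sslKey}
+TLSCACertificateFile ${cfg.sslCACert}
+
+authz-regexp "^uid=auth/([^.]+)\.fudo\.org,cn=fudo\.org,cn=gssapi,cn=auth$" "cn=$1,ou=hosts,dc=fudo,dc=org"
+authz-regexp "^uid=[^,/]+/root,cn=fudo\.org,cn=gssapi,cn=auth$" "cn=admin,dc=fudo,dc=org"
+authz-regexp "^uid=([^,/]+),cn=fudo\.org,cn=gssapi,cn=auth$" "uid=$1,ou=members,dc=fudo,dc=org"
+authz-regexp "^uid=host/([^,/]+),cn=fudo\.org,cn=gssapi,cn=auth$" "cn=$1,ou=hosts,dc=fudo,dc=org"
+authz-regexp "^gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth$" "cn=admin,dc=fudo,dc=org"
+
+'';
+
+extraDatabaseConfig = ''
+# access to dn=base=""
+# by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+# by * read
+
+access to attrs=userPassword,shadowLastChange
+by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+by group.exact="cn=admin,ou=members,${cfg.base}" write
+by dn.exact="cn=auth_reader,${cfg.base}" read
+by dn.exact="cn=replicator,${cfg.base}" read
+by self write
+by * auth
+
+access to dn.exact="cn=admin,ou=groups,${cfg.base}"
+by dn.exact="cn=admin,${cfg.base}" write
+by users read
+by * none
+
+access to dn.subtree="ou=groups,${cfg.base}" attrs=memberUid
+by dn.regex="cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" write
+by group.exact="cn=admin,ou=groups,${cfg.base}" write
+by users read
+by * none
+
+access to dn.subtree="ou=members,${cfg.base}" attrs=cn,sn,homeDirectory,loginShell,gecos,description
+by group.exact="cn=admin,ou=groups,${cfg.base}" write
+by users read
+by * none
+
+access to dn.exact="cn=admin,ou=groups,${cfg.base}"
+by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+by users read
+by * none
+
+access to dn.subtree="ou=groups,${cfg.base}" attrs=memberUid
+by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+by dn.regex="cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" write
+by group.exact="cn=admin,ou=groups,${cfg.base}" write
+by users read
+by * none
+
+access to *
+by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+by users read
+by * none
+'';
+
+declarativeContents = ''
+dn: ${cfg.base}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: ${cfg.organization}
+
+dn: ou=groups,${cfg.base}
+objectClass: organizationalUnit
+description: ${cfg.organization} groups
+
+dn: ou=members,${cfg.base}
+objectClass: organizationalUnit
+description: ${cfg.organization} members
+
+dn: cn=admin,${cfg.base}
+objectClass: organizationalRole
+cn: admin
+description: "Admin User"
+
+${systemUsersLdif cfg.base cfg.system-users}
+${groupsLdif cfg.base cfg.groups}
+${usersLdif cfg.base cfg.groups cfg.users}
+'';
+};
+};
+}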
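Review bot: The slapd ACL in `extraDatabaseConfig` contains two unreachable clauses and one that targets the wrong subtree: slapd uses the first `access to` whose target matches, so the second `access to dn.exact="cn=admin,ou=groups,${cfg.base}"` and the second `access to dn.subtree="ou=groups,${cfg.base}" attrs=memberUid` (the ones that add peercred `manage`) are shadowed by the identical targets above them, and `by group.exact="cn=admin,ou=members,${cfg.base}" write` on the `userPassword` rule names a DN under `ou=members` while `groupLdif` creates every group under `ou=groups`. Beyond that, `group.exact` defaults to a `groupOfNames`/`member` lookup with DN-valued members, whereas these groups are `posixGroup` entries whose `memberUid` holds bare uids, so the `group.exact` grants are unlikely to ever match — either publish the admin group with a DN-valued member attribute or switch to a `set`-style clause, and confirm the intended identities with `slapacl`. The five `authz-regexp` rewrites hard-code `dc=fudo,dc=org` while `suffix`, `rootdn` and the ACL all derive from `${cfg.base}`, so any other `base` silently maps GSSAPI identities to DNs outside the served suffix. `environment.etc."openldap/sasl2/slapd.conf"` pins `keytab: /etc/ldap/ldap.keytab` although the unit is given `KRB5_KTNAME = cfg.kerberos-keytab`; write `keytab: ${cfg.kerberos-keytab}` so the two cannot drift. Finally, `userLdif` never emits the declared `login-shell` option (add `loginShell: ${opts.login-shell}` next to `homeDirectory`), and both `hashed-password` descriptions should read `The password for this user, hashed with slappasswd.` — `ldappasswd` changes a password on a live server rather than producing a hash, as the header of `fudo/users.nix` already states.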
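--- a/config/postgresql_11.nix
+++ b/config/postgresql_11.nix
@@ -0,0 +1,138 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+catLines = builtins.concatStringsSep "\n";
+
+userOpts = { config, ... }: {
+options = {
+passwd = mkOption {
+type = types.str;
+description = ''
+The password of a given user.
+'';
+};
+
+databases = mkOption {
+type = types.attrsOf types.lines;
+default = {};
+description = ''
+A list of databases to which this user should have access.
+'';
+};
+};
+};
+
+grantDatabaseAccess = username: database: ''
+GRANT CONNECT ON DATABASE ${database} TO USER ${username};
+GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA ${database} TO USER ${username};
+'';
+
+createUserSql = username: userOpts: ''
+CREATE ROLE ${username} ENCRYPTED PASSWORD ${userOpts.passwd};
+${catLines (map (grantDatabaseAccess username) userOpts.databases)}
+'';
+
+createDatabaseSql = database: dbOpts: ''
+CREATE DATABASE ${database};
+USE ${database};
+'';
+
+dataPath = /srv + ("/" + config.networking.hostName);
+
+in {
+
+options = {
+fudo.postgresql = {
+
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to enable the PostgreSQL server for Fudo services.
+'';
+};
+
+databases = mkOption {
+type = types.attrsOf types.lines;
+default = {};
+description = ''
+A map of database_name => database_defn.
+'';
+};
+
+users = mkOption {
+type = with types; attrsOf (submodule userOpts);
+default = {};
+description = ''
+A map of user_name => { user_attributes }.
+'';
+};
+};
+};
+
+# config = mkIf config.fudo.postgresql.enable
+
+# environment = {
+
+# systemPackages = with pkgs; [
+# postgresql_11_gssapi
+# ];
+
+# etc = {
+# "postgresql/private/privkey.pem" = {
+# mode = "0400";
+# user = "postgres";
+# group = "postgres";
+# source = dataPath + "/certs/private/privkey.pem";
+# };
+
+# "postgresql/cert.pem" = {
+# mode = "0444";
+# user = "postgres";
+# group = "postgres";
+# source = dataPath + "/certs/cert.pem";
+# };
+
+# "postgresql/private/postgres.keytab" = {
+# mode = "0400";
+# user = "postgres";
+# group = "postgres";
+# source = dataPath + "/keytabs/postgres.keytab";
+# };
+# };
+# };
+
+# services.postgresql = {
+# enable = true;
+# package = pkgs.postgresql_11_gssapi;
+# enableTCPIP = true;
+
+# extraConfig = ''
+# krb_server_keyfile = '/etc/postgresql/private/postgres.keytab'
+
+# ssl = true
+# ssl_cert_file = '/etc/postgresql/cert.pem'
+# ssl_key_file = '/etc/postgresql/private/privkey.pem'
+# '';
+
+# authentication = ''
+# local all all ident
+
+# # host-local
+# host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
+# host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
+
+# # local network
+# host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
+# host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
+# '';
+
+# initialScript = pkgs.writeText "backend-initscript" ''
+# ${catLines (map createUserSql fudo.postgresql.users)}
+# ${catLines (map createDatabaseSql fudo.postgresql.databases)}
+# '';
+# };
+}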
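Review bot: `createUserSql` splices the plaintext `passwd` option into `CREATE ROLE ${username} ENCRYPTED PASSWORD ${userOpts.passwd};` without quoting, so the statement is syntactically wrong for PostgreSQL (the password must be a string literal) and any quote or semicolon in the value breaks or alters the script; the password also lives in the Nix configuration and, once the commented-out `initialScript = pkgs.writeText …` is restored, would be written to the world-readable Nix store. The rest of the generated SQL is not PostgreSQL either: `GRANT … TO USER ${username}` should be `TO "${username}"`, `USE ${database};` does not exist, and `ON ALL TABLES IN SCHEMA ${database}` names a database where a schema is expected (presumably `public`; confirm). `map (grantDatabaseAccess username) userOpts.databases` maps over an attribute set (`attrsOf lines`), which is an evaluation error — iterate `attrNames userOpts.databases` — and the `databases` description says "A list" while the type is a map. None of this is exercised while `config` is commented out, but the helpers are live code; the rewrite below quotes identifiers and the literal and fixes the iteration, and the password should ultimately move to a root-only file read at service start rather than an option value.
```nix
grantDatabaseAccess = username: database: ''
GRANT CONNECT ON DATABASE "${database}" TO "${username}";
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA public TO "${username}";
'';

createUserSql = username: userOpts: ''
CREATE ROLE "${username}" LOGIN ENCRYPTED PASSWORD '${replaceStrings ["'"] ["''"] userOpts.passwd}';
${catLines (map (grantDatabaseAccess username) (attrNames userOpts.databases))}
'';

createDatabaseSql = database: dbOpts: ''
CREATE DATABASE "${database}";
'';
# … unchanged: dataPath, options, commented config …
```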
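--- a/configuration.nix
+++ b/configuration.nix
@@ -0,0 +1 @@
+./hosts/france.nix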
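--- a/defaults.nix
+++ b/defaults.nix
@@ -0,0 +1,206 @@
+# Ref: https://learnxinyminutes.com/docs/nix/
+
+{ config, pkgs, ... }:
+
+{
+imports = [
+./hardware-configuration.nix
+./packages/postgresql_11_gssapi.nix
+./packages/minecraft-server_1_15_1.nix
+./config/fudo.nix
+./config/postgresql_11.nix
+];
+
+nixpkgs.config.allowUnfree = true;
+
+environment.systemPackages = with pkgs; [
+asdf
+atop
+autoconf
+automake
+bash
+bind
+binutils
+btrfs-progs
+bundix
+byobu
+cdrtools
+cargo
+certbot
+clang
+curl
+emacs
+fail2ban
+fortune
+gcc
+git
+gnumake
+gnupg
+google-cloud-sdk
+guile
+heimdalFull
+imagemagick
+ipfs
+iptables
+jdk
+kerberos
+libisofs
+lispPackages.alexandria
+lispPackages.cl-ppcre
+lispPackages.clx
+lispPackages.quicklisp
+lshw
+mkpasswd
+ncurses5
+nmap
+oidentd
+openldap
+openssh
+openssl_1_1
+openssh_gssapi
+pciutils
+pv
+pwgen
+racket
+ruby
+rustc
+sbcl
+screen
+service-wrapper
+stdenv
+telnet
+texlive.combined.scheme-basic
+tmux
+unzip
+vim
+wget
+];
+
+system.stateVersion = "19.09";
+
+system.autoUpgrade.enable = true;
+
+environment.etc.current-nixos-config.source = ./.;
+
+krb5.enable = true;
+krb5.libdefaults.default_realm = "FUDO.ORG";
+krb5.kerberos = pkgs.heimdalFull;
+
+i18n = {
+# consoleFont = "Lat2-Terminus16";
+consoleKeyMap = "dvp";
+defaultLocale = "en_US.UTF-8";
+# consoleUseXkbConfig = true;
+};
+
+programs = {
+mosh.enable = true;
+
+ssh = {
+forwardX11 = true;
+extraConfig = ''
+GSSAPIAuthentication yes
+GSSAPIDelegateCredentials yes
+'';
+};
+
+bash.enableCompletion = true;
+mtr.enable = true;
+
+gnupg.agent = {
+enable = true;
+enableSSHSupport = true;
+};
+
+};
+
+services = {
+emacs = {
+defaultEditor = true;
+enable = true;
+};
+
+cron = {
+enable = true;
+};
+openssh = {
+enable = true;
+startWhenNeeded = true;
+forwardX11 = true;
+extraConfig = ''
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+'';
+};
+};
+
+security.pam = {
+enableSSHAgentAuth = true;
+# TODO: add yubico?
+services.sshd = {
+# This should only ask for a code if ~/.google_authenticator exists, but it asks anyway.
+# googleAuthenticator.enable = true;
+makeHomeDir = true;
+# Fails!
+# requireWheel = true;
+};
+};
+
+users.groups = {
+fudosys = {
+gid = 888;
+};
+};
+
+users.ldap = {
+enable = true;
+base = "dc=fudo,dc=org";
+bind.distinguishedName = "cn=auth_reader,dc=fudo,dc=org";
+bind.passwordFile = "/srv/nslcd/bind.passwd";
+bind.timeLimit = 5;
+loginPam = false;
+server = "ldap://france.fudo.org";
+timeLimit = 5;
+useTLS = true;
+extraConfig = ''
+TLS_CACERT /etc/nixos/static/fudo_ca.pem
+'';
+
+daemon = {
+enable = true;
+extraConfig = ''
+tls_cacertfile /etc/nixos/static/fudo_ca.pem
+'';
+};
+};
+
+users.extraUsers = {
+niten = {
+isNormalUser = true;
+uid = 10000;
+createHome = true;
+description = "Niten";
+extraGroups = ["wheel" "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "dialout" "adm" "input" "systemd-journal" "fudosys" "libvirtd"];
+group = "users";
+home = "/home/niten";
+hashedPassword = "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
+};
+reaper = {
+isNormalUser = true;
+uid = 10049;
+createHome = true;
+description = "Reaper";
+extraGroups = ["wheel" "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "dialout" "adm" "input" "systemd-journal" "fudosys" "libvirtd"];
+group = "users";
+home = "/home/reaper";
+hashedPassword = "$6$YVCI6kiGcG5EVMT$t9lYEXjAhbnh7YkvJJPAbrzL8XE/AASsKFlWWeS.fDjBi/8S7zwXTHF0j41nDUfC//3viysn0tIOQKyZTHhzG.";
+};
+fudo = {
+isSystemUser = true;
+uid = 888;
+description = "Fudo System User";
+group = "fudosys";
+};
+};
+
+}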
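Review bot: `environment.etc.current-nixos-config.source = ./.;` copies the entire configuration tree into the Nix store, which is world-readable, so the `hashedPassword` values in `users.extraUsers` and the LDAP hashes in `fudo/users.nix` and `fudo/system-users.nix` become readable by every local account on the host (and the tree is then also exposed under `/etc`); export only the files that need to be there, and keep secrets out of the tree — `users.users.<name>.passwordFile` instead of `hashedPassword`, if this release provides it. `programs.ssh.extraConfig` sets `GSSAPIDelegateCredentials yes` for every destination, which hands the user's Kerberos TGT to any server they connect to, including a foreign or compromised one; scope it as `Host *.fudo.org` followed by the two `GSSAPI…` lines. `forwardX11 = true` is enabled on both the client side and `services.openssh`; since X11 forwarding lets the remote end drive the local display, leave it off on the server side unless a specific host needs it.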
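--- a/fudo/groups.nix
+++ b/fudo/groups.nix
@@ -0,0 +1,118 @@
+{
+admin = {
+gid = 1000;
+description = "Admin User Group";
+members = [
+"niten"
+"reaper"
+"swaff"
+];
+};
+
+fudo = {
+gid = 1001;
+description = "Fudo User Group";
+members = [
+"andrew"
+"animus"
+"anorthe"
+"ark"
+"ben"
+"brian"
+"chad"
+"ckoo"
+"dabar"
+"dana"
+"darryl"
+"debo"
+"flowchart"
+"gaijin"
+"gubbs"
+"helen"
+"jess"
+"jill"
+"jinny"
+"joker4ever"
+"jun"
+"kevin"
+"kris"
+"laura"
+"leefolio"
+"niten"
+"r3d3"
+"reaper"
+"rob"
+"saphira"
+"slickoil"
+"splat1"
+"stewartd"
+"swaff"
+"theblacksun"
+"xiaoxuan"
+"zimm"
+];
+};
+
+selby = {
+gid = 1002;
+description = "Selby User Group";
+members = [
+"andrew"
+"brian"
+"darryl"
+"helen"
+"jess"
+"ken"
+"kevin"
+"laura"
+"niten"
+"rob"
+"vee"
+"xiaoxuan"
+];
+};
+
+www-fudo = {
+gid = 1005;
+description = "Fudo Web Group";
+members = [
+"niten"
+"reaper"
+"www-data"
+];
+};
+
+fudo_admin = {
+gid = 1031;
+description = "Fudo Administrators";
+members = [
+"niten"
+"reaper"
+];
+};
+
+sea_media = {
+gid = 1077;
+description = "Media group for Niten's home in Seattle";
+members = [
+"ken"
+"niten"
+"reaper"
+"xiaoxuan"
+];
+};
+
+fudo_shell = {
+gid = 1078;
+description = "Users with shell access to fudo hosts";
+members = [
+"ansyg"
+"joker4ever"
+"niten"
+"omefire"
+"reaper"
+"swaff"
+];
+};
+
+}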
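Review bot: `admin` (members niten, reaper, swaff) is the group that the ACL in `config/fudo/ldap.nix` grants write access to every account's `userPassword`, `memberUid` and profile attributes, while `fudo_admin` (niten, reaper) is labelled "Fudo Administrators" but carries no privilege in that ACL; confirm that swaff, whose primary group in `fudo/users.nix` is `fudo`, is meant to have password-reset authority over all accounts. Add a comment above `admin` such as `# Members of this group get write access to userPassword and group membership via ldap.nix ACLs` so future additions to the list are made deliberately.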
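--- a/fudo/system-users.nix
+++ b/fudo/system-users.nix
@@ -0,0 +1,11 @@
+{
+replicator = {
+description = "Database Replicator";
+hashed-password = "{SHA}HpiRMyxLR+0ZFHz/COvG9lcNYyQ=";
+};
+
+auth_reader = {
+description = "System Authenticator";
+hashed-password = "{MD5}N36/kQ64mev1HARddvVk7Q==";
+};
+}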
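Review bot: Both service accounts use unsalted `{SHA}` / `{MD5}` digests, which offer no resistance to offline guessing if this file or the LDAP database leaks; regenerate them with a salted scheme (`slappasswd -h '{SSHA}'`, or `{CRYPT}` with a sha512 crypt) and keep this file out of version control, since it is a credential store rather than configuration. Note also that `config/fudo/ldap.nix` grants `cn=auth_reader` `read` on every `userPassword` while its bind password is distributed to every client host in `/srv/nslcd/bind.passwd` (`defaults.nix`); with `loginPam = false` the clients only need to look up accounts, and user authentication is done by binding as the user, so `auth_reader` most likely needs only `auth` on that attribute — confirm and drop the `read`, which shrinks what a compromised client can harvest.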
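--- a/fudo/users.nix
+++ b/fudo/users.nix
@@ -0,0 +1,403 @@
+# Generate a hashed password using slappasswd.
+
+{
+niten = {
+uid = 10000;
+group = "admin";
+common-name = "Peter Selby";
+hashed-password = "{SSHA}dF/5NGkafL8M1kpa3LYZKdh0Pc7a02gA";
+};
+
+andrew = {
+uid = 10001;
+group = "selby";
+common-name = "Andrew Selby";
+hashed-password = "";
+};
+
+animus = {
+uid = 10002;
+group = "fudo";
+common-name = "James Frazer";
+hashed-password = "{MD5}5EenPxFXCKCkxMGFmSAHqQ==";
+};
+
+ark = {
+uid = 10005;
+group = "fudo";
+common-name = "Roger Wong";
+hashed-password = "{SHA}H1+3u18I7JG+xcy7jBaKu1M6GFk=";
+};
+
+ben = {
+uid = 10007;
+group = "fudo";
+common-name = "Ben";
+hashed-password = "{MD5}v0jY5bADu30cAR1Uu/eWYQ==";
+};
+
+chad = {
+uid = 10011;
+group = "fudo";
+common-name = "Chad Isbister";
+hashed-password = "{MD5}fQ309GUF2DvHlJ3R+5wNuA==";
+};
+
+ckoo = {
+uid = 10014;
+group = "fudo";
+common-name = "Jason Bush";
+hashed-password = "{MD5}KMFeaBc7e/gVzL/QUT0mYw==";
+};
+
+dana = {
+uid = 10015;
+group = "fudo";
+common-name = "Dana Eftodie";
+hashed-password = "{MD5}+ijTylKau4uot2kGMqKSTA==";
+};
+
+jill = {
+uid = 10030;
+group = "fudo";
+common-name = "Jill Isbister";
+hashed-password = "{MD5}fQ309GUF2DvHlJ3R+5wNuA==";
+};
+
+joker4ever = {
+uid = 10033;
+group = "fudo";
+common-name = "Jack Clarke";
+hashed-password = "{SSHA}w78XwSax9WywIDujMxEoO7o87d2LDJRo";
+};
+
+ken = {
+uid = 10035;
+group = "selby";
+common-name = "Ken Selby";
+hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc";
+};
+
+reaper = {
+uid = 10049;
+group = "admin";
+common-name = "Jonathan Stewart";
+hashed-password = "{MD5}EBvifhJ6z9dIDx0KWkAPoQ==";
+};
+
+slickoil = {
+uid = 10052;
+group = "fudo";
+common-name = "Connor Cooley";
+hashed-password = "{MD5}8Qrpagi8TYnZQdFoYe02rA==";
+};
+
+splat1 = {
+uid = 10053;
+group = "fudo";
+common-name = "Matt Evans";
+hashed-password = "{MD5}JeHNutGTBMHOqFgVlYjfpw==";
+};
+
+swaff = {
+uid = 10055;
+group = "fudo";
+common-name = "Mark Swaffer";
+hashed-password = "{MD5}C5gIsLsaKSvIPydu4uzhNg==";
+};
+
+brian = {
+uid = 10056;
+group = "selby";
+common-name = "Brian Selby";
+hashed-password = "{crypt}$1$npZLTPEO$p2bTx8TTlCg7XNiivTJsC1";
+};
+
+rob = {
+uid = 10057;
+group = "selby";
+common-name = "Robert Selby";
+hashed-password = "{crypt}HD1ESf1hAGdks";
+};
+
+tarbash = {
+uid = 10059;
+group = "fudo";
+common-name = "Neville";
+hashed-password = "{crypt}$1$cE6lVNbC$PLjlE9vK77SKNKwJBKiT//";
+};
+
+darryl = {
+uid = 10060;
+group = "selby";
+common-name = "Darryl Kissick";
+hashed-password = "{crypt}$1$oUNTMyKU$oUs6JqBRTPKE9A/sEzlSY0";
+};
+
+ayumi = {
+uid = 10061;
+group = "fudo";
+common-name = "Ayumi Kira";
+hashed-password = "{MD5}5OkpooOLxw94nF1lOfn/ZQ==";
+};
+
+saphira = {
+uid = 10063;
+group = "fudo";
+common-name = "Elizabeth Stewart";
+hashed-password = "{crypt}$1$cQ/Zq25x$fUQfUtpMB.f3rBWzttPns.";
+};
+
+banen = {
+uid = 10064;
+group = "fudo";
+common-name = "Travis Neis";
+hashed-password = "{crypt}$1$cyfM/Vni$vIuirRln.MnWActOR6t8S.";
+};
+
+xiaoxuan = {
+uid = 10065;
+group = "fudo";
+common-name = "Xiaoxuan Jin";
+hashed-password = "{MD5}iecbyMpyVkmOaMBzSFy58Q==";
+};
+
+thibor = {
+uid = 10066;
+group = "fudo";
+common-name = "";
+hashed-password = "{crypt}$1$HzQOn3zV$ogkeS5ByWrFstYo0FhXB/.";
+};
+
+flowchart = {
+uid = 10067;
+group = "fudo";
+common-name = "BH Bieterse";
+hashed-password = "{crypt}$1$lQMZ42RZ$aAOsLHP0i.yfvD1a1EVsA/";
+};
+
+gubbs = {
+uid = 10068;
+group = "fudo";
+common-name = "Lorcan Gavin";
+hashed-password = "{MD5}AIf4bJZyHCnvJVL3YHRnIg==";
+};
+
+debo = {
+uid = 10069;
+group = "fudo";
+common-name = "Deborah Osti";
+hashed-password = "{crypt}$1$5wEBGh/8$Ggp2JAI/rQiBXxJ89G0iq1";
+};
+
+leefolio = {
+uid = 10070;
+group = "fudo";
+common-name = "Ze Artiste";
+hashed-password = "{crypt}$1$LRlAYBst$sS1bPu8yEPrdYkQhoZhAq1";
+};
+
+zimm = {
+uid = 10071;
+group = "fudo";
+common-name = "Ross Drinkwater";
+hashed-password = "{SSHA}er1cgYDNPJsfLwtqYLopKMGMxiZZRGdY";
+};
+
+gaijin = {
+uid = 10072;
+group = "fudo";
+common-name = "Tetsuo Torigai";
+hashed-password = "{crypt}$1$bw8hyDXm$pMLLUtlDlVLwBTZiC0Lzf0";
+};
+
+anorthe = {
+uid = 10073;
+group = "fudo";
+common-name = "Bonnie Wong";
+hashed-password = "{crypt}$1$DORfHzbp$nJkk0OXd7WzYDxx8LbdMK.";
+};
+
+stewartd = {
+uid = 10076;
+group = "fudo";
+common-name = "Dwight Stewart";
+hashed-password = "{MD5}e2GSmH+l4ZZ808snWsFNYw==";
+};
+
+jess = {
+uid = 10078;
+group = "selby";
+common-name = "Jessica Selby";
+hashed-password = "{MD5}2tbtZre16apUTNtRIK98nQ==";
+};
+
+kevin = {
+uid = 10079;
+group = "selby";
+common-name = "Kevin Selby";
+hashed-password = "{crypt}$1$UYKrkMEe$SAABgc1pCBYgPFIMepNrM.";
+};
+
+theblacksun = {
+uid = 10080;
+group = "fudo";
+common-name = "Brendan Goodfellow";
+hashed-password = "{MD5}Hmw6pFYYT87nmpLp0QxcQw==";
+};
+
+kris = {
+uid = 10082;
+group = "selby";
+common-name = "Kris Huberdeau";
+hashed-password = "{SSHA}RUYeAEUyblnCWa9uBzY9nwsmoksy8P3Y";
+};
+
+jun = {
+uid = 10083;
+group = "fudo";
+common-name = "Junichi Suzuki";
+hashed-password = "{crypt}$1$ExfgQXb8$b1ihvMRbG2dWbnlmzzI/h.";
+};
+
+jinny = {
+uid = 10084;
+group = "fudo";
+common-name = "Hye-jin Kim";
+hashed-password = "{crypt}$1$6cld82N8$5a9ovCPXSacDmK3TWDaF30";
+};
+
+helen = {
+uid = 10086;
+group = "selby";
+common-name = "Helen Selby";
+hashed-password = "{MD5}cT8gLj4MDWqeP/GnzPfgHQ==";
+};
+
+vee = {
+uid = 10087;
+group = "selby";
+common-name = "Vee Selby";
+hashed-password = "snoinuer";
+};
+
+dabar = {
+uid = 10088;
+group = "fudo";
+common-name = "Dan Bernardic";
+hashed-password = "{MD5}ULrk46YUeUZQrl0+wAQiWA==";
+};
+
+r3d3 = {
+uid = 10089;
+group = "fudo";
+common-name = "Derek Veroni";
+hashed-password = "{SHA}2XyijGDovUhA1/Z/XR+9h9Ia4fY=";
+};
+
+laura = {
+uid = 10090;
+group = "selby";
+common-name = "Laura Selby";
+hashed-password = "{MD5}MI65czN0duIudMhYH+BU9Q==";
+};
+
+tuk = {
+uid = 10091;
+group = "fudo";
+common-name = "Taku Koba";
+hashed-password = "{MD5}DQuoQluy50128r8MxAmFkQ==";
+};
+
+aki = {
+uid = 10092;
+group = "fudo";
+common-name = "Akihito Mori";
+hashed-password = "{MD5}oGAt2kJGKMqX+CmfV1w/GA==";
+};
+
+ansyg = {
+uid = 10095;
+group = "fudo";
+common-name = "Anseok Joo";
+hashed-password = "{MD5}AHhHl02D3uDmWhPJZ6QPOw==";
+};
+
+jackie = {
+uid = 10097;
+group = "selby";
+common-name = "Jackie Selby";
+hashed-password = "{MD5}fa6JfWySlH63sITsxrTt0Q==";
+};
+
+mtopf = {
+uid = 10100;
+group = "fudo";
+common-name = "Michael Topf";
+hashed-password = "{MD5}/pleD8SiLhmnRr1RVspNcA==";
+};
+
+tat = {
+uid = 10101;
+group = "fudo";
+common-name = "Tatsuro Akano";
+hashed-password = "{MD5}fAV5GX8UdjsXIFjU0Ex4SA==";
+};
+
+blatzkrieg = {
+uid = 10102;
+group = "fudo";
+common-name = "Brendan Blatz";
+hashed-password = "{MD5}1nE/ndFwGbfH/wLagxvt8w==";
+};
+
+ellie = {
+uid = 10103;
+group = "fudo";
+common-name = "Ellie Lee";
+hashed-password = "{MD5}gzjwt+kw2nmvJ1FKFTpSZA==";
+};
+
+alan = {
+uid = 10104;
+group = "fudo";
+common-name = "Alan Wong";
+hashed-password = "{MD5}WhohVE4xfo9RIOw1kG3s1Q==";
+};
+
+omefire = {
+uid = 10105;
+group = "fudo";
+common-name = "Omar Mefire";
+hashed-password = "{SSHA}W6KWo26wl/nawpV++wMqsKdwrIwrait5";
+};
+
+gordon = {
+uid = 10106;
+group = "fudo";
+common-name = "Gordon Stewart";
+hashed-password = "{SSHA}jaCOc1ZjCI9klVR+v676lIBOidEg7/u0";
+};
+
+jeramy = {
+uid = 10107;
+group = "selby";
+common-name = "Jeramy Ewbank";
+hashed-password = "{MD5}8j8vTniyRzylmeTNUoRwWA==";
+};
+
+lauren = {
+uid = 10108;
+group = "selby";
+common-name = "Lauren Hotel";
+hashed-password = "{SSHA}DKnhrycmXSu4HKWFPeBXA9xvZ0ytgXIpZA10tg==";
+};
+
+testuser = {
+uid = 10110;
+group = "fudo";
+common-name = "Test User";
+hashed-password = "{SSHA}LSz1WjWfjRwAM3xm+QZ71vFj997dnZC6";
+};
+
+}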
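Review bot: The `vee` entry (uid 10087) has a `hashed-password` with no `{scheme}` prefix, so slapd stores the literal value and accepts it as the password — that account's credential is committed to this repository in cleartext; replace it with a `slappasswd` hash and treat the current value as compromised. `thibor` has `common-name = ""`, which makes `userLdif` in `config/fudo/ldap.nix` emit a `cn:` line with an empty value; `cn` is a mandatory DirectoryString for `posixAccount`, so loading the generated LDIF is likely to fail at that entry, and `andrew`'s empty `hashed-password` yields an empty `userPassword:` line whose effect depends on the server — give those fields real values, or make the options nullable and skip the attribute when unset. Most remaining entries are unsalted `{MD5}`/`{SHA}` digests or DES and md5 `{crypt}` values, which are weak against offline guessing; regenerate with a salted scheme (`slappasswd -h '{SSHA}'`, or `{CRYPT}` with a sha512 crypt) as users next change passwords. Because `defaults.nix` ships the whole tree into the Nix store via `environment.etc.current-nixos-config.source = ./.`, this file is world-readable on the host as well as in git; keep it in a secrets store rather than alongside the configuration.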
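--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@@ -0,0 +1,31 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+imports =
+[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+];
+
+boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "ahci" "usb_storage" "floppy" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ "dm-snapshot" ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/87833c39-299b-4e84-9854-beda4a8e0115";
+fsType = "ext4";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/bfb464c0-c259-4c29-8e8f-b3011bd30c95";
+fsType = "ext4";
+};
+
+swapDevices =
+[ { device = "/dev/disk/by-uuid/ac0fe2b7-dd7a-4e86-aaa0-942acf3d541d"; }
+];
+
+nix.maxJobs = lib.mkDefault 8;
+}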
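--- a/hosts/france.nix
+++ b/hosts/france.nix
@@ -0,0 +1,110 @@
+{ config, pkgs, ... }:
+
+let
+hostname = "france.fudo.org";
+
+in {
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/sda";
+
+security.hideProcessInformation = true;
+
+imports = [
+../defaults.nix
+../networks/fudo.org.nix
+../profiles/server.nix
+../config/fudo.nix
+../profiles/services/basic_acme.nix
+../profiles/services/heimdal_kdc.nix
+../profiles/services/minecraft.nix
+../hardware-configuration.nix
+../packages/local-packages.nix
+];
+
+environment.systemPackages = with pkgs; [
+acme-ca
+lxd
+multipath-tools
+];
+
+fudo.auth.server = {
+enable = true;
+base = "dc=fudo,dc=org";
+organization = "Fudo";
+rootpw-file = "/srv/ldap/secure/root.pw";
+kerberos-host = "france.fudo.org";
+kerberos-keytab = "/srv/ldap/secure/ldap.keytab";
+
+sslCert = "/srv/ldap/france.fudo.org.pem";
+sslKey = "/srv/ldap/secure/france.fudo.org-key.pem";
+sslCACert = "/etc/nixos/static/fudo_ca.pem";
+
+listen-uris = [
+"ldap://${hostname}/"
+"ldaps://${hostname}/"
+"ldap://localhost/"
+"ldaps://localhost/"
+"ldapi:///"
+];
+
+users = import ../fudo/users.nix;
+
+groups = import ../fudo/groups.nix;
+
+system-users = import ../fudo/system-users.nix;
+};
+
+networking = {
+hostName = hostname;
+
+dhcpcd.enable = false;
+useDHCP = false;
+interfaces.enp4s0f0.useDHCP = true;
+interfaces.enp4s0f1.useDHCP = true;
+
+enableIPv6 = true;
+
+# Create a bridge for VMs to use
+macvlans = {
+extif0 = {
+interface = "enp4s0f0";
+mode = "bridge";
+};
+intif0 = {
+interface = "enp4s0f1";
+mode = "bridge";
+};
+};
+
+interfaces = {
+extif0 = {
+# result of: echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+macAddress = "02:d4:e8:3b:10:2f";
+ipv4.addresses = [
+{
+address = "208.81.3.117";
+prefixLength = 28;
+}
+];
+};
+intif0 = {
+# result of: echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+macAddress = "02:ba:ba:e9:08:21";
+ipv4.addresses = [
+{
+address = "192.168.11.1";
+prefixLength = 24;
+}
+];
+};
+};
+};
+
+hardware.bluetooth.enable = false;
+
+virtualisation.lxd = {
+enable = true;
+};
+}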
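Review bot: The `listen-uris` list publishes a cleartext `ldap://${hostname}/` listener, and since `extif0` carries the public address 208.81.3.117 while the imported `../networks/fudo.org.nix` sets `firewall.enable = false`, that endpoint — and the directory behind it, including the password hashes loaded from `../fudo/users.nix` — is reachable from the Internet without TLS. Keep cleartext transport to `ldapi:///` and `ldap://localhost/` and serve remote clients only through `ldaps://${hostname}/` (or enforce STARTTLS server-side if the `fudo.auth.server` module supports it). Separately, `interfaces.enp4s0f0.useDHCP`/`interfaces.enp4s0f1.useDHCP` and the later `interfaces = { … }` assign the same `networking.interfaces` key twice inside one attrset; if Nix does not merge the two forms this file will not evaluate, so folding the two DHCP lines into the `interfaces` block is the safer shape.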
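--- a/hosts/monolith.nix
+++ b/hosts/monolith.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+
+let
+hostname = "monolith";
+
+in {
+imports = [
+../defaults.nix
+../networks/sea.fudo.org.nix
+../profiles/desktop.nix
+../hardware-configuration.nix
+];
+
+environment.systemPackages = with pkgs; [
+glxinfo
+];
+
+networking.hostName = hostname;
+
+services.xserver.videoDrivers = ["nvidia"];
+
+hardware.bluetooth.enable = false;
+
+hardware.opengl.driSupport32Bit = true;
+hardware.opengl.driSupport = true;
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/sda";
+
+}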
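Review bot: `../hardware-configuration.nix` is imported here, and the same single file is imported by hosts/france.nix, hosts/nostromo.nix, hosts/spark.nix and hosts/zbox.nix, yet it is the `nixos-generate-config` output of one machine with fixed `/dev/disk/by-uuid/…` root, boot and swap devices. Only the machine that generated it has those UUIDs; the others will most likely hang in stage 1 waiting for devices that never appear, and the shared `kvm-intel` module is wrong for nostromo, which sets `kvm-amd` itself. Give each host its own generated file (for example `../hardware/monolith.nix`) and keep only genuinely common settings in any shared file.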
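--- a/hosts/nostromo.nix
+++ b/hosts/nostromo.nix
@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+
+let
+hostname = "nostromo";
+
+in {
+
+boot.kernelModules = [ "kvm-amd" ];
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/sdb";
+
+imports = [
+../defaults.nix
+../networks/sea.fudo.org.nix
+../profiles/server.nix
+../hardware-configuration.nix
+
+../profiles/services/postgres.nix
+# ../profiles/services/local_nameserver.nix
+];
+
+networking = {
+hostName = hostname;
+
+defaultGateway = "10.0.0.1";
+
+nameservers = [ "10.0.0.1" ];
+
+# Turn off for hypervisor: dhcp by default everywhere is a fuckin pain.
+dhcpcd.enable = false;
+
+# Create a bridge for VMs to use
+macvlans.intlan0 = {
+interface = "eno1";
+mode = "bridge";
+};
+
+interfaces = {
+intlan0 = {
+macAddress = "46:54:76:06:f1:10";
+ipv4.addresses = [
+{
+address = "10.0.0.2";
+prefixLength = 23;
+}
+];
+};
+};
+};
+
+hardware.bluetooth.enable = false;
+
+environment.systemPackages = with pkgs; [
+ipfs
+libguestfs-with-appliance
+libvirt
+virtmanager
+];
+
+virtualisation.libvirtd = {
+enable = true;
+qemuPackage = pkgs.qemu_kvm;
+onShutdown = "shutdown";
+};
+
+services.ipfs = {
+enable = true;
+enableGC = true;
+autoMount = false;
+defaultMode = "online";
+apiAddress = "/ip4/10.0.0.2/tcp/5001";
+gatewayAddress = "/ipv4/10.0.0.2/tcp/8080";
+};
+}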
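Review bot: `gatewayAddress = "/ipv4/10.0.0.2/tcp/8080"` uses a protocol name that does not exist in the multiaddr scheme; the sibling `apiAddress` correctly uses `/ip4/`, so the line should read `gatewayAddress = "/ip4/10.0.0.2/tcp/8080";`. Binding the IPFS API to the LAN address 10.0.0.2 also exposes an unauthenticated control endpoint to every host on the 10.0.0.0/23 segment and to the guests bridged on `intlan0`; unless other machines need it, `apiAddress = "/ip4/127.0.0.1/tcp/5001";` is the safer default. This host imports `../profiles/services/postgres.nix`, which references `pkgs.postgresql_11_gssapi`, but nothing in this import list pulls in `../packages/postgresql_11_gssapi.nix` where that override is defined, so evaluation presumably fails on the missing attribute unless `../defaults.nix` imports it.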
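--- a/hosts/spark.nix
+++ b/hosts/spark.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+let
+hostname = "spark";
+
+in {
+imports = [
+../defaults.nix
+../networks/sea.fudo.org.nix
+../profiles/desktop.nix
+../hardware-configuration.nix
+];
+
+# Use the systemd-boot EFI boot loader.
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi = {
+canTouchEfiVariables = true;
+efibootmgr = {
+efiDisk = "/dev/sda1";
+};
+
+# efiSysMountPoint = "/boot/efi";
+};
+
+networking.hostName = hostname;
+
+hardware.bluetooth.enable = false;
+
+hardware.opengl.driSupport32Bit = true;
+hardware.opengl.driSupport = true;
+
+}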
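Review bot: `boot.loader.efi.efibootmgr = { efiDisk = "/dev/sda1"; }` does not look like a NixOS option — as far as I know `boot.loader.efi` only offers `canTouchEfiVariables` and `efiSysMountPoint` — so the module system would reject the whole configuration with an undefined-option error. With `boot.loader.systemd-boot.enable = true` no disk argument is needed at all, so the `efibootmgr` block can simply be dropped, leaving `boot.loader.efi.canTouchEfiVariables = true;`.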
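--- a/hosts/zbox.nix
+++ b/hosts/zbox.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+let
+hostname = "zbox";
+
+in {
+imports = [
+../defaults.nix
+../networks/sea.fudo.org.nix
+../profiles/desktop.nix
+../hardware-configuration.nix
+];
+
+environment.systemPackages = with pkgs; [
+glxinfo
+];
+
+# Use the systemd-boot EFI boot loader.
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+
+hardware.cpu.intel.updateMicrocode = true;
+
+programs.bash.enableCompletion = true;
+
+services.xserver = {
+videoDrivers = ["nvidia"];
+displayManager.gdm.wayland = false;
+};
+
+hardware.opengl.driSupport32Bit = true;
+hardware.opengl.driSupport = true;
+
+networking.hostName = hostname;
+
+hardware.bluetooth.enable = true;
+}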
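--- a/networks/fudo.org.nix
+++ b/networks/fudo.org.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+config.time.timeZone = "America/Winnipeg";
+
+config.services.cron = {
+mailto = "admin@fudo.org";
+};
+
+config.networking = {
+domain = "fudo.org";
+
+search = ["fudo.org"];
+
+firewall.enable = false;
+
+networkmanager.enable = pkgs.lib.mkForce false;
+
+defaultGateway = "208.81.3.113";
+
+nameservers = [ "1.1.1.1" "208.81.7.14" "2606:4700:4700::1111" ];
+};
+
+config.services.prometheus.exporters = {
+node.enable = true;
+};
+}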
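Review bot: `firewall.enable = false` applies to every host importing this profile, which is the network sitting on a public range (`defaultGateway = "208.81.3.113"`), and the same module enables `services.prometheus.exporters.node`, so the node exporter and every other service on the host listens on the Internet with no packet filter. Keep the firewall on and open ports explicitly in the host that needs them — `firewall.enable = true;` here, `networking.firewall.allowedTCPPorts = [ 80 443 ];` in hosts/france.nix — and leave `services.prometheus.exporters.node.openFirewall` at its default of false so the exporter is reachable only from where you scrape it. If the scraper sits on the LAN, `services.prometheus.exporters.node.listenAddress` can also be pinned to the internal interface address.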
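--- a/networks/sea.fudo.org.nix
+++ b/networks/sea.fudo.org.nix
@@ -0,0 +1,192 @@
+{ config, pkgs, ... }:
+
+{
+config.time.timeZone = "America/Los_Angeles";
+
+config.services.cron = {
+mailto = "niten@fudo.org";
+};
+
+services.printing.enable = true;
+
+config.networking = {
+domain = "sea.fudo.org";
+search = ["sea.fudo.org" "fudo.org"];
+firewall.enable = false;
+networkmanager.enable = pkgs.lib.mkForce false;
+
+# Until Comcast gets it's shit together... :(
+enableIPv6 = false;
+};
+
+config.fileSystems."/mnt/documents" = {
+device = "whitedwarf.sea.fudo.org:/volume1/Documents";
+fsType = "nfs4";
+};
+config.fileSystems."/mnt/downloads" = {
+device = "whitedwarf.sea.fudo.org:/volume1/Downloads";
+fsType = "nfs4";
+};
+config.fileSystems."/mnt/music" = {
+device = "doraemon.sea.fudo.org:/volume1/Music";
+fsType = "nfs4";
+};
+config.fileSystems."/mnt/video" = {
+device = "doraemon.sea.fudo.org:/volume1/Video";
+fsType = "nfs4";
+};
+# fileSystems."/mnt/security" = {
+# device = "panopticon.sea.fudo.org:/srv/kerberos/data";
+# fsType = "nfs4";
+# };
+config.fileSystems."/mnt/cargo_video" = {
+device = "cargo.sea.fudo.org:/volume1/video";
+fsType = "nfs4";
+};
+config.fileSystems."/mnt/photo" = {
+device = "cargo.sea.fudo.org:/volume1/pictures";
+fsType = "nfs4";
+};
+
+config.users.extraUsers = {
+guest = {
+isNormalUser = true;
+uid = 1000;
+description = "Guest User";
+extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
+};
+ken = {
+isNormalUser = true;
+uid = 10035;
+createHome = true;
+description = "Ken Selby";
+extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
+group = "users";
+home = "/home/selby/ken";
+hashedPassword = "$6$EwK9fpbH8$gYVzYY1IYw2/G0wCeUxXrZZqvjWCkCZbBqCOhxowbMuYtC5G0vp.AoYhVKWOJcHJM2c7TdPmAdnhLIe2KYStf.";
+};
+xiaoxuan = {
+isNormalUser = true;
+uid = 10065;
+createHome = true;
+description = "Xiaoxuan Jin";
+extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"];
+group = "users";
+home = "/home/xiaoxuan";
+hashedPassword = "$6$C8lYHrK7KvdKm/RE$cHZ2hg5gEOEjTV8Zoayik8sz5h.Vh0.ClCgOlQn8l/2Qx/qdxqZ7xCsAZ1GZ.IEyESfhJeJbjLpykXDwPpfVF0";
+};
+};
+
+config.fudo.localNetwork = {
+masterNameServer = {
+ip = "10.0.0.1";
+ipReverseDomain = "0.10.in-addr.arpa";
+};
+
+domain = "sea.fudo.org";
+
+hostAliases = {
+kadmin = "slab";
+kdc = "slab";
+photo = "doraemon";
+music = "doraemon";
+panopticon = "hyperion";
+hole = "dnshole";
+ipfs = "nostromo";
+};
+
+hosts = {
+slab = {
+ipv4Address = "10.0.0.1";
+};
+volsung = {
+ipv4Address = "10.0.0.106";
+macAddress = "ac:bc:32:7b:75:a5";
+};
+nest = {
+ipv4Address = "10.0.0.176";
+macAddress = "18:b4:30:16:7c:5a";
+};
+monolith = {
+ipv4Address = "10.0.0.100";
+macAddress = "6c:62:6d:c8:b0:d8";
+};
+brother-wireless = {
+ipv4Address = "10.0.0.160";
+macAddress = "c0:38:96:64:49:65";
+};
+doraemon = {
+ipv4Address = "10.0.0.52";
+macAddress = "00:11:32:0a:06:c5";
+};
+lm = {
+ipv4Address = "10.0.0.21";
+macAddress = "52:54:00:D8:34:92";
+};
+ubiquiti-wifi = {
+ipv4Address = "10.0.0.126";
+macAddress = "04:18:d6:20:48:fb";
+};
+front-light = {
+ipv4Address = "10.0.0.221";
+macAddress = "94:10:3e:48:94:ed";
+};
+ipad = {
+ipv4Address = "10.0.0.202";
+macAddress = "9c:35:eb:48:6e:71";
+};
+chromecast-2 = {
+ipv4Address = "10.0.0.215";
+macAddress = "a4:77:33:59:a2:ba";
+};
+taipan = {
+ipv4Address = "10.0.0.107";
+macAddress = "52:54:00:34:c4:78";
+};
+dns-hole = {
+ipv4Address = "10.0.0.185";
+macAddress = "b8:27:eb:b2:95:fd";
+};
+family-tv = {
+ipv4Address = "10.0.0.205";
+macAddress = "84:a4:66:3a:b1:f8";
+};
+spark = {
+ipv4Address = "10.0.0.108";
+macAddress = "78:24:af:04:f7:dd";
+};
+babycam = {
+ipv4Address = "10.0.0.206";
+macAddress = "08:ea:40:59:5f:9e";
+};
+hyperion = {
+ipv4Address = "10.0.0.109";
+macAddress = "52:54:00:33:46:de";
+};
+cargo = {
+ipv4Address = "10.0.0.50";
+macAddress = "00:11:32:75:d8:b7";
+};
+cam-entrance = {
+ipv4Address = "10.0.0.31";
+macAddress = "9c:8e:cd:0e:99:7b";
+};
+cam-driveway = {
+ipv4Address = "10.0.0.32";
+macAddress = "9c:8e:cd:0d:3b:09";
+};
+cam-deck = {
+ipv4Address = "10.0.0.33";
+macAddress = "9c:8e:cd:0e:98:c8";
+};
+nostromo = {
+ipv4Address = "10.0.0.2";
+macAddress = "14:fe:b5:ca:a2:c9";
+};
+zbox = {
+ipv4Address = "10.0.0.110";
+macAddress = "18:60:24:91:CC:27";
+};
+};
+};
+}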
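Review bot: `services.printing.enable = true;` is a bare top-level key in a module whose other settings use the `config.` prefix; once a module sets `config.*` explicitly the module system treats every other top-level attribute as a module keyword and rejects `services` as unsupported, so the line should read `config.services.printing.enable = true;`. The `guest` account (and `ken` and `xiaoxuan`) is placed in the `disk` group, which grants read/write access to raw block devices and is effectively root; drop `"disk"` — and probably `"tape"` and `"floppy"` — from `extraGroups` unless there is a concrete need. The `hostAliases` entry `hole = "dnshole"` names a host that is not in `hosts` (the entry there is `dns-hole`), so the CNAME generated from it would dangle. The `$6$` crypt hashes for `ken` and `xiaoxuan` are now part of repository history; that is workable for a private tree, but treat them as disclosed if the repository is ever shared.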
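--- a/packages/acme-ca.nix
+++ b/packages/acme-ca.nix
@@ -0,0 +1,30 @@
+{ stdenv, fetchurl }:
+
+let
+# url = "https://letsencrypt.org/certs/isrgrootx1.pem.txt";
+# sha256 = "4c99356c265ee06c0ae0502e74d38231263513726d001cfe28ea25e70af2cc7f";
+url = "https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt";
+sha256 = "b6dd03f7fb8508e4f7ffe82ca8a3f98dde163e0bd44897e112a0850a5b606acf";
+
+in stdenv.mkDerivation {
+
+name = "letsencrypt-ca";
+
+src = fetchurl {
+name = "isrgrootx1.pem.txt";
+url = url;
+sha256 = sha256;
+};
+
+phases = [ "installPhase" ];
+
+installPhase = ''
+mkdir -pv $out/etc/ssl/letsencrypt
+cp -v $src $out/etc/ssl/letsencrypt/ca.pem
+'';
+
+meta = {
+homepage = https://letsencrypt.com;
+description = "Certificate Authority (CA) certificate for LetsEncrypt";
+};
+}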
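Review bot: `src` is fetched from the `letsencryptauthorityx3.pem.txt` URL (the X3 intermediate) but is given the name `isrgrootx1.pem.txt`, installed as `ca.pem` and described as the CA certificate, so anything that trusts this file as a root anchor is trusting the wrong object; either name it after what it is (`name = "letsencryptauthorityx3.pem.txt";`) or switch `url`/`sha256` back to the commented ISRG Root X1 pair. The pinned `sha256` is the only thing guarding the download — keep it in step whenever the URL changes. `homepage = https://letsencrypt.com;` is an unquoted URL literal, which Nix deprecates, and the project's site is letsencrypt.org; `homepage = "https://letsencrypt.org";` fixes both.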
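--- a/packages/local-packages.nix
+++ b/packages/local-packages.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+nixpkgs.config.packageOverrides = pkgs: rec {
+acme-ca = import ./acme-ca.nix {
+stdenv = pkgs.stdenv;
+fetchurl = builtins.fetchurl;
+};
+};
+}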
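--- a/packages/minecraft-server_1_15_1.nix
+++ b/packages/minecraft-server_1_15_1.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+nixpkgs.config.packageOverrides = pkgs: rec {
+minecraft-server_1_15_1 = pkgs.minecraft-server.overrideAttrs (oldAttrs: rec {
+version = "1.15.1";
+src = builtins.fetchurl {
+url = "https://launcher.mojang.com/v1/objects/4d1826eebac84847c71a77f9349cc22afd0cf0a1/server.jar";
+sha256 = "a0c062686bee5a92d60802ca74d198548481802193a70dda6d5fe7ecb7207993";
+};
+});
+};
+}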
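--- a/packages/options/postgresql_11.nix
+++ b/packages/options/postgresql_11.nix
@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+userOpts = { name, config, ... }: {
+options = {
+passwd = mkOption {
+type = types.str;
+description = ''
+The password of a given user.
+'';
+};
+
+databases = mkOption {
+type = types.listOf types.str;
+default = [];
+description = ''
+A list of databases to which this user should have access.
+'';
+};
+};
+};
+
+in {
+
+options = {
+fudo.postgresql = {
+databases = mkOption {
+type = types.attrsOf types.lines;
+default = {};
+description = ''
+A map of database_name => database_defn.
+'';
+};
+users = mkOption {
+type = with types; attrsOf (submodule userOpts);
+default = {};
+description = ''
+A map of user_name => { user_attributes }.
+'';
+};
+};
+};
+}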
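Review bot: `passwd` is declared as a plain `types.str`, so whatever is assigned to it becomes part of the evaluated configuration and, through whichever module consumes `fudo.postgresql.users`, is written into world-readable files under `/nix/store`; the one consumer in this commit (profiles/services/local_nameserver.nix) already assigns the literal `"some_junk"`. Prefer a file reference read at activation time — `passwdFile = mkOption { type = types.str; description = "Path to a file holding the user's password; read at activation, never copied to the store."; }` — or state in the description that the value is not secret. The `databases`/`users` options are declared under `fudo.postgresql`, while local_nameserver.nix sets `services.postgresql.users` and `services.postgresql.databases`, which are not NixOS options; one side has to change before this declaration is used at all.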
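--- a/packages/postgresql_11_gssapi.nix
+++ b/packages/postgresql_11_gssapi.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+nixpkgs.config.packageOverrides = pkgs: rec {
+postgresql_11_gssapi = pkgs.postgresql_11.overrideAttrs (oldAttrs: rec {
+configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ];
+buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
+});
+};
+}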
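--- a/profiles/.#ldap-server.nix
+++ b/profiles/.#ldap-server.nix
@@ -0,0 +1 @@
+root@france.26610:1573312038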
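Review bot: `profiles/.#ldap-server.nix` is an Emacs interlock symlink — its target `root@france.26610:1573312038` encodes user, host and PID — not a configuration file, and it was committed by accident while `profiles/ldap-server.nix` was being edited as root on france. Remove it from the tree and add `.#*` to `.gitignore` so editor lock files are not tracked again.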
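--- a/profiles/desktop.nix
+++ b/profiles/desktop.nix
@@ -0,0 +1,147 @@
+{ config, lib, pkgs, ... }:
+
+{
+environment.systemPackages = with pkgs; [
+cool-retro-term
+chrome-gnome-shell
+chromium
+ffmpeg-full
+firefox
+gimp
+glxinfo
+gnome3.gnome-shell
+gnome3.gnome-session
+google-chrome
+gtk2
+gtk2-x11
+gtk3
+gtkimageview
+i3lock
+libfixposix
+minecraft
+mplayer
+nomacs
+openssl_1_1
+redshift
+rhythmbox
+shotwell
+spotify
+sqlite
+steam
+system-config-printer
+virtmanager
+xorg.xev
+xzgv
+virtmanager-qt
+];
+
+boot.plymouth.enable = true;
+
+services.avahi = {
+enable = true;
+browseDomains = ["sea.fudo.org"];
+domainName = "sea.fudo.org";
+};
+
+boot.tmpOnTmpfs = true;
+
+services.xserver = {
+enable = true;
+
+layout = "us";
+xkbVariant = "dvp";
+xkbOptions = "ctrl:nocaps";
+
+desktopManager.gnome3.enable = true;
+desktopManager.default = "gnome3";
+
+displayManager.gdm.enable = true;
+
+windowManager.session = pkgs.lib.singleton {
+name = "stumpwm";
+start = ''
+${pkgs.lispPackages.stumpwm}/bin/stumpwm &
+waidPID=$!
+'';
+};
+};
+
+services.printing = {
+enable = true;
+};
+
+services.gnome3 = {
+evolution-data-server.enable = pkgs.lib.mkForce false;
+gnome-user-share.enable = pkgs.lib.mkForce false;
+};
+
+services.dbus.socketActivated = true;
+
+sound.enable = true;
+
+hardware.pulseaudio.enable = true;
+
+fonts = {
+enableCoreFonts = true;
+enableFontDir = true;
+enableGhostscriptFonts = false;
+fontconfig.ultimate.enable = true;
+
+fonts = with pkgs; [
+cantarell_fonts
+dejavu_fonts
+dina-font
+dosemu_fonts
+fira-code
+fira-code-symbols
+freefont_ttf
+liberation_ttf
+mplus-outline-fonts
+nerdfonts
+noto-fonts
+noto-fonts-cjk
+noto-fonts-emoji
+proggyfonts
+terminus_font
+ubuntu_font_family
+ucsFonts
+unifont
+vistafonts
+xlibs.fontadobe100dpi
+xlibs.fontadobe75dpi
+xlibs.fontadobeutopia100dpi
+xlibs.fontadobeutopia75dpi
+xlibs.fontadobeutopiatype1
+xlibs.fontarabicmisc
+xlibs.fontbh100dpi
+xlibs.fontbh75dpi
+xlibs.fontbhlucidatypewriter100dpi
+xlibs.fontbhlucidatypewriter75dpi
+xlibs.fontbhttf
+xlibs.fontbhtype1
+xlibs.fontbitstream100dpi
+xlibs.fontbitstream75dpi
+xlibs.fontbitstreamtype1
+xlibs.fontcronyxcyrillic
+xlibs.fontcursormisc
+xlibs.fontdaewoomisc
+xlibs.fontdecmisc
+xlibs.fontibmtype1
+xlibs.fontisasmisc
+xlibs.fontjismisc
+xlibs.fontmicromisc
+xlibs.fontmisccyrillic
+xlibs.fontmiscethiopic
+xlibs.fontmiscmeltho
+xlibs.fontmiscmisc
+xlibs.fontmuttmisc
+xlibs.fontschumachermisc
+xlibs.fontscreencyrillic
+xlibs.fontsonymisc
+xlibs.fontsunmisc
+xlibs.fontwinitzkicyrillic
+xlibs.fontxfree86type1
+];
+};
+
+}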
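Review bot: `waidPID=$!` in the `stumpwm` session `start` script is a typo for `waitPID`; the NixOS xsession wrapper waits on the process named by `$waitPID`, so with the misspelling the script falls through right after launching stumpwm and the session ends. Change the line to `waitPID=$!`. `services.printing.enable` is also set to true in networks/sea.fudo.org.nix, so the `services.printing` block here is redundant for the hosts that import both.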
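--- a/profiles/ldap-server.nix
+++ b/profiles/ldap-server.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+
+let
+base = "dc=fudo,dc=org";
+ldap = import ../config/fudo/ldap.nix;
+
+in {
+
+imports = [
+../config/fudo/ldap.nix
+];
+
+services.openldap = {
+enable = true;
+suffix = base;
+rootdn = "cn=admin,${base}";
+rootpwFile = "/srv/ldap/secure/root.pw";
+};
+}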
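Review bot: `ldap = import ../config/fudo/ldap.nix;` in the `let` is never used and imports the same module that `imports` already pulls in; drop the binding. `rootpwFile = "/srv/ldap/secure/root.pw"` keeps the root password out of the store, which is right, but nothing here restricts `services.openldap` to TLS or to the local socket, so the default listener is cleartext on every interface. hosts/france.nix configures the same directory through `fudo.auth.server`, so if this profile has been superseded it should be deleted rather than left as a second, looser definition of the same service.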
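--- a/profiles/server.nix
+++ b/profiles/server.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+environment.systemPackages = with pkgs; [
+];
+
+boot.tmpOnTmpfs = true;
+
+services.xserver.enable = false;
+}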
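--- a/profiles/services/basic_acme.nix
+++ b/profiles/services/basic_acme.nix
@@ -0,0 +1,43 @@
+# Starts an Nginx server on $HOSTNAME just to get a cert for this host
+
+{ config, pkgs, environment, ... }:
+
+let
+hostname = config.networking.hostName;
+
+wwwRoot = pkgs.writeTextFile {
+name = "index.html";
+
+text = ''
+<html>
+<head>
+<title>${hostname}</title>
+</head>
+<body>
+<h1>${hostname}</title>
+</body>
+</html>
+'';
+destination = "/www";
+};
+
+in {
+
+services.nginx = {
+enable = true;
+
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+
+virtualHosts."${hostname}" = {
+enableACME = true;
+forceSSL = true;
+root = wwwRoot + ("/" + "www");
+};
+};
+
+security.acme.certs = {
+${hostname}.email = "admin@fudo.org";
+};
+}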
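Review bot: `destination = "/www"` makes `wwwRoot` a derivation whose output is the single file `$out/www`, so `root = wwwRoot + ("/" + "www")` points nginx's document root at a file rather than a directory and the vhost serves nothing; use `destination = "/www/index.html";` and `root = "${wwwRoot}/www";`. The page text also closes `<h1>${hostname}` with `</title>` where `</h1>` is meant. The module function asks for an `environment` argument, which is not one of the arguments the module system passes; unless `_module.args.environment` is defined somewhere, evaluation presumably fails with a missing-attribute error, so drop it here and in the other profiles that copy this header (heimdal_kdc.nix, local_nameserver.nix, postgres.nix, vm/postgres.nix).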
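--- a/profiles/services/heimdal_kdc.nix
+++ b/profiles/services/heimdal_kdc.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, environment, ... }:
+
+let
+databasePath = /var/heimdal/heimdal;
+
+in {
+environment = {
+systemPackages = with pkgs; [
+heimdalFull
+];
+};
+
+systemd.services = {
+heimdal-kdc = {
+enable = true;
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+description = "Heimdal Kerberos Key Distribution Center (ticket server)";
+serviceConfig = {
+ExecStart = ''${pkgs.heimdalFull}/libexec/heimdal/kdc'';
+};
+};
+
+heimdal-admin-server = {
+enable = true;
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+description = "Heimdal Kerberos Remote Administration Server";
+serviceConfig = {
+ExecStart = ''${pkgs.heimdalFull}/libexec/heimdal/kadmind'';
+};
+};
+};
+}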
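Review bot: `databasePath = /var/heimdal/heimdal` is bound but never used, so the KDC and kadmind run with whatever database location is compiled in; either drop the binding or pass it to the daemons through their configuration. Both units have no `User`/`Group` and no hardening in `serviceConfig`, so they run as root; a dedicated service account plus `ProtectSystem = "strict"`, `PrivateTmp = true` and `NoNewPrivileges = true` would bound the damage if either daemon — `kadmind` in particular accepts network connections — is compromised. `ExecStart = ''…''` uses an indented string where a plain `"${pkgs.heimdalFull}/libexec/heimdal/kdc"` reads more naturally.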
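--- a/profiles/services/local_nameserver.nix
+++ b/profiles/services/local_nameserver.nix
@@ -0,0 +1,136 @@
+{ config, pkgs, environment, ... }:
+
+let
+databaseName = "powerdns";
+userName = "powerdns";
+reverseIp = ip: builtins.concatStringsSep "." (lib.lists.reverseList(lib.strings.splitString "." ip));
+fullReverseIp = ip: "${reverseIp ip}.in-addr.arpa";
+hostRecord = domain_id: type: name: content: ''
+INSERT INTO records (domain_id, name, type, content) VALUES ($domain_id, '${name}', '${type}', '${content}');
+'';
+
+in {
+environment = {
+systemPackages = with pkgs; [
+postgresql_11_gssapi
+powerdns
+];
+};
+
+services.postgresql.users."${userName}" = {
+passwd = "some_junk";
+databases = ["${databaseName}"];
+};
+
+services.postgresql.databases."${databaseName} = {
+"${databaseName}" = ''
+CREATE TABLE domains (
+id SERIAL PRIMARY KEY,
+name VARCHAR(255) NOT NULL,
+master VARCHAR(128) DEFAULT NULL,
+last_check INT DEFAULT NULL,
+type VARCHAR(6) NOT NULL,
+notified_serial INT DEFAULT NULL,
+account VARCHAR(40) DEFAULT NULL,
+CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
+);
+
+CREATE UNIQUE INDEX name_index ON domains(name);
+
+
+CREATE TABLE records (
+id BIGSERIAL PRIMARY KEY,
+domain_id INT DEFAULT NULL,
+name VARCHAR(255) DEFAULT NULL,
+type VARCHAR(10) DEFAULT NULL,
+content VARCHAR(65535) DEFAULT NULL,
+ttl INT DEFAULT NULL,
+prio INT DEFAULT NULL,
+disabled BOOL DEFAULT 'f',
+ordername VARCHAR(255),
+auth BOOL DEFAULT 't',
+CONSTRAINT domain_exists
+FOREIGN KEY(domain_id) REFERENCES domains(id)
+ON DELETE CASCADE,
+CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
+);
+
+CREATE INDEX rec_name_index ON records(name);
+CREATE INDEX nametype_index ON records(name,type);
+CREATE INDEX domain_id ON records(domain_id);
+CREATE INDEX recordorder ON records (domain_id, ordername text_pattern_ops);
+
+
+CREATE TABLE supermasters (
+ip INET NOT NULL,
+nameserver VARCHAR(255) NOT NULL,
+account VARCHAR(40) NOT NULL,
+PRIMARY KEY(ip, nameserver)
+);
+
+
+CREATE TABLE comments (
+id SERIAL PRIMARY KEY,
+domain_id INT NOT NULL,
+name VARCHAR(255) NOT NULL,
+type VARCHAR(10) NOT NULL,
+modified_at INT NOT NULL,
+account VARCHAR(40) DEFAULT NULL,
+comment VARCHAR(65535) NOT NULL,
+CONSTRAINT domain_exists
+FOREIGN KEY(domain_id) REFERENCES domains(id)
+ON DELETE CASCADE,
+CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
+);
+
+CREATE INDEX comments_domain_id_idx ON comments (domain_id);
+CREATE INDEX comments_name_type_idx ON comments (name, type);
+CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);
+
+
+CREATE TABLE domainmetadata (
+id SERIAL PRIMARY KEY,
+domain_id INT REFERENCES domains(id) ON DELETE CASCADE,
+kind VARCHAR(32),
+content TEXT
+);
+
+CREATE INDEX domainidmetaindex ON domainmetadata(domain_id);
+
+
+CREATE TABLE cryptokeys (
+id SERIAL PRIMARY KEY,
+domain_id INT REFERENCES domains(id) ON DELETE CASCADE,
+flags INT NOT NULL,
+active BOOL,
+content TEXT
+);
+
+CREATE INDEX domainidindex ON cryptokeys(domain_id);
+
+
+CREATE TABLE tsigkeys (
+id SERIAL PRIMARY KEY,
+name VARCHAR(255),
+algorithm VARCHAR(50),
+secret VARCHAR(255),
+CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT)))
+);
+
+CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);
+
+INSERT INTO domains (id, name, master, type) VALUES (1, '${config.fudo.localNetwork.domain}', '${config.fudo.localNetwork.masterNameServer.ip}', 'MASTER');
+INSERT INTO domains (id, name, master, type) VALUES (2, '${config.fudo.localNetwork.masterNameServer.ipReverseDomain}', '${config.fudo.localNetwork.masterNameServer.ip}', 'MASTER');
+
+${hostRecord 1 "SOA" config.fudo.localDomain "${config.fudo.localNetwork.domain}. hostmaster.${config.fudo.localNetwork.domain}."}
+${hostRecord 2 "SOA" config.fudo.masterNameServer.ipReverseDomain "${config.fudo.localNetwork.masterNameServer.ipReverseDomain} hostmaster.${config.fudo.localNetwork.domain}."}
+${hostRecord 1 "NS" config.fudo.localNetwork.domain config.fudo.localNetwork.masterNameServer.ip}
+${hostRecord 2 "NS" config.fudo.localNetwork.masterNameServer.ipReverseDomain config.fudo.localNetwork.masterNameServer.ip}
+
+${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (host: attrs: hostRecord 1 "A" host attrs.ipv4Address) config.fudo.localNetwork.hosts)}
+${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (host: attrs: hostRecord 2 "PTR" (fullReverseIp attrs.ipv4Address) host) config.fudo.localNetworkhosts)}
+${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (alias: host: hostRecord 1 "CNAME" alias host) config.fudo.localNetwork.hostAliases)}
+'';
+};
+};
+}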
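Review bot: The file does not parse — `services.postgresql.databases."${databaseName} = {` lacks the closing quote on the attribute name and the file closes one more `};` than it opens — and once it does, `lib` is used by `reverseIp` and the `mapAttrs` lines but is not in the module's argument list, `$domain_id` inside `hostRecord` is a literal in a Nix string (it needs `${toString domain_id}`), `lib.attrSets` is not a lib namespace (`lib.attrsets` is) and `mapAttrs` returns an attrset that `builtins.concatStringsSep` will reject where `mapAttrsToList` would work, and `config.fudo.localDomain`, `config.fudo.masterNameServer` and `config.fudo.localNetworkhosts` are misspellings of the `config.fudo.localNetwork.*` paths used on the surrounding lines. `passwd = "some_junk"` and every generated statement land in the Nix store, and the SQL is assembled by string interpolation of host names and aliases, so a stray quote in a host entry would break or alter the schema — only the `c_lowercase_name` CHECK limits what gets in — which argues for a file-based password and for keeping host entries under the `hosts` option type rather than free strings. `services.postgresql.users`/`services.postgresql.databases` are not NixOS options either; the declarations in packages/options/postgresql_11.nix live under `fudo.postgresql`. The rewritten prelude and record lines follow; the CREATE TABLE/INDEX schema is unchanged.
```nix
{ config, lib, pkgs, ... }:

let
databaseName = "powerdns";
userName = "powerdns";
reverseIp = ip: builtins.concatStringsSep "." (lib.lists.reverseList (lib.strings.splitString "." ip));
fullReverseIp = ip: "${reverseIp ip}.in-addr.arpa";
# domain_id is an int: interpolate it explicitly so it is not left as a literal "$domain_id"
hostRecord = domain_id: type: name: content: ''
INSERT INTO records (domain_id, name, type, content) VALUES (${toString domain_id}, '${name}', '${type}', '${content}');
'';
localNet = config.fudo.localNetwork;
# mapAttrsToList yields a list, which concatStringsSep needs; mapAttrs would yield an attrset
recordsFor = f: attrs: builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList f attrs);

in {
# … unchanged: environment.systemPackages …

# … unchanged: the powerdns user, now under fudo.postgresql.users."${userName}" …

fudo.postgresql.databases."${databaseName}" = ''
-- … unchanged: CREATE TABLE / CREATE INDEX schema …

INSERT INTO domains (id, name, master, type) VALUES (1, '${localNet.domain}', '${localNet.masterNameServer.ip}', 'MASTER');
INSERT INTO domains (id, name, master, type) VALUES (2, '${localNet.masterNameServer.ipReverseDomain}', '${localNet.masterNameServer.ip}', 'MASTER');

${hostRecord 1 "SOA" localNet.domain "${localNet.domain}. hostmaster.${localNet.domain}."}
${hostRecord 2 "SOA" localNet.masterNameServer.ipReverseDomain "${localNet.masterNameServer.ipReverseDomain} hostmaster.${localNet.domain}."}
${hostRecord 1 "NS" localNet.domain localNet.masterNameServer.ip}
${hostRecord 2 "NS" localNet.masterNameServer.ipReverseDomain localNet.masterNameServer.ip}

${recordsFor (host: attrs: hostRecord 1 "A" host attrs.ipv4Address) localNet.hosts}
${recordsFor (host: attrs: hostRecord 2 "PTR" (fullReverseIp attrs.ipv4Address) host) localNet.hosts}
${recordsFor (alias: host: hostRecord 1 "CNAME" alias host) localNet.hostAliases}
'';
}
```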
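--- a/profiles/services/minecraft.nix
+++ b/profiles/services/minecraft.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+let
+dataDir = /srv/minecraft/data;
+in {
+services.minecraft-server = {
+enable = true;
+package = pkgs.minecraft-server_1_15_1;
+dataDir = dataDir;
+eula = true;
+declarative = true;
+serverProperties = {
+level-name = "selbyland";
+motd = "Welcome to the Selby Minecraft Server";
+difficulty = 2;
+gamemode = "survival";
+};
+};
+}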
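Review bot: `pkgs.minecraft-server_1_15_1` is defined only by the `packageOverrides` in packages/minecraft-server_1_15_1.nix, and hosts/france.nix — the one host importing this profile — imports packages/local-packages.nix but not that file, so the attribute is presumably missing at evaluation unless `../defaults.nix` brings it in. `dataDir = /srv/minecraft/data` is a Nix path literal; when the module interpolates it into a string the directory is copied into the store (or evaluation fails if it does not exist at build time), so use the string form `dataDir = "/srv/minecraft/data";`. As configured nothing limits who can join — no `whitelist` entries and `serverProperties` leaves `white-list` at its default — so if the server is meant for a known group, add `whitelist` entries or keep the port closed at the firewall.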
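--- a/profiles/services/postgres.nix
+++ b/profiles/services/postgres.nix
@@ -0,0 +1,65 @@
+{ config, pkgs, environment, ... }:
+
+let
+dataPath = /srv + ("/" + config.networking.hostName);
+
+in {
+
+environment = {
+
+systemPackages = with pkgs; [
+postgresql_11_gssapi
+];
+
+etc = {
+"postgresql/private/privkey.pem" = {
+mode = "0400";
+user = "postgres";
+group = "postgres";
+source = dataPath + "/certs/private/privkey.pem";
+};
+
+"postgresql/cert.pem" = {
+mode = "0444";
+user = "postgres";
+group = "postgres";
+source = dataPath + "/certs/cert.pem";
+};
+
+"postgresql/private/postgres.keytab" = {
+mode = "0400";
+user = "postgres";
+group = "postgres";
+source = dataPath + "/keytabs/postgres.keytab";
+};
+};
+};
+<
+services.postgresql = {
+enable = true;
+package = pkgs.postgresql_11_gssapi;
+enableTCPIP = true;
+
+extraConfig =
+''
+krb_server_keyfile = '/etc/postgresql/private/postgres.keytab'
+
+ssl = true
+ssl_cert_file = '/etc/postgresql/cert.pem'
+ssl_key_file = '/etc/postgresql/private/privkey.pem'
+'';
+
+authentication =
+''
+local all all ident
+
+# host-local
+host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
+host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
+
+# local network
+host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
+host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
+'';
+};
+}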
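Review bot: `source = dataPath + "/certs/private/privkey.pem";` (and the keytab entry below it) hands `environment.etc` a Nix path value, because `dataPath` is built from the path literal `/srv`; a path source is imported into the world-readable Nix store when the etc derivation is built, so the `mode = "0400"` on the /etc copy does not protect the key or the keytab. Making the prefix a string, `dataPath = "/srv/${config.networking.hostName}";`, keeps the files outside the store and lets activation copy them into /etc with the requested mode. The `environment` name in the module's argument list on the first line is not an argument NixOS supplies to modules and is unused; as far as I can tell evaluation fails on it once the profile is imported, and the same argument appears in profiles/vm/postgres.nix (L7529 and L7602). `10.0.0.1/24` in the pg_hba block has host bits set; PostgreSQL masks it to 10.0.0.0/24, but writing the network address avoids the ambiguity. The lone `<` between the `environment` block and `services.postgresql` looks like rendering residue; if it really is in the file it will not parse.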
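--- a/profiles/vm/http.nix
+++ b/profiles/vm/http.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+
+{ containers.https =
+let
+hostname = "${config.hostname}.fudo.link";
+incomingCertDir = "/srv/${config.hostname}/certs";
+containerCertsDir = "/etc/letsencrypt/live";
+
+in {
+autoStart = true;
+
+bindMounts = [
+{
+"${containerCertsDir}" = {
+hostPath = "${incomingCertsDir}";
+isReadOnly = false;
+};
+}
+];
+
+config = { config, pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+nginx
+];
+
+services.nginx = {
+enable = true;
+
+virtualHosts."${hostname}" = {
+enableACME = true;
+forceSSL = true;
+root = "/var/www";
+};
+
+security.acme.certs = {
+"${hostname}".email = config.adminEmail;
+};
+};
+};
+};
+}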
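Review bot: `hostPath = "${incomingCertsDir}";` references a name that is never bound — the let binding above is `incomingCertDir` — so the module fails to evaluate; `hostPath = incomingCertDir;` fixes it. Counting braces, `security.acme.certs` at the end of the inner module sits inside the `services.nginx = { … }` attrset (the `};` after `root = "/var/www";` only closes `virtualHosts`), which is not an nginx option, so one more `};` is needed before it. `bindMounts` is written as a list here but as an attribute set in profiles/vm/postgres.nix; the container option is an attrset keyed by mount point, so the list form is rejected. `config.hostname` and `config.adminEmail` are not options I can see declared in this commit (the fudo options are under `fudo.localNetwork.*`), so they need a declaration or should be `networking.hostName` — worth confirming. The read-write mount of the host's certificate directory at /etc/letsencrypt/live also looks unused, since, as far as I recall, NixOS's ACME module keeps certificates under /var/lib/acme; if the mount stays, `isReadOnly = true;` is the safer setting.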
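--- a/profiles/vm/postgres.nix
+++ b/profiles/vm/postgres.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, environment, ... }:
+
+let
+hostPath = /srv + ("/" + config.networking.hostName);
+srcCertificateDirectory = hostPath + "/certs";
+dstCertificateDirectory = "/etc/pki/certs/postgres";
+dstPrivateKey = dstCertificateDirectory + /private/privkey.pem;
+srcKeytabPath = hostPath + /keytabs/postgres;
+dstKeytabPath = "/etc/postgresql-common/keytab";
+
+in {
+
+containers.postgres = {
+autoStart = true;
+
+bindMounts = {
+"${dstCertificateDirectory}" = {
+hostPath = "${srcCertificateDirectory}";
+isReadOnly = false;
+};
+"${dstKeytabPath}" = {
+hostPath = "${srcKeytabPath}";
+isReadOnly = false;
+};
+};
+
+config = { config, pkgs, environment, ... }: {
+environment.etc."${dstPrivateKey}".mode = "0400";
+
+boot.tmpOnTmpfs = true;
+
+# Kind of a stupid hack...bindMounts can't specify perms, and it defaults to
+# permissive (even for nested files). So, explicitly make the keys private.
+# TODO: eventually, use bindMount perms, hopefully?
+boot.postBootCommands = ''
+chown postgres ${dstKeytabPath}/postgres.keytab
+chmod 400 ${dstKeytabPath}/postgres.keytab
+chown -R postgres ${dstCertificateDirectory}
+chown 400 ${dstCertificateDirectory}/private/privkey.pem
+'';
+
+services.postgresql = {
+enable = true;
+package = pkgs.postgresql_10;
+enableTCPIP = true;
+
+extraConfig =
+''
+krb_server_keyfile = '${dstKeytabPath}/postgres.keytab'
+
+ssl = true
+ssl_cert_file = '${dstCertificateDirectory}/cert.pem'
+ssl_key_file = '${dstCertificateDirectory}/private/privkey.pem'
+'';
+
+authentication =
+''
+local all all ident
+
+# host-local
+host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG
+host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG
+
+# local network
+host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG
+host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG
+'';
+
+initialScript = pkgs.writeText "backend-initscript" ''
+CREATE ROLE niten;
+'';
+};
+};
+};
+}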
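Review bot: `chown 400 ${dstCertificateDirectory}/private/privkey.pem` in `boot.postBootCommands` should be `chmod 400 ${dstCertificateDirectory}/private/privkey.pem`: as written it tries to give the key to uid 400 and leaves the file at the permissive bind-mount default the comment above sets out to fix. `dstPrivateKey = dstCertificateDirectory + /private/privkey.pem;` concatenates a string with a path literal, which, as far as I know, coerces `/private/privkey.pem` through the Nix store (or fails when that path does not exist on the evaluating machine); the string `"/private/privkey.pem"` is what is intended. The only use of it, `environment.etc."${dstPrivateKey}".mode = "0400";`, then names an absolute path under /etc and has no `source`, so it is probably best dropped, since the key arrives through the bind mount and its mode is set by the commands below. Whether `boot.postBootCommands` runs inside a NixOS container at all is worth confirming; `systemd.services.postgresql.preStart` would be a more dependable place for the ownership fix, since it runs right before the service that reads the files.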
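--- a/static/fudo_ca.pem
+++ b/static/fudo_ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDvzCCAyigAwIBAgIJAIO7c/KlNXiJMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
+VQQGEwJDQTERMA8GA1UECBMITWFuaXRvYmExETAPBgNVBAcTCFdpbm5pcGVnMREw
+DwYDVQQKEwhGdWRvLm9yZzERMA8GA1UECxMIU2VjdXJpdHkxIjAgBgNVBAMTGUZ1
+ZG8ub3JnIFJvb3QgQ2VydGlmaWNhdGUxHTAbBgkqhkiG9w0BCQEWDmFkbWluQGZ1
+ZG8ub3JnMB4XDTA2MTIyMjIyMTYxMVoXDTE2MTIxOTIyMTYxMVowgZwxCzAJBgNV
+BAYTAkNBMREwDwYDVQQIEwhNYW5pdG9iYTERMA8GA1UEBxMIV2lubmlwZWcxETAP
+BgNVBAoTCEZ1ZG8ub3JnMREwDwYDVQQLEwhTZWN1cml0eTEiMCAGA1UEAxMZRnVk
+by5vcmcgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3DQEJARYOYWRtaW5AZnVk
+by5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANZpJiFZjgs1M744PTLH
+nAQVMC2VzH76+qNbLClNK3n6dknrx+FMFq35naXnJLnkmEhHW5DFMeQBudCAD1tv
+DTj6KxgBbBoMFIXfukQjMOjFIXcPE0MsbfJowjJxGDA3KFE5pLs5u5suGPLXPpog
+6ASSTg1n75crFSU/d9hN+drVAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUQS8uOVCa
+rLmMGYU6T0pIkDAnQr8wgdEGA1UdIwSByTCBxoAUQS8uOVCarLmMGYU6T0pIkDAn
+Qr+hgaKkgZ8wgZwxCzAJBgNVBAYTAkNBMREwDwYDVQQIEwhNYW5pdG9iYTERMA8G
+A1UEBxMIV2lubmlwZWcxETAPBgNVBAoTCEZ1ZG8ub3JnMREwDwYDVQQLEwhTZWN1
+cml0eTEiMCAGA1UEAxMZRnVkby5vcmcgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqG
+SIb3DQEJARYOYWRtaW5AZnVkby5vcmeCCQCDu3PypTV4iTAMBgNVHRMEBTADAQH/
+MA0GCSqGSIb3DQEBBQUAA4GBAH2ZUJoSeNcslGlQUs7xPWwTSKVZ0OGpfhdI/pmA
+WQGC6Kj5MzlEunqaBEKaLSJ9yx/t0l5c5aFT77ERFacH0lhWme+AACEDAKuCbMeL
+fRnsQYoPZ0jEygnxvdG4IHl9dmKWr9SR361OWOP0uYpvWtiuF5w0GvFLJ0L5x7jy
+xZuP
+-----END CERTIFICATE-----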
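Review bot: Decoding the DER in this certificate suggests a validity window of 2006-12-22 to 2016-12-19 (the `MB4XDTA2MTIyMjIyMTYxMVoXDTE2MTIxOTIyMTYxMVow` field on the sixth line), a 1024-bit RSA key and a sha1WithRSA signature, so anything that trusts `static/fudo_ca.pem` will reject chains under it as expired, and the key size and digest are below what current CA guidance allows; `openssl x509 -in static/fudo_ca.pem -noout -dates -text` confirms this. If this root is still in use, a regenerated root with a current key size and digest should replace the file, and the config that trusts it should carry a comment naming where it is installed so the rotation is not forgotten.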