From 46c45f444013af30579c19cf29384694d85d3686 Mon Sep 17 00:00:00 2001 
From: root Date: Wed, 25 Dec 2019 17:20:36 -0600 Subject: [PATCH] Initial re-checki --- config/fudo.nix | 95 ++++++ config/fudo/ldap.nix | 415 +++++++++++++++++++++++++ config/postgresql_11.nix | 138 ++++++++ configuration.nix | 1 + defaults.nix | 206 ++++++++++++ fudo/groups.nix | 118 +++++++ fudo/system-users.nix | 11 + fudo/users.nix | 403 ++++++++++++++++++++++++ hardware-configuration.nix | 31 ++ hosts/france.nix | 110 +++++++ hosts/monolith.nix | 31 ++ hosts/nostromo.nix | 76 +++++ hosts/spark.nix | 32 ++ hosts/zbox.nix | 37 +++ networks/fudo.org.nix | 27 ++ networks/sea.fudo.org.nix | 192 ++++++++++++ packages/acme-ca.nix | 30 ++ packages/local-packages.nix | 10 + packages/minecraft-server_1_15_1.nix | 13 + packages/options/postgresql_11.nix | 46 +++ packages/postgresql_11_gssapi.nix | 10 + profiles/.#ldap-server.nix | 1 + profiles/desktop.nix | 147 +++++++++ profiles/ldap-server.nix | 19 ++ profiles/server.nix | 10 + profiles/services/basic_acme.nix | 43 +++ profiles/services/heimdal_kdc.nix | 34 ++ profiles/services/local_nameserver.nix | 136 ++++++++ profiles/services/minecraft.nix | 19 ++ profiles/services/postgres.nix | 65 ++++ profiles/vm/http.nix | 42 +++ profiles/vm/postgres.nix | 75 +++++ static/fudo_ca.pem | 23 ++ 33 files changed, 2646 insertions(+) create mode 100644 config/fudo.nix create mode 100644 config/fudo/ldap.nix create mode 100644 config/postgresql_11.nix create mode 120000 configuration.nix create mode 100644 defaults.nix create mode 100644 fudo/groups.nix create mode 100644 fudo/system-users.nix create mode 100644 fudo/users.nix create mode 100644 hardware-configuration.nix create mode 100644 hosts/france.nix create mode 100644 hosts/monolith.nix create mode 100644 hosts/nostromo.nix create mode 100644 hosts/spark.nix create mode 100644 hosts/zbox.nix create mode 100644 networks/fudo.org.nix create mode 100644 networks/sea.fudo.org.nix create mode 100644 packages/acme-ca.nix create mode 100644 packages/local-packages.nix create mode 
100644 packages/minecraft-server_1_15_1.nix create mode 100644 packages/options/postgresql_11.nix create mode 100644 packages/postgresql_11_gssapi.nix create mode 120000 profiles/.#ldap-server.nix create mode 100644 profiles/desktop.nix create mode 100644 profiles/ldap-server.nix create mode 100644 profiles/server.nix create mode 100644 profiles/services/basic_acme.nix create mode 100644 profiles/services/heimdal_kdc.nix create mode 100644 profiles/services/local_nameserver.nix create mode 100644 profiles/services/minecraft.nix create mode 100644 profiles/services/postgres.nix create mode 100644 profiles/vm/http.nix create mode 100644 profiles/vm/postgres.nix create mode 100644 static/fudo_ca.pem diff --git a/config/fudo.nix b/config/fudo.nix new file mode 100644 index 0000000..631a1e1 --- /dev/null +++ b/config/fudo.nix 
@@ -0,0 +1,95 @@ +{ lib, config, pkgs, ... }: + +with lib; + +let + hostOpts = { config, ... }: { + options = { + ipv6Address = mkOption { + type = types.str; + description = '' + The V6 IP of a given host, if any. + ''; + }; + + ipv4Address = mkOption { + type = types.str; + description = '' + The V4 IP of a given host, if any. + ''; + }; + + macAddress = mkOption { + type = types.str; + description = '' + The MAC address of a given host, if desired for IP reservation. + ''; + }; + }; + }; + + localNameServerOpts = { config, ... }: { + options = { + ipv6Address = mkOption { + type = types.str; + description = '' + The V6 IP of a given host, if any. + ''; + }; + + ipv4Address = mkOption { + type = types.str; + description = '' + The V4 IP of a given host, if any. + ''; + }; + + ipv4ReverseDomain = mkOption { + type = types.str; + description = '' + The domain of the IPv4 address range for which this nameserver is responsible. + + Eg: 0.10.in-addr.arpa + ''; + }; + }; + }; + +in { + imports = [ + ./fudo/ldap.nix + ]; + + options = { + + fudo.localNetwork.hosts = mkOption { + type = types.listOf (submodule hostOpts); + default = {}; + description = '' + A map of hostname => { host_attributes }. + ''; + }; + + fudo.localNetwork.domain = mkOption { + type = types.str; + description = '' + The domain to use for the local network. + ''; + }; + + fudo.localNetwork.hostAliases = mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + A mapping of hostAlias => hostName to use on the local network. + ''; + }; + + fudo.localNetwork.localNameServer = mkOption { + type = (submodule localNameServerOpts); + description = '' + The master nameserver of the local network. + ''; + }; + }; +} diff --git a/config/fudo/ldap.nix b/config/fudo/ldap.nix new file mode 100644 index 0000000..20ac8d8 --- /dev/null +++ b/config/fudo/ldap.nix 
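Review bot: `fudo.localNetwork.hosts` is declared as `types.listOf (submodule hostOpts)` but its default is `{}` and its description calls it a map of hostname => attributes, so the default will not pass the declared type and the list form carries no hostnames at all. Change it to `type = types.attrsOf (types.submodule hostOpts);` so the attribute name supplies the hostname, and do the same for `localNameServer` (`types.submodule localNameServerOpts`). `submodule` is used unqualified here while config/fudo/ldap.nix writes `with types; ... (submodule ...)`; unless `lib` exposes it at top level this will fail to evaluate, so qualifying it is the safer form. The three `types.str` options in hostOpts have no defaults, so every host must set an IPv6, IPv4 and MAC address even though the descriptions say "if any"; `types.nullOr types.str` with `default = null` would match the descriptions.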
@@ -0,0 +1,415 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + + cfg = config.fudo.auth.server; + + ldapSystemUserOpts = { name, ... }: { + options = { + description = mkOption { + type = types.str; + description = '' + The description of this system user. + ''; + }; + + hashed-password = mkOption { + type = types.str; + description = '' + The password for this user, hashed with ldappasswd. + ''; + }; + }; + }; + + ldapGroupOpts = { name, ... }: { + options = { + gid = mkOption { + type = types.int; + description = '' + The GID number of this group. + ''; + }; + + description = mkOption { + type = types.str; + description = '' + The description of this group. + ''; + }; + + members = mkOption { + type = with types; listOf str; + default = []; + description = '' + A list of usernames representing the members of this group. + ''; + }; + }; + }; + + ldapUserOpts = { name, ... }: { + options = { + + uid = mkOption { + type = types.int; + description = '' + The UID number of this user. + ''; + }; + + common-name = mkOption { + type = types.str; + description = '' + The given name of this user. + ''; + }; + + group = mkOption { + type = types.str; + description = '' + The name of the user's primary group. + ''; + }; + + login-shell = mkOption { + type = types.str; + default = "/bin/bash"; + description = '' + The user's preferred shell. Default is /bin/bash. + ''; + }; + + description = mkOption { + type = types.str; + default = "Fudo Member"; + description = '' + The description of this user. + ''; + }; + + hashed-password = mkOption { + type = types.str; + description = '' + The password for this user, hashed with ldappasswd. + ''; + }; + }; + }; + + stringJoin = joiner: attrList: + if (length attrList) == 0 then + "" + else + foldr(lAttr: rAttr: "${lAttr}${joiner}${rAttr}") (last attrList) (init attrList); + + getUserGidNumber = user: group-map: group-map.${user.group}.gid; + + attrOr = attrs: attr: value: + if attrs ? 
${attr} then attrs.${attr} else value; + + mkHomeDir = username: user-opts: + if (user-opts.group == "admin") then + "/home/${username}" + else + "/home/${user-opts.group}/${username}"; + + + userLdif = base: name: group-map: opts: '' + dn: uid=${name},ou=members,${base} + uid: ${name} + objectClass: account + objectClass: shadowAccount + objectClass: posixAccount + cn: ${opts.common-name} + uidNumber: ${toString(opts.uid)} + gidNumber: ${toString(getUserGidNumber opts group-map)} + homeDirectory: ${mkHomeDir name opts} + description: ${opts.description} + shadowLastChange: 12230 + shadowMax: 99999 + shadowWarning: 7 + userPassword: ${opts.hashed-password} +''; + + systemUserLdif = base: name: opts: '' + dn: cn=${name},${base} + objectClass: organizationalRole + objectClass: simpleSecurityObject + cn: ${name} + description: ${opts.description} + userPassword: ${opts.hashed-password} +''; + + toMemberList = userList: + stringJoin "\n" (map (username: "memberUid: ${username}") userList); + + groupLdif = base: name: opts: '' + dn: cn=${name},ou=groups,${base} + objectClass: posixGroup + cn: ${name} + gidNumber: ${toString(opts.gid)} + description: ${opts.description} + ${toMemberList opts.members} +''; + + systemUsersLdif = base: user-map: + stringJoin "\n" (mapAttrsToList (name: opts: + systemUserLdif base name opts + ) user-map); + + groupsLdif = base: group-map: + stringJoin "\n" (mapAttrsToList (name: opts: + groupLdif base name opts + ) group-map); + + usersLdif = base: group-map: user-map: + stringJoin "\n" (mapAttrsToList (name: opts: + userLdif base name group-map opts + ) user-map); + +in { + + options = { + fudo = { + auth = { + server = { + enable = mkEnableOption "Fudo Authentication"; + + kerberos-host = mkOption { + type = types.str; + description = '' + The name of the host to use for Kerberos authentication. 
+ ''; + }; + + kerberos-keytab = mkOption { + type = types.str; + description = '' + The path to a keytab for the LDAP server, containing a principal for ldap/. + ''; + }; + + sslCert = mkOption { + type = types.str; + description = '' + The path to the SSL certificate to use for the server. + ''; + }; + + sslKey = mkOption { + type = types.str; + description = '' + The path to the SSL key to use for the server. + ''; + }; + + sslCACert = mkOption { + type = types.str; + description = '' + The path to the SSL CA cert used to sign the certificate. + ''; + }; + + organization = mkOption { + type = types.str; + description = '' + The name to use for the organization. + ''; + }; + + base = mkOption { + type = types.str; + description = '' + The base dn of the LDAP server (eg. "dc=fudo,dc=org"). + ''; + }; + + rootpw-file = mkOption { + default = ""; + type = types.str; + description = '' + The path to a file containing the root password for this database. + ''; + }; + + listen-uris = mkOption { + default = []; + type = with types; listOf str; + description = '' + A list of URIs on which the ldap server should listen. + ''; + example = [ + "ldap://auth.fudo.org" + "ldaps://auth.fudo.org" + ]; + }; + + users = mkOption { + default = {}; + type = with types; loaOf (submodule ldapUserOpts); + example = { + tester = { + uid = 10099; + common-name = "Joe Blow"; + hashed-password = ""; + }; + }; + description = '' + Users to be added to the Fudo LDAP database. + ''; + }; + + groups = mkOption { + default = {}; + type = with types; loaOf (submodule ldapGroupOpts); + example = { + admin = { + gid = 1099; + members = [ + "tester" + ]; + }; + }; + description = '' + Groups to be added to the Fudo LDAP database. 
+ ''; + }; + + system-users = mkOption { + default = {}; + type = with types; loaOf (submodule ldapSystemUserOpts); + example = { + replicator = { + description = "System user for database sync"; + hashed-password = ""; + }; + }; + description = '' + System users to be added to the Fudo LDAP database. + ''; + }; + }; + }; + }; + }; + + config = mkIf cfg.enable { + + environment = { + etc = { + "openldap/sasl2/slapd.conf" = { + mode = "0400"; + user = "openldap"; + group = "openldap"; + text = '' + mech_list: gssapi external + keytab: /etc/ldap/ldap.keytab + ''; + }; + }; + }; + + systemd.services.openldap = { + environment = { + KRB5_KTNAME = cfg.kerberos-keytab; + }; + }; + + services.openldap = { + + enable = true; + suffix = cfg.base; + rootdn = "cn=admin,${cfg.base}"; + rootpwFile = "${cfg.rootpw-file}"; + urlList = cfg.listen-uris; + + extraConfig = '' + + TLSCertificateFile ${cfg.sslCert} + TLSCertificateKeyFile ${cfg.sslKey} + TLSCACertificateFile ${cfg.sslCACert} + + authz-regexp "^uid=auth/([^.]+)\.fudo\.org,cn=fudo\.org,cn=gssapi,cn=auth$" "cn=$1,ou=hosts,dc=fudo,dc=org" + authz-regexp "^uid=[^,/]+/root,cn=fudo\.org,cn=gssapi,cn=auth$" "cn=admin,dc=fudo,dc=org" + authz-regexp "^uid=([^,/]+),cn=fudo\.org,cn=gssapi,cn=auth$" "uid=$1,ou=members,dc=fudo,dc=org" + authz-regexp "^uid=host/([^,/]+),cn=fudo\.org,cn=gssapi,cn=auth$" "cn=$1,ou=hosts,dc=fudo,dc=org" + authz-regexp "^gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth$" "cn=admin,dc=fudo,dc=org" + + ''; + + extraDatabaseConfig = '' +# access to dn=base="" +# by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage +# by * read + +access to attrs=userPassword,shadowLastChange + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by group.exact="cn=admin,ou=members,${cfg.base}" write + by dn.exact="cn=auth_reader,${cfg.base}" read + by dn.exact="cn=replicator,${cfg.base}" read + by self write + by * auth + +access to 
dn.exact="cn=admin,ou=groups,${cfg.base}" + by dn.exact="cn=admin,${cfg.base}" write + by users read + by * none + +access to dn.subtree="ou=groups,${cfg.base}" attrs=memberUid + by dn.regex="cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" write + by group.exact="cn=admin,ou=groups,${cfg.base}" write + by users read + by * none + +access to dn.subtree="ou=members,${cfg.base}" attrs=cn,sn,homeDirectory,loginShell,gecos,description + by group.exact="cn=admin,ou=groups,${cfg.base}" write + by users read + by * none + +access to dn.exact="cn=admin,ou=groups,${cfg.base}" + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by users read + by * none + +access to dn.subtree="ou=groups,${cfg.base}" attrs=memberUid + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by dn.regex="cn=[a-zA-Z][a-zA-Z0-9_]+,ou=hosts,${cfg.base}" write + by group.exact="cn=admin,ou=groups,${cfg.base}" write + by users read + by * none + +access to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by users read + by * none + ''; + + declarativeContents = '' + dn: ${cfg.base} + objectClass: top + objectClass: dcObject + objectClass: organization + o: ${cfg.organization} + + dn: ou=groups,${cfg.base} + objectClass: organizationalUnit + description: ${cfg.organization} groups + + dn: ou=members,${cfg.base} + objectClass: organizationalUnit + description: ${cfg.organization} members + + dn: cn=admin,${cfg.base} + objectClass: organizationalRole + cn: admin + description: "Admin User" + + ${systemUsersLdif cfg.base cfg.system-users} + ${groupsLdif cfg.base cfg.groups} + ${usersLdif cfg.base cfg.groups cfg.users} + ''; + }; + }; +} diff --git a/config/postgresql_11.nix b/config/postgresql_11.nix new file mode 100644 index 0000000..ff75b52 --- /dev/null +++ b/config/postgresql_11.nix 
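Review bot: In `extraDatabaseConfig`, two `access to` clauses are duplicated — `dn.exact="cn=admin,ou=groups,${cfg.base}"` and `dn.subtree="ou=groups,${cfg.base}" attrs=memberUid` each appear twice — and slapd applies only the first clause that matches a target, so the second copies, which are the ones carrying the `gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage` grant, are never reached. Merge each pair into a single clause with the peercred `manage` line first. The `userPassword` clause grants `by group.exact="cn=admin,ou=members,${cfg.base}" write`, but `declarativeContents` creates groups under `ou=groups`, so this names an entry that does not exist and admins get no password-reset right; every other clause uses `cn=admin,ou=groups,${cfg.base}`. The `authz-regexp` lines hard-code `dc=fudo,dc=org` where the rest of the module uses `${cfg.base}`, and `login-shell` is declared in ldapUserOpts but never emitted by `userLdif`, so `loginShell` is absent from every account and that option is dead.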
@@ -0,0 +1,138 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + catLines = builtins.concatStringsSep "\n"; + + userOpts = { config, ... }: { + options = { + passwd = mkOption { + type = types.str; + description = '' + The password of a given user. + ''; + }; + + databases = mkOption { + type = types.attrsOf types.lines; + default = {}; + description = '' + A list of databases to which this user should have access. + ''; + }; + }; + }; + + grantDatabaseAccess = username: database: '' + GRANT CONNECT ON DATABASE ${database} TO USER ${username}; + GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA ${database} TO USER ${username}; + ''; + + createUserSql = username: userOpts: '' + CREATE ROLE ${username} ENCRYPTED PASSWORD ${userOpts.passwd}; + ${catLines (map (grantDatabaseAccess username) userOpts.databases)} + ''; + + createDatabaseSql = database: dbOpts: '' + CREATE DATABASE ${database}; + USE ${database}; + ''; + + dataPath = /srv + ("/" + config.networking.hostName); + +in { + + options = { + fudo.postgresql = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the PostgreSQL server for Fudo services. + ''; + }; + + databases = mkOption { + type = types.attrsOf types.lines; + default = {}; + description = '' + A map of database_name => database_defn. + ''; + }; + + users = mkOption { + type = with types; attrsOf (submodule userOpts); + default = {}; + description = '' + A map of user_name => { user_attributes }. 
+ ''; + }; + }; + }; + + # config = mkIf config.fudo.postgresql.enable + + # environment = { + + # systemPackages = with pkgs; [ + # postgresql_11_gssapi + # ]; + + # etc = { + # "postgresql/private/privkey.pem" = { + # mode = "0400"; + # user = "postgres"; + # group = "postgres"; + # source = dataPath + "/certs/private/privkey.pem"; + # }; + + # "postgresql/cert.pem" = { + # mode = "0444"; + # user = "postgres"; + # group = "postgres"; + # source = dataPath + "/certs/cert.pem"; + # }; + + # "postgresql/private/postgres.keytab" = { + # mode = "0400"; + # user = "postgres"; + # group = "postgres"; + # source = dataPath + "/keytabs/postgres.keytab"; + # }; + # }; + # }; + + # services.postgresql = { + # enable = true; + # package = pkgs.postgresql_11_gssapi; + # enableTCPIP = true; + + # extraConfig = '' + # krb_server_keyfile = '/etc/postgresql/private/postgres.keytab' + + # ssl = true + # ssl_cert_file = '/etc/postgresql/cert.pem' + # ssl_key_file = '/etc/postgresql/private/privkey.pem' + # ''; + + # authentication = '' + # local all all ident + + # # host-local + # host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG + # host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG + + # # local network + # host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG + # host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG + # ''; + + # initialScript = pkgs.writeText "backend-initscript" '' + # ${catLines (map createUserSql fudo.postgresql.users)} + # ${catLines (map createDatabaseSql fudo.postgresql.databases)} + # ''; + # }; +} diff --git a/configuration.nix b/configuration.nix new file mode 120000 index 0000000..4de3171 --- /dev/null +++ b/configuration.nix @@ -0,0 +1 @@ +./hosts/france.nix \ No newline at end of file diff --git a/defaults.nix b/defaults.nix new file mode 100644 index 0000000..772758e --- /dev/null +++ b/defaults.nix 
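Review bot: `createUserSql` interpolates the secret as `ENCRYPTED PASSWORD ${userOpts.passwd};` without quotes, which is not valid PostgreSQL (`PASSWORD 'value'`), `createDatabaseSql` emits `USE ${database};`, a statement PostgreSQL does not have, and `grantDatabaseAccess` uses the database name where a schema name is required. None of this runs yet because the `config` block is commented out, but the helpers will also fail at evaluation since `map` is applied to `userOpts.databases`, which is declared `attrsOf lines` rather than the list the description promises. When this is re-enabled, `initialScript = pkgs.writeText ...` would write every `passwd` value into the world-readable Nix store; reading credentials from a file at service start, as the LDAP module does with `rootpw-file`, avoids that. Likewise `dataPath` is a path value, so `source = dataPath + "/certs/private/privkey.pem"` in the commented `etc` entries would copy the private key and keytab into the store as well.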
@@ -0,0 +1,206 @@ +# Ref: https://learnxinyminutes.com/docs/nix/ + +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./packages/postgresql_11_gssapi.nix + ./packages/minecraft-server_1_15_1.nix + ./config/fudo.nix + ./config/postgresql_11.nix + ]; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + asdf + atop + autoconf + automake + bash + bind + binutils + btrfs-progs + bundix + byobu + cdrtools + cargo + certbot + clang + curl + emacs + fail2ban + fortune + gcc + git + gnumake + gnupg + google-cloud-sdk + guile + heimdalFull + imagemagick + ipfs + iptables + jdk + kerberos + libisofs + lispPackages.alexandria + lispPackages.cl-ppcre + lispPackages.clx + lispPackages.quicklisp + lshw + mkpasswd + ncurses5 + nmap + oidentd + openldap + openssh + openssl_1_1 + openssh_gssapi + pciutils + pv + pwgen + racket + ruby + rustc + sbcl + screen + service-wrapper + stdenv + telnet + texlive.combined.scheme-basic + tmux + unzip + vim + wget + ]; + + system.stateVersion = "19.09"; + + system.autoUpgrade.enable = true; + + environment.etc.current-nixos-config.source = ./.; + + krb5.enable = true; + krb5.libdefaults.default_realm = "FUDO.ORG"; + krb5.kerberos = pkgs.heimdalFull; + + i18n = { + # consoleFont = "Lat2-Terminus16"; + consoleKeyMap = "dvp"; + defaultLocale = "en_US.UTF-8"; + # consoleUseXkbConfig = true; + }; + + programs = { + mosh.enable = true; + + ssh = { + forwardX11 = true; + extraConfig = '' + GSSAPIAuthentication yes + GSSAPIDelegateCredentials yes + ''; + }; + + bash.enableCompletion = true; + mtr.enable = true; + + gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + }; + + services = { + emacs = { + defaultEditor = true; + enable = true; + }; + + cron = { + enable = true; + }; + openssh = { + enable = true; + startWhenNeeded = true; + forwardX11 = true; + extraConfig = '' + GSSAPIAuthentication yes + GSSAPICleanupCredentials yes + ''; + }; + }; + + security.pam = { + 
enableSSHAgentAuth = true; + # TODO: add yubico? + services.sshd = { + # This should only ask for a code if ~/.google_authenticator exists, but it asks anyway. + # googleAuthenticator.enable = true; + makeHomeDir = true; + # Fails! + # requireWheel = true; + }; + }; + + users.groups = { + fudosys = { + gid = 888; + }; + }; + + users.ldap = { + enable = true; + base = "dc=fudo,dc=org"; + bind.distinguishedName = "cn=auth_reader,dc=fudo,dc=org"; + bind.passwordFile = "/srv/nslcd/bind.passwd"; + bind.timeLimit = 5; + loginPam = false; + server = "ldap://france.fudo.org"; + timeLimit = 5; + useTLS = true; + extraConfig = '' + TLS_CACERT /etc/nixos/static/fudo_ca.pem + ''; + + daemon = { + enable = true; + extraConfig = '' + tls_cacertfile /etc/nixos/static/fudo_ca.pem + ''; + }; + }; + + users.extraUsers = { + niten = { + isNormalUser = true; + uid = 10000; + createHome = true; + description = "Niten"; + extraGroups = ["wheel" "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "dialout" "adm" "input" "systemd-journal" "fudosys" "libvirtd"]; + group = "users"; + home = "/home/niten"; + hashedPassword = "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/"; + }; + reaper = { + isNormalUser = true; + uid = 10049; + createHome = true; + description = "Reaper"; + extraGroups = ["wheel" "audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "dialout" "adm" "input" "systemd-journal" "fudosys" "libvirtd"]; + group = "users"; + home = "/home/reaper"; + hashedPassword = "$6$YVCI6kiGcG5EVMT$t9lYEXjAhbnh7YkvJJPAbrzL8XE/AASsKFlWWeS.fDjBi/8S7zwXTHF0j41nDUfC//3viysn0tIOQKyZTHhzG."; + }; + fudo = { + isSystemUser = true; + uid = 888; + description = "Fudo System User"; + group = "fudosys"; + }; + }; + +} diff --git a/fudo/groups.nix b/fudo/groups.nix new file mode 100644 index 0000000..5fb0c39 --- /dev/null +++ b/fudo/groups.nix 
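Review bot: `programs.ssh.extraConfig` sets `GSSAPIDelegateCredentials yes` for every destination, which forwards each user's Kerberos TGT to any host they ssh to, including hosts outside the realm; scope it as `Host *.fudo.org` / `GSSAPIDelegateCredentials yes` and leave delegation off otherwise. `environment.etc.current-nixos-config.source = ./.` copies the whole configuration tree into the Nix store, which any local account can read, so the `hashedPassword` values for niten and reaper in this file and the `hashed-password` values in fudo/users.nix and fudo/system-users.nix become readable by every user on the host; keep the secret-bearing files out of the tree that is copied. `security.pam.services.sshd.makeHomeDir = true` creates home directories for LDAP users at first login, which with `loginPam = false` presumably relies on the Kerberos-authenticated sshd path — worth confirming that is the intended flow.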
@@ -0,0 +1,118 @@ +{ + admin = { + gid = 1000; + description = "Admin User Group"; + members = [ + "niten" + "reaper" + "swaff" + ]; + }; + + fudo = { + gid = 1001; + description = "Fudo User Group"; + members = [ + "andrew" + "animus" + "anorthe" + "ark" + "ben" + "brian" + "chad" + "ckoo" + "dabar" + "dana" + "darryl" + "debo" + "flowchart" + "gaijin" + "gubbs" + "helen" + "jess" + "jill" + "jinny" + "joker4ever" + "jun" + "kevin" + "kris" + "laura" + "leefolio" + "niten" + "r3d3" + "reaper" + "rob" + "saphira" + "slickoil" + "splat1" + "stewartd" + "swaff" + "theblacksun" + "xiaoxuan" + "zimm" + ]; + }; + + selby = { + gid = 1002; + description = "Selby User Group"; + members = [ + "andrew" + "brian" + "darryl" + "helen" + "jess" + "ken" + "kevin" + "laura" + "niten" + "rob" + "vee" + "xiaoxuan" + ]; + }; + + www-fudo = { + gid = 1005; + description = "Fudo Web Group"; + members = [ + "niten" + "reaper" + "www-data" + ]; + }; + + fudo_admin = { + gid = 1031; + description = "Fudo Administrators"; + members = [ + "niten" + "reaper" + ]; + }; + + sea_media = { + gid = 1077; + description = "Media group for Niten's home in Seattle"; + members = [ + "ken" + "niten" + "reaper" + "xiaoxuan" + ]; + }; + + fudo_shell = { + gid = 1078; + description = "Users with shell access to fudo hosts"; + members = [ + "ansyg" + "joker4ever" + "niten" + "omefire" + "reaper" + "swaff" + ]; + }; + +} diff --git a/fudo/system-users.nix b/fudo/system-users.nix new file mode 100644 index 0000000..ec57dc4 --- /dev/null +++ b/fudo/system-users.nix @@ -0,0 +1,11 @@ +{ + replicator = { + description = "Database Replicator"; + hashed-password = "{SHA}HpiRMyxLR+0ZFHz/COvG9lcNYyQ="; + }; + + auth_reader = { + description = "System Authenticator"; + hashed-password = "{MD5}N36/kQ64mev1HARddvVk7Q=="; + }; +} diff --git a/fudo/users.nix b/fudo/users.nix new file mode 100644 index 0000000..75b7e76 --- /dev/null +++ b/fudo/users.nix 
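Review bot: The `www-fudo` group lists `www-data` as a member, but no such user exists in fudo/users.nix, and `groupLdif` in config/fudo/ldap.nix emits `memberUid` lines without checking them against the user set, so the dangling reference is loaded silently. Either add the account or drop the entry; a guard in `groupsLdif` that filters `opts.members` against `attrNames user-map` would surface such mismatches at evaluation time. Note also that `admin` (gid 1000) is the group the LDAP ACLs key on for write access to member entries, so membership in it is effectively the directory's administrator list; `swaff` is in it but not in `fudo_admin`, which may be intended but is worth confirming.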
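Review bot: Both system accounts are stored with unsalted digests (`{SHA}` for replicator, `{MD5}` for auth_reader), and config/fudo/ldap.nix grants exactly these two DNs read access to every user's `userPassword`, which makes them the highest-value credentials in the directory; regenerate them with `slappasswd` in a salted scheme (`{SSHA}` at minimum, or `{CRYPT}` where the slapd build supports it). The same applies to the `{MD5}`, `{SHA}` and DES-style `{crypt}` hashes throughout fudo/users.nix. Since `users.ldap` in defaults.nix binds as `auth_reader` only for NSS lookups with `loginPam = false`, its read grant on `userPassword` in the ACL appears unnecessary and could be dropped to keep that bind account least-privileged.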
@@ -0,0 +1,403 @@ +# Generate a hashed password using slappasswd. + +{ + niten = { + uid = 10000; + group = "admin"; + common-name = "Peter Selby"; + hashed-password = "{SSHA}dF/5NGkafL8M1kpa3LYZKdh0Pc7a02gA"; + }; + + andrew = { + uid = 10001; + group = "selby"; + common-name = "Andrew Selby"; + hashed-password = ""; + }; + + animus = { + uid = 10002; + group = "fudo"; + common-name = "James Frazer"; + hashed-password = "{MD5}5EenPxFXCKCkxMGFmSAHqQ=="; + }; + + ark = { + uid = 10005; + group = "fudo"; + common-name = "Roger Wong"; + hashed-password = "{SHA}H1+3u18I7JG+xcy7jBaKu1M6GFk="; + }; + + ben = { + uid = 10007; + group = "fudo"; + common-name = "Ben"; + hashed-password = "{MD5}v0jY5bADu30cAR1Uu/eWYQ=="; + }; + + chad = { + uid = 10011; + group = "fudo"; + common-name = "Chad Isbister"; + hashed-password = "{MD5}fQ309GUF2DvHlJ3R+5wNuA=="; + }; + + ckoo = { + uid = 10014; + group = "fudo"; + common-name = "Jason Bush"; + hashed-password = "{MD5}KMFeaBc7e/gVzL/QUT0mYw=="; + }; + + dana = { + uid = 10015; + group = "fudo"; + common-name = "Dana Eftodie"; + hashed-password = "{MD5}+ijTylKau4uot2kGMqKSTA=="; + }; + + jill = { + uid = 10030; + group = "fudo"; + common-name = "Jill Isbister"; + hashed-password = "{MD5}fQ309GUF2DvHlJ3R+5wNuA=="; + }; + + joker4ever = { + uid = 10033; + group = "fudo"; + common-name = "Jack Clarke"; + hashed-password = "{SSHA}w78XwSax9WywIDujMxEoO7o87d2LDJRo"; + }; + + ken = { + uid = 10035; + group = "selby"; + common-name = "Ken Selby"; + hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc"; + }; + + reaper = { + uid = 10049; + group = "admin"; + common-name = "Jonathan Stewart"; + hashed-password = "{MD5}EBvifhJ6z9dIDx0KWkAPoQ=="; + }; + + slickoil = { + uid = 10052; + group = "fudo"; + common-name = "Connor Cooley"; + hashed-password = "{MD5}8Qrpagi8TYnZQdFoYe02rA=="; + }; + + splat1 = { + uid = 10053; + group = "fudo"; + common-name = "Matt Evans"; + hashed-password = "{MD5}JeHNutGTBMHOqFgVlYjfpw=="; + }; + + swaff = { + 
uid = 10055; + group = "fudo"; + common-name = "Mark Swaffer"; + hashed-password = "{MD5}C5gIsLsaKSvIPydu4uzhNg=="; + }; + + brian = { + uid = 10056; + group = "selby"; + common-name = "Brian Selby"; + hashed-password = "{crypt}$1$npZLTPEO$p2bTx8TTlCg7XNiivTJsC1"; + }; + + rob = { + uid = 10057; + group = "selby"; + common-name = "Robert Selby"; + hashed-password = "{crypt}HD1ESf1hAGdks"; + }; + + tarbash = { + uid = 10059; + group = "fudo"; + common-name = "Neville"; + hashed-password = "{crypt}$1$cE6lVNbC$PLjlE9vK77SKNKwJBKiT//"; + }; + + darryl = { + uid = 10060; + group = "selby"; + common-name = "Darryl Kissick"; + hashed-password = "{crypt}$1$oUNTMyKU$oUs6JqBRTPKE9A/sEzlSY0"; + }; + + ayumi = { + uid = 10061; + group = "fudo"; + common-name = "Ayumi Kira"; + hashed-password = "{MD5}5OkpooOLxw94nF1lOfn/ZQ=="; + }; + + saphira = { + uid = 10063; + group = "fudo"; + common-name = "Elizabeth Stewart"; + hashed-password = "{crypt}$1$cQ/Zq25x$fUQfUtpMB.f3rBWzttPns."; + }; + + banen = { + uid = 10064; + group = "fudo"; + common-name = "Travis Neis"; + hashed-password = "{crypt}$1$cyfM/Vni$vIuirRln.MnWActOR6t8S."; + }; + + xiaoxuan = { + uid = 10065; + group = "fudo"; + common-name = "Xiaoxuan Jin"; + hashed-password = "{MD5}iecbyMpyVkmOaMBzSFy58Q=="; + }; + + thibor = { + uid = 10066; + group = "fudo"; + common-name = ""; + hashed-password = "{crypt}$1$HzQOn3zV$ogkeS5ByWrFstYo0FhXB/."; + }; + + flowchart = { + uid = 10067; + group = "fudo"; + common-name = "BH Bieterse"; + hashed-password = "{crypt}$1$lQMZ42RZ$aAOsLHP0i.yfvD1a1EVsA/"; + }; + + gubbs = { + uid = 10068; + group = "fudo"; + common-name = "Lorcan Gavin"; + hashed-password = "{MD5}AIf4bJZyHCnvJVL3YHRnIg=="; + }; + + debo = { + uid = 10069; + group = "fudo"; + common-name = "Deborah Osti"; + hashed-password = "{crypt}$1$5wEBGh/8$Ggp2JAI/rQiBXxJ89G0iq1"; + }; + + leefolio = { + uid = 10070; + group = "fudo"; + common-name = "Ze Artiste"; + hashed-password = "{crypt}$1$LRlAYBst$sS1bPu8yEPrdYkQhoZhAq1"; + }; 
+ + zimm = { + uid = 10071; + group = "fudo"; + common-name = "Ross Drinkwater"; + hashed-password = "{SSHA}er1cgYDNPJsfLwtqYLopKMGMxiZZRGdY"; + }; + + gaijin = { + uid = 10072; + group = "fudo"; + common-name = "Tetsuo Torigai"; + hashed-password = "{crypt}$1$bw8hyDXm$pMLLUtlDlVLwBTZiC0Lzf0"; + }; + + anorthe = { + uid = 10073; + group = "fudo"; + common-name = "Bonnie Wong"; + hashed-password = "{crypt}$1$DORfHzbp$nJkk0OXd7WzYDxx8LbdMK."; + }; + + stewartd = { + uid = 10076; + group = "fudo"; + common-name = "Dwight Stewart"; + hashed-password = "{MD5}e2GSmH+l4ZZ808snWsFNYw=="; + }; + + jess = { + uid = 10078; + group = "selby"; + common-name = "Jessica Selby"; + hashed-password = "{MD5}2tbtZre16apUTNtRIK98nQ=="; + }; + + kevin = { + uid = 10079; + group = "selby"; + common-name = "Kevin Selby"; + hashed-password = "{crypt}$1$UYKrkMEe$SAABgc1pCBYgPFIMepNrM."; + }; + + theblacksun = { + uid = 10080; + group = "fudo"; + common-name = "Brendan Goodfellow"; + hashed-password = "{MD5}Hmw6pFYYT87nmpLp0QxcQw=="; + }; + + kris = { + uid = 10082; + group = "selby"; + common-name = "Kris Huberdeau"; + hashed-password = "{SSHA}RUYeAEUyblnCWa9uBzY9nwsmoksy8P3Y"; + }; + + jun = { + uid = 10083; + group = "fudo"; + common-name = "Junichi Suzuki"; + hashed-password = "{crypt}$1$ExfgQXb8$b1ihvMRbG2dWbnlmzzI/h."; + }; + + jinny = { + uid = 10084; + group = "fudo"; + common-name = "Hye-jin Kim"; + hashed-password = "{crypt}$1$6cld82N8$5a9ovCPXSacDmK3TWDaF30"; + }; + + helen = { + uid = 10086; + group = "selby"; + common-name = "Helen Selby"; + hashed-password = "{MD5}cT8gLj4MDWqeP/GnzPfgHQ=="; + }; + + vee = { + uid = 10087; + group = "selby"; + common-name = "Vee Selby"; + hashed-password = "snoinuer"; + }; + + dabar = { + uid = 10088; + group = "fudo"; + common-name = "Dan Bernardic"; + hashed-password = "{MD5}ULrk46YUeUZQrl0+wAQiWA=="; + }; + + r3d3 = { + uid = 10089; + group = "fudo"; + common-name = "Derek Veroni"; + hashed-password = "{SHA}2XyijGDovUhA1/Z/XR+9h9Ia4fY="; + }; 
+ + laura = { + uid = 10090; + group = "selby"; + common-name = "Laura Selby"; + hashed-password = "{MD5}MI65czN0duIudMhYH+BU9Q=="; + }; + + tuk = { + uid = 10091; + group = "fudo"; + common-name = "Taku Koba"; + hashed-password = "{MD5}DQuoQluy50128r8MxAmFkQ=="; + }; + + aki = { + uid = 10092; + group = "fudo"; + common-name = "Akihito Mori"; + hashed-password = "{MD5}oGAt2kJGKMqX+CmfV1w/GA=="; + }; + + ansyg = { + uid = 10095; + group = "fudo"; + common-name = "Anseok Joo"; + hashed-password = "{MD5}AHhHl02D3uDmWhPJZ6QPOw=="; + }; + + jackie = { + uid = 10097; + group = "selby"; + common-name = "Jackie Selby"; + hashed-password = "{MD5}fa6JfWySlH63sITsxrTt0Q=="; + }; + + mtopf = { + uid = 10100; + group = "fudo"; + common-name = "Michael Topf"; + hashed-password = "{MD5}/pleD8SiLhmnRr1RVspNcA=="; + }; + + tat = { + uid = 10101; + group = "fudo"; + common-name = "Tatsuro Akano"; + hashed-password = "{MD5}fAV5GX8UdjsXIFjU0Ex4SA=="; + }; + + blatzkrieg = { + uid = 10102; + group = "fudo"; + common-name = "Brendan Blatz"; + hashed-password = "{MD5}1nE/ndFwGbfH/wLagxvt8w=="; + }; + + ellie = { + uid = 10103; + group = "fudo"; + common-name = "Ellie Lee"; + hashed-password = "{MD5}gzjwt+kw2nmvJ1FKFTpSZA=="; + }; + + alan = { + uid = 10104; + group = "fudo"; + common-name = "Alan Wong"; + hashed-password = "{MD5}WhohVE4xfo9RIOw1kG3s1Q=="; + }; + + omefire = { + uid = 10105; + group = "fudo"; + common-name = "Omar Mefire"; + hashed-password = "{SSHA}W6KWo26wl/nawpV++wMqsKdwrIwrait5"; + }; + + gordon = { + uid = 10106; + group = "fudo"; + common-name = "Gordon Stewart"; + hashed-password = "{SSHA}jaCOc1ZjCI9klVR+v676lIBOidEg7/u0"; + }; + + jeramy = { + uid = 10107; + group = "selby"; + common-name = "Jeramy Ewbank"; + hashed-password = "{MD5}8j8vTniyRzylmeTNUoRwWA=="; + }; + + lauren = { + uid = 10108; + group = "selby"; + common-name = "Lauren Hotel"; + hashed-password = "{SSHA}DKnhrycmXSu4HKWFPeBXA9xvZ0ytgXIpZA10tg=="; + }; + + testuser = { + uid = 10110; + group = 
"fudo"; + common-name = "Test User"; + hashed-password = "{SSHA}LSz1WjWfjRwAM3xm+QZ71vFj997dnZC6"; + }; + +} diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..e6d1fe0 --- /dev/null +++ b/hardware-configuration.nix @@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "ahci" "usb_storage" "floppy" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/87833c39-299b-4e84-9854-beda4a8e0115"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/bfb464c0-c259-4c29-8e8f-b3011bd30c95"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/ac0fe2b7-dd7a-4e86-aaa0-942acf3d541d"; } + ]; + + nix.maxJobs = lib.mkDefault 8; +} diff --git a/hosts/france.nix b/hosts/france.nix new file mode 100644 index 0000000..b0e770b --- /dev/null +++ b/hosts/france.nix 
@@ -0,0 +1,110 @@
+{ config, pkgs, ... }:
+
+let
+ hostname = "france.fudo.org";
+
+in {
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+
+ security.hideProcessInformation = true;
+
+ imports = [
+ ../defaults.nix
+ ../networks/fudo.org.nix
+ ../profiles/server.nix
+ ../config/fudo.nix
+ ../profiles/services/basic_acme.nix
+ ../profiles/services/heimdal_kdc.nix
+ ../profiles/services/minecraft.nix
+ ../hardware-configuration.nix
+ ../packages/local-packages.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ acme-ca
+ lxd
+ multipath-tools
+ ];
+
+ fudo.auth.server = {
+ enable = true;
+ base = "dc=fudo,dc=org";
+ organization = "Fudo";
+ rootpw-file = "/srv/ldap/secure/root.pw";
+ kerberos-host = "france.fudo.org";
+ kerberos-keytab = "/srv/ldap/secure/ldap.keytab";
+
+ sslCert = "/srv/ldap/france.fudo.org.pem";
+ sslKey = "/srv/ldap/secure/france.fudo.org-key.pem";
+ sslCACert = "/etc/nixos/static/fudo_ca.pem";
+
+ listen-uris = [
+ "ldap://${hostname}/"
+ "ldaps://${hostname}/"
+ "ldap://localhost/"
+ "ldaps://localhost/"
+ "ldapi:///"
+ ];
+
+ users = import ../fudo/users.nix;
+
+ groups = import ../fudo/groups.nix;
+
+ system-users = import ../fudo/system-users.nix;
+ };
+
+ networking = {
+ hostName = hostname;
+
+ dhcpcd.enable = false;
+ useDHCP = false;
+ interfaces.enp4s0f0.useDHCP = true;
+ interfaces.enp4s0f1.useDHCP = true;
+
+ enableIPv6 = true;
+
+ # Create a bridge for VMs to use
+ macvlans = {
+ extif0 = {
+ interface = "enp4s0f0";
+ mode = "bridge";
+ };
+ intif0 = {
+ interface = "enp4s0f1";
+ mode = "bridge";
+ };
+ };
+
+ interfaces = {
+ extif0 = {
+ # result of: echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+ macAddress = "02:d4:e8:3b:10:2f";
+ ipv4.addresses = [
+ {
+ address = "208.81.3.117";
+ prefixLength = 28;
+ }
+ ];
+ };
+ intif0 = {
+ # result of: echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+ macAddress = "02:ba:ba:e9:08:21";
+ ipv4.addresses = [
+ {
+ address = "192.168.11.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+ };
+ };
+
+ hardware.bluetooth.enable = false;
+
+ virtualisation.lxd = {
+ enable = true;
+ };
+}
diff --git a/hosts/monolith.nix b/hosts/monolith.nix
new file mode 100644
index 0000000..d4c531e
--- /dev/null
+++ b/hosts/monolith.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+
+let
+ hostname = "monolith";
+
+in {
+ imports = [
+ ../defaults.nix
+ ../networks/sea.fudo.org.nix
+ ../profiles/desktop.nix
+ ../hardware-configuration.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ glxinfo
+ ];
+
+ networking.hostName = hostname;
+
+ services.xserver.videoDrivers = ["nvidia"];
+
+ hardware.bluetooth.enable = false;
+
+ hardware.opengl.driSupport32Bit = true;
+ hardware.opengl.driSupport = true;
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+
+}
diff --git a/hosts/nostromo.nix b/hosts/nostromo.nix
new file mode 100644
index 0000000..24e5b64
--- /dev/null
+++ b/hosts/nostromo.nix
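Review bot: `listen-uris` keeps a plaintext `ldap://${hostname}/` listener next to the `ldaps://` one, and `extif0` gives this host a public address (`208.81.3.117/28`) while the imported `../networks/fudo.org.nix` sets `firewall.enable = false`, so unencrypted LDAP binds (and the credentials they carry) are reachable from the internet. Unless StartTLS is made mandatory elsewhere, limit plaintext to the local socket: `listen-uris = [ "ldaps://${hostname}/" "ldaps://localhost/" "ldapi:///" ];`. The directory this server loads through `users = import ../fudo/users.nix` carries unsalted `{MD5}` password hashes for most accounts (visible earlier in this patch), so the credential set is also weak at rest and should be re-hashed with a salted scheme. Separately, every host in this patch (france, monolith, nostromo, spark, zbox) imports the same generated `../hardware-configuration.nix` with fixed by-uuid root/boot/swap devices, which cannot be right for five different machines — each host needs its own.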
@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+
+let
+ hostname = "nostromo";
+
+in {
+
+ boot.kernelModules = [ "kvm-amd" ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sdb";
+
+ imports = [
+ ../defaults.nix
+ ../networks/sea.fudo.org.nix
+ ../profiles/server.nix
+ ../hardware-configuration.nix
+
+ ../profiles/services/postgres.nix
+ # ../profiles/services/local_nameserver.nix
+ ];
+
+ networking = {
+ hostName = hostname;
+
+ defaultGateway = "10.0.0.1";
+
+ nameservers = [ "10.0.0.1" ];
+
+ # Turn off for hypervisor: dhcp by default everywhere is a fuckin pain.
+ dhcpcd.enable = false;
+
+ # Create a bridge for VMs to use
+ macvlans.intlan0 = {
+ interface = "eno1";
+ mode = "bridge";
+ };
+
+ interfaces = {
+ intlan0 = {
+ macAddress = "46:54:76:06:f1:10";
+ ipv4.addresses = [
+ {
+ address = "10.0.0.2";
+ prefixLength = 23;
+ }
+ ];
+ };
+ };
+ };
+
+ hardware.bluetooth.enable = false;
+
+ environment.systemPackages = with pkgs; [
+ ipfs
+ libguestfs-with-appliance
+ libvirt
+ virtmanager
+ ];
+
+ virtualisation.libvirtd = {
+ enable = true;
+ qemuPackage = pkgs.qemu_kvm;
+ onShutdown = "shutdown";
+ };
+
+ services.ipfs = {
+ enable = true;
+ enableGC = true;
+ autoMount = false;
+ defaultMode = "online";
+ apiAddress = "/ip4/10.0.0.2/tcp/5001";
+ gatewayAddress = "/ipv4/10.0.0.2/tcp/8080";
+ };
+}
diff --git a/hosts/spark.nix b/hosts/spark.nix
new file mode 100644
index 0000000..bc2adae
--- /dev/null
+++ b/hosts/spark.nix
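Review bot: `gatewayAddress = "/ipv4/10.0.0.2/tcp/8080"` is not a valid multiaddr — the protocol is spelled `ip4`, as `apiAddress` does two lines above — so the IPFS gateway will fail to parse its listen address. Beyond the typo, `apiAddress` binds the IPFS RPC API (which in go-ipfs carries no authentication of its own) to the LAN address, so anyone on 10.0.0.0/23, including the libvirt guests bridged through `intlan0`, can control the node; keep it on loopback unless there is a reason not to: `apiAddress = "/ip4/127.0.0.1/tcp/5001";` and `gatewayAddress = "/ip4/10.0.0.2/tcp/8080";`.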
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+
+let
+ hostname = "spark";
+
+in {
+ imports = [
+ ../defaults.nix
+ ../networks/sea.fudo.org.nix
+ ../profiles/desktop.nix
+ ../hardware-configuration.nix
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi = {
+ canTouchEfiVariables = true;
+ efibootmgr = {
+ efiDisk = "/dev/sda1";
+ };
+
+ # efiSysMountPoint = "/boot/efi";
+ };
+
+ networking.hostName = hostname;
+
+ hardware.bluetooth.enable = false;
+
+ hardware.opengl.driSupport32Bit = true;
+ hardware.opengl.driSupport = true;
+
+}
diff --git a/hosts/zbox.nix b/hosts/zbox.nix
new file mode 100644
index 0000000..eb74542
--- /dev/null
+++ b/hosts/zbox.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+let
+ hostname = "zbox";
+
+in {
+ imports = [
+ ../defaults.nix
+ ../networks/sea.fudo.org.nix
+ ../profiles/desktop.nix
+ ../hardware-configuration.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ glxinfo
+ ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ programs.bash.enableCompletion = true;
+
+ services.xserver = {
+ videoDrivers = ["nvidia"];
+ displayManager.gdm.wayland = false;
+ };
+
+ hardware.opengl.driSupport32Bit = true;
+ hardware.opengl.driSupport = true;
+
+ networking.hostName = hostname;
+
+ hardware.bluetooth.enable = true;
+}
diff --git a/networks/fudo.org.nix b/networks/fudo.org.nix
new file mode 100644
index 0000000..96f0666
--- /dev/null
+++ b/networks/fudo.org.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+ config.time.timeZone = "America/Winnipeg";
+
+ config.services.cron = {
+ mailto = "admin@fudo.org";
+ };
+
+ config.networking = {
+ domain = "fudo.org";
+
+ search = ["fudo.org"];
+
+ firewall.enable = false;
+
+ networkmanager.enable = pkgs.lib.mkForce false;
+
+ defaultGateway = "208.81.3.113";
+
+ nameservers = [ "1.1.1.1" "208.81.7.14" "2606:4700:4700::1111" ];
+ };
+
+ config.services.prometheus.exporters = {
+ node.enable = true;
+ };
+}
diff --git a/networks/sea.fudo.org.nix b/networks/sea.fudo.org.nix
new file mode 100644
index 0000000..b3e3a86
--- /dev/null
+++ b/networks/sea.fudo.org.nix
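Review bot: `firewall.enable = false` in the profile that carries the public default gateway (`208.81.3.113`) exposes every listening service on the host, and the same file enables `services.prometheus.exporters.node`, which by default listens on all interfaces on port 9100, so host metrics go out to the internet unauthenticated. Keep the firewall on and open only what the host actually serves, e.g. `firewall.enable = true; firewall.allowedTCPPorts = [ 22 80 443 636 ];` (adjust to the real service list), and pin the exporter with `node.listenAddress = "127.0.0.1";` or restrict it to the scraper's address.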
@@ -0,0 +1,192 @@ +{ config, pkgs, ... }: + +{ + config.time.timeZone = "America/Los_Angeles"; + + config.services.cron = { + mailto = "niten@fudo.org"; + }; + + services.printing.enable = true; + + config.networking = { + domain = "sea.fudo.org"; + search = ["sea.fudo.org" "fudo.org"]; + firewall.enable = false; + networkmanager.enable = pkgs.lib.mkForce false; + + # Until Comcast gets it's shit together... :( + enableIPv6 = false; + }; + + config.fileSystems."/mnt/documents" = { + device = "whitedwarf.sea.fudo.org:/volume1/Documents"; + fsType = "nfs4"; + }; + config.fileSystems."/mnt/downloads" = { + device = "whitedwarf.sea.fudo.org:/volume1/Downloads"; + fsType = "nfs4"; + }; + config.fileSystems."/mnt/music" = { + device = "doraemon.sea.fudo.org:/volume1/Music"; + fsType = "nfs4"; + }; + config.fileSystems."/mnt/video" = { + device = "doraemon.sea.fudo.org:/volume1/Video"; + fsType = "nfs4"; + }; + # fileSystems."/mnt/security" = { + # device = "panopticon.sea.fudo.org:/srv/kerberos/data"; + # fsType = "nfs4"; + # }; + config.fileSystems."/mnt/cargo_video" = { + device = "cargo.sea.fudo.org:/volume1/video"; + fsType = "nfs4"; + }; + config.fileSystems."/mnt/photo" = { + device = "cargo.sea.fudo.org:/volume1/pictures"; + fsType = "nfs4"; + }; + + config.users.extraUsers = { + guest = { + isNormalUser = true; + uid = 1000; + description = "Guest User"; + extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"]; + }; + ken = { + isNormalUser = true; + uid = 10035; + createHome = true; + description = "Ken Selby"; + extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"]; + group = "users"; + home = "/home/selby/ken"; + hashedPassword = "$6$EwK9fpbH8$gYVzYY1IYw2/G0wCeUxXrZZqvjWCkCZbBqCOhxowbMuYtC5G0vp.AoYhVKWOJcHJM2c7TdPmAdnhLIe2KYStf."; + }; + xiaoxuan = { + isNormalUser = true; + uid = 10065; + createHome = true; + description = "Xiaoxuan Jin"; + extraGroups = ["audio" "video" "disk" "floppy" "lp" "cdrom" "tape" "input"]; 
+ group = "users"; + home = "/home/xiaoxuan"; + hashedPassword = "$6$C8lYHrK7KvdKm/RE$cHZ2hg5gEOEjTV8Zoayik8sz5h.Vh0.ClCgOlQn8l/2Qx/qdxqZ7xCsAZ1GZ.IEyESfhJeJbjLpykXDwPpfVF0"; + }; + }; + + config.fudo.localNetwork = { + masterNameServer = { + ip = "10.0.0.1"; + ipReverseDomain = "0.10.in-addr.arpa"; + }; + + domain = "sea.fudo.org"; + + hostAliases = { + kadmin = "slab"; + kdc = "slab"; + photo = "doraemon"; + music = "doraemon"; + panopticon = "hyperion"; + hole = "dnshole"; + ipfs = "nostromo"; + }; + + hosts = { + slab = { + ipv4Address = "10.0.0.1"; + }; + volsung = { + ipv4Address = "10.0.0.106"; + macAddress = "ac:bc:32:7b:75:a5"; + }; + nest = { + ipv4Address = "10.0.0.176"; + macAddress = "18:b4:30:16:7c:5a"; + }; + monolith = { + ipv4Address = "10.0.0.100"; + macAddress = "6c:62:6d:c8:b0:d8"; + }; + brother-wireless = { + ipv4Address = "10.0.0.160"; + macAddress = "c0:38:96:64:49:65"; + }; + doraemon = { + ipv4Address = "10.0.0.52"; + macAddress = "00:11:32:0a:06:c5"; + }; + lm = { + ipv4Address = "10.0.0.21"; + macAddress = "52:54:00:D8:34:92"; + }; + ubiquiti-wifi = { + ipv4Address = "10.0.0.126"; + macAddress = "04:18:d6:20:48:fb"; + }; + front-light = { + ipv4Address = "10.0.0.221"; + macAddress = "94:10:3e:48:94:ed"; + }; + ipad = { + ipv4Address = "10.0.0.202"; + macAddress = "9c:35:eb:48:6e:71"; + }; + chromecast-2 = { + ipv4Address = "10.0.0.215"; + macAddress = "a4:77:33:59:a2:ba"; + }; + taipan = { + ipv4Address = "10.0.0.107"; + macAddress = "52:54:00:34:c4:78"; + }; + dns-hole = { + ipv4Address = "10.0.0.185"; + macAddress = "b8:27:eb:b2:95:fd"; + }; + family-tv = { + ipv4Address = "10.0.0.205"; + macAddress = "84:a4:66:3a:b1:f8"; + }; + spark = { + ipv4Address = "10.0.0.108"; + macAddress = "78:24:af:04:f7:dd"; + }; + babycam = { + ipv4Address = "10.0.0.206"; + macAddress = "08:ea:40:59:5f:9e"; + }; + hyperion = { + ipv4Address = "10.0.0.109"; + macAddress = "52:54:00:33:46:de"; + }; + cargo = { + ipv4Address = "10.0.0.50"; + macAddress = 
"00:11:32:75:d8:b7"; + }; + cam-entrance = { + ipv4Address = "10.0.0.31"; + macAddress = "9c:8e:cd:0e:99:7b"; + }; + cam-driveway = { + ipv4Address = "10.0.0.32"; + macAddress = "9c:8e:cd:0d:3b:09"; + }; + cam-deck = { + ipv4Address = "10.0.0.33"; + macAddress = "9c:8e:cd:0e:98:c8"; + }; + nostromo = { + ipv4Address = "10.0.0.2"; + macAddress = "14:fe:b5:ca:a2:c9"; + }; + zbox = { + ipv4Address = "10.0.0.110"; + macAddress = "18:60:24:91:CC:27"; + }; + }; + }; +} diff --git a/packages/acme-ca.nix b/packages/acme-ca.nix new file mode 100644 index 0000000..f4aaca0 --- /dev/null +++ b/packages/acme-ca.nix @@ -0,0 +1,30 @@ +{ stdenv, fetchurl }: + +let + # url = "https://letsencrypt.org/certs/isrgrootx1.pem.txt"; + # sha256 = "4c99356c265ee06c0ae0502e74d38231263513726d001cfe28ea25e70af2cc7f"; + url = "https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt"; + sha256 = "b6dd03f7fb8508e4f7ffe82ca8a3f98dde163e0bd44897e112a0850a5b606acf"; + +in stdenv.mkDerivation { + + name = "letsencrypt-ca"; + + src = fetchurl { + name = "isrgrootx1.pem.txt"; + url = url; + sha256 = sha256; + }; + + phases = [ "installPhase" ]; + + installPhase = '' + mkdir -pv $out/etc/ssl/letsencrypt + cp -v $src $out/etc/ssl/letsencrypt/ca.pem + ''; + + meta = { + homepage = https://letsencrypt.com; + description = "Certificate Authority (CA) certificate for LetsEncrypt"; + }; +} diff --git a/packages/local-packages.nix b/packages/local-packages.nix new file mode 100644 index 0000000..e93431f --- /dev/null +++ b/packages/local-packages.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: + +{ + nixpkgs.config.packageOverrides = pkgs: rec { + acme-ca = import ./acme-ca.nix { + stdenv = pkgs.stdenv; + fetchurl = builtins.fetchurl; + }; + }; +} diff --git a/packages/minecraft-server_1_15_1.nix b/packages/minecraft-server_1_15_1.nix new file mode 100644 index 0000000..a923bf4 --- /dev/null +++ b/packages/minecraft-server_1_15_1.nix 
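Review bot: `guest`, `ken` and `xiaoxuan` each get `"disk"` via `extraGroups`, which grants read/write access to the raw block devices and therefore lets the account bypass filesystem permissions entirely (read any file, including `/etc/shadow`, or rewrite the root filesystem) — root-equivalent access for an account literally named guest. Drop it, along with the tape/floppy/cdrom groups a desktop login does not need: `extraGroups = ["audio" "video" "lp" "input"];`. The `hashedPassword` values are SHA-512 crypt strings, so they are salted, but committing them still hands an offline cracking target to anyone with repository access; move them to `passwordFile` entries kept outside the repo. The NFS shares are mounted as plain `nfs4` with no `sec=krb5` even though this network has a KDC (`kdc = "slab"` in `hostAliases`), so the servers trust whatever UID a client presents — worth tightening at the same time.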
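Review bot: `src` downloads `letsencryptauthorityx3.pem.txt` but labels the result `name = "isrgrootx1.pem.txt"` (the root left behind in the commented-out `url`), so the file installed as `ca.pem` is the X3 intermediate while its name and the package description suggest the root; pick one and make `name`, `url` and `sha256` agree. Pinning an intermediate by URL and hash is fragile because Let's Encrypt rotates intermediates, at which point the fixed `sha256` stops matching any current file; if the goal is trusting Let's Encrypt-issued certificates, use the root or rely on `pkgs.cacert`, which already carries it. Minor: `meta.homepage = https://letsencrypt.com;` — the project lives at letsencrypt.org, and bare URL literals are deprecated in Nix 2.x, so `homepage = "https://letsencrypt.org";`.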
@@ -0,0 +1,13 @@ +{ pkgs, ... }: + +{ + nixpkgs.config.packageOverrides = pkgs: rec { + minecraft-server_1_15_1 = pkgs.minecraft-server.overrideAttrs (oldAttrs: rec { + version = "1.15.1"; + src = builtins.fetchurl { + url = "https://launcher.mojang.com/v1/objects/4d1826eebac84847c71a77f9349cc22afd0cf0a1/server.jar"; + sha256 = "a0c062686bee5a92d60802ca74d198548481802193a70dda6d5fe7ecb7207993"; + }; + }); + }; +} diff --git a/packages/options/postgresql_11.nix b/packages/options/postgresql_11.nix new file mode 100644 index 0000000..51d14c7 --- /dev/null +++ b/packages/options/postgresql_11.nix @@ -0,0 +1,46 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + userOpts = { name, config, ... }: { + options = { + passwd = mkOption { + type = types.str; + description = '' + The password of a given user. + ''; + }; + + databases = mkOption { + type = types.listOf types.str; + default = []; + description = '' + A list of databases to which this user should have access. + ''; + }; + }; + }; + +in { + + options = { + fudo.postgresql = { + databases = mkOption { + type = types.attrsOf types.lines; + default = {}; + description = '' + A map of database_name => database_defn. + ''; + }; + users = mkOption { + type = with types; attrsOf (submodule userOpts); + default = {}; + description = '' + A map of user_name => { user_attributes }. + ''; + }; + }; + }; +} diff --git a/packages/postgresql_11_gssapi.nix b/packages/postgresql_11_gssapi.nix new file mode 100644 index 0000000..12700ea --- /dev/null +++ b/packages/postgresql_11_gssapi.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: + +{ + nixpkgs.config.packageOverrides = pkgs: rec { + postgresql_11_gssapi = pkgs.postgresql_11.overrideAttrs (oldAttrs: rec { + configureFlags = oldAttrs.configureFlags ++ [ "--with-gssapi" ]; + buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ]; + }); + }; +} diff --git a/profiles/.#ldap-server.nix b/profiles/.#ldap-server.nix new file mode 120000 index 0000000..e216937 --- /dev/null 
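Review bot: `passwd` is declared as `types.str` and described as "The password of a given user", which invites callers to write a database password into the configuration; every option value is evaluated into the world-readable `/nix/store`, so any password set this way is readable by every local user (and `profiles/services/local_nameserver.nix` in this patch sets `passwd = "some_junk"` in exactly that way). Declare a file reference instead and have the consumer read it at activation time — `passwd-file = mkOption { type = types.str; description = "Path to a file holding the user's password; read at activation, never copied into the store."; };` — keeping `passwd` only as a deprecated alias if anything needs it. Nothing visible consumes `fudo.postgresql.users` or `fudo.postgresql.databases` (the nameserver profile writes to `services.postgresql.users`, which the stock module does not define), so the option names should be reconciled before either side is relied on.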
+++ b/profiles/.#ldap-server.nix @@ -0,0 +1 @@ +root@france.26610:1573312038 \ No newline at end of file diff --git a/profiles/desktop.nix b/profiles/desktop.nix new file mode 100644 index 0000000..3b28702 --- /dev/null +++ b/profiles/desktop.nix 
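Review bot: `profiles/.#ldap-server.nix` is an Emacs lock symlink (its target `root@france.26610:1573312038` is the editor's user@host.pid:timestamp marker), not configuration, and should not be committed. Remove it with `git rm profiles/.#ldap-server.nix` and add `.#*` to `.gitignore`. It also discloses that the configuration is edited as root on france — a small but needless leak in a shared repository.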
@@ -0,0 +1,147 @@ +{ config, lib, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + cool-retro-term + chrome-gnome-shell + chromium + ffmpeg-full + firefox + gimp + glxinfo + gnome3.gnome-shell + gnome3.gnome-session + google-chrome + gtk2 + gtk2-x11 + gtk3 + gtkimageview + i3lock + libfixposix + minecraft + mplayer + nomacs + openssl_1_1 + redshift + rhythmbox + shotwell + spotify + sqlite + steam + system-config-printer + virtmanager + xorg.xev + xzgv + virtmanager-qt + ]; + + boot.plymouth.enable = true; + + services.avahi = { + enable = true; + browseDomains = ["sea.fudo.org"]; + domainName = "sea.fudo.org"; + }; + + boot.tmpOnTmpfs = true; + + services.xserver = { + enable = true; + + layout = "us"; + xkbVariant = "dvp"; + xkbOptions = "ctrl:nocaps"; + + desktopManager.gnome3.enable = true; + desktopManager.default = "gnome3"; + + displayManager.gdm.enable = true; + + windowManager.session = pkgs.lib.singleton { + name = "stumpwm"; + start = '' + ${pkgs.lispPackages.stumpwm}/bin/stumpwm & + waidPID=$! 
+ ''; + }; + }; + + services.printing = { + enable = true; + }; + + services.gnome3 = { + evolution-data-server.enable = pkgs.lib.mkForce false; + gnome-user-share.enable = pkgs.lib.mkForce false; + }; + + services.dbus.socketActivated = true; + + sound.enable = true; + + hardware.pulseaudio.enable = true; + + fonts = { + enableCoreFonts = true; + enableFontDir = true; + enableGhostscriptFonts = false; + fontconfig.ultimate.enable = true; + + fonts = with pkgs; [ + cantarell_fonts + dejavu_fonts + dina-font + dosemu_fonts + fira-code + fira-code-symbols + freefont_ttf + liberation_ttf + mplus-outline-fonts + nerdfonts + noto-fonts + noto-fonts-cjk + noto-fonts-emoji + proggyfonts + terminus_font + ubuntu_font_family + ucsFonts + unifont + vistafonts + xlibs.fontadobe100dpi + xlibs.fontadobe75dpi + xlibs.fontadobeutopia100dpi + xlibs.fontadobeutopia75dpi + xlibs.fontadobeutopiatype1 + xlibs.fontarabicmisc + xlibs.fontbh100dpi + xlibs.fontbh75dpi + xlibs.fontbhlucidatypewriter100dpi + xlibs.fontbhlucidatypewriter75dpi + xlibs.fontbhttf + xlibs.fontbhtype1 + xlibs.fontbitstream100dpi + xlibs.fontbitstream75dpi + xlibs.fontbitstreamtype1 + xlibs.fontcronyxcyrillic + xlibs.fontcursormisc + xlibs.fontdaewoomisc + xlibs.fontdecmisc + xlibs.fontibmtype1 + xlibs.fontisasmisc + xlibs.fontjismisc + xlibs.fontmicromisc + xlibs.fontmisccyrillic + xlibs.fontmiscethiopic + xlibs.fontmiscmeltho + xlibs.fontmiscmisc + xlibs.fontmuttmisc + xlibs.fontschumachermisc + xlibs.fontscreencyrillic + xlibs.fontsonymisc + xlibs.fontsunmisc + xlibs.fontwinitzkicyrillic + xlibs.fontxfree86type1 + ]; + }; + +} diff --git a/profiles/ldap-server.nix b/profiles/ldap-server.nix new file mode 100644 index 0000000..84378d3 --- /dev/null +++ b/profiles/ldap-server.nix 
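Review bot: the stumpwm session script sets `waidPID=$!`, a typo for `waitPID`, which — if I remember the NixOS xsession wrapper correctly — is the variable it waits on after the session script returns; as written the wrapper has nothing to wait for and the X session can end as soon as stumpwm has been started in the background. Fix the spelling: `waitPID=$!`. The enclosing `services.xserver` block is fully inside the hunk.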
@@ -0,0 +1,19 @@ +{ config, pkgs, ... }: + +let + base = "dc=fudo,dc=org"; + ldap = import ../config/fudo/ldap.nix; + +in { + + imports = [ + ../config/fudo/ldap.nix + ]; + + services.openldap = { + enable = true; + suffix = base; + rootdn = "cn=admin,${base}"; + rootpwFile = "/srv/ldap/secure/root.pw"; + }; +} diff --git a/profiles/server.nix b/profiles/server.nix new file mode 100644 index 0000000..8dfc03c --- /dev/null +++ b/profiles/server.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + ]; + + boot.tmpOnTmpfs = true; + + services.xserver.enable = false; +} diff --git a/profiles/services/basic_acme.nix b/profiles/services/basic_acme.nix new file mode 100644 index 0000000..b323c04 --- /dev/null +++ b/profiles/services/basic_acme.nix @@ -0,0 +1,43 @@ +# Starts an Nginx server on $HOSTNAME just to get a cert for this host + +{ config, pkgs, environment, ... }: + +let + hostname = config.networking.hostName; + + wwwRoot = pkgs.writeTextFile { + name = "index.html"; + + text = '' + + + ${hostname} + + +
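Review bot: `ldap = import ../config/fudo/ldap.nix;` in the `let` is never used, and importing a NixOS module as a plain value bypasses the module system anyway; the file is already pulled in through `imports`, so drop the binding. With only `suffix`, `rootdn` and `rootpwFile` set, `services.openldap` comes up on the module's default listener (plaintext LDAP on all interfaces, unless the NixOS release in use differs) with no TLS material, whereas `hosts/france.nix` configures `fudo.auth.server` with certificates and explicit `listen-uris`; either this profile is dead code or it needs the same `sslCert`/`sslKey`/`urlList` settings before any host imports it.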

${hostname} + + + ''; + destination = "/www"; + }; + +in { + + services.nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + virtualHosts."${hostname}" = { + enableACME = true; + forceSSL = true; + root = wwwRoot + ("/" + "www"); + }; + }; + + security.acme.certs = { + ${hostname}.email = "admin@fudo.org"; + }; +} diff --git a/profiles/services/heimdal_kdc.nix b/profiles/services/heimdal_kdc.nix new file mode 100644 index 0000000..4f9d46b --- /dev/null +++ b/profiles/services/heimdal_kdc.nix @@ -0,0 +1,34 @@ +{ config, pkgs, environment, ... }: + +let + databasePath = /var/heimdal/heimdal; + +in { + environment = { + systemPackages = with pkgs; [ + heimdalFull + ]; + }; + + systemd.services = { + heimdal-kdc = { + enable = true; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "Heimdal Kerberos Key Distribution Center (ticket server)"; + serviceConfig = { + ExecStart = ''${pkgs.heimdalFull}/libexec/heimdal/kdc''; + }; + }; + + heimdal-admin-server = { + enable = true; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + description = "Heimdal Kerberos Remote Administration Server"; + serviceConfig = { + ExecStart = ''${pkgs.heimdalFull}/libexec/heimdal/kadmind''; + }; + }; + }; +} diff --git a/profiles/services/local_nameserver.nix b/profiles/services/local_nameserver.nix new file mode 100644 index 0000000..c744fe8 --- /dev/null +++ b/profiles/services/local_nameserver.nix 
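Review bot: `wwwRoot` is built with `destination = "/www"`, so `pkgs.writeTextFile` produces a single file at `$out/www`, and `root = wwwRoot + ("/" + "www")` then points nginx's document root at a file rather than a directory — requests for `/` will not find an index. Use `destination = "/www/index.html";` and `root = "${wwwRoot}/www";`. The module also takes `environment` as a function argument; it is not a NixOS module argument and, as far as I recall how `lib/modules.nix` resolves declared arguments, evaluation fails with a missing-attribute error — use `{ config, pkgs, ... }:`. The interpolated HTML appears to have been stripped by the page (only `${hostname}` survives in the `text` string), so I cannot review the document itself.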
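Review bot: `databasePath = /var/heimdal/heimdal` is bound and never referenced, so neither `kdc` nor `kadmind` is told where the realm database lives; if the intent is to rely on Heimdal's compiled-in default, say so in a comment, otherwise pass it explicitly, e.g. `ExecStart = "${pkgs.heimdalFull}/libexec/heimdal/kdc --config-file=/etc/heimdal-kdc/kdc.conf";`. Both units also run as root with no `Restart=`, no `ProtectSystem`/`ProtectHome`, and only `after = [ "network.target" ]`, which is thin for the service that holds every principal's key — add `Restart = "on-failure";` and the usual systemd hardening directives. `environment` in the module's argument list is not a NixOS module argument and, as far as I recall how `lib/modules.nix` resolves declared arguments, makes evaluation fail; use `{ config, pkgs, ... }:`. Since `hosts/france.nix` imports this profile together with `../networks/fudo.org.nix` (`firewall.enable = false`), kadmind's remote-administration port is reachable on the public interface.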
@@ -0,0 +1,136 @@ +{ config, pkgs, environment, ... }: + +let + databaseName = "powerdns"; + userName = "powerdns"; + reverseIp = ip: builtins.concatStringsSep "." (lib.lists.reverseList(lib.strings.splitString "." ip)); + fullReverseIp = ip: "${reverseIp ip}.in-addr.arpa"; + hostRecord = domain_id: type: name: content: '' + INSERT INTO records (domain_id, name, type, content) VALUES ($domain_id, '${name}', '${type}', '${content}'); + ''; + +in { + environment = { + systemPackages = with pkgs; [ + postgresql_11_gssapi + powerdns + ]; + }; + + services.postgresql.users."${userName}" = { + passwd = "some_junk"; + databases = ["${databaseName}"]; + }; + + services.postgresql.databases."${databaseName} = { + "${databaseName}" = '' + CREATE TABLE domains ( + id SERIAL PRIMARY KEY, + name VARCHAR(255) NOT NULL, + master VARCHAR(128) DEFAULT NULL, + last_check INT DEFAULT NULL, + type VARCHAR(6) NOT NULL, + notified_serial INT DEFAULT NULL, + account VARCHAR(40) DEFAULT NULL, + CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) + ); + + CREATE UNIQUE INDEX name_index ON domains(name); + + + CREATE TABLE records ( + id BIGSERIAL PRIMARY KEY, + domain_id INT DEFAULT NULL, + name VARCHAR(255) DEFAULT NULL, + type VARCHAR(10) DEFAULT NULL, + content VARCHAR(65535) DEFAULT NULL, + ttl INT DEFAULT NULL, + prio INT DEFAULT NULL, + disabled BOOL DEFAULT 'f', + ordername VARCHAR(255), + auth BOOL DEFAULT 't', + CONSTRAINT domain_exists + FOREIGN KEY(domain_id) REFERENCES domains(id) + ON DELETE CASCADE, + CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) + ); + + CREATE INDEX rec_name_index ON records(name); + CREATE INDEX nametype_index ON records(name,type); + CREATE INDEX domain_id ON records(domain_id); + CREATE INDEX recordorder ON records (domain_id, ordername text_pattern_ops); + + + CREATE TABLE supermasters ( + ip INET NOT NULL, + nameserver VARCHAR(255) NOT NULL, + account VARCHAR(40) NOT NULL, + PRIMARY KEY(ip, nameserver) + 
); + + + CREATE TABLE comments ( + id SERIAL PRIMARY KEY, + domain_id INT NOT NULL, + name VARCHAR(255) NOT NULL, + type VARCHAR(10) NOT NULL, + modified_at INT NOT NULL, + account VARCHAR(40) DEFAULT NULL, + comment VARCHAR(65535) NOT NULL, + CONSTRAINT domain_exists + FOREIGN KEY(domain_id) REFERENCES domains(id) + ON DELETE CASCADE, + CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) + ); + + CREATE INDEX comments_domain_id_idx ON comments (domain_id); + CREATE INDEX comments_name_type_idx ON comments (name, type); + CREATE INDEX comments_order_idx ON comments (domain_id, modified_at); + + + CREATE TABLE domainmetadata ( + id SERIAL PRIMARY KEY, + domain_id INT REFERENCES domains(id) ON DELETE CASCADE, + kind VARCHAR(32), + content TEXT + ); + + CREATE INDEX domainidmetaindex ON domainmetadata(domain_id); + + + CREATE TABLE cryptokeys ( + id SERIAL PRIMARY KEY, + domain_id INT REFERENCES domains(id) ON DELETE CASCADE, + flags INT NOT NULL, + active BOOL, + content TEXT + ); + + CREATE INDEX domainidindex ON cryptokeys(domain_id); + + + CREATE TABLE tsigkeys ( + id SERIAL PRIMARY KEY, + name VARCHAR(255), + algorithm VARCHAR(50), + secret VARCHAR(255), + CONSTRAINT c_lowercase_name CHECK (((name)::TEXT = LOWER((name)::TEXT))) + ); + + CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm); + + INSERT INTO domains (id, name, master, type) VALUES (1, '${config.fudo.localNetwork.domain}', '${config.fudo.localNetwork.masterNameServer.ip}', 'MASTER'); + INSERT INTO domains (id, name, master, type) VALUES (2, '${config.fudo.localNetwork.masterNameServer.ipReverseDomain}', '${config.fudo.localNetwork.masterNameServer.ip}', 'MASTER'); + + ${hostRecord 1 "SOA" config.fudo.localDomain "${config.fudo.localNetwork.domain}. 
hostmaster.${config.fudo.localNetwork.domain}."} + ${hostRecord 2 "SOA" config.fudo.masterNameServer.ipReverseDomain "${config.fudo.localNetwork.masterNameServer.ipReverseDomain} hostmaster.${config.fudo.localNetwork.domain}."} + ${hostRecord 1 "NS" config.fudo.localNetwork.domain config.fudo.localNetwork.masterNameServer.ip} + ${hostRecord 2 "NS" config.fudo.localNetwork.masterNameServer.ipReverseDomain config.fudo.localNetwork.masterNameServer.ip} + + ${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (host: attrs: hostRecord 1 "A" host attrs.ipv4Address) config.fudo.localNetwork.hosts)} + ${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (host: attrs: hostRecord 2 "PTR" (fullReverseIp attrs.ipv4Address) host) config.fudo.localNetworkhosts)} + ${builtins.concatStringsSep "\n" (lib.attrSets.mapAttrs (alias: host: hostRecord 1 "CNAME" alias host) config.fudo.localNetwork.hostAliases)} + ''; + }; + }; +} diff --git a/profiles/services/minecraft.nix b/profiles/services/minecraft.nix new file mode 100644 index 0000000..47ba6c1 --- /dev/null +++ b/profiles/services/minecraft.nix @@ -0,0 +1,19 @@ +{ pkgs, ... }: + +let + dataDir = /srv/minecraft/data; +in { + services.minecraft-server = { + enable = true; + package = pkgs.minecraft-server_1_15_1; + dataDir = dataDir; + eula = true; + declarative = true; + serverProperties = { + level-name = "selbyland"; + motd = "Welcome to the Selby Minecraft Server"; + difficulty = 2; + gamemode = "survival"; + }; + }; +} diff --git a/profiles/services/postgres.nix b/profiles/services/postgres.nix new file mode 100644 index 0000000..d097882 --- /dev/null +++ b/profiles/services/postgres.nix 
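Review bot: the SQL emitted by the `hostRecord` helper contains `VALUES ($domain_id, ...)` — inside a Nix `''` string only `${...}` interpolates, so `$domain_id` is written literally and every generated INSERT is a syntax error; it should read `VALUES (${toString domain_id}, '${name}', '${type}', '${content}');`. Host names and record contents are spliced into the SQL unescaped, which is tolerable only because `config.fudo.localNetwork.hosts` is repo-controlled data, and that assumption deserves a comment. The file has further evaluation-stopping defects: `services.postgresql.databases."${databaseName} = {` is missing its closing quote, `lib` is used but not taken as an argument (while `environment`, which is taken, is not a module argument), `lib.attrSets.mapAttrs` returns an attribute set so `concatStringsSep` needs `mapAttrsToList`, and `config.fudo.localDomain`, `config.fudo.masterNameServer` and `config.fudo.localNetworkhosts` do not match the `config.fudo.localNetwork.*` paths used elsewhere in the same string. `passwd = "some_junk"` is a plaintext database password that will land in the world-readable Nix store; this module is commented out in `hosts/nostromo.nix`, so it is currently dead, but it should be fixed or removed rather than left in this state.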
@@ -0,0 +1,65 @@ +{ config, pkgs, environment, ... }: + +let + dataPath = /srv + ("/" + config.networking.hostName); + +in { + + environment = { + + systemPackages = with pkgs; [ + postgresql_11_gssapi + ]; + + etc = { + "postgresql/private/privkey.pem" = { + mode = "0400"; + user = "postgres"; + group = "postgres"; + source = dataPath + "/certs/private/privkey.pem"; + }; + + "postgresql/cert.pem" = { + mode = "0444"; + user = "postgres"; + group = "postgres"; + source = dataPath + "/certs/cert.pem"; + }; + + "postgresql/private/postgres.keytab" = { + mode = "0400"; + user = "postgres"; + group = "postgres"; + source = dataPath + "/keytabs/postgres.keytab"; + }; + }; + }; +< + services.postgresql = { + enable = true; + package = pkgs.postgresql_11_gssapi; + enableTCPIP = true; + + extraConfig = + '' + krb_server_keyfile = '/etc/postgresql/private/postgres.keytab' + + ssl = true + ssl_cert_file = '/etc/postgresql/cert.pem' + ssl_key_file = '/etc/postgresql/private/privkey.pem' + ''; + + authentication = + '' + local all all ident + + # host-local + host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG + host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG + + # local network + host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG + host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG + ''; + }; +} diff --git a/profiles/vm/http.nix b/profiles/vm/http.nix new file mode 100644 index 0000000..b644ef4 --- /dev/null +++ b/profiles/vm/http.nix 
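Review bot: the three `environment.etc` entries set `source` to `dataPath + "/certs/private/privkey.pem"` and friends, where `dataPath` is a Nix path value (`/srv + ...`); a path used as a derivation input is copied into `/nix/store`, so the TLS private key and the Kerberos keytab become world-readable there regardless of the `mode = "0400"` applied to the `/etc` copy (and evaluation fails outright on any machine where the path does not exist). Point PostgreSQL at the files on disk instead of copying them — drop the `environment.etc` entries and use string paths, `ssl_key_file = '/srv/${config.networking.hostName}/certs/private/privkey.pem'` and `krb_server_keyfile = '/srv/${config.networking.hostName}/keytabs/postgres.keytab'`, with ownership and permissions set by `systemd.tmpfiles.rules` or the deployment. `environment` in the module arguments is not a NixOS module argument, and the stray `<` line between the two attribute sets is a syntax error if it is really in the file (it may be page garbling). In `authentication`, `10.0.0.1/24` has host bits set; write the network as `10.0.0.0/24` (or `/23`, which is what `hosts/nostromo.nix` uses for `prefixLength`).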
@@ -0,0 +1,42 @@ +{ config, pkgs, ... }: + +{ containers.https = + let + hostname = "${config.hostname}.fudo.link"; + incomingCertDir = "/srv/${config.hostname}/certs"; + containerCertsDir = "/etc/letsencrypt/live"; + + in { + autoStart = true; + + bindMounts = [ + { + "${containerCertsDir}" = { + hostPath = "${incomingCertsDir}"; + isReadOnly = false; + }; + } + ]; + + config = { config, pkgs, ... }: + { + environment.systemPackages = with pkgs; [ + nginx + ]; + + services.nginx = { + enable = true; + + virtualHosts."${hostname}" = { + enableACME = true; + forceSSL = true; + root = "/var/www"; + }; + + security.acme.certs = { + "${hostname}".email = config.adminEmail; + }; + }; + }; + }; +} diff --git a/profiles/vm/postgres.nix b/profiles/vm/postgres.nix new file mode 100644 index 0000000..fde59a8 --- /dev/null +++ b/profiles/vm/postgres.nix 
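Review bot: this container cannot evaluate as written — `incomingCertDir` is bound in the `let` but the bind mount reads `incomingCertsDir`, `config.hostname` and `config.adminEmail` are not NixOS options (`config.networking.hostName` is, and `profiles/services/basic_acme.nix` hard-codes the admin address), `bindMounts` is given as a list wrapping an attribute set instead of an attribute set, and `security.acme.certs` is nested inside `services.nginx`, where it is not an option. Mounting the host's certificate directory with `isReadOnly = false` also lets the container rewrite the host's private keys; nginx only needs to read them, so `isReadOnly = true`. Untangling this touches most of the file, so a sketch follows; the two `bindMounts`/`enableACME` mechanisms look redundant (ACME inside the container writes its own certificates under `/var/lib/acme`), and which one is intended should be decided before merging.

```nix
{ config, pkgs, ... }:

let
  hostname = "${config.networking.hostName}.fudo.link";
  incomingCertDir = "/srv/${config.networking.hostName}/certs";
  containerCertsDir = "/etc/letsencrypt/live";
in {
  containers.https = {
    autoStart = true;

    bindMounts."${containerCertsDir}" = {
      hostPath = incomingCertDir;
      isReadOnly = true;
    };

    config = { config, pkgs, ... }: {
      # … unchanged: environment.systemPackages, services.nginx.enable / virtualHosts …
      security.acme.certs."${hostname}".email = "admin@fudo.org";
    };
  };
}
```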
@@ -0,0 +1,75 @@ +{ config, pkgs, environment, ... }: + +let + hostPath = /srv + ("/" + config.networking.hostName); + srcCertificateDirectory = hostPath + "/certs"; + dstCertificateDirectory = "/etc/pki/certs/postgres"; + dstPrivateKey = dstCertificateDirectory + /private/privkey.pem; + srcKeytabPath = hostPath + /keytabs/postgres; + dstKeytabPath = "/etc/postgresql-common/keytab"; + +in { + + containers.postgres = { + autoStart = true; + + bindMounts = { + "${dstCertificateDirectory}" = { + hostPath = "${srcCertificateDirectory}"; + isReadOnly = false; + }; + "${dstKeytabPath}" = { + hostPath = "${srcKeytabPath}"; + isReadOnly = false; + }; + }; + + config = { config, pkgs, environment, ... }: { + environment.etc."${dstPrivateKey}".mode = "0400"; + + boot.tmpOnTmpfs = true; + + # Kind of a stupid hack...bindMounts can't specify perms, and it defaults to + # permissive (even for nested files). So, explicitly make the keys private. + # TODO: eventually, use bindMount perms, hopefully? + boot.postBootCommands = '' + chown postgres ${dstKeytabPath}/postgres.keytab + chmod 400 ${dstKeytabPath}/postgres.keytab + chown -R postgres ${dstCertificateDirectory} + chown 400 ${dstCertificateDirectory}/private/privkey.pem + ''; + + services.postgresql = { + enable = true; + package = pkgs.postgresql_10; + enableTCPIP = true; + + extraConfig = + '' + krb_server_keyfile = '${dstKeytabPath}/postgres.keytab' + + ssl = true + ssl_cert_file = '${dstCertificateDirectory}/cert.pem' + ssl_key_file = '${dstCertificateDirectory}/private/privkey.pem' + ''; + + authentication = + '' + local all all ident + + # host-local + host all all 127.0.0.1/32 gss include_realm=0 krb_realm=FUDO.ORG + host all all ::1/128 gss include_realm=0 krb_realm=FUDO.ORG + + # local network + host all all 10.0.0.1/24 gss include_realm=0 krb_realm=FUDO.ORG + host all all 2601:600:997f:fc00::/60 gss include_realm=0 krb_realm=FUDO.ORG + ''; + + initialScript = pkgs.writeText "backend-initscript" '' + CREATE ROLE 
niten; + ''; + }; + }; + }; +} diff --git a/static/fudo_ca.pem b/static/fudo_ca.pem new file mode 100644 index 0000000..cddc528 --- /dev/null +++ b/static/fudo_ca.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDvzCCAyigAwIBAgIJAIO7c/KlNXiJMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD +VQQGEwJDQTERMA8GA1UECBMITWFuaXRvYmExETAPBgNVBAcTCFdpbm5pcGVnMREw +DwYDVQQKEwhGdWRvLm9yZzERMA8GA1UECxMIU2VjdXJpdHkxIjAgBgNVBAMTGUZ1 +ZG8ub3JnIFJvb3QgQ2VydGlmaWNhdGUxHTAbBgkqhkiG9w0BCQEWDmFkbWluQGZ1 +ZG8ub3JnMB4XDTA2MTIyMjIyMTYxMVoXDTE2MTIxOTIyMTYxMVowgZwxCzAJBgNV +BAYTAkNBMREwDwYDVQQIEwhNYW5pdG9iYTERMA8GA1UEBxMIV2lubmlwZWcxETAP +BgNVBAoTCEZ1ZG8ub3JnMREwDwYDVQQLEwhTZWN1cml0eTEiMCAGA1UEAxMZRnVk +by5vcmcgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3DQEJARYOYWRtaW5AZnVk +by5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANZpJiFZjgs1M744PTLH +nAQVMC2VzH76+qNbLClNK3n6dknrx+FMFq35naXnJLnkmEhHW5DFMeQBudCAD1tv +DTj6KxgBbBoMFIXfukQjMOjFIXcPE0MsbfJowjJxGDA3KFE5pLs5u5suGPLXPpog +6ASSTg1n75crFSU/d9hN+drVAgMBAAGjggEFMIIBATAdBgNVHQ4EFgQUQS8uOVCa +rLmMGYU6T0pIkDAnQr8wgdEGA1UdIwSByTCBxoAUQS8uOVCarLmMGYU6T0pIkDAn +Qr+hgaKkgZ8wgZwxCzAJBgNVBAYTAkNBMREwDwYDVQQIEwhNYW5pdG9iYTERMA8G +A1UEBxMIV2lubmlwZWcxETAPBgNVBAoTCEZ1ZG8ub3JnMREwDwYDVQQLEwhTZWN1 +cml0eTEiMCAGA1UEAxMZRnVkby5vcmcgUm9vdCBDZXJ0aWZpY2F0ZTEdMBsGCSqG +SIb3DQEJARYOYWRtaW5AZnVkby5vcmeCCQCDu3PypTV4iTAMBgNVHRMEBTADAQH/ +MA0GCSqGSIb3DQEBBQUAA4GBAH2ZUJoSeNcslGlQUs7xPWwTSKVZ0OGpfhdI/pmA +WQGC6Kj5MzlEunqaBEKaLSJ9yx/t0l5c5aFT77ERFacH0lhWme+AACEDAKuCbMeL +fRnsQYoPZ0jEygnxvdG4IHl9dmKWr9SR361OWOP0uYpvWtiuF5w0GvFLJ0L5x7jy +xZuP +-----END CERTIFICATE-----
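Review bot: `chown 400 ${dstCertificateDirectory}/private/privkey.pem` in `boot.postBootCommands` is a typo for `chmod 400` — as written it hands the private key to uid 400 and leaves its mode untouched, undoing the `chown -R postgres` on the previous line for the one file that matters; fix: `chmod 400 ${dstCertificateDirectory}/private/privkey.pem`. The `hostPath` values interpolate Nix path values (`"${srcCertificateDirectory}"`, `"${srcKeytabPath}"`), which copies the certificates and keytab into the world-readable Nix store and mounts the store copy rather than `/srv/<host>/...`; make `hostPath`/`srcKeytabPath` plain strings, e.g. `hostPath = "/srv/${config.networking.hostName}";`. `package = pkgs.postgresql_10` is the stock build, while `extraConfig`/`authentication` rely on `krb_server_keyfile` and `gss`; the repo adds `postgresql_11_gssapi` (and the non-container profile uses it) precisely because the stock package seems to lack GSSAPI, so this container will presumably reject those settings. `environment.etc."${dstPrivateKey}".mode` uses an absolute path as the `etc` key, which I believe yields an entry under `/etc` + that path rather than changing the mode of the bind-mounted file; the postBootCommands already cover it, so the entry can go.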
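Review bot: decoding the certificate body shows a validity window of `061222221611Z` to `161219221611Z`, i.e. this root expired on 2016-12-19, three years before this commit, yet `hosts/france.nix` points `sslCACert` at it; clients that validate the LDAP server chain against it will fail, or have been configured to skip validation, neither of which is acceptable for the authentication backend. The certificate is also a 1024-bit RSA key signed with sha1WithRSAEncryption (the `MIGJAoGBA…` modulus length and the `1.2.840.113549.1.1.5` signature OID are visible in the DER), both rejected by mainstream TLS stacks for years. Re-issue the Fudo root with at least RSA-3072 or P-256 and a SHA-256 signature, replace this file, and re-sign the server certificates it is meant to anchor.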