nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Should work locally for sea.fudo.org (gateway, kerberos fixes)

Browse Source
This commit is contained in:
root 2020-06-25 20:51:43 -07:00
commit 705fa12391
7 changed files with 258 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
config/fudo/secure-dns-proxy.nix Normal file
View File

@ -0,0 +1,62 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.fudo.secure-dns-proxy;
in {
options.fudo.secure-dns-proxy = {
enable = mkEnableOption "Enable a DNS server using an encrypted upstream source.";
port = mkOption {
type = types.port;
description = "Port on which to listen for DNS queries.";
default = 53;
};
upstream-dns = mkOption {
type = with types; listOf str;
description = ''
The upstream DNS services to use, in a format useable by dnsproxy.
See: https://github.com/AdguardTeam/dnsproxy
'';
default = ["https://cloudflare-dns.com/dns-query"];
};
bootstrap-dns = mkOption {
type = types.str;
description = "A simple DNS server from which HTTPS DNS can be bootstrapped, if necessary.";
default = "1.1.1.1";
};
listen-ips = mkOption {
type = with types; listOf str;
description = "A list of local IP addresses on which to listen.";
default = ["0.0.0.0"];
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
dnsproxy
];
systemd.services.secure-dns-proxy = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "DNS Proxy for secure DNS lookups";
serviceConfig = let
upstreams = map (upstream: "-u ${upstream}") cfg.upstream-dns;
upstream-line = concatStringsSep " " upstreams;
listen-line = concatStringsSep " "
(map (listen: "-l ${listen}") cfg.listen-ips);
cmd = "${pkgs.dnsproxy}/bin/dnsproxy -p ${toString cfg.port} ${upstream-line} ${listen-line} -b ${cfg.bootstrap-dns}";
in {
ExecStart = cmd;
};
};
};
}

3
config/local.nix
View File

@ -18,8 +18,9 @@ with lib;
./fudo/node-exporter.nix
./fudo/postgres.nix
./fudo/prometheus.nix
./fudo/system.nix
./fudo/secure-dns-proxy.nix
./fudo/slynk.nix
./fudo/system.nix
./fudo/webmail.nix
../fudo/profiles

1
fudo/sites/default.nix
View File

@ -2,6 +2,7 @@
{
imports = [
./joes.nix
./portage.nix
./seattle.nix
];

57
fudo/sites/joes.nix Normal file
View File

@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
with lib;
let
admin = "admin@fudo.org";
nameservers = [
"1.1.1.1"
"2606:4700:4700::1111"
];
hostname = config.networking.hostName;
gateway = "172.86.179.17";
in {
config = mkIf (config.fudo.common.site == "joes") {
time.timeZone = "America/Winnipeg";
services.cron = {
mailto = admin;
};
networking = {
domain = "fudo.org";
search = ["fudo.org"];
firewall.enable = false;
nameservers = nameservers;
defaultGateway = gateway;
# defaultGateway6 = gateway6;
};
fudo.node-exporter = {
enable = true;
hostname = hostname;
};
security.acme.certs.${hostname} = {
email = "admin@fudo.org";
# plugins = [
# "fullchain.pem"
# "full.pem"
# "key.pem"
# "chain.pem"
# "cert.pem"
# ];
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
};
};
}

8
fudo/sites/seattle.nix
View File

@ -28,10 +28,12 @@ in {
firewall.enable = false;
nameservers = nameservers;
defaultGateway = gateway;
# Don't set the gateway if we ARE the gateway.
# This is the most generic way I can think of to do that. local-network is really
# about running all the local servers (DNS, DHCP, and providing gateway).
defaultGateway = optionalString (config.fudo.local-network.enable != true) gateway;
# Until Comcast gets it's shit together... :(
enableIPv6 = false;
enableIPv6 = true;
# Necessary to make sure than Kerberos and Avahi both work (the former
# needs the full reverse-lookup name of the server, the latter wants

90
hosts/nostromo.nix
View File

@ -1,9 +1,8 @@
{ lib, config, pkgs, ... }:
let
hostname = "nostromo.sea.fudo.org";
hostname = "nostromo";
host-internal-ip = "10.0.0.1";
local-gateway = "10.0.0.1";
inherit (lib.strings) concatStringsSep;
in {
@ -30,7 +29,7 @@ in {
enable = true;
# See fudo/sites/seattle.nix for general settings
dns-servers = [ host-internal-ip ];
gateway = local-gateway;
gateway = host-internal-ip;
dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ host-internal-ip "127.0.0.1" "127.0.1.1" ];
# Using a pihole running in docker, see below
@ -39,27 +38,21 @@ in {
server-ip = host-internal-ip;
};
fudo.slynk = {
enable = true;
};
networking = {
hostName = hostname;
# defaultGateway = local-gateway;
nameservers = [ host-internal-ip ];
# Turn off for hypervisor: dhcp by default everywhere is a fuckin pain.
#dhcpcd.enable = true;
# Create a bridge for VMs to use
macvlans = {
intif0 = {
interface = "eno1";
mode = "bridge";
};
# extif0 = {
# interface = "eno2";
# mode = "bridge";
# };
};
interfaces = {
@ -73,7 +66,6 @@ in {
eno2.useDHCP = true;
intif0 = {
useDHCP = false;
macAddress = "46:54:76:06:f1:10";
@ -88,10 +80,6 @@ in {
}
];
};
# extif0 = {
# useDHCP = true;
# };
};
nat = {
@ -114,13 +102,19 @@ in {
];
};
# secure-dns = {
# enable = true;
# port = 9053;
# };
secure-dns-proxy = {
enable = true;
port = 3535;
upstream-dns = [
"https://cloudflare-dns.com/dns-query"
# "https://dns.adguard.com/dns-query"
];
bootstrap-dns = "1.1.1.1";
};
};
environment.systemPackages = with pkgs; [
dnsproxy
libguestfs-with-appliance
libvirt
virtmanager
@ -159,9 +153,9 @@ in {
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
# TODO: DNS-over-HTTPS via cloudflared
extraDockerOptions = [
"--dns=1.1.1.1"
];
# extraDockerOptions = [
# "--dns=1.1.1.1"
# ];
};
};
@ -199,32 +193,32 @@ in {
};
};
ceph = {
enable = true;
# ceph = {
# enable = true;
global = {
clusterName = "sea-data";
clusterNetwork = "10.0.10.0/24";
fsid = "d443e192-896d-4102-a60f-f8f0777eb2a3";
monHost = "10.0.10.2";
monInitialMembers = "mon-1";
publicNetwork = "10.0.0.0/22";
};
# global = {
# clusterName = "sea-data";
# clusterNetwork = "10.0.10.0/24";
# fsid = "d443e192-896d-4102-a60f-f8f0777eb2a3";
# monHost = "10.0.10.2";
# monInitialMembers = "mon-1";
# publicNetwork = "10.0.0.0/22";
# };
mds = {
enable = true;
daemons = ["srv-2"];
};
# mds = {
# enable = true;
# daemons = ["srv-2"];
# };
mgr = {
enable = true;
daemons = ["srv-2"];
};
# mgr = {
# enable = true;
# daemons = ["srv-2"];
# };
mon = {
enable = true;
daemons = ["srv-2"];
};
};
# mon = {
# enable = true;
# daemons = ["srv-2"];
# };
# };
};
}

89
hosts/procul.nix Normal file
View File

@ -0,0 +1,89 @@
{ config, pkgs, lib, ... }:
with lib;
let
hostname = "procul";
mail-hostname = hostname;
host_ipv4 = "172.86.179.18";
all-hostnames = [];
acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";
fudo-ca = "/etc/nixos/static/fudo_ca.pem";
in {
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sdb";
};
imports = [
../hardware-configuration.nix
../defaults.nix
];
fudo.common = {
# Sets some server-common settings. See /etc/nixos/fudo/profiles/...
profile = "server";
# Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
site = "joes";
local-networks = [
"172.86.179.18/29"
"208.81.1.128/28"
"208.81.3.112/28"
"172.17.0.0/16"
"127.0.0.0/8"
];
};
environment.systemPackages = with pkgs; [
multipath-tools
];
# Not all users need access to procul; don't allow LDAP-user access.
fudo.authentication.enable = false;
# TODO: not used yet
fudo.acme.hostnames = all-hostnames;
networking = {
hostName = hostname;
dhcpcd.enable = false;
useDHCP = false;
# TODO: fix IPv6
enableIPv6 = true;
# Create a bridge for VMs to use
macvlans = {
extif0 = {
interface = "enp0s25";
mode = "bridge";
};
};
interfaces = {
extif0 = {
# result of:
# echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:e2:b7:db:e8:af";
ipv4.addresses = [
{
address = host_ipv4;
prefixLength = 29;
}
];
};
};
};
hardware.bluetooth.enable = false;
}