From 72cf88bdecbac25d16ba217f038ef453c65f106b Mon Sep 17 00:00:00 2001 From: Niten Date: Mon, 1 Mar 2021 16:43:27 -0600 Subject: [PATCH] Seems to be almost working --- config/default.nix | 1 + config/hosts.nix | 107 ++++++++- config/hosts/clunk.nix | 26 +-- config/networks.nix | 8 + config/networks/fudo.org.nix | 186 +++++++++++++++ .../rus.selby.ca.nix | 82 +++---- .../sea.fudo.org.nix | 0 config/profiles/server.nix | 2 +- configuration.nix | 2 +- lib/default.nix | 1 + lib/fudo/dns.nix | 3 + lib/fudo/domains.nix | 4 +- lib/fudo/hosts.nix | 40 ++-- lib/fudo/local-network.nix | 73 +++--- lib/fudo/networks.nix | 13 ++ lib/fudo/networks/rus.selby.ca.nix | 86 +++++++ lib/fudo/networks/sea.fudo.org.nix | 214 ++++++++++++++++++ lib/types/network-definition.nix | 43 ++-- 18 files changed, 754 insertions(+), 137 deletions(-) create mode 100644 config/networks.nix create mode 100644 config/networks/fudo.org.nix rename config/{local-network => networks}/rus.selby.ca.nix (73%) rename config/{local-network => networks}/sea.fudo.org.nix (100%) create mode 100644 lib/fudo/networks.nix create mode 100644 lib/fudo/networks/rus.selby.ca.nix create mode 100644 lib/fudo/networks/sea.fudo.org.nix diff --git a/config/default.nix b/config/default.nix index b6bafaf..030ced4 100644 --- a/config/default.nix +++ b/config/default.nix @@ -7,6 +7,7 @@ ./domains.nix ./groups.nix ./hosts.nix + ./networks.nix ./sites.nix ./users.nix ./wireless-networks.nix diff --git a/config/hosts.nix b/config/hosts.nix index e586b2a..3bc38b6 100644 --- a/config/hosts.nix +++ b/config/hosts.nix @@ -5,30 +5,112 @@ atom = { description = "Niten's toy laptop."; enable-gui = false; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "sea.fudo.org"; + site = "seattle"; + profile = "laptop"; }; clunk = { description = "rus.selby.ca gateway box."; docker-server = true; + ssh-fingerprints = [ + "1 1 0e23d2156b1f9fca8552a0105c125aed76e51728" + "1 2 6d8dfc355102c9870945c6d79c1d19934d29e8b63303260101df51716963b7f5" + "4 1 c31a6ecaa02210e3ad72a835a072a05f043c2ef4" + "4 2 296ce1b91ac942a8b91e5c6316ea520d0cec14ac819a04bb262af6d4bdced696" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "rus.selby.ca"; + site = "russell"; + profile = "server"; + }; + + downstairs-desktop = { + description = "Downstairs desktop in Russell."; + ssh-fingerprints = [ + "1 1 ce704716ec0c3e330a243648531a10a2c78dd1ff" + "1 2 6042bbc9b16122a4b63b1cfb84e179ae65911361e9d88ee3f0cd6659428ba27e" + "3 1 de6dda3f72ee7043c804a7ad382033f3565b3b84" + "3 2 cb611dd503fa15e913a101be15295f9084fa585b3225b6c1084521bff9b2140b" + "4 1 a9a139b92851b3d9df2742a13bfea59c3e6e842e" + "4 2 2260bfab177ab1ffb6a855b02b5a1aa719d765610e6a7bc79b09c340ce7c1236" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "rus.selby.ca"; + site = "russell"; + profile = "desktop"; }; france = { description = "Primary fudo.org server."; docker-server = true; + ssh-fingerprints = [ + "1 1 1b6d62dafae9ebc59169dfb4ef828582a5450d94" + "1 2 079e7a57873542541095bf3d2f97b7350bb457d027b423a6fb56f7f6aa84ac80" + "4 1 c95a198f504a589fc62893a95424b12f0b24732d" + "4 2 3e7dad879d6cab7f7fb6769e156d7988d0c01281618d03b793834eea2f09bc96" + ]; + rp = "admin"; + admin-email = "admin@fudo.org"; + domain = "fudo.org"; + site = "portage"; + profile = "server"; + }; + + google-wifi = { + description = "Google WiFi router."; + rp = "niten"; }; lambda = { description = "sea.fudo.org experiment server."; docker-server = true; + ssh-fingerprints = [ + "1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35" + "1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88" + "4 1 a689caa9f1e75c6378efed592bc0d623e4b7d199" + "4 2 5856ae661077203fba74a226dd77a17d69d6fda8ab960bfeb22a14c253f4472f" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "sea.fudo.org"; + site = "seattle"; + profile = "server"; }; nostromo = { description = "sea.fudo.org gateway box and primary server."; docker-server = true; + ssh-fingerprints = [ + "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6" + "1 2 17a555b21fe08841c8dfb0d598dc2da117b94bf5a94cbf2c6b391eafd3e2c15e" + "4 1 ce86eabbe6f015e6422d0f5ef9ae32cc7beb1f42" + "4 2 44a5741825d43e571f6f9eb91e8c102eea75a4632dd8a9c80668e091a5fdf7f5" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "sea.fudo.org"; + site = "seattle"; + profile = "server"; }; plato = { description = "Niten's toy server."; + ssh-fingerprints = [ + "4 1 9cc052ed00cbfd82c60530ebb3a35c25c0aeace9" + "4 2 5938044054e9fa6cf3ad8176ef8e81b86eede598c19388220d4b07587f6f1c3c" + "1 1 eebe1d4a24e0e2dbc46a7cb1107333c06e60d89e" + "1 2 a96609da442372bd73044d823b4b56bbaa597725c846b4326be76c323bb47ab3" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "rus.selby.ca"; + site = "russell"; + profile = "server"; }; procul = { @@ -36,12 +118,27 @@ docker-server = true; }; - spark = { - description = "Niten's backup desktop."; + pselby-work = { description = "Google Lenovo work laptop."; }; + + spark = { description = "Niten's backup desktop."; }; + + upstairs-desktop = { + description = "Upstairs desktop in Russell."; + ssh-fingerprints = [ + "1 1 f927527d712391b57aef6d2e7c3f225a86b62bf4" + "1 2 17aece61156ba14c439aeae2e7b0f86daf97eea904241c35980f974ca1744c3d" + "3 1 70f5f613e66e53a74534d33cd7ebf248cfdc3024" + "3 2 774f1f00614751e51faa0add55183973893313d3a236d269adc3ab3c1f67c952" + "4 1 e81e07d1ae7526c457a46ab1f18af3c016b4f48e" + "4 2 e5af579cfb7f68b22492f5286b5249c5de74debf2a6cac78c070790f424566aa" + ]; + rp = "niten"; + admin-email = "niten@fudo.org"; + domain = "rus.selby.ca"; + site = "russell"; + profile = "desktop"; }; - zbox = { - description = "Niten's primary desktop."; - }; + zbox = { description = "Niten's primary desktop."; }; }; } diff --git a/config/hosts/clunk.nix b/config/hosts/clunk.nix index c68d5f9..70cdd14 100644 --- a/config/hosts/clunk.nix +++ b/config/hosts/clunk.nix @@ -16,23 +16,22 @@ in { domain = config.fudo.domains.${domain-name}; in { - # FIXME: think about this -- actual network config? enable = true; # NOTE: requests go: # - local bind instance # - pi-hole # - DoH resolver + domain = domain-name; dns-servers = [ primary-ip ]; gateway = primary-ip; dhcp-interfaces = [ "intif0" ]; - dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; + dns-listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; recursive-resolver = "${primary-ip} port 5353"; - server-ip = primary-ip; - domain = "rus.selby.ca"; network = site.network; dhcp-dynamic-network = site.dynamic-network; - hosts = domain.hosts; - + search-domains = [ domain-name "selby.ca" ]; + enable-reverse-mappings = true; + network-definition = config.fudo.networks."rus.selby.ca"; }; networking = { @@ -43,12 +42,11 @@ in { }; interfaces = { + enp1s0.useDHCP = false; enp2s0.useDHCP = false; enp3s0.useDHCP = false; enp4s0.useDHCP = false; - enp1s0.useDHCP = true; - intif0 = { useDHCP = false; ipv4.addresses = [ @@ -132,17 +130,7 @@ in { "hole" ]; - locations."/" = { - proxyPass = "http://127.0.0.1:3080"; - - # extraConfig = '' - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-By $server_addr:$server_port; - # proxy_set_header X-Forwarded-For $remote_addr; - # proxy_set_header X-Forwarded-Proto $scheme; - # ''; - }; + locations."/" = { proxyPass = "http://127.0.0.1:3080"; }; }; }; }; diff --git a/config/networks.nix b/config/networks.nix new file mode 100644 index 0000000..744ee27 --- /dev/null +++ b/config/networks.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +{ + config.fudo.networks = { + "rus.selby.ca" = import ./networks/rus.selby.ca.nix { inherit config lib; }; + "sea.fudo.org" = import ./networks/rus.selby.ca.nix { inherit config lib; }; + }; +} diff --git a/config/networks/fudo.org.nix b/config/networks/fudo.org.nix new file mode 100644 index 0000000..546a5c0 --- /dev/null +++ b/config/networks/fudo.org.nix @@ -0,0 +1,186 @@ +{ config, lib, ... }: + +{ + mx = [ "mail.fudo.org" ]; + + default-host = "208.81.3.117"; + + aliases = { + pop = "mail.fudo.org."; + smtp = "mail.fudo.org."; + imap = "mail.fudo.org."; + webmail = "france.fudo.org."; + + archiva = "france.fudo.org."; + auth = "france.fudo.org."; + backplane = "france.fudo.org."; + chat = "france.fudo.org."; + de = "germany.fudo.org."; + fr = "france.fudo.org."; + git = "france.fudo.org."; + metrics = "france.fudo.org."; + minecraft = "france.fudo.org."; + monitor = "france.fudo.org."; + user = "paris.fudo.org."; + u = "user.fudo.org."; + w = "www.fudo.org."; + ww = "www.fudo.org."; + www = "hanover.fudo.org."; + wiki = "hanover.fudo.org."; + }; + + extra-dns-records = [ + ''@ IN TXT "v=spf1 mx ip4:208.81.3.112/28 ip6:2605:e200:d200::1/48 -all"'' + ''@ IN SPF "v=spf1 mx ip4:208.81.3.112/28 ip6:2605:e200:d200::1/48 -all"'' + ]; + + dmarc-report-address = "dmarc-report@fudo.org"; + + srv-records = { + tcp = { + domain = [ + { + host = "ns1.fudo.org"; + port = 53; + } + { + host = "ns2.fudo.org"; + port = 53; + } + { + host = "ns3.fudo.org"; + port = 53; + } + { + host = "ns4.fudo.org"; + port = 53; + } + ]; + ssh = [{ + host = "france.fudo.org"; + port = 22; + }]; + smtp = [{ + host = "mail.fudo.org"; + port = 25; + }]; + submission = [{ + host = "mail.fudo.org"; + port = 587; + }]; + kerberos = [{ + host = "france.fudo.org"; + port = 88; + }]; + imaps = [{ + host = "mail.fudo.org"; + port = 993; + }]; + ldap = [{ + host = "france.fudo.org"; + port = 389; + }]; + ldaps = [{ + host = "france.fudo.org"; + port = 636; + }]; + pop3s = [{ + host = "mail.fudo.org"; + port = 995; + }]; + http = [{ + host = "wiki.fudo.org"; + port = 80; + }]; + https = [{ + host = "wiki.fudo.org"; + port = 80; + }]; + xmpp-server = [{ + host = "fudo.im"; + port = 5269; + }]; + xmpp-client = [{ + host = "fudo.im"; + port = 5222; + }]; + }; + udp = { + domain = [ + { + host = "ns1.fudo.org"; + port = 53; + } + { + host = "ns2.fudo.org"; + port = 53; + } + { + host = "ns3.fudo.org"; + port = 53; + } + { + host = "ns4.fudo.org"; + port = 53; + } + ]; + kerberos = [{ + host = "france.fudo.org"; + port = 88; + }]; + kerberos-master = [{ + host = "france.fudo.org"; + port = 88; + }]; + kpasswd = [{ + host = "france.fudo.org"; + port = 464; + }]; + xmpp-server = [{ + host = "fudo.im"; + port = 5269; + }]; + }; + }; + + hosts = { + cisco = { ipv4-address = "198.163.150.211"; }; + cisco-int = { ipv4-address = "10.73.77.10"; }; + cupid = { ipv4-address = "208.38.36.100"; }; + docker = { ipv4-address = "208.81.3.126"; }; + france = { ipv4-address = "208.81.3.117"; }; + frankfurt = { + ipv4-address = "208.81.3.120"; + ipv6-address = "2605:e200:d200:1:5054:ff:fe8c:9738"; + }; + germany = { + ipv4-address = "208.81.3.116"; + ipv6-address = "2605:e200:d200:1:78d9:d8ff:fe0f:dd88"; + }; + hanover = { + ipv4-address = "208.81.1.130"; + ipv6-address = "2605:e200:d100:1:5054:ff:fe61:ac8b"; + }; + localhost = { ipv4-address = "127.0.0.1"; }; + lsbb-gba = { ipv4-address = "199.101.56.34"; }; + lsbb-abg = { ipv4-address = "199.101.56.38"; }; + lsbb-hwd = { ipv4-address = "199.101.56.106"; }; + lsbb-hcl = { ipv4-address = "199.101.56.110"; }; + procul = { ipv4-address = "172.86.179.18"; }; + prunel = { ipv4-address = "208.81.3.123"; }; + mbix = { ipv4-address = "208.81.7.146"; }; + ns3-fudo = { ipv4-address = "208.75.74.205"; }; + ns3-dair = { ipv4-address = "208.75.74.205"; }; + ns4-fudo = { ipv4-address = "208.75.75.157"; }; + ns4-dair = { ipv4-address = "208.75.75.157"; }; + paris = { + ipv4-address = "208.81.3.125"; + ipv6-address = "2605:e200:d200:1:5054:ff:fe67:d0c1"; + }; + probe = { ipv4-address = "208.81.3.119"; }; + tours = { + ipv4-address = "208.81.3.121"; + ipv6-address = "2605:e200:d200:1:5054:ff:fe95:34e5"; + }; + }; +} diff --git a/config/local-network/rus.selby.ca.nix b/config/networks/rus.selby.ca.nix similarity index 73% rename from config/local-network/rus.selby.ca.nix rename to config/networks/rus.selby.ca.nix index 1478037..d97e413 100644 --- a/config/local-network/rus.selby.ca.nix +++ b/config/networks/rus.selby.ca.nix @@ -1,12 +1,52 @@ +{ config, lib, ... }: + let local-domain = "rus.selby.ca"; + in { - domain = "${local-domain}"; + default-host = "10.0.0.1"; - network = "10.0.0.0/16"; + mx = [ "mail.fudo.org" ]; - dhcp-dynamic-network = "10.0.1.0/24"; + gssapi-realm = "FUDO.ORG"; - enable-reverse-mappings = true; + hosts = { + clunk = { + ipv4-address = "10.0.0.1"; + mac-address = "02:44:d1:eb:c3:6b"; + }; + + dns-proxy = { + ipv4-address = "10.0.0.2"; + # This is just an alias for clunk's primary interface + }; + + google-wifi = { + ipv4-address = "10.0.0.11"; + mac-address = "70:3a:cb:c0:3b:09"; + }; + + pselby-work = { + ipv4-address = "10.0.0.151"; + mac-address = "00:50:b6:aa:bd:b3"; + }; + + downstairs-desktop = { + ipv4-address = "10.0.0.100"; + mac-address = "90:b1:1c:8e:29:cf"; + }; + + upstairs-desktop = { + ipv4-address = "10.0.0.101"; + mac-address = "80:e8:2c:22:65:c2"; + }; + }; + + aliases = { + dns-hole = "clunk"; + gateway = "clunk"; + upstairs = "upstairs-desktop"; + downstairs = "downstairs-desktop"; + }; srv-records = { tcp = { @@ -47,38 +87,4 @@ in { }]; }; }; - - aliases = { dns-hole = "clunk"; }; - - hosts = { - clunk = { - ip-address = "10.0.0.1"; - mac-address = "02:44:d1:eb:c3:6b"; - }; - - dns-proxy = { - ip-address = "10.0.0.2"; - # This is just an alias for clunk's primary interface - }; - - google-wifi = { - ip-address = "10.0.0.11"; - mac-address = "70:3a:cb:c0:3b:09"; - }; - - pselby-work = { - ip-address = "10.0.0.151"; - mac-address = "00:50:b6:aa:bd:b3"; - }; - - downstairs-desktop = { - ip-address = "10.0.0.100"; - mac-address = "90:b1:1c:8e:29:cf"; - }; - - upstairs-desktop = { - ip-address = "10.0.0.101"; - mac-address = "80:e8:2c:22:65:c2"; - }; - }; } diff --git a/config/local-network/sea.fudo.org.nix b/config/networks/sea.fudo.org.nix similarity index 100% rename from config/local-network/sea.fudo.org.nix rename to config/networks/sea.fudo.org.nix diff --git a/config/profiles/server.nix b/config/profiles/server.nix index 9d1eb6f..477712e 100644 --- a/config/profiles/server.nix +++ b/config/profiles/server.nix @@ -48,7 +48,7 @@ in { emacs-nox ldns ldns.examples - jdk14_headless + jdk12_headless racket-minimal reboot-if-necessary test-config diff --git a/configuration.nix b/configuration.nix index 92d48ab..ecf4d52 100644 --- a/configuration.nix +++ b/configuration.nix @@ -13,7 +13,7 @@ in { domain = local.domain; home-manager-package = builtins.fetchGit { url = "https://github.com/nix-community/home-manager.git"; - ref = "release-20.09"; + ref = "release-20.03"; }; }) ]; diff --git a/lib/default.nix b/lib/default.nix index 3620f53..bad6bcf 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -29,6 +29,7 @@ with lib; { ./fudo/mail-container.nix ./fudo/minecraft-server.nix ./fudo/netinfo-email.nix + ./fudo/networks.nix ./fudo/node-exporter.nix ./fudo/password.nix ./fudo/postgres.nix diff --git a/lib/fudo/dns.nix b/lib/fudo/dns.nix index fda7e41..af7ed49 100644 --- a/lib/fudo/dns.nix +++ b/lib/fudo/dns.nix @@ -123,6 +123,9 @@ in { $TTL 6h + ${optionalString (dom-cfg.gssapi-realm != null) + ''_kerberos IN TXT "${dom-cfg.gssapi-realm}"''} + ${nsRecords dom cfg.nameservers} ${join-lines (mapAttrsToList hostRecords cfg.nameservers)} diff --git a/lib/fudo/domains.nix b/lib/fudo/domains.nix index 08ef16e..5575f53 100644 --- a/lib/fudo/domains.nix +++ b/lib/fudo/domains.nix @@ -33,8 +33,8 @@ let local-groups = mkOption { type = with types; listOf str; - description = "List of groups which should exist within this domain."; - default = [ ]; + description = "List of groups which should exist within this domain."; + default = [ ]; }; admin-email = mkOption { diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix index 2a3c76b..0465608 100644 --- a/lib/fudo/hosts.nix +++ b/lib/fudo/hosts.nix @@ -3,7 +3,7 @@ with lib; let hostOpts = { hostname, ... }: { - options = { + options = with types; { hostname = mkOption { type = types.str; description = "Hostname (without domain name)."; @@ -23,7 +23,7 @@ let }; local-networks = mkOption { - type = with types; listof str; + type = listof str; description = "A list of networks to be considered trusted by this host."; default = [ "127.0.0.0/8" ]; @@ -31,25 +31,19 @@ let profile = mkOption { # FIXME: get this list from profiles directly - type = with types; listof (enum "desktop" "laptop" "server"); + type = listof (enum "desktop" "laptop" "server"); description = "The profile to be applied to the host, determining what software is included."; }; admin-email = mkOption { - type = with types; nullOr str; + type = nullOr str; description = "Email for the administrator of this host."; default = null; }; - hardware-configuration = mkOption { - type = types.attrs; - description = - "The hardware configuration of the host (i.e. the contents of hardware-configuration.nix)"; - }; - local-users = mkOption { - type = with types; listOf str; + type = listOf str; description = "List of users who should have local (i.e. login) access to the host."; default = [ ]; @@ -62,25 +56,20 @@ let }; local-admins = mkOption { - type = with types; listOf str; + type = listOf str; description = "A list of users who should have admin access to this host."; default = [ ]; }; local-groups = mkOption { - type = with types; listOf str; + type = listOf str; description = "List of groups which should exist on this host."; default = [ ]; }; - hardware-config = mkOption { - type = types.str; - description = "Path to the hardware configuration for this host."; - }; - ssh-fingerprints = mkOption { - type = with types; listOf str; + type = listOf str; description = '' A list of DNS SSHFP records for this host. ''; @@ -88,7 +77,7 @@ let }; rp = mkOption { - type = with types; nullOr str; + type = nullOr str; description = "Responsible person."; default = null; }; @@ -100,11 +89,12 @@ let }; in { - options.fudo.hosts = mkOption { - type = with types; attrsOf (submodule hostOpts); - description = "Host configurations for all hosts known to the system."; - default = { }; - }; + options.fudo.hosts = with types; + mkOption { + type = attrsOf (submodule hostOpts); + description = "Host configurations for all hosts known to the system."; + default = { }; + }; config = let hostname = config.instance.hostname; diff --git a/lib/fudo/local-network.nix b/lib/fudo/local-network.nix index 203ae80..baf2d20 100644 --- a/lib/fudo/local-network.nix +++ b/lib/fudo/local-network.nix @@ -12,12 +12,6 @@ let traceout = out: builtins.trace out out; - hosts = let - existingHosts = filterAttrs (host: hostOpts: hasAttr host cfg.fudo.hosts) - cfg.network-definition.hosts; - in mapAttrs (host: hostAttrs: hostAttrs // cfg.fudo.hosts.${host}) - existingHosts; - in { options.fudo.local-network = with types; { @@ -31,7 +25,7 @@ in { dns-servers = mkOption { type = listOf str; - description = "A list of domain name servers to pass to local clients.."; + description = "A list of domain name servers to pass to local clients."; }; dhcp-interfaces = mkOption { @@ -74,12 +68,7 @@ in { recursive-resolver = mkOption { type = str; description = "DNS nameserver to use for recursive resolution."; - default = "1.1.1.1"; - }; - - dns-server-ip = mkOption { - type = str; - description = "IP of the DNS server."; + default = "1.1.1.1 port 53"; }; search-domains = mkOption { @@ -89,15 +78,18 @@ in { default = [ ]; }; - network-definition = mkOption { - type = - submodule (import ../types/network-definition.nix { inherit lib; }); - description = "Definition of network to be served by local server."; - }; + network-definition = + let networkOpts = import ../types/network-definition.nix { inherit lib; }; + in mkOption { + type = submodule networkOpts; + description = "Definition of network to be served by local server."; + default = { }; + }; }; config = mkIf cfg.enable { - services.dhcpd4 = { + services.dhcpd4 = let network = cfg.network-definition; + in { enable = true; machines = mapAttrsToList (hostname: hostOpts: { @@ -105,7 +97,8 @@ in { hostName = hostname; ipAddress = hostOpts.ipv4-address; }) (filterAttrs (host: hostOpts: - hostOpts.mac-address != null && hostOpts.ipv4-address != null) hosts); + hostOpts.mac-address != null && hostOpts.ipv4-address != null) + network.hosts); interfaces = cfg.dhcp-interfaces; @@ -137,7 +130,7 @@ in { file = let # We should add these...but need a domain to assign them to. # ip-last-el = ip: toInt (last (splitString "." ip)); - # used-els = map (host-data: ip-last-el host-data.ip-address) hosts-data; + # used-els = map (host-data: ip-last-el host-data.ipv4-address) hosts-data; # unused-els = subtractLists used-els (map toString (range 1 255)); in pkgs.writeText "db.${block}-zone" '' @@ -160,22 +153,31 @@ in { ipToBlock = ip: concatStringsSep "." (reverseList (take 3 (splitString "." ip))); compactHosts = - mapAttrsToList (host: data: data // { host = host; }) hosts; + mapAttrsToList (host: data: data // { host = host; }) network.hosts; hostsByBlock = - groupBy (host-data: ipToBlock host-data.ip-address) compactHosts; + groupBy (host-data: ipToBlock host-data.ipv4-address) compactHosts; hostPtrRecord = host-data: "${ - last (splitString "." host-data.ip-address) + last (splitString "." host-data.ipv4-address) } IN PTR ${host-data.host}.${cfg.domain}."; blockZones = mapAttrsToList blockHostsToZone hostsByBlock; - hostARecord = host: data: "${host} IN A ${data.ip-address}"; + hostARecord = host: data: "${host} IN A ${data.ipv4-address}"; hostSshFpRecords = host: data: - join-lines - (map (sshfp: "${host} IN SSHFP ${sshfp}") data.ssh-fingerprints); + let + ssh-fingerprints = if (hasAttr host known-hosts) then + known-hosts.${host}.ssh-fingerprints + else + [ ]; + in join-lines + (map (sshfp: "${host} IN SSHFP ${sshfp}") ssh-fingerprints); cnameRecord = alias: host: "${alias} IN CNAME ${host}"; + network = cfg.network-definition; + + known-hosts = config.fudo.hosts; + in { enable = true; cacheNetworks = [ cfg.network "localhost" "localnets" ]; @@ -207,12 +209,17 @@ in { $TTL 30m - ns1 IN A ${cfg.server-ip} - ${join-lines (mapAttrsToList hostARecord cfg.hosts)} - ${join-lines (mapAttrsToList hostSshFpRecords cfg.hosts)} - ${join-lines (mapAttrsToList cnameRecord cfg.aliases)} - ${join-lines cfg.extra-dns-records} - ${dns.srvRecordsToBindZone cfg.srv-records} + ${optionalString (network.gssapi-realm != null) + ''_kerberos IN TXT "${network.gssapi-realm}"''} + + ${join-lines + (imap1 (i: server-ip: "ns${toString i} IN A ${server-ip}") + cfg.dns-servers)} + ${join-lines (mapAttrsToList hostARecord network.hosts)} + ${join-lines (mapAttrsToList hostSshFpRecords network.hosts)} + ${join-lines (mapAttrsToList cnameRecord network.aliases)} + ${join-lines network.verbatim-dns-records} + ${dns.srvRecordsToBindZone network.srv-records} ''; }] ++ blockZones; }; diff --git a/lib/fudo/networks.nix b/lib/fudo/networks.nix new file mode 100644 index 0000000..aa2fe1a --- /dev/null +++ b/lib/fudo/networks.nix @@ -0,0 +1,13 @@ +{ config, lib, pkgs, ... }: + +with lib; +with types; +let networkOpts = import ../types/network-definition.nix { inherit lib; }; + +in { + options.fudo.networks = mkOption { + type = attrsOf (submodule networkOpts); + description = "A map of networks to network definitions."; + default = { }; + }; +} diff --git a/lib/fudo/networks/rus.selby.ca.nix b/lib/fudo/networks/rus.selby.ca.nix new file mode 100644 index 0000000..3d5d744 --- /dev/null +++ b/lib/fudo/networks/rus.selby.ca.nix @@ -0,0 +1,86 @@ +{ config, lib, ... }: + +{ + default-host = "10.0.0.1"; + + mx = [ "mail.fudo.org" ]; + + hosts = { + clunk = { + ipv4-address = "10.0.0.1"; + mac-address = "02:44:d1:eb:c3:6b"; + }; + + dns-proxy = { + ipv4-address = "10.0.0.2"; + # This is just a second IP on clunk, for the pihole + }; + + google-wifi = { + ipv4-address = "10.0.0.11"; + mac-address = "70:3a:cb:c0:3b:09"; + }; + + pselby-work = { + ipv4-address = "10.0.0.151"; + mac-address = "00:50:b6:aa:bd:b3"; + }; + + downstairs-desktop = { + ipv4-address = "10.0.0.100"; + mac-address = "90:b1:1c:8e:29:cf"; + }; + + upstairs-desktop = { + ipv4-address = "10.0.0.101"; + mac-address = "80:e8:2c:22:65:c2"; + }; + }; + + aliases = { + dns-hole = "clunk"; + gateway = "clunk"; + upstairs = "upstairs-desktop"; + downstairs = "downstairs-desktop"; + }; + + srv-records = { + tcp = { + domain = [{ + port = 53; + host = "clunk.${local-domain}"; + }]; + kerberos = [{ + port = 88; + host = "france.fudo.org"; + }]; + kerberos-adm = [{ + port = 88; + host = "france.fudo.org"; + }]; + ssh = [{ + port = 22; + host = "clunk.${local-domain}"; + }]; + }; + + udp = { + domain = [{ + port = 53; + host = "clunk.${local-domain}"; + }]; + kerberos = [{ + port = 88; + host = "france.fudo.org"; + }]; + kerboros-master = [{ + port = 88; + host = "france.fudo.org"; + }]; + kpasswd = [{ + port = 464; + host = "france.fudo.org"; + }]; + }; + }; +} diff --git a/lib/fudo/networks/sea.fudo.org.nix b/lib/fudo/networks/sea.fudo.org.nix new file mode 100644 index 0000000..68e017b --- /dev/null +++ b/lib/fudo/networks/sea.fudo.org.nix @@ -0,0 +1,214 @@ +{ config, lib, ... }: + +{ + default-host = "10.0.0.1"; + + mx = [ "mail.fudo.org" ]; + + aliases = { + kadmin = "nostromo"; + kdc = "nostromo"; + photo = "doraemon"; + music = "doraemon"; + panopticon = "lambda"; + panopticon-od = "lambda"; + ipfs = "nostromo"; + hole = "nostromo"; + pihole = "nostromo"; + dns-hole = "nostromo"; + mon-1 = "srv-1"; + }; + + srv-records = { + tcp = { + domain = [{ + port = 53; + host = "nostromo.sea.fudo.org"; + }]; + kerberos = [{ + port = 88; + host = "france.fudo.org"; + }]; + kerberos-adm = [{ + port = 88; + host = "france.fudo.org"; + }]; + ssh = [{ + port = 22; + host = "nostromo.sea.fudo.org"; + }]; + ldap = [{ + port = 389; + host = "france.fudo.org"; + }]; + }; + + udp = { + domain = [{ + port = 53; + host = "nostromo.sea.fudo.org"; + }]; + kerberos = [{ + port = 88; + host = "france.fudo.org"; + }]; + kerboros-master = [{ + port = 88; + host = "france.fudo.org"; + }]; + kpasswd = [{ + port = 464; + host = "france.fudo.org"; + }]; + }; + }; + + hosts = { + nostromo = { + ip-address = "10.0.0.1"; + mac-address = "46:54:76:06:f1:10"; + }; + lm = { + ip-address = "10.0.0.2"; + mac-address = "00:23:7d:e6:d9:ea"; + }; + lambda = { + ip-address = "10.0.0.3"; + mac-address = "02:50:f6:52:9f:9d"; + }; + switch-master = { + ip-address = "10.0.0.5"; + mac-address = "00:14:1C:B6:BB:40"; + }; + google-wifi = { + ip-address = "10.0.0.7"; + mac-address = "7C:D9:5C:9F:6F:E9"; + }; + cam-entrance = { + ip-address = "10.0.0.31"; + mac-address = "9c:8e:cd:0e:99:7b"; + }; + cam-driveway = { + ip-address = "10.0.0.32"; + mac-address = "9c:8e:cd:0d:3b:09"; + }; + cam-deck = { + ip-address = "10.0.0.33"; + mac-address = "9c:8e:cd:0e:98:c8"; + }; + cargo = { + ip-address = "10.0.0.50"; + mac-address = "00:11:32:75:d8:b7"; + }; + whitedwarf = { + ip-address = "10.0.0.51"; + mac-address = "00:11:32:12:14:1d"; + }; + doraemon = { + ip-address = "10.0.0.52"; + mac-address = "00:11:32:0a:06:c5"; + }; + android = { + ip-address = "10.0.0.81"; + mac-address = "00:16:3e:43:39:fc"; + }; + retro-wired = { + ip-address = "10.0.0.82"; + mac-address = "dc:a6:32:6b:57:43"; + }; + retro = { + ip-address = "10.0.0.83"; + mac-address = "dc:a6:32:6b:57:45"; + }; + monolith = { + ip-address = "10.0.0.100"; + mac-address = "6c:62:6d:c8:b0:d8"; + }; + taipan = { + ip-address = "10.0.0.107"; + mac-address = "52:54:00:34:c4:78"; + }; + spark = { + ip-address = "10.0.0.108"; + mac-address = "78:24:af:04:f7:dd"; + }; + hyperion = { + ip-address = "10.0.0.109"; + mac-address = "52:54:00:33:46:de"; + }; + zbox = { + ip-address = "10.0.0.110"; + mac-address = "02:dd:80:52:83:9b"; + }; + ubiquiti-wifi = { + ip-address = "10.0.0.126"; + mac-address = "04:18:d6:20:48:fb"; + }; + generator-wireless = { + ip-address = "10.0.0.130"; + mac-address = "B8:27:EB:A6:32:26"; + }; + brother-wireless = { + ip-address = "10.0.0.160"; + mac-address = "c0:38:96:64:49:65"; + }; + nest = { + ip-address = "10.0.0.176"; + mac-address = "18:b4:30:16:7c:5a"; + }; + xixi-phone = { + ip-address = "10.0.0.193"; + mac-address = "48:43:7c:75:89:42"; + }; + ipad = { + ip-address = "10.0.0.202"; + mac-address = "9c:35:eb:48:6e:71"; + }; + cam-front = { + ip-address = "10.0.0.203"; + mac-address = "c4:d6:55:3e:b4:c3"; + }; + family-tv = { + ip-address = "10.0.0.205"; + mac-address = "84:a4:66:3a:b1:f8"; + }; + babycam = { + ip-address = "10.0.0.206"; + mac-address = "08:ea:40:59:5f:9e"; + }; + workphone = { + ip-address = "10.0.0.211"; + mac-address = "a8:8e:24:5c:12:67"; + }; + chromecast-2 = { + ip-address = "10.0.0.215"; + mac-address = "a4:77:33:59:a2:ba"; + }; + front-light = { + ip-address = "10.0.0.221"; + mac-address = "94:10:3e:48:94:ed"; + }; + + # Ceph network + srv-1 = { + ip-address = "10.0.10.1"; + mac-address = "02:65:d7:00:7d:1b"; + }; + node-1 = { + ip-address = "10.0.10.101"; + mac-address = "00:1e:06:36:81:cf"; + }; + node-2 = { + ip-address = "10.0.10.102"; + mac-address = "00:1e:06:36:ec:3e"; + }; + node-3 = { + ip-address = "10.0.10.103"; + mac-address = "00:1e:06:36:ec:4b"; + }; + node-4 = { + ip-address = "10.0.10.104"; + mac-address = "00:1e:06:36:dd:8c"; + }; + }; +} diff --git a/lib/types/network-definition.nix b/lib/types/network-definition.nix index b3681e7..7fe2304 100644 --- a/lib/types/network-definition.nix +++ b/lib/types/network-definition.nix @@ -7,6 +7,7 @@ let service = { type = str; description = "Service name of SRV record."; + default = service; }; priority = mkOption { @@ -15,6 +16,13 @@ let default = 0; }; + weight = mkOption { + type = int; + description = + "Weight to give this record, among records of equivalent priority."; + default = 5; + }; + port = mkOption { type = port; description = "Port for service on this host."; @@ -29,7 +37,7 @@ let }; }; - hostOpts = { hostname, ... }: { + networkHostOpts = { hostname, ... }: { options = with types; { hostname = mkOption { type = str; @@ -40,22 +48,18 @@ let ipv4-address = mkOption { type = nullOr str; - description = '' - The V4 IP of a given host, if any. - ''; + description = "The V4 IP of a given host, if any."; default = null; }; ipv6-address = mkOption { type = nullOr str; - description = '' - The V6 IP of a given host, if any. - ''; + description = "The V6 IP of a given host, if any."; default = null; }; mac-address = mkOption { - type = with types; nullOr types.str; + type = nullOr types.str; description = "The MAC address of a given host, if desired for IP reservation."; default = null; @@ -65,16 +69,22 @@ let in { options = with types; { - hosts = { - type = attrsOf networkHostOpts; + hosts = mkOption { + type = attrsOf (submodule networkHostOpts); description = "Hosts on the local network, with relevant settings."; + example = { + my-host = { + ipv4-address = "192.168.0.1"; + mac-address = "aa:aa:aa:aa:aa"; + }; + }; default = { }; }; - srv-records = { - type = attrsOf (attrsOf (listOf (submodule protocolSrvRecords))); + srv-records = mkOption { + type = attrsOf (attrsOf (listOf (submodule srvRecordOpts))); description = "SRV records for the network."; - default = { + example = { tcp = { kerberos = { port = 88; @@ -82,6 +92,7 @@ in { }; }; }; + default = { }; }; aliases = mkOption { @@ -121,5 +132,11 @@ in { description = "A list of mail servers serving this domain."; default = [ ]; }; + + gssapi-realm = mkOption { + type = nullOr str; + description = "Kerberos GSSAPI realm of the network."; + default = null; + }; }; }