From 735b44eb7a3ef0966076b39c00c347f5286b814c Mon Sep 17 00:00:00 2001
From: Niten
Date: Wed, 21 Apr 2021 10:34:46 -0700
Subject: [PATCH] Strip down nostromo for nixops deploy & new config
---
 config/hardware/nostromo.nix | 10 ---
 config/host-config/limina.nix | 2 +
 config/host-config/nostromo.nix | 146 +++-----------------------------
 config/host-config/procul.nix | 40 ++++-----
 config/hosts/lambda.nix | 2 +
 config/hosts/nostromo.nix | 2 +-
 lib/fudo/secrets.nix | 5 +-
 nixops/seattle.nix | 1 +
 8 files changed, 41 insertions(+), 167 deletions(-)
diff --git a/config/hardware/nostromo.nix b/config/hardware/nostromo.nix
index 7345673..85cd507 100644
--- a/config/hardware/nostromo.nix
+++ b/config/hardware/nostromo.nix
@@ -46,11 +46,6 @@
 interface = "eno1";
 mode = "bridge";
 };
-
- extif0 = {
- interface = "eno2";
- mode = "bridge";
- };
 };
 interfaces = {
@@ -58,11 +53,6 @@
 # output of: echo nostromo-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
 macAddress = "02:14:25:55:ee:5a";
 };
-
- extif0 = {
- # echo nostromo-extif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
- macAddress = "02:cf:d7:de:f9:ad";
- };
 };
 };
 }
diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix
index 6d6f80a..1e9986c 100644
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@@ -163,6 +163,8 @@ in {
 security.acme.certs."sea-camera.fudo.link".email = "niten@fudo.org";
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
 services = {
 nginx = {
 enable = true;
diff --git a/config/host-config/nostromo.nix b/config/host-config/nostromo.nix
index deabe7d..94591ea 100644
--- a/config/host-config/nostromo.nix
+++ b/config/host-config/nostromo.nix
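Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens both ports on every interface of limina, not only on the one that should serve the `sea-camera.fudo.link` vhost whose ACME cert sits just above it. If limina is now taking over the gateway role that nostromo gives up in this commit, exposing 80/443 on the external side is presumably intended for ACME and the nginx proxy, but a comment stating that would help, e.g. `# 80/443: ACME challenges and the public nginx vhosts`. If only one side should be reachable, `networking.firewall.interfaces.<iface>.allowedTCPPorts` scopes the rule to a single interface. The enclosing attribute set starts outside the hunk.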
@@ -1,41 +1,8 @@
 { config, lib, pkgs, ... }:
-let
- primary-ip = "10.0.0.1";
- dns-proxy-ip = "10.0.0.5";
-
-in {
- fudo.local-network = let
- hostname = config.instance.hostname;
- site-name = config.fudo.hosts.${hostname}.site;
- site = config.fudo.site.${site-name};
-
- in {
- enable = true;
- dns-servers = site.dns-servers;
- gateway = site.gateway;
- dhcp-interfaces = [ "intif0" ];
- dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
- recursive-resolver = "${primary-ip} port 5353";
- server-ip = primary-ip;
- };
-
- fudo.slynk.enable = true;
-
- # systemd.network.networks.eno2 = {
- # extraConfig = {
- # IPv6AcceptRA = true;
- # IPv6PrefixDelegation = "dhcpv6";
- # };
- # };
+with lib; {
 networking = {
- # dhcpd.extraConfig = ''
- # interface eno2
- # ia_na 1
- # ia_pd 2 eno2/0
- # '';
-
 eno1.useDHCP = false;
 eno2.useDHCP = false;
 eno3.useDHCP = false;
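Review bot: `with lib; {` is introduced in place of the removed `in {`, but nothing on the new side of either hunk in this file uses a `lib` name — the remaining attributes (`networking`, `fudo`, `virtualization`) are literal values plus `config.fudo.client.dns.user` and `pkgs.qemu_kvm`. A file-level `with lib;` only widens the scope in which unqualified names resolve and makes later typos silently pick up lib bindings, so keep a plain `{` here unless a later hunk actually needs it. The file continues in the second hunk of this section.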
@@ -45,125 +12,32 @@ in {
 enp9s0f0.useDHCP = false;
 enp9s0f1.useDHCP = false;
- intif0 = {
- useDHCP = false;
- ipv4.addresses = [
- {
- address = primary-ip;
- prefixLength = 22;
- }
- {
- address = dns-proxy-ip;
- prefixLength = 32;
- }
- ];
- };
-
- extif0 = { useDHCP = true; };
-
- nat = {
- enable = true;
- externalInterface = "extif0";
- internalInterfaces = [ "intif0" ];
- };
+ intif0 = { useDHCP = true; };
 };
 fudo = {
+ secrets.backplane-client-nostromo-passwd = {
+ source-file = /srv/secrets/backplane-client/nostromo.passwd;
+ target-file = "/srv/backplane/dns/client.passwd";
+ target-host = "nostromo";
+ user = config.fudo.client.dns.user;
+ };
+
 client.dns = {
 enable = true;
- ipv4 = true;
+ ipv4 = false;
 ipv6 = true;
 user = "fudo-client";
 external-interface = "extif0";
 password-file = "/srv/client/secure/client.passwd";
 };
-
- secure-dns-proxy = {
- enable = true;
- port = 3535;
- upstream-dns =
- [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
- bootstrap-dns = "1.1.1.1";
- listen-ips = [ dns-proxy-ip ];
- };
 };
 virtualization = {
- docker = {
- enable = true;
- autoPrune.enable = true;
- enableOnBoot = true;
- };
-
 libvirtd = {
 enable = true;
 qemuPackage = pkgs.qemu_kvm;
 onShutdown = "shutdown";
 };
 };
-
- docker-containers = {
- pihole = {
- image = "pihole/pihole:4.3.2-1";
- ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
- environment = {
- ServerIP = primary-ip;
- VIRTUAL_HOST = "dns-hole.sea.fudo.org";
- DNS1 = dns-proxy-ip;
- };
- volumes = [
- "/srv/pihole/etc-pihole/:/etc/pihole/"
- "/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
- ];
- };
- };
-
- security.acme.certs = {
- "sea-camera.fudo.link".email = "niten@fudo.org";
- "sea-camera-od.fudo.link".email = "niten@fudo.org";
- };
-
- services = {
- nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
-
- virtualHosts = {
- "sea-camera.fudo.link" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://panopticon.sea.fudo.org/";
- extraConfig = ''
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- '';
- };
- };
-
- # Supposed to be for object detection...
- "sea-camera-od.fudo.link" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://panopticon-od.sea.fudo.org/";
- extraConfig = ''
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- '';
- };
- };
-
- "pihole.sea.fudo.org" = {
- serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ];
- locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
- };
- };
- };
- };
 }
diff --git a/config/host-config/procul.nix b/config/host-config/procul.nix
index 5179594..173a83c 100644
--- a/config/host-config/procul.nix
+++ b/config/host-config/procul.nix
@@ -65,19 +65,28 @@ in {
 path = "/home/viator/gemini-public/feed/";
 url = "gemini://informis.land/user/viator/feed/";
 };
- };
+ };
 };
 fudo = {
 hosts.procul.external-interfaces = [ "extif0" ];
-
+
+ secrets = {
+ backplane-client-limina-passwd = {
+ source-file = /srv/secrets/backplane-client/procul.passwd;
+ target-file = "/srv/backplane/dns/client.passwd";
+ target-host = "procul";
+ user = config.fudo.client.dns.user;
+ };
+ };
+
 client.dns = {
 enable = true;
 ipv4 = true;
 ipv6 = true;
 user = "fudo-client";
 external-interface = "extif0";
- password-file = "/srv/client/secure/client.passwd";
+ password-file = "/srv/backplane/dns/client.passwd";
 };
 auth.kdc = {
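Review bot: `client.dns` keeps `external-interface = "extif0";` and `password-file = "/srv/client/secure/client.passwd";`, yet this commit removes the `extif0` bridge and interface from config/hardware/nostromo.nix and the `extif0 = { useDHCP = true; };` entry here, leaving `intif0` as the only interface, and the new `secrets.backplane-client-nostromo-passwd` writes to `/srv/backplane/dns/client.passwd` — procul.nix in the same commit moves its `password-file` to that path, nostromo does not. As written the DNS client points at an interface that no longer exists and reads a password file the secret never populates; suggested `external-interface = "intif0";` (or whichever interface now carries the address to publish) and `password-file = "/srv/backplane/dns/client.passwd";`. Separately, `intif0` is now DHCP-only with no static address while nixops/seattle.nix deploys to `10.0.0.10`, which only holds if a DHCP reservation for nostromo's MAC exists outside this repo — worth a comment on the `intif0` line.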
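Review bot: The new secret is named `backplane-client-limina-passwd` although its `source-file` is `procul.passwd` and `target-host = "procul"`; the nostromo counterpart added in this commit is `backplane-client-nostromo-passwd`, so this reads as a copy-paste slip. Rename it `backplane-client-procul-passwd` so per-host secret names stay unique and the generated unit/script names (`prepare-${name}-secret-dir.sh` in lib/fudo/secrets.nix) identify the host they belong to. The enclosing `in {` set starts outside the hunk.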
@@ -152,27 +161,21 @@ in {
 };
 # This should NOT include the primary domain
- local-domains = [
- host-fqdn
- "smtp.${domain}"
- ];
+ local-domains = [ host-fqdn "smtp.${domain}" ];
 mail-directory = "/srv/mailserver/mail";
 state-directory = "/srv/mailserver/state";
- trusted-networks = [
- "172.86.179.16/29"
- "127.0.0.0/16"
- ];
+ trusted-networks = [ "172.86.179.16/29" "127.0.0.0/16" ];
 alias-users = {
- root = ["niten"];
- postmaster = ["niten"];
- hostmaster = ["niten"];
- webmaster = ["niten"];
- system = ["niten"];
- admin = ["niten"];
- dmarc-report = ["niten"];
+ root = [ "niten" ];
+ postmaster = [ "niten" ];
+ hostmaster = [ "niten" ];
+ webmaster = [ "niten" ];
+ system = [ "niten" ];
+ admin = [ "niten" ];
+ dmarc-report = [ "niten" ];
 };
 };
@@ -206,7 +209,6 @@ in {
 hostname = "git.informis.land";
 site-name = "informis git";
 user = "gituser";
- # admin-email = "viator@informis.land";
 repository-dir = /srv/git/repo;
 state-dir = /srv/git/state;
 database = {
diff --git a/config/hosts/lambda.nix b/config/hosts/lambda.nix
index 46758ee..7f53fc0 100644
--- a/config/hosts/lambda.nix
+++ b/config/hosts/lambda.nix
@@ -12,4 +12,6 @@
 domain = "sea.fudo.org";
 site = "seattle";
 profile = "server";
+ ssh-pubkey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvgQsinDcoBZzneroy0QsCJUdiT8KdcI0YKWbSc++w8";
 }
diff --git a/config/hosts/nostromo.nix b/config/hosts/nostromo.nix
index a5992d8..ec31984 100644
--- a/config/hosts/nostromo.nix
+++ b/config/hosts/nostromo.nix
@@ -1,5 +1,5 @@
 {
- description = "sea.fudo.org gateway box and primary server.";
+ description = "sea.fudo.org primary server.";
 docker-server = true;
 ssh-fingerprints = [
 "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"
diff --git a/lib/fudo/secrets.nix b/lib/fudo/secrets.nix
index b26f091..8073d99 100644
--- a/lib/fudo/secrets.nix
+++ b/lib/fudo/secrets.nix
@@ -35,12 +35,15 @@ let
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 Type = "oneshot";
- ExecStartPre = pkgs.writeShellScript "prepare-secrets-dir.sh" ''
+ ExecStartPre = pkgs.writeShellScript "prepare-${name}-secret-dir.sh" ''
 TARGET_DIR=$(dirname ${target-file})
 if [[ ! -d "$TARGET_DIR" ]]; then
 mkdir -p "$TARGET_DIR"
 fi
 '';
+ ExecStop = pkgs.writeShellScript "clear-${name}-secret.sh" ''
+ rm -f ${target-file}
+ '';
 ExecStart = let
 decrypt-keys = filter (key: key.type == key-type) config.services.openssh.hostKeys;
diff --git a/nixops/seattle.nix b/nixops/seattle.nix
index 338b546..36b1ba9 100644
--- a/nixops/seattle.nix
+++ b/nixops/seattle.nix
@@ -10,6 +10,7 @@ in {
 limina = define-host "10.0.0.1" "limina";
 lambda = define-host "10.0.0.11" "lambda";
+ nostromo = define-host "10.0.0.10" "nostromo";
 plato = define-host "10.0.0.21" "plato";
 spark = define-host "10.0.0.108" "spark";
 zbox = define-host "10.0.0.110" "zbox";
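Review bot: The new `ExecStop` deletes the decrypted secret, but `serviceConfig` is `Type = "oneshot"` and no `RemainAfterExit` is visible in the hunk; without `RemainAfterExit = true` systemd treats a oneshot unit as stopped as soon as `ExecStart` returns and runs `ExecStop` right away, so the file would be removed immediately after it is written. Unless `RemainAfterExit` is set further down in `serviceConfig` (outside the hunk), add `RemainAfterExit = true;` next to `Type = "oneshot";` so the secret stays until the unit is explicitly stopped — which is what makes the cleanup-on-stop behaviour meaningful. Also, `${target-file}` is interpolated unquoted into both shell scripts; `rm -f "${target-file}"` (and `dirname "${target-file}"`) keeps a path with spaces intact, and since the value is a Nix string the quotes are harmless inside the `''` block.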