Strip down nostromo for nixops deploy & new config

Niten 2021-04-21 10:34:46 -07:00
parent 353936d509
commit 735b44eb7a
8 changed files with 41 additions and 167 deletions


@ -46,11 +46,6 @@
interface = "eno1"; interface = "eno1";
mode = "bridge"; mode = "bridge";
}; };
extif0 = {
interface = "eno2";
mode = "bridge";
};
}; };
interfaces = { interfaces = {
@ -58,11 +53,6 @@
# output of: echo nostromo-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/' # output of: echo nostromo-intif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:14:25:55:ee:5a"; macAddress = "02:14:25:55:ee:5a";
}; };
extif0 = {
# echo nostromo-extif0|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:cf:d7:de:f9:ad";
};
}; };
}; };
} }
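Review bot: Removing the extif0 bridge and its MAC address here leaves `fudo.client.dns.external-interface = "extif0";` unchanged in the nostromo host configuration later in this commit, so the DNS client now names an interface this host no longer defines (the `extif0 = { useDHCP = true; };` entry appears to be dropped from networking.interfaces there as well). Either that option should follow the remaining interface, presumably `external-interface = "intif0";` now that the description no longer calls this box the gateway, or the client.dns block should be disabled on this host. The enclosing interfaces attribute set starts before this hunk.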


@ -163,6 +163,8 @@ in {
security.acme.certs."sea-camera.fudo.link".email = "niten@fudo.org"; security.acme.certs."sea-camera.fudo.link".email = "niten@fudo.org";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services = { services = {
nginx = { nginx = {
enable = true; enable = true;
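Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens both ports on every interface of this host; if the nginx vhosts are only meant to be reachable from one side, the per-interface form `networking.firewall.interfaces.<name>.allowedTCPPorts` keeps the other interfaces closed. Port 80 presumably has to stay open for the HTTP-01 ACME challenge behind the security.acme.certs entry above, which is worth recording next to the line, e.g. `# 80 for ACME HTTP-01, 443 for nginx`. The enclosing attribute set continues outside the hunk.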


@ -1,41 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let with lib; {
primary-ip = "10.0.0.1";
dns-proxy-ip = "10.0.0.5";
in {
fudo.local-network = let
hostname = config.instance.hostname;
site-name = config.fudo.hosts.${hostname}.site;
site = config.fudo.site.${site-name};
in {
enable = true;
dns-servers = site.dns-servers;
gateway = site.gateway;
dhcp-interfaces = [ "intif0" ];
dns-serve-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
recursive-resolver = "${primary-ip} port 5353";
server-ip = primary-ip;
};
fudo.slynk.enable = true;
# systemd.network.networks.eno2 = {
# extraConfig = {
# IPv6AcceptRA = true;
# IPv6PrefixDelegation = "dhcpv6";
# };
# };
networking = { networking = {
# dhcpd.extraConfig = ''
# interface eno2
# ia_na 1
# ia_pd 2 eno2/0
# '';
eno1.useDHCP = false; eno1.useDHCP = false;
eno2.useDHCP = false; eno2.useDHCP = false;
eno3.useDHCP = false; eno3.useDHCP = false;
@ -45,125 +12,32 @@ in {
enp9s0f0.useDHCP = false; enp9s0f0.useDHCP = false;
enp9s0f1.useDHCP = false; enp9s0f1.useDHCP = false;
intif0 = { intif0 = { useDHCP = true; };
useDHCP = false;
ipv4.addresses = [
{
address = primary-ip;
prefixLength = 22;
}
{
address = dns-proxy-ip;
prefixLength = 32;
}
];
};
extif0 = { useDHCP = true; };
nat = {
enable = true;
externalInterface = "extif0";
internalInterfaces = [ "intif0" ];
};
}; };
fudo = { fudo = {
secrets.backplane-client-nostromo-passwd = {
source-file = /srv/secrets/backplane-client/nostromo.passwd;
target-file = "/srv/backplane/dns/client.passwd";
target-host = "nostromo";
user = config.fudo.client.dns.user;
};
client.dns = { client.dns = {
enable = true; enable = true;
ipv4 = true; ipv4 = false;
ipv6 = true; ipv6 = true;
user = "fudo-client"; user = "fudo-client";
external-interface = "extif0"; external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd"; password-file = "/srv/client/secure/client.passwd";
}; };
secure-dns-proxy = {
enable = true;
port = 3535;
upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1";
listen-ips = [ dns-proxy-ip ];
};
}; };
virtualization = { virtualization = {
docker = {
enable = true;
autoPrune.enable = true;
enableOnBoot = true;
};
libvirtd = { libvirtd = {
enable = true; enable = true;
qemuPackage = pkgs.qemu_kvm; qemuPackage = pkgs.qemu_kvm;
onShutdown = "shutdown"; onShutdown = "shutdown";
}; };
}; };
docker-containers = {
pihole = {
image = "pihole/pihole:4.3.2-1";
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = {
ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.sea.fudo.org";
DNS1 = dns-proxy-ip;
};
volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/"
"/srv/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
];
};
};
security.acme.certs = {
"sea-camera.fudo.link".email = "niten@fudo.org";
"sea-camera-od.fudo.link".email = "niten@fudo.org";
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"sea-camera.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
# Supposed to be for object detection...
"sea-camera-od.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://panopticon-od.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
"pihole.sea.fudo.org" = {
serverAliases = [ "dns-hole.sea.fudo.org" "hole.sea.fudo.org" ];
locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
};
};
};
};
} }
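Review bot: The secrets entry that placed the backplane client password on this host is removed, but `password-file = "/srv/client/secure/client.passwd";` in the client.dns block is kept, so nothing visible in the commit provisions that file any more; if the nixops deployment named in the commit title now delivers it, a comment such as `# client.passwd is deployed out of band by nixops` on the password-file line would stop the next reader from looking for the missing secret. Note that on procul the same commit points password-file at the secret's target-file instead, so the two hosts now follow different conventions. The added `with lib;` at the top of the file is not used by anything in the visible hunks; if nothing else in the file needs it, dropping it keeps the file's scope explicit.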


@ -71,13 +71,22 @@ in {
fudo = { fudo = {
hosts.procul.external-interfaces = [ "extif0" ]; hosts.procul.external-interfaces = [ "extif0" ];
secrets = {
backplane-client-limina-passwd = {
source-file = /srv/secrets/backplane-client/procul.passwd;
target-file = "/srv/backplane/dns/client.passwd";
target-host = "procul";
user = config.fudo.client.dns.user;
};
};
client.dns = { client.dns = {
enable = true; enable = true;
ipv4 = true; ipv4 = true;
ipv6 = true; ipv6 = true;
user = "fudo-client"; user = "fudo-client";
external-interface = "extif0"; external-interface = "extif0";
password-file = "/srv/client/secure/client.passwd"; password-file = "/srv/backplane/dns/client.passwd";
}; };
auth.kdc = { auth.kdc = {
@ -152,27 +161,21 @@ in {
}; };
# This should NOT include the primary domain # This should NOT include the primary domain
local-domains = [ local-domains = [ host-fqdn "smtp.${domain}" ];
host-fqdn
"smtp.${domain}"
];
mail-directory = "/srv/mailserver/mail"; mail-directory = "/srv/mailserver/mail";
state-directory = "/srv/mailserver/state"; state-directory = "/srv/mailserver/state";
trusted-networks = [ trusted-networks = [ "172.86.179.16/29" "127.0.0.0/16" ];
"172.86.179.16/29"
"127.0.0.0/16"
];
alias-users = { alias-users = {
root = ["niten"]; root = [ "niten" ];
postmaster = ["niten"]; postmaster = [ "niten" ];
hostmaster = ["niten"]; hostmaster = [ "niten" ];
webmaster = ["niten"]; webmaster = [ "niten" ];
system = ["niten"]; system = [ "niten" ];
admin = ["niten"]; admin = [ "niten" ];
dmarc-report = ["niten"]; dmarc-report = [ "niten" ];
}; };
}; };
@ -206,7 +209,6 @@ in {
hostname = "git.informis.land"; hostname = "git.informis.land";
site-name = "informis git"; site-name = "informis git";
user = "gituser"; user = "gituser";
# admin-email = "viator@informis.land";
repository-dir = /srv/git/repo; repository-dir = /srv/git/repo;
state-dir = /srv/git/state; state-dir = /srv/git/state;
database = { database = {
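Review bot: The new secrets entry is named `backplane-client-limina-passwd` while its source-file is procul.passwd and its target-host is "procul", so the attribute name looks copied from another host; `backplane-client-procul-passwd = {` would match the other fields and the per-host naming used for nostromo's entry that this commit removes. It is also worth checking that whatever reads `password-file = "/srv/backplane/dns/client.passwd"` is ordered after the secret unit, since this commit makes that unit delete the file on stop and the ordering is not visible from the hunk. The enclosing fudo attribute set continues outside the hunk.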


@ -12,4 +12,6 @@
domain = "sea.fudo.org"; domain = "sea.fudo.org";
site = "seattle"; site = "seattle";
profile = "server"; profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvgQsinDcoBZzneroy0QsCJUdiT8KdcI0YKWbSc++w8";
} }


@ -1,5 +1,5 @@
{ {
description = "sea.fudo.org gateway box and primary server."; description = "sea.fudo.org primary server.";
docker-server = true; docker-server = true;
ssh-fingerprints = [ ssh-fingerprints = [
"1 1 075ee0ae86debffa6fd61436984b39e4699c93c6" "1 1 075ee0ae86debffa6fd61436984b39e4699c93c6"


@ -35,12 +35,15 @@ let
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStartPre = pkgs.writeShellScript "prepare-secrets-dir.sh" '' ExecStartPre = pkgs.writeShellScript "prepare-${name}-secret-dir.sh" ''
TARGET_DIR=$(dirname ${target-file}) TARGET_DIR=$(dirname ${target-file})
if [[ ! -d "$TARGET_DIR" ]]; then if [[ ! -d "$TARGET_DIR" ]]; then
mkdir -p "$TARGET_DIR" mkdir -p "$TARGET_DIR"
fi fi
''; '';
ExecStop = pkgs.writeShellScript "clear-${name}-secret.sh" ''
rm -f ${target-file}
'';
ExecStart = let ExecStart = let
decrypt-keys = decrypt-keys =
filter (key: key.type == key-type) config.services.openssh.hostKeys; filter (key: key.type == key-type) config.services.openssh.hostKeys;
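Review bot: The added `ExecStop` removes `${target-file}`, but with `Type = "oneshot"` and no `RemainAfterExit = true` visible in serviceConfig the unit becomes inactive as soon as ExecStart finishes, and systemd then runs the stop commands right away, so the decrypted secret would be deleted immediately after it is written. Unless RemainAfterExit is set elsewhere in the unit, add `RemainAfterExit = true;` to serviceConfig so the file persists until the unit is explicitly stopped. Both script bodies interpolate the path unquoted; `rm -f "${target-file}"` and `TARGET_DIR=$(dirname "${target-file}")` are safer should a target path ever contain whitespace. The let block and the ExecStart definition continue outside the hunk.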


@ -10,6 +10,7 @@ in {
limina = define-host "10.0.0.1" "limina"; limina = define-host "10.0.0.1" "limina";
lambda = define-host "10.0.0.11" "lambda"; lambda = define-host "10.0.0.11" "lambda";
nostromo = define-host "10.0.0.10" "nostromo";
plato = define-host "10.0.0.21" "plato"; plato = define-host "10.0.0.21" "plato";
spark = define-host "10.0.0.108" "spark"; spark = define-host "10.0.0.108" "spark";
zbox = define-host "10.0.0.110" "zbox"; zbox = define-host "10.0.0.110" "zbox";