nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merged with upstream

This commit is contained in:
root@procul 2021-04-13 05:30:35 +00:00
parent f846cf2bb9 f99759d5cb
commit 7e6c08b1ec
14 changed files with 78 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
config/host-config/clunk.nix
View File

@ -6,9 +6,7 @@ let
dns-proxy-port = 5335;
host-packages = with pkgs; [
nixops
];
host-packages = with pkgs; [ nixops ];
site-name = config.fudo.hosts.${config.instance.hostname}.site;
site = config.fudo.site.${site-name};
@ -53,13 +51,9 @@ in {
network-definition = config.fudo.networks."rus.selby.ca";
};
networking = {
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "docker0" ];
allowedTCPPorts = [ 22 ];
};
fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
networking = {
interfaces = {
enp1s0.useDHCP = true;

6
config/host-config/lambda.nix
View File

@ -5,7 +5,7 @@
nixpkgs.config.permittedInsecurePackages = [
"openssh-with-gssapi-8.4p1" # CVE-2021-28041
];
fudo.slynk.enable = true;
networking = {
@ -15,9 +15,7 @@
enp4s0f0.useDHCP = false;
enp4s0f1.useDHCP = false;
intif0 = {
useDHCP = true;
};
intif0 = { useDHCP = true; };
};
};

14
config/host-config/limina.nix
View File

@ -21,12 +21,6 @@ in {
];
networking = {
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
allowedTCPPorts = [ 22 ];
};
interfaces = {
enp1s0 = { useDHCP = true; };
@ -41,14 +35,20 @@ in {
intif2 = { useDHCP = false; };
};
# FIXME: this should be automatic
firewall.trustedInterfaces =
[ "intif0" "intif1" "intif2" "lo" "docker0" ];
nat = {
enable = true;
externalInterface = "enp1s0";
internalInterfaces = [ "intif0" ];
internalInterfaces = [ "intif0" "intif1" "intif2" ];
};
};
fudo = {
hosts.limina.external-interfaces = [ "enp1s0" ];
local-network = {
enable = true;
domain = domain-name;

1
config/hosts/limina.nix
View File

@ -13,4 +13,5 @@
profile = "server";
ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
tmp-on-tmpfs = false;
}

1
config/hosts/plato.nix
View File

@ -16,4 +16,5 @@
build-pubkeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="
];
tmp-on-tmpfs = false;
}

3
config/hosts/pselby-work.nix
View File

@ -1,3 +1,6 @@
{
description = "Google Lenovo work laptop.";
site = "seattle";
profile = "laptop";
domain = "sea.fudo.org";
}

3
config/hosts/upstairs-desktop.nix
View File

@ -10,4 +10,7 @@
];
rp = "niten";
admin-email = "niten@fudo.org";
site = "russell";
domain = "rus.selby.ca";
profile = "desktop";
}

2
config/networks/sea.fudo.org.nix
View File

@ -80,7 +80,7 @@ in {
};
lambda = {
ipv4-address = "10.0.0.11";
mac-address = "e8:39:35:2c:38:08";
mac-address = "02:f5:fe:8c:22:fe";
};
plato = { ipv4-address = "10.0.0.21"; };
cam-entrance = {

15
config/profile-config/common.nix
View File

@ -31,7 +31,7 @@ in {
};
libdefaults = {
allow_weak_crypto = false;
allow_weak_crypto = true;
dns_lookup_kdc = true;
dns_lookup_realm = true;
forwardable = true;
@ -45,7 +45,7 @@ in {
openssh = {
enable = true;
startWhenNeeded = true;
# useDns = true;
useDns = true;
permitRootLogin = "prohibit-password";
extraConfig = ''
GSSAPIAuthentication yes
@ -55,10 +55,13 @@ in {
'';
};
fail2ban = {
enable = true;
bantime-increment.enable = true;
};
fail2ban =
let domain-name = config.fudo.hosts.${config.instance.hostname}.domain;
in {
enable = config.networking.firewall.enable;
bantime-increment.enable = true;
ignoreIP = config.fudo.domains.${domain-name}.local-networks;
};
xserver = {
layout = "us";

12
config/profile-config/server.nix
View File

@ -2,11 +2,7 @@
with lib;
let
serverPackages = with pkgs; [
emacs-nox
reboot-if-necessary
test-config
];
serverPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ];
reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
if [ $# -ne 1 ]; then
@ -50,9 +46,7 @@ in {
imports = [ ./common.nix ];
config = {
environment = {
systemPackages = serverPackages;
};
environment = { systemPackages = serverPackages; };
system.autoUpgrade.enable = false;
@ -60,8 +54,6 @@ in {
networking.networkmanager.enable = mkForce false;
boot.tmpOnTmpfs = true;
services = {
xserver.enable = false;

1
config/sites.nix
View File

@ -21,6 +21,7 @@
speed-factor = 2;
};
};
enable-distributed-builds = true;
# FIXME: good idea?
# network-mounts = {
# "/mnt/documents" = {

40
lib/fudo/hosts.nix
View File

@ -89,6 +89,13 @@ let
default = null;
};
tmp-on-tmpfs = mkOption {
type = bool;
description =
"Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
default = true;
};
enable-gui = mkEnableOption "Install desktop GUI software.";
docker-server = mkEnableOption "Enable Docker on the current host.";
@ -112,6 +119,12 @@ let
description = "SSH public keys used to access the build server.";
default = [ ];
};
external-interfaces = mkOption {
type = listOf str;
description = "A list of interfaces on which to enable the firewall.";
default = [ ];
};
};
};
@ -136,6 +149,7 @@ in {
in {
networking = {
hostName = config.instance.hostname;
domain = domain-name;
nameservers = site.nameservers;
# This will cause a loop on the gateway itself
#defaultGateway = site.gateway-v4;
@ -143,13 +157,33 @@ in {
# Necessary to ensure that Kerberos and Avahi both work. Kerberos needs
# the fqdn of the host, whereas Avahi wants just the simple hostname.`
hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; };
hosts = {
"127.0.0.2" = [ "${hostname}.${domain-name}" "${hostname}" ];
"127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
"::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
};
firewall = {
enable = (length host-cfg.external-interfaces) > 0;
allowedTCPPorts = [ 22 ];
};
};
environment.etc.hosts = mkForce {
text = ''
127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost
127.0.0.2 ${hostname} localhost
::1 ${hostname}.${domain-name} ${hostname} localhost
'';
user = "root";
group = "root";
mode = "0444";
};
nix = mkIf
(has-build-servers && has-build-keys && site.enable-distributed-builds) {
buildMachines = mapAttrsToList (hostname: buildOpts: {
hostName = "${hostname}.${domain}";
hostName = "${hostname}.${domain-name}";
maxJobs = buildOpts.max-jobs;
speedFactor = buildOpts.speed-factor;
supportedFeatures = buildOpts.supported-features;
@ -172,6 +206,8 @@ in {
autoPrune.enable = true;
};
boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
programs.ssh.knownHosts = let
keyed-hosts =
filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts;

1
lib/fudo/hosts/local-network.nix
View File

@ -6,6 +6,7 @@ with lib;
let
cfg = config.fudo.hosts.local-network;
# FIXME: this isn't used, is it?
gatewayServerOpts = { ... }: {
options = {
enable = mkEnableOption "Turn this host into a network gateway.";

6
lib/fudo/sites.nix
View File

@ -133,6 +133,12 @@ let
description = "User as which to run builds.";
default = "nix-site-builder";
};
local-networks = mkOption {
type = listOf str;
description = "List of networks to consider local at this site.";
default = [ ];
};
};
};