Merged with upstream

2021-04-13 05:30:35 +00:00 · 2021-04-13 05:30:35 +00:00 · 7e6c08b1ec
parent f846cf2bb9 f99759d5cb
commit 7e6c08b1ec
14 changed files with 78 additions and 39 deletions
--- a/config/host-config/clunk.nix
+++ b/config/host-config/clunk.nix
@ -6,9 +6,7 @@ let

  dns-proxy-port = 5335;

-  host-packages = with pkgs; [
-    nixops
-  ];
+  host-packages = with pkgs; [ nixops ];

  site-name = config.fudo.hosts.${config.instance.hostname}.site;
  site = config.fudo.site.${site-name};
@ -53,13 +51,9 @@ in {
    network-definition = config.fudo.networks."rus.selby.ca";
  };

-  networking = {
-    firewall = {
-      enable = true;
-      trustedInterfaces = [ "intif0" "docker0" ];
-      allowedTCPPorts = [ 22 ];
-    };
+  fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];

+  networking = {
    interfaces = {
      enp1s0.useDHCP = true;

--- a/config/host-config/lambda.nix
+++ b/config/host-config/lambda.nix
@ -15,9 +15,7 @@
      enp4s0f0.useDHCP = false;
      enp4s0f1.useDHCP = false;

-      intif0 = {
-        useDHCP = true;
-      };
+      intif0 = { useDHCP = true; };
    };
  };

--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@ -21,12 +21,6 @@ in {
    ];

    networking = {
-      firewall = {
-        enable = true;
-        trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
-        allowedTCPPorts = [ 22 ];
-      };
-
      interfaces = {
        enp1s0 = { useDHCP = true; };

@ -41,14 +35,20 @@ in {
        intif2 = { useDHCP = false; };
      };

+      # FIXME: this should be automatic
+      firewall.trustedInterfaces =
+        [ "intif0" "intif1" "intif2" "lo" "docker0" ];
+
      nat = {
        enable = true;
        externalInterface = "enp1s0";
-        internalInterfaces = [ "intif0" ];
+        internalInterfaces = [ "intif0" "intif1" "intif2" ];
      };
    };

    fudo = {
+      hosts.limina.external-interfaces = [ "enp1s0" ];
+
      local-network = {
        enable = true;
        domain = domain-name;
--- a/config/hosts/limina.nix
+++ b/config/hosts/limina.nix
@ -13,4 +13,5 @@
  profile = "server";
  ssh-pubkey =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
+  tmp-on-tmpfs = false;
 }
--- a/config/hosts/plato.nix
+++ b/config/hosts/plato.nix
@ -16,4 +16,5 @@
  build-pubkeys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="
  ];
+  tmp-on-tmpfs = false;
 }
--- a/config/hosts/pselby-work.nix
+++ b/config/hosts/pselby-work.nix
@ -1,3 +1,6 @@
 {
  description = "Google Lenovo work laptop.";
+  site = "seattle";
+  profile = "laptop";
+  domain = "sea.fudo.org";
 }
--- a/config/hosts/upstairs-desktop.nix
+++ b/config/hosts/upstairs-desktop.nix
@ -10,4 +10,7 @@
  ];
  rp = "niten";
  admin-email = "niten@fudo.org";
+  site = "russell";
+  domain = "rus.selby.ca";
+  profile = "desktop";
 }
--- a/config/networks/sea.fudo.org.nix
+++ b/config/networks/sea.fudo.org.nix
@ -80,7 +80,7 @@ in {
    };
    lambda = {
      ipv4-address = "10.0.0.11";
-      mac-address = "e8:39:35:2c:38:08";
+      mac-address = "02:f5:fe:8c:22:fe";
    };
    plato = { ipv4-address = "10.0.0.21"; };
    cam-entrance = {
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@ -31,7 +31,7 @@ in {
    };

    libdefaults = {
-      allow_weak_crypto = false;
+      allow_weak_crypto = true;
      dns_lookup_kdc = true;
      dns_lookup_realm = true;
      forwardable = true;
@ -45,7 +45,7 @@ in {
    openssh = {
      enable = true;
      startWhenNeeded = true;
-      # useDns = true;
+      useDns = true;
      permitRootLogin = "prohibit-password";
      extraConfig = ''
        GSSAPIAuthentication yes
@ -55,9 +55,12 @@ in {
      '';
    };

-    fail2ban = {
-      enable = true;
+    fail2ban =
+      let domain-name = config.fudo.hosts.${config.instance.hostname}.domain;
+      in {
+        enable = config.networking.firewall.enable;
        bantime-increment.enable = true;
+        ignoreIP = config.fudo.domains.${domain-name}.local-networks;
      };

    xserver = {
--- a/config/profile-config/server.nix
+++ b/config/profile-config/server.nix
@ -2,11 +2,7 @@

 with lib;
 let
-  serverPackages = with pkgs; [
-    emacs-nox
-    reboot-if-necessary
-    test-config
-  ];
+  serverPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ];

  reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
    if [ $# -ne 1 ]; then
@ -50,9 +46,7 @@ in {
  imports = [ ./common.nix ];

  config = {
-    environment = {
-      systemPackages = serverPackages;
-    };
+    environment = { systemPackages = serverPackages; };

    system.autoUpgrade.enable = false;

@ -60,8 +54,6 @@ in {

    networking.networkmanager.enable = mkForce false;

-    boot.tmpOnTmpfs = true;
-
    services = {
      xserver.enable = false;

--- a/config/sites.nix
+++ b/config/sites.nix
@ -21,6 +21,7 @@
          speed-factor = 2;
        };
      };
+      enable-distributed-builds = true;
      # FIXME: good idea?
      # network-mounts = {
      #   "/mnt/documents" = {
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@ -89,6 +89,13 @@ let
        default = null;
      };

+      tmp-on-tmpfs = mkOption {
+        type = bool;
+        description =
+          "Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
+        default = true;
+      };
+
      enable-gui = mkEnableOption "Install desktop GUI software.";

      docker-server = mkEnableOption "Enable Docker on the current host.";
@ -112,6 +119,12 @@ let
        description = "SSH public keys used to access the build server.";
        default = [ ];
      };
+
+      external-interfaces = mkOption {
+        type = listOf str;
+        description = "A list of interfaces on which to enable the firewall.";
+        default = [ ];
+      };
    };
  };

@ -136,6 +149,7 @@ in {
  in {
    networking = {
      hostName = config.instance.hostname;
+      domain = domain-name;
      nameservers = site.nameservers;
      # This will cause a loop on the gateway itself
      #defaultGateway = site.gateway-v4;
@ -143,13 +157,33 @@ in {

      # Necessary to ensure that Kerberos and Avahi both work. Kerberos needs
      # the fqdn of the host, whereas Avahi wants just the simple hostname.`
-      hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; };
+      hosts = {
+        "127.0.0.2" = [ "${hostname}.${domain-name}" "${hostname}" ];
+        "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
+        "::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
+      };
+
+      firewall = {
+        enable = (length host-cfg.external-interfaces) > 0;
+        allowedTCPPorts = [ 22 ];
+      };
+    };
+
+    environment.etc.hosts = mkForce {
+      text = ''
+        127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost
+        127.0.0.2 ${hostname} localhost
+        ::1 ${hostname}.${domain-name} ${hostname} localhost
+      '';
+      user = "root";
+      group = "root";
+      mode = "0444";
    };

    nix = mkIf
      (has-build-servers && has-build-keys && site.enable-distributed-builds) {
        buildMachines = mapAttrsToList (hostname: buildOpts: {
-          hostName = "${hostname}.${domain}";
+          hostName = "${hostname}.${domain-name}";
          maxJobs = buildOpts.max-jobs;
          speedFactor = buildOpts.speed-factor;
          supportedFeatures = buildOpts.supported-features;
@ -172,6 +206,8 @@ in {
      autoPrune.enable = true;
    };

+    boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
+
    programs.ssh.knownHosts = let
      keyed-hosts =
        filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts;
--- a/lib/fudo/hosts/local-network.nix
+++ b/lib/fudo/hosts/local-network.nix
@ -6,6 +6,7 @@ with lib;
 let
  cfg = config.fudo.hosts.local-network;

+  # FIXME: this isn't used, is it?
  gatewayServerOpts = { ... }: {
    options = {
      enable = mkEnableOption "Turn this host into a network gateway.";
--- a/lib/fudo/sites.nix
+++ b/lib/fudo/sites.nix
@ -133,6 +133,12 @@ let
        description = "User as which to run builds.";
        default = "nix-site-builder";
      };
+
+      local-networks = mkOption {
+        type = listOf str;
+        description = "List of networks to consider local at this site.";
+        default = [ ];
+      };
    };
  };