nix
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'nixops' of ssh://git.fudo.org:2222/fudosys/NixOS into nixops

This commit is contained in:
Niten 2021-04-12 15:33:48 -07:00
parent 7da8090eeb 71d7fcd7a4
commit 99578075a9
7 changed files with 47 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
config/host-config/clunk.nix
View File

@ -6,9 +6,7 @@ let
dns-proxy-port = 5335; dns-proxy-port = 5335;
host-packages = with pkgs; [ host-packages = with pkgs; [ nixops ];
nixops
];
site-name = config.fudo.hosts.${config.instance.hostname}.site; site-name = config.fudo.hosts.${config.instance.hostname}.site;
site = config.fudo.site.${site-name}; site = config.fudo.site.${site-name};
@ -53,13 +51,9 @@ in {
network-definition = config.fudo.networks."rus.selby.ca"; network-definition = config.fudo.networks."rus.selby.ca";
}; };
networking = { fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "docker0" ];
allowedTCPPorts = [ 22 ];
};
networking = {
interfaces = { interfaces = {
enp1s0.useDHCP = true; enp1s0.useDHCP = true;

8
config/host-config/limina.nix
View File

@ -20,13 +20,9 @@ in {
"openssh-with-gssapi-8.4p1" # CVE-2021-28041 "openssh-with-gssapi-8.4p1" # CVE-2021-28041
]; ];
networking = { fudo.hosts.limina.external-interfaces = [ "enp1s0" ];
firewall = {
enable = true;
trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
allowedTCPPorts = [ 22 ];
};
networking = {
interfaces = { interfaces = {
enp1s0 = { useDHCP = true; }; enp1s0 = { useDHCP = true; };

1
config/hosts/limina.nix
View File

@ -13,4 +13,5 @@
profile = "server"; profile = "server";
ssh-pubkey = ssh-pubkey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
tmp-on-tmpfs = false;
} }

1
config/hosts/plato.nix
View File

@ -16,4 +16,5 @@
build-pubkeys = [ build-pubkeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs=" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMPjwpcktL0Rhjc/D3ZmzwkSRqSJX5TGjMXVstpg8nNqQQrj9DxPq7gV4a+1LxMtQGPUv4gYx7De1a5LMVk8u6qJJnaLlt3TB1e1SUCBxxeh5sWIY5BMx8Q0/aRTkyTchyczX6FX0LXM7FP6yvxZVZSn2WHRp7REr8G1PUAwuIGy2a4bKOUSh5Uj4riXFXnROW2mp1vUfe5oH4X5HP3ACCXWRVUFdqDt1ldcrqqi+7/8x2G1eOHJcQ7B5FdL3uuq0nBrUzFQTt6KCHy0C2Jc3DFwOS1+ZdGKZpao+/arh/fH+LQfMUePx/AQOkYrJwvuRwbxg8XmlZ89u2gyDuqapzjBmsu+wyd5pF2QglyTRZW9Ijy1NTuzduPm6wgqN0Q09evFJvM9ZjShcIY3xTcCGDxpwTeYgMVXMF79sV9u+JwCSBpaIyteIJ7M/J/NWmaKoUF6Ia9mNts889Ba9TKzQFek19KYetOB2hfXV+7bvXrH+OBppzpdrztJFavBceQTs="
]; ];
tmp-on-tmpfs = false;
} }

2
config/profile-config/common.nix
View File

@ -31,7 +31,7 @@ in {
}; };
libdefaults = { libdefaults = {
allow_weak_crypto = false; allow_weak_crypto = true;
dns_lookup_kdc = true; dns_lookup_kdc = true;
dns_lookup_realm = true; dns_lookup_realm = true;
forwardable = true; forwardable = true;

12
config/profile-config/server.nix
View File

@ -2,11 +2,7 @@
with lib; with lib;
let let
serverPackages = with pkgs; [ serverPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ];
emacs-nox
reboot-if-necessary
test-config
];
reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" '' reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
if [ $# -ne 1 ]; then if [ $# -ne 1 ]; then
@ -50,9 +46,7 @@ in {
imports = [ ./common.nix ]; imports = [ ./common.nix ];
config = { config = {
environment = { environment = { systemPackages = serverPackages; };
systemPackages = serverPackages;
};
system.autoUpgrade.enable = false; system.autoUpgrade.enable = false;
@ -60,8 +54,6 @@ in {
networking.networkmanager.enable = mkForce false; networking.networkmanager.enable = mkForce false;
boot.tmpOnTmpfs = true;
services = { services = {
xserver.enable = false; xserver.enable = false;

38
lib/fudo/hosts.nix
View File

@ -89,6 +89,13 @@ let
default = null; default = null;
}; };
tmp-on-tmpfs = mkOption {
type = bool;
description =
"Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
default = true;
};
enable-gui = mkEnableOption "Install desktop GUI software."; enable-gui = mkEnableOption "Install desktop GUI software.";
docker-server = mkEnableOption "Enable Docker on the current host."; docker-server = mkEnableOption "Enable Docker on the current host.";
@ -112,6 +119,12 @@ let
description = "SSH public keys used to access the build server."; description = "SSH public keys used to access the build server.";
default = [ ]; default = [ ];
}; };
external-interfaces = mkOption {
type = listOf str;
description = "A list of interfaces on which to enable the firewall.";
default = [ ];
};
}; };
}; };
@ -136,6 +149,7 @@ in {
in { in {
networking = { networking = {
hostName = config.instance.hostname; hostName = config.instance.hostname;
domain = domain-name;
nameservers = site.nameservers; nameservers = site.nameservers;
# This will cause a loop on the gateway itself # This will cause a loop on the gateway itself
#defaultGateway = site.gateway-v4; #defaultGateway = site.gateway-v4;
@ -143,7 +157,27 @@ in {
# Necessary to ensure that Kerberos and Avahi both work. Kerberos needs # Necessary to ensure that Kerberos and Avahi both work. Kerberos needs
# the fqdn of the host, whereas Avahi wants just the simple hostname.` # the fqdn of the host, whereas Avahi wants just the simple hostname.`
hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; }; hosts = {
"127.0.0.2" = [ "${hostname}.${domain-name}" "${hostname}" ];
"127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
"::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
};
firewall = {
enable = (length host-cfg.external-interfaces) > 0;
allowedTCPPorts = [ 22 ];
};
};
environment.etc.hosts = mkForce {
text = ''
127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost
127.0.0.2 ${hostname} localhost
::1 ${hostname}.${domain-name} ${hostname} localhost
'';
user = "root";
group = "root";
mode = "0444";
}; };
nix = mkIf nix = mkIf
@ -172,6 +206,8 @@ in {
autoPrune.enable = true; autoPrune.enable = true;
}; };
boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
programs.ssh.knownHosts = let programs.ssh.knownHosts = let
keyed-hosts = keyed-hosts =
filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts; filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts;