nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Working nixops config for russell, begun migration to standard systemd service.

Browse Source
This commit is contained in:
Niten 2021-03-08 17:29:09 +00:00
parent bd63433ecc
commit 9c3d00c7d3
16 changed files with 228 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/hardware/clunk.nix
View File

@ -38,8 +38,6 @@
nix.maxJobs = lib.mkDefault 4; nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.bluetooth.enable = false; hardware.bluetooth.enable = false;
networking = { networking = {

29
config/hosts/clunk.nix
View File

@ -3,7 +3,8 @@
with lib; with lib;
let let
primary-ip = "10.0.0.1"; primary-ip = "10.0.0.1";
dns-proxy-ip = "10.0.0.2";
dns-proxy-port = 5335;
site-name = config.fudo.hosts.${config.instance.hostname}.site; site-name = config.fudo.hosts.${config.instance.hostname}.site;
site = config.fudo.site.${site-name}; site = config.fudo.site.${site-name};
@ -65,16 +66,10 @@ in {
intif0 = { intif0 = {
useDHCP = false; useDHCP = false;
ipv4.addresses = [ ipv4.addresses = [{
{ address = primary-ip;
address = primary-ip; prefixLength = 22;
prefixLength = 22; }];
}
{
address = dns-proxy-ip;
prefixLength = 32;
}
];
}; };
}; };
@ -93,11 +88,13 @@ in {
secure-dns-proxy = { secure-dns-proxy = {
enable = true; enable = true;
listen-port = 53; listen-port = dns-proxy-port;
upstream-dns = upstream-dns =
[ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ]; [ "https://1.1.1.1/dns-query" "https://1.0.0.1/dns-query" ];
bootstrap-dns = "1.1.1.1"; bootstrap-dns = "1.1.1.1";
listen-ips = [ dns-proxy-ip ]; allowed-networks =
[ "1.1.1.1/32" "1.0.0.1/32" "10.0.0.0/16" "localhost" "link-local" ];
listen-ips = [ primary-ip ];
}; };
}; };
@ -112,13 +109,13 @@ in {
backend = "docker"; backend = "docker";
containers = { containers = {
pihole = { pihole = {
image = "pihole/pihole:v5.1.2"; image = "pihole/pihole:v5.7";
autoStart = true; autoStart = true;
ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ]; ports = [ "5353:53/tcp" "5353:53/udp" "3080:80/tcp" ];
environment = { environment = {
ServerIP = primary-ip; # ServerIP = primary-ip;
VIRTUAL_HOST = "dns-hole.rus.selby.ca"; VIRTUAL_HOST = "dns-hole.rus.selby.ca";
DNS1 = dns-proxy-ip; DNS1 = "${primary-ip}#${toString dns-proxy-port}";
}; };
volumes = [ volumes = [
"/srv/pihole/etc-pihole/:/etc/pihole/" "/srv/pihole/etc-pihole/:/etc/pihole/"

9
config/profiles/server.nix
View File

@ -78,5 +78,14 @@ in {
sound.enable = false; sound.enable = false;
hardware.pulseaudio.enable = false; hardware.pulseaudio.enable = false;
powerManagement.enable = false;
systemd.targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
}; };
} }

3
configuration.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, pkgs, ... }:
let let
local = import ../host-config.nix; local = import ../host-config.nix;
@ -15,6 +15,7 @@ in {
url = "https://github.com/nix-community/home-manager.git"; url = "https://github.com/nix-community/home-manager.git";
ref = "release-20.09"; ref = "release-20.09";
}; };
pkgs = pkgs;
}) })
]; ];
} }

2
initialize.nix
View File

@ -1,4 +1,4 @@
{ hostname, profile, domain, site, home-manager-package, ... }: { hostname, profile, domain, site, home-manager-package, pkgs, ... }:
{ {
imports = [ imports = [

3
lib/default.nix
View File

@ -1,9 +1,6 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
with lib; { with lib; {
lib = lib // { fudo = import ./lib/lib.nix { inherit lib; }; };
imports = [ imports = [
../config ../config
../packages ../packages

0
lib/lib/dns.nix → lib/dns.nix
View File

7
lib/fudo-lib.nix Normal file
View File

@ -0,0 +1,7 @@
{ lib, ... }:
{
ip = import ./ip.nix { inherit lib; };
dns = import ./dns.nix { inherit lib; };
system = import ./system.nix { inherit lib; };
}

2
lib/fudo/ldap.nix
View File

@ -297,7 +297,7 @@ in {
mode = "0400"; mode = "0400";
user = "openldap"; user = "openldap";
group = "openldap"; group = "openldap";
# FIXME: take arguments! # FIXME: take arguments!
text = '' text = ''
mech_list: gssapi external mech_list: gssapi external
keytab: /etc/ldap/ldap.keytab keytab: /etc/ldap/ldap.keytab

19
lib/fudo/local-network.nix
View File

@ -5,13 +5,12 @@ with lib;
let let
cfg = config.fudo.local-network; cfg = config.fudo.local-network;
dns = import ../lib/dns.nix { inherit lib; };
ip = import ../lib/ip.nix { inherit lib; };
join-lines = concatStringsSep "\n"; join-lines = concatStringsSep "\n";
traceout = out: builtins.trace out out; traceout = out: builtins.trace out out;
fudo-lib = import ../fudo-lib.nix { inherit lib; };
in { in {
options.fudo.local-network = with types; { options.fudo.local-network = with types; {
@ -103,20 +102,20 @@ in {
interfaces = cfg.dhcp-interfaces; interfaces = cfg.dhcp-interfaces;
extraConfig = '' extraConfig = ''
subnet ${ip.getNetworkBase cfg.network} netmask ${ subnet ${fudo-lib.ip.getNetworkBase cfg.network} netmask ${
ip.maskFromV32Network cfg.network fudo-lib.ip.maskFromV32Network cfg.network
} { } {
authoritative; authoritative;
option subnet-mask ${ip.maskFromV32Network cfg.network}; option subnet-mask ${fudo-lib.ip.maskFromV32Network cfg.network};
option broadcast-address ${ip.networkMaxIp cfg.network}; option broadcast-address ${fudo-lib.ip.networkMaxIp cfg.network};
option routers ${cfg.gateway}; option routers ${cfg.gateway};
option domain-name-servers ${concatStringsSep " " cfg.dns-servers}; option domain-name-servers ${concatStringsSep " " cfg.dns-servers};
option domain-name "${cfg.domain}"; option domain-name "${cfg.domain}";
option domain-search "${ option domain-search "${
concatStringsSep " " ([ cfg.domain ] ++ cfg.search-domains) concatStringsSep " " ([ cfg.domain ] ++ cfg.search-domains)
}"; }";
range ${ip.networkMinIp cfg.dhcp-dynamic-network} ${ range ${fudo-lib.ip.networkMinIp cfg.dhcp-dynamic-network} ${
ip.networkMaxButOneIp cfg.dhcp-dynamic-network fudo-lib.ip.networkMaxButOneIp cfg.dhcp-dynamic-network
}; };
} }
''; '';
@ -218,7 +217,7 @@ in {
${join-lines (mapAttrsToList hostSshFpRecords network.hosts)} ${join-lines (mapAttrsToList hostSshFpRecords network.hosts)}
${join-lines (mapAttrsToList cnameRecord network.aliases)} ${join-lines (mapAttrsToList cnameRecord network.aliases)}
${join-lines network.verbatim-dns-records} ${join-lines network.verbatim-dns-records}
${dns.srvRecordsToBindZone network.srv-records} ${fudo-lib.dns.srvRecordsToBindZone network.srv-records}
''; '';
}] ++ blockZones; }] ++ blockZones;
}; };

43
lib/fudo/secure-dns-proxy.nix
View File

@ -1,21 +1,24 @@
{ lib, pkgs, config, ... }: { lib, pkgs, config, ... }:
with lib; with lib;
let cfg = config.fudo.secure-dns-proxy; let
cfg = config.fudo.secure-dns-proxy;
fudo-lib = import ../fudo-lib.nix { lib = lib; };
in { in {
options.fudo.secure-dns-proxy = { options.fudo.secure-dns-proxy = with types; {
enable = enable =
mkEnableOption "Enable a DNS server using an encrypted upstream source."; mkEnableOption "Enable a DNS server using an encrypted upstream source.";
listen-port = mkOption { listen-port = mkOption {
type = types.port; type = port;
description = "Port on which to listen for DNS queries."; description = "Port on which to listen for DNS queries.";
default = 53; default = 53;
}; };
upstream-dns = mkOption { upstream-dns = mkOption {
type = with types; listOf str; type = listOf str;
description = '' description = ''
The upstream DNS services to use, in a format useable by dnsproxy. The upstream DNS services to use, in a format useable by dnsproxy.
@ -25,37 +28,47 @@ in {
}; };
bootstrap-dns = mkOption { bootstrap-dns = mkOption {
type = types.str; type = str;
description = description =
"A simple DNS server from which HTTPS DNS can be bootstrapped, if necessary."; "A simple DNS server from which HTTPS DNS can be bootstrapped, if necessary.";
default = "1.1.1.1"; default = "1.1.1.1";
}; };
listen-ips = mkOption { listen-ips = mkOption {
type = with types; listOf str; type = listOf str;
description = "A list of local IP addresses on which to listen."; description = "A list of local IP addresses on which to listen.";
default = [ "0.0.0.0" ]; default = [ "0.0.0.0" ];
}; };
allowed-networks = mkOption {
type = nullOr (listOf str);
description =
"List of networks with which this job is allowed to communicate.";
default = null;
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ dnsproxy ]; environment.systemPackages = with pkgs; [ dnsproxy ];
systemd.services.secure-dns-proxy = { systemd.services.secure-dns-proxy = fudo-lib.system.default-service {
enable = true;
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
description = "DNS Proxy for secure DNS lookups"; description = "DNS Proxy for secure DNS-over-HTTPS lookups.";
serviceConfig = let privateNetwork = false;
requiredCapabilities = [ ];
restartWhen = "always";
addressFamilies = [ "AF_INET" "AF_INET6" ];
networkWhitelist = cfg.allowed-networks;
execStart = let
upstreams = map (upstream: "-u ${upstream}") cfg.upstream-dns; upstreams = map (upstream: "-u ${upstream}") cfg.upstream-dns;
upstream-line = concatStringsSep " " upstreams; upstream-line = concatStringsSep " " upstreams;
listen-line = listen-line =
concatStringsSep " " (map (listen: "-l ${listen}") cfg.listen-ips); concatStringsSep " " (map (listen: "-l ${listen}") cfg.listen-ips);
cmd = "${pkgs.dnsproxy}/bin/dnsproxy -p ${ in "${pkgs.dnsproxy}/bin/dnsproxy -p ${
toString cfg.listen-port toString cfg.listen-port
} ${upstream-line} ${listen-line} -b ${cfg.bootstrap-dns}"; } ${upstream-line} ${listen-line} -b ${cfg.bootstrap-dns}";
in { ExecStart = cmd; };
}; };
}; };
} }

0
lib/lib/ip.nix → lib/ip.nix
View File

125
lib/system.nix Normal file
View File

@ -0,0 +1,125 @@
{ lib, ... }:
with lib;
let
# See: man capabilities(7)
capabilities = [
"CAP_AUDIT_CONTROL"
"CAP_AUDIT_READ"
"CAP_AUDIT_WRITE"
"CAP_BLOCK_SUSPEND"
"CAP_BPF"
"CAP_CHECKPOINT_RESTORE"
"CAP_CHOWN"
"CAP_DAC_OVERRIDE"
"CAP_DAC_READ_SEARCH"
"CAP_FOWNER"
"CAP_FSETID"
"CAP_IPC_LOCK"
"CAP_IPC_OWNER"
"CAP_KILL"
"CAP_LEASE"
"CAP_LINUX_IMMUTABLE"
"CAP_MAC_ADMIN"
"CAP_MAC_OVERRIDE"
"CAP_MKNOD"
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_BROADCAST"
"CAP_NET_RAW"
"CAP_PERFMON"
"CAP_SETGID"
"CAP_SETFCAP"
"CAP_SETPCAP"
"CAP_SETUID"
"CAP_SYS_ADMIN"
"CAP_SYS_BOOT"
"CAP_SYS_CHROOT"
"CAP_SYS_MODULE"
"CAP_SYS_NICE"
"CAP_SYS_PACCT"
"CAP_SYS_PTRACE"
"CAP_SYS_RAWIO"
"CAP_SYS_RESOURCE"
"CAP_SYS_TIME"
"CAP_SYS_TTY_CONFIG"
"CAP_SYSLOG"
"CAP_WAKE_ALARM"
];
restrict-capabilities = allowed:
if (allowed == [ ]) then
"~${concatStringsSep " " capabilities}"
else
concatStringsSep " " allowed;
in {
timed-service = { ... }: false;
default-service = { after ? [ ], script ? null, reloadScript ? null
, before ? [ ], requires ? [ ], preStart ? null, postStop ? null
, preStop ? null, postStart ? null, requiredBy ? [ ], environment ? { }
, description, restartIfChanged ? true, confine ? false, path ? [ ]
, privateNetwork ? true, dynamicUser ? true, privateUsers ? true
, privateDevices ? true, privateTmp ? true, protectControlGroups ? true
, restrictSuidSgid ? true, protectKernelTunables ? true
, privateMounts ? true, protectKernelModules ? true, protectHome ? true
, protectHostname ? true, keyringMode ? "private"
, requiredCapabilities ? [ ], restartWhen ? "on-failure", restartSec ? "10"
, execStart ? null, protectSystem ? "full", addressFamilies ? null
, wantedBy ? [ ], workingDirectory ? null, user ? null, group ? null
, type ? "simple", partOf ? [ ], standardOutput ? "journal", pidFile ? null
, lockPersonality ? true, restrictRealtime ? true, networkWhitelist ? null
, memoryDenyWriteExecute ? true, ... }: {
enable = true;
script = mkIf (script != null) script;
reload = mkIf (reloadScript != null) reloadScript;
after = after;
before = before;
requires = requires;
wantedBy = wantedBy;
preStart = mkIf (preStart != null) preStart;
postStart = mkIf (postStart != null) postStart;
postStop = mkIf (postStop != null) postStop;
preStop = mkIf (preStop != null) preStop;
partOf = partOf;
requiredBy = requiredBy;
environment = environment;
description = description;
restartIfChanged = restartIfChanged;
confinement = mkIf confine { enable = true; };
path = path;
serviceConfig = {
PrivateNetwork = privateNetwork;
PrivateUsers = privateUsers;
PrivateDevices = privateDevices;
PrivateTmp = privateTmp;
PrivateMounts = privateMounts;
ProtectControlGroups = protectControlGroups;
ProtectKernelTunables = protectKernelTunables;
ProtectKernelModules = protectKernelModules;
ProtectSystem = protectSystem;
ProtectHostname = protectHostname;
ProtectHome = protectHome;
KeyringMode = keyringMode;
# This is more complicated than it looks...
CapabilityBoundingSet = restrict-capabilities requiredCapabilities;
DynamicUser = dynamicUser;
Restart = restartWhen;
WorkingDirectory = mkIf (workingDirectory != null) workingDirectory;
RestrictAddressFamilies =
mkIf (addressFamilies != null) (concatStringsSep " " addressFamilies);
User = mkIf (user != null) user;
Group = mkIf (group != null) group;
Type = type;
StandardOutput = standardOutput;
PIDFile = mkIf (pidFile != null) pidFile;
LockPersonality = lockPersonality;
RestrictRealtime = restrictRealtime;
IpAddressAllow = mkIf (networkWhitelist != null) networkWhitelist;
IpAddressDeny = mkIf (networkWhitelist != null) "any";
ExecStart = mkIf (execStart != null) execStart;
MemoryDenyWriteExecute = memoryDenyWriteExecute;
};
};
}

9
nixops/common.nix → nixops/lib/hosts.nix
View File

@ -1,15 +1,17 @@
{ nixos-version, ... }:
let let
home-manager-package = builtins.fetchGit { home-manager-package = builtins.fetchGit {
url = "https://github.com/nix-community/home-manager.git"; url = "https://github.com/nix-community/home-manager.git";
ref = "release-20.09"; ref = "release-${nixos-version}";
}; };
pkgs = builtins.fetchGit { pkgs = builtins.fetchGit {
url = "https://github.com/NixOS/nixpkgs.git"; url = "https://github.com/NixOS/nixpkgs.git";
ref = "release-20.09"; ref = "release-${nixos-version}";
}; };
initialize = import ../initialize.nix; initialize = import ../../initialize.nix;
host-config = ip: config: host-config = ip: config:
{ ... }: { { ... }: {
@ -20,6 +22,7 @@ let
site = config.site; site = config.site;
domain = config.domain; domain = config.domain;
home-manager-package = home-manager-package; home-manager-package = home-manager-package;
pkgs = pkgs;
}) })
]; ];

21
nixops/russell.nix
View File

@ -1,19 +1,16 @@
let let
common = import ./common.nix; nixos-version = "20.09";
domain = "rus.selby.ca";
site = "russell";
russell-host-config = ip: hostname: profile: hosts = import ./lib/hosts.nix { inherit nixos-version; };
common.host-config ip { russell-host = ip: hostname: profile:
hostname = hostname; let
profile = profile; site = "russell";
domain = domain; domain = "rus.selby.ca";
site = site; in hosts.host-config ip { inherit hostname profile domain site; };
};
in { in {
network.description = "Russell home network."; network.description = "Russell home network.";
clunk = russell-host-config "10.0.0.1" "clunk" "server"; clunk = russell-host "10.0.0.1" "clunk" "server";
plato = russell-host-config "10.0.0.102" "plato" "server"; plato = russell-host "10.0.0.102" "plato" "server";
} }

18
nixops/seattle.nix Normal file
View File

@ -0,0 +1,18 @@
let
nixos-version = "20.09";
hosts = import ./lib/hosts.nix { inherit nix-version; };
seattle-host = ip: hostname: profile:
let
site = "seattle";
domain = "sea.fudo.org";
in hosts.host-config ip { inherit hostname profile domain site; };
in {
network.description = "Seattle home network.";
nostromo = seattle-host "10.0.0.1" "nostromo" "server";
lambda = seattle-host "10.0.0.3" "lambda" "server";
spark = seattle-host "10.0.0.108" "spark" "desktop";
zbox = seattle-host "10.0.0.110" "zbox" "desktop";
}