diff --git a/config/hosts/limina.nix b/config/hosts/limina.nix
index 04fb8f6..a85eb41 100644
--- a/config/hosts/limina.nix
+++ b/config/hosts/limina.nix
@@ -13,4 +13,5 @@
 profile = "server";
 ssh-pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMqymGZ5dI6ChI1Qx1QfjBo/h0+xFwpRx/wQSDxWQprI";
+ tmp-on-tmpfs = false;
 }
diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix
index 8fa9a6c..16187c2 100644
--- a/config/hosts/plato.nix
+++ b/config/hosts/plato.nix
@@ -16,4 +16,5 @@
 build-pubkeys = [ "ssh-rsa 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" ];
+ tmp-on-tmpfs = false;
 }
diff --git a/config/hosts/procul.nix b/config/hosts/procul.nix
index c9547fe..b5f3800 100644
--- a/config/hosts/procul.nix
+++ b/config/hosts/procul.nix
@@ -1,4 +1,17 @@
 {
 description = "informis.land server.";
 docker-server = true;
+ ssh-fingerprints = [
+ "1 1 d089902f60751b3d35b5329bf7b906df254d5fa7"
+ "1 2 8deebf42bbc40881a327f561bffd5d7bd328a4fc94d4e4ce8c502a9c6cbdfb92"
+ "4 1 2a8e086d3589ce50b58c55bc35638af8da23988e"
+ "4 2 55a9f7c0addf08bb24c62ced954574db6e95eff38ee56d6a2cff312d20eb910e"
+ ];
+ rp = "niten";
+ admin-email = "niten@fudo.org";
+ domain = "informis.land";
+ site = "joes-datacenter-0";
+ profile = "server";
+ ssh-pubkey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEsvl1mTSWJJrqXbYrc8wYdlOiW5gNg4Nzf2QCxB6XW";
 }
diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix
index f27b7c4..e95e398 100644
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@@ -31,7 +31,7 @@ in {
 };
 libdefaults = {
- allow_weak_crypto = false;
+ allow_weak_crypto = true;
 dns_lookup_kdc = true;
 dns_lookup_realm = true;
 forwardable = true;
diff --git a/config/profile-config/server.nix b/config/profile-config/server.nix
index 1b0b130..9cc8bf0 100644
--- a/config/profile-config/server.nix
+++ b/config/profile-config/server.nix
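Review bot: The `ssh-fingerprints` list for procul carries both SHA-1 (`1 1 …`, `4 1 …`) and SHA-256 (`1 2 …`, `4 2 …`) SSHFP records for the same two keys, and the SHA-1 entries add no assurance once the SHA-256 ones are published; if the consumers of this list are confirmed to use the type-2 records, the type-1 lines can be dropped. A one-line comment above the list, `# SSHFP records: <algorithm> <digest-type> <fingerprint>; keep in sync with the host's actual keys`, would also make the field format obvious to the next person adding a host.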
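Review bot: Flipping `allow_weak_crypto` to `true` in `libdefaults` re-enables the weak Kerberos enctypes (DES-family) that MIT krb5 refuses by default, and because this is the common profile it does so for every host that imports it. Nothing in the hunk or the commit says which peer or principal needs it, so a later reader cannot tell whether it is still required. If a legacy service forces this, add a comment naming it with a revert reminder, e.g. `# TODO: required for <legacy-service-placeholder> until it is re-keyed with AES enctypes; set back to false afterwards`, and prefer narrowing with `permitted_enctypes` over the global switch. The enclosing `libdefaults` set continues outside the hunk.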
@@ -2,11 +2,7 @@ with lib; let
- serverPackages = with pkgs; [
- emacs-nox
- reboot-if-necessary
- test-config
- ];
+ serverPackages = with pkgs; [ emacs-nox reboot-if-necessary test-config ];
 reboot-if-necessary = pkgs.writeShellScriptBin "reboot-if-necessary" ''
 if [ $# -ne 1 ]; then
@@ -50,9 +46,7 @@ in {
 imports = [ ./common.nix ];
 config = {
- environment = {
- systemPackages = serverPackages;
- };
+ environment = { systemPackages = serverPackages; };
 system.autoUpgrade.enable = false;
@@ -60,8 +54,6 @@ in {
 networking.networkmanager.enable = mkForce false;
- boot.tmpOnTmpfs = true;
-
 services = {
 xserver.enable = false;
diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index b0993c8..4554651 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -89,6 +89,13 @@ let
 default = null;
 };
+ tmp-on-tmpfs = mkOption {
+ type = bool;
+ description =
+ "Use tmpfs for /tmp. Great if you've got enough (>16G) RAM.";
+ default = true;
+ };
+
 enable-gui = mkEnableOption "Install desktop GUI software.";
 docker-server = mkEnableOption "Enable Docker on the current host.";
@@ -112,6 +119,12 @@ let
 description = "SSH public keys used to access the build server.";
 default = [ ];
 };
+
+ external-interfaces = mkOption {
+ type = listOf str;
+ description = "A list of interfaces on which to enable the firewall.";
+ default = [ ];
+ };
 };
 };
@@ -136,6 +149,7 @@ in {
 networking = {
 hostName = config.instance.hostname;
+ domain = domain-name;
 nameservers = site.nameservers;
 # This will cause a loop on the gateway itself
 #defaultGateway = site.gateway-v4;
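Review bot: The new `tmp-on-tmpfs` option defaults to `true` in the per-host schema, while the same commit removes `boot.tmpOnTmpfs = true;` from `server.nix`, so the setting now appears to apply to every host defined through this module rather than only the server profile; a desktop such as `spark` would start mounting `/tmp` on tmpfs unless it opts out the way `limina` and `plato` do in this commit. If that widening is intended, the option description should say so; if not, the default should follow the profile rather than be unconditional. The description is also vague about the trade-off: `"Mount /tmp on tmpfs. /tmp then lives in RAM, so only enable on hosts with plenty of memory (the author suggests >16G)."` states what the host actually pays for it.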
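Review bot: The `external-interfaces` description promises a firewall "on" the listed interfaces, but the only consumer of the list, in this file's `@@ -143,7 +157,27 @@` hunk, is `enable = (length host-cfg.external-interfaces) > 0;`, which switches the NixOS firewall on for every interface once the list is non-empty; the interface names themselves are never read. Either scope the rules — NixOS offers `networking.firewall.trustedInterfaces` for the non-external side and per-interface rules under `networking.firewall.interfaces` — or make the description honest: `"Interfaces facing untrusted networks. A non-empty list enables the host firewall, which then applies to all interfaces."`. I am reading the intent from the description; if host-level filtering is all that was wanted, the wording fix alone is enough.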
@@ -143,7 +157,27 @@ in {
 # Necessary to ensure that Kerberos and Avahi both work. Kerberos needs
 # the fqdn of the host, whereas Avahi wants just the simple hostname.`
- hosts = { "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ]; };
+ hosts = {
+ "127.0.0.2" = [ "${hostname}.${domain-name}" "${hostname}" ];
+ "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
+ "::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
+ };
+
+ firewall = {
+ enable = (length host-cfg.external-interfaces) > 0;
+ allowedTCPPorts = [ 22 ];
+ };
+ };
+
+ environment.etc.hosts = mkForce {
+ text = ''
+ 127.0.0.1 ${hostname}.${domain-name} ${hostname} localhost
+ 127.0.0.2 ${hostname} localhost
+ ::1 ${hostname}.${domain-name} ${hostname} localhost
+ '';
+ user = "root";
+ group = "root";
+ mode = "0444";
 };
 nix = mkIf
@@ -172,6 +206,8 @@ in {
 autoPrune.enable = true;
 };
+ boot.tmpOnTmpfs = host-cfg.tmp-on-tmpfs;
+
 programs.ssh.knownHosts = let
 keyed-hosts = filterAttrs (host: opts: opts.ssh-pubkey != null)
 config.fudo.hosts;
diff --git a/nixops/seattle.nix b/nixops/seattle.nix
index ff6577a..ae4cfc3 100644
--- a/nixops/seattle.nix
+++ b/nixops/seattle.nix
@@ -15,6 +15,7 @@ let
 in {
 network.description = "Seattle home network.";
+ lambda = seattle-host "10.0.0.11" "lambda" "server";
 liminia = seattle-host "10.0.0.1" "limina" "server";
 plato = seattle-host "10.0.0.21" "plato" "server";
 spark = seattle-host "10.0.0.108" "spark" "desktop";
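Review bot: `environment.etc.hosts = mkForce { … }` replaces the generated `/etc/hosts` wholesale, so the `networking.hosts` entries added a few lines above in the same hunk (and anything other modules contribute through `networking.hosts` or `networking.extraHosts`) never reach the file; keeping both mechanisms is at best confusing and at worst silently drops entries, so one of them should go. The hand-written text also lists `localhost` on both `127.0.0.1` and `127.0.0.2`, which does not match the ordinary loopback layout and deserves a comment if it is deliberate. If the forced file is kept, a comment such as `# Deliberately overrides the NixOS-generated /etc/hosts: Kerberos needs the fqdn first on the loopback line` records the reason next to the override. The enclosing `networking` set begins outside the hunk.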
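Review bot: `lambda` is added to the deployment as `seattle-host "10.0.0.11" "lambda" "server"`, but no `config/hosts/lambda.nix` is part of this commit, unlike the other hosts that are touched here. If `seattle-host` resolves the host definition by name, as the sibling entries suggest, the deployment will not evaluate until that file exists; either add the host definition in the same commit or say in the message where it already lives. The `let` binding of `seattle-host` is outside the hunk, so this is an inference from its call sites.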