diff --git a/fudo/sites/default.nix b/fudo/sites/default.nix
index 6caa1b3..fd59359 100644
--- a/fudo/sites/default.nix
+++ b/fudo/sites/default.nix
@@ -2,6 +2,7 @@ { imports = [ + ./joes.nix ./portage.nix ./seattle.nix ];
diff --git a/fudo/sites/joes.nix b/fudo/sites/joes.nix
new file mode 100644
index 0000000..ad2d576
--- /dev/null
+++ b/fudo/sites/joes.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ admin = "admin@fudo.org";
+
+ nameservers = [
+ "1.1.1.1"
+ "2606:4700:4700::1111"
+ ];
+
+ hostname = config.networking.hostName;
+
+ gateway = "172.86.179.17";
+
+in {
+ config = mkIf (config.fudo.common.site == "joes") {
+ time.timeZone = "America/Winnipeg";
+
+ services.cron = {
+ mailto = admin;
+ };
+
+ networking = {
+ domain = "fudo.org";
+ search = ["fudo.org"];
+ firewall.enable = false;
+ nameservers = nameservers;
+
+ defaultGateway = gateway;
+ # defaultGateway6 = gateway6;
+ };
+
+ fudo.node-exporter = {
+ enable = true;
+ hostname = hostname;
+ };
+
+ security.acme.certs.${hostname} = {
+ email = "admin@fudo.org";
+ # plugins = [
+ # "fullchain.pem"
+ # "full.pem"
+ # "key.pem"
+ # "chain.pem"
+ # "cert.pem"
+ # ];
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ };
+ };
+}
diff --git a/hosts/procul.nix b/hosts/procul.nix
new file mode 100644
index 0000000..ef15a4f
--- /dev/null
+++ b/hosts/procul.nix
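Review bot: `firewall.enable = false;` inside the `networking` block of joes.nix switches the host firewall off for every host that selects site "joes", while the same module enables nginx with ACME certificates, so each such host is reachable on every listening port unless something upstream filters traffic. The rest of the repository is not visible here, so an external filter may well exist, but the line carries no comment recording that. If the intent is only to let nginx serve HTTP/HTTPS, `firewall.allowedTCPPorts = [ 80 443 ];` in place of that line keeps the default-deny posture; if the firewall genuinely must be off site-wide, a one-line comment such as `# firewall disabled on purpose: filtering is done upstream (see <placeholder: link to network doc>)` would stop the next reader from re-enabling it. Minor: `security.acme.certs.${hostname}.email` repeats the literal `"admin@fudo.org"` instead of reusing the `admin` binding declared in the `let` block above.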
@@ -0,0 +1,89 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+ hostname = "procul";
+ mail-hostname = hostname;
+ host_ipv4 = "172.86.179.18";
+ all-hostnames = [];
+
+ acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
+ acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
+ acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";
+
+ fudo-ca = "/etc/nixos/static/fudo_ca.pem";
+
+in {
+
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/sdb";
+ };
+
+ imports = [
+ ../hardware-configuration.nix
+
+ ../defaults.nix
+ ];
+
+ fudo.common = {
+ # Sets some server-common settings. See /etc/nixos/fudo/profiles/...
+ profile = "server";
+
+ # Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
+ site = "joes";
+
+ local-networks = [
+ "172.86.179.18/29"
+ "208.81.1.128/28"
+ "208.81.3.112/28"
+ "172.17.0.0/16"
+ "127.0.0.0/8"
+ ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ multipath-tools
+ ];
+
+ # Not all users need access to procul; don't allow LDAP-user access.
+ fudo.authentication.enable = false;
+
+ # TODO: not used yet
+ fudo.acme.hostnames = all-hostnames;
+
+ networking = {
+ hostName = hostname;
+
+ dhcpcd.enable = false;
+ useDHCP = false;
+
+ # TODO: fix IPv6
+ enableIPv6 = true;
+
+ # Create a bridge for VMs to use
+ macvlans = {
+ extif0 = {
+ interface = "enp0s25";
+ mode = "bridge";
+ };
+ };
+
+ interfaces = {
+ extif0 = {
+ # result of:
+ # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+ macAddress = "02:e2:b7:db:e8:af";
+ ipv4.addresses = [
+ {
+ address = host_ipv4;
+ prefixLength = 29;
+ }
+ ];
+ };
+ };
+ };
+
+ hardware.bluetooth.enable = false;
+}
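Review bot: `enableIPv6 = true;` under `networking` sits next to the `# TODO: fix IPv6` comment, yet `extif0` is given only an `ipv4.addresses` entry and the site module this host selects leaves `defaultGateway6` commented out, so any IPv6 address the interface picks up on its own (from router advertisements, if the upstream sends them — not determinable from this diff) would be reachable with the site-level firewall disabled and no configured route for it. Until that TODO is resolved, `enableIPv6 = false;` is the safer setting, or add an explicit `ipv6.addresses` entry beside the v4 one so the address in use is the one you chose. Separately, `"172.86.179.18/29"` in `local-networks` uses the host address rather than the network base (`172.86.179.16/29`); whether that matters depends on how `fudo.common.local-networks` is consumed, which is outside this diff, but writing the canonical prefix avoids a silent mismatch. The `let` bindings `mail-hostname`, `acme-private-key`, `acme-certificate`, `acme-ca` and `fudo-ca` are never referenced in the file and read as though those paths were in use; drop them or mark them with a TODO like the one on `all-hostnames`.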