Updated for procul

2020-06-22 15:29:33 -05:00 · 2020-06-22 15:29:33 -05:00 · acac0ef720
parent 318579ff8a
commit acac0ef720
3 changed files with 147 additions and 0 deletions
--- a/fudo/sites/default.nix
+++ b/fudo/sites/default.nix
@ -2,6 +2,7 @@

 {
  imports = [
+    ./joes.nix
    ./portage.nix
    ./seattle.nix
  ];
--- a/fudo/sites/joes.nix
+++ b/fudo/sites/joes.nix
@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  admin = "admin@fudo.org";
+
+  nameservers = [
+    "1.1.1.1"
+    "2606:4700:4700::1111"
+  ];
+
+  hostname = config.networking.hostName;
+
+  gateway = "172.86.179.17";
+
+in {
+  config = mkIf (config.fudo.common.site == "joes") {
+    time.timeZone = "America/Winnipeg";
+
+    services.cron = {
+      mailto = admin;
+    };
+
+    networking = {
+      domain = "fudo.org";
+      search = ["fudo.org"];
+      firewall.enable = false;
+      nameservers = nameservers;
+
+      defaultGateway = gateway;
+      # defaultGateway6 = gateway6;
+    };
+
+    fudo.node-exporter = {
+      enable = true;
+      hostname = hostname;
+    };
+
+    security.acme.certs.${hostname} = {
+      email = "admin@fudo.org";
+      # plugins = [
+      #   "fullchain.pem"
+      #   "full.pem"
+      #   "key.pem"
+      #   "chain.pem"
+      #   "cert.pem"
+      # ];
+    };
+    
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+    };
+  };
+}
--- a/hosts/procul.nix
+++ b/hosts/procul.nix
@ -0,0 +1,89 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  hostname = "procul";
+  mail-hostname = hostname;
+  host_ipv4 = "172.86.179.18";
+  all-hostnames = [];
+
+  acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
+  acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
+  acme-ca = "/etc/nixos/static/letsencryptauthorityx3.pem";
+
+  fudo-ca = "/etc/nixos/static/fudo_ca.pem";
+
+in {
+
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    device = "/dev/sdb";
+  };
+
+  imports = [
+    ../hardware-configuration.nix
+
+    ../defaults.nix
+  ];
+
+  fudo.common = {
+    # Sets some server-common settings. See /etc/nixos/fudo/profiles/...
+    profile = "server";
+
+    # Sets some common site-specific settings: gateway, monitoring, etc. See /etc/nixos/fudo/sites/...
+    site = "joes";
+
+    local-networks = [
+      "172.86.179.18/29"
+      "208.81.1.128/28"
+      "208.81.3.112/28"
+      "172.17.0.0/16"
+      "127.0.0.0/8"
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    multipath-tools
+  ];
+
+  # Not all users need access to procul; don't allow LDAP-user access.
+  fudo.authentication.enable = false;
+
+  # TODO: not used yet
+  fudo.acme.hostnames = all-hostnames;
+
+  networking = {
+    hostName = hostname;
+
+    dhcpcd.enable = false;
+    useDHCP = false;
+
+    # TODO: fix IPv6
+    enableIPv6 = true;
+
+    # Create a bridge for VMs to use
+    macvlans = {
+      extif0 = {
+        interface = "enp0s25";
+        mode = "bridge";
+      };
+    };
+
+    interfaces = {
+      extif0 = {
+        # result of:
+        # echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
+        macAddress = "02:e2:b7:db:e8:af";
+        ipv4.addresses = [
+          {
+            address = host_ipv4;
+            prefixLength = 29;
+          }
+        ];
+      };
+    };
+  };
+
+  hardware.bluetooth.enable = false;
+}