Merge branch 'master' of ssh://git.fudo.org:2222/fudosys/NixOS

Niten 2020-12-17 21:28:43 -06:00
commit f6976aab64
9 changed files with 179 additions and 183 deletions


@ -134,15 +134,14 @@ in {
listen-v6-addresses = mkOption {
type = with types; listOf str;
description = "IPv6 addresses on which to listen for dns requests.";
example = [
"[abcd::1]"
];
default = [];
example = [ "[abcd::1]" ];
default = [ ];
};
required-services = mkOption {
type = with types; listOf str;
description = "A list of services required before the DNS server can start.";
description =
"A list of services required before the DNS server can start.";
};
user = mkOption {
@ -177,18 +176,12 @@ in {
createHome = true;
home = "/var/home/${cfg.user}";
};
backplane-powerdns = {
isSystemUser = true;
};
backplane-powerdns = { isSystemUser = true; };
};
groups = {
"${cfg.group}" = {
members = [cfg.user];
};
backplane-powerdns = {
members = [ "backplane-powerdns" ];
};
"${cfg.group}" = { members = [ cfg.user ]; };
backplane-powerdns = { members = [ "backplane-powerdns" ]; };
};
};
@ -221,31 +214,30 @@ in {
"backplane-dns-config-generator.service"
"backplane-dns.target"
];
after = [
"network.target"
"postgresql.service"
];
after = [ "network.target" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ postgresql ];
serviceConfig = {
Restart="on-failure";
RestartSec="10";
StartLimitInterval="0";
PrivateDevices=true;
Restart = "on-failure";
RestartSec = "10";
StartLimitInterval = "0";
PrivateDevices = true;
# CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";
# NoNewPrivileges=true;
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${powerdns-home}";
ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=backplane-powerdns --setgid=backplane-powerdns --chroot=${powerdns-home} --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";
ProtectSystem="full";
ExecStart =
"${pkgs.powerdns}/bin/pdns_server --setuid=backplane-powerdns --setgid=backplane-powerdns --chroot=${powerdns-home} --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";
ProtectSystem = "full";
# ProtectHome=true;
RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
};
};
backplane-dns-config-generator = {
description = "Generate postgres configuration for backplane DNS server.";
description =
"Generate postgres configuration for backplane DNS server.";
requiredBy = [ "backplane-powerdns.service" ];
requires = cfg.required-services;
serviceConfig.Type = "oneshot";
@ -260,35 +252,35 @@ in {
# This builds the config in a bash script, to avoid storing the password
# in the nix store at any point
script = ''
if [ ! -d ${powerdns-conf-dir} ]; then
mkdir ${powerdns-conf-dir}
fi
if [ ! -d ${powerdns-conf-dir} ]; then
mkdir ${powerdns-conf-dir}
fi
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d -t pdns-XXXXXXXXXX)
TMPCONF=$TMPDIR/pdns.local.gpgsql.conf
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d -t pdns-XXXXXXXXXX)
TMPCONF=$TMPDIR/pdns.local.gpgsql.conf
if [ ! -f ${cfg.database.password-file} ]; then
echo "${cfg.database.password-file} does not exist!"
exit 1
fi
if [ ! -f ${cfg.database.password-file} ]; then
echo "${cfg.database.password-file} does not exist!"
exit 1
fi
touch $TMPCONF
chown backplane-powerdns:backplane-powerdns $TMPCONF
chmod go-rwx $TMPCONF
PASSWORD=$(cat ${cfg.database.password-file})
echo "launch+=gpgsql" >> $TMPCONF
echo "gpgsql-host=${cfg.database.host}" >> $TMPCONF
echo "gpgsql-dbname=${cfg.database.database}" >> $TMPCONF
echo "gpgsql-user=${cfg.database.username}" >> $TMPCONF
echo "gpgsql-password=$PASSWORD" >> $TMPCONF
echo "gpgsql-dnssec=yes" >> $TMPCONF
touch $TMPCONF
chown backplane-powerdns:backplane-powerdns $TMPCONF
chmod go-rwx $TMPCONF
PASSWORD=$(cat ${cfg.database.password-file})
echo "launch+=gpgsql" >> $TMPCONF
echo "gpgsql-host=${cfg.database.host}" >> $TMPCONF
echo "gpgsql-dbname=${cfg.database.database}" >> $TMPCONF
echo "gpgsql-user=${cfg.database.username}" >> $TMPCONF
echo "gpgsql-password=$PASSWORD" >> $TMPCONF
echo "gpgsql-dnssec=yes" >> $TMPCONF
mv $TMPCONF ${powerdns-conf-dir}/pdns.local.gpgsql.conf
mv $TMPCONF ${powerdns-conf-dir}/pdns.local.gpgsql.conf
rm -rf $TMPDIR
rm -rf $TMPDIR
exit 0
'';
exit 0
'';
};
backplane-dns = {
@ -296,11 +288,13 @@ in {
restartIfChanged = true;
serviceConfig = {
ExecStart = "${pkgs.backplane-dns-server}/bin/launch-backplane-dns.sh";
ExecStart =
"${pkgs.backplane-dns-server}/bin/launch-backplane-dns.sh";
Restart = "on-failure";
PIDFile = "/run/backplane-dns.$USERNAME.pid";
User = cfg.user;
Group = cfg.group;
StandardOutput = "journal";
};
environment = {
@ -311,13 +305,15 @@ in {
FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane.password-file;
FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.backplane.database.host;
FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.backplane.database.database;
FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.backplane.database.username;
FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = cfg.backplane.database.password-file;
FUDO_DNS_BACKPLANE_DATABASE_USERNAME =
cfg.backplane.database.username;
FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE =
cfg.backplane.database.password-file;
# CL_SOURCE_REGISTRY = "${pkgs.localLispPackages.backplane-dns}//";
CL_SOURCE_REGISTRY = lib.concatStringsSep ":" (map (pkg: "${pkg}//")
lisp-pkgs);
CL_SOURCE_REGISTRY =
lib.concatStringsSep ":" (map (pkg: "${pkg}//") lisp-pkgs);
};
requires = cfg.required-services;
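Review bot: In the backplane-powerdns serviceConfig hunk the hardening directives `# CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";`, `# NoNewPrivileges=true;` and `# ProtectHome=true;` are carried over still commented out, with no explanation of why they are off. The ExecStart on the same hunk drops privileges itself with `--setuid`/`--setgid`/`--chroot`, so the unit runs pdns_server as root only until that point and the commented capability set matches what that start-up appears to need; if they were disabled because they broke start-up, a one-line comment such as `# Hardening disabled: <reason> — re-test before enabling` would stop the next reader re-enabling them blind, and if they were simply never finished, NoNewPrivileges does not stop an already-root process calling setuid() and is worth trying first. The same section's `backplane-dns` unit carries `PIDFile = "/run/backplane-dns.$USERNAME.pid";` as a context line; systemd does not expand shell variables in that directive, so the path is taken literally unless the launcher happens to write that exact name. The serviceConfig attrsets and their enclosing service definitions start and end outside these hunks.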


@ -7,6 +7,7 @@
"peter@fudo.link"
"pselby@fudo.org"
"yiliu@fudo.org"
"forum@selby.ca"
"peter@selby.ca"
];
@ -26,11 +27,7 @@
"reaper@fudo.link"
];
"swaff@fudo.org" = [
"mark@fudo.org"
];
"swaff@fudo.org" = [ "mark@fudo.org" ];
"ken@selby.ca" = [
"kselby@selby.ca"
];
"ken@selby.ca" = [ "kselby@selby.ca" ];
}


@ -75,7 +75,7 @@
uid = 10035;
group = "selby";
common-name = "Ken Selby";
hashed-password = "{SSHA}wUGV/9dr8inz/HyqSF/OWKxy0DCy5AI3";
hashed-password = "{SSHA}flr48Sao0/fUp8yl9zFpm8ERnI7qYTds";
# hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc";
};
@ -272,7 +272,7 @@
uid = 10086;
group = "selby";
common-name = "Helen Selby";
hashed-password = "{MD5}cT8gLj4MDWqeP/GnzPfgHQ==";
hashed-password = "{SSHA}uckUXX09MjYq9++sF3f9b2IY8a9UBIxm";
};
vee = {
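Review bot: The commented-out `# hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc";` kept under the first user entry is a stale credential hash carried in the repository for no purpose; drop the line rather than keep it as a comment, since superseded hashes are already recoverable from git history and need no second copy. Replacing the `{MD5}` hash in the second hunk with `{SSHA}` is an improvement, but `{SSHA}` is salted SHA-1; if the slapd behind `fudo.ldap` supports a stronger scheme such as `{SSHA512}` or `{ARGON2}` (each may need the corresponding OpenLDAP password module), new hashes should be generated with that instead. Both hunks sit inside user attrsets whose start is outside the hunk.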


@ -8,7 +8,7 @@ let
host_ipv4 = "208.81.3.117";
# Use a special IP for git.fudo.org, since it needs to be SSH-able
link_ipv4 = "208.81.3.126";
all-hostnames = [];
all-hostnames = [ ];
acme-private-key = hostname: "/var/lib/acme/${hostname}/key.pem";
acme-certificate = hostname: "/var/lib/acme/${hostname}/fullchain.pem";
@ -33,6 +33,7 @@ in {
../defaults.nix
./france/jabber.nix
./france/backplane.nix
./france/selby-forum.nix
];
environment.systemPackages = with pkgs; [
@ -55,22 +56,18 @@ in {
www-root = /srv/www;
local-networks = [
"208.81.1.128/28"
"208.81.3.112/28"
"172.17.0.0/16"
"127.0.0.0/8"
];
local-networks =
[ "208.81.1.128/28" "208.81.3.112/28" "172.17.0.0/16" "127.0.0.0/8" ];
};
fudo.prometheus = {
enable = true;
hostname = "metrics.fudo.org";
service-discovery-dns = {
node = [ "node._metrics._tcp.fudo.org" ];
node = [ "node._metrics._tcp.fudo.org" ];
postfix = [ "postfix._metrics._tcp.fudo.org" ];
dovecot = [ "dovecot._metrics._tcp.fudo.org" ];
rspamd = [ "rspamd._metrics._tcp.fudo.org" ];
rspamd = [ "rspamd._metrics._tcp.fudo.org" ];
};
};
@ -91,9 +88,7 @@ in {
};
# So that grafana waits for postgresql
systemd.services.grafana.after = [
"postgresql.service"
];
systemd.services.grafana.after = [ "postgresql.service" ];
fudo.postgresql = {
enable = true;
@ -162,27 +157,16 @@ in {
};
};
};
niten = {};
niten = { };
};
local-users = [
"niten"
"fudo_git"
];
local-users = [ "niten" "fudo_git" ];
databases = {
fudo_git = {
users = ["niten"];
};
grafana = {
users = ["niten"];
};
mattermost = {
users = ["niten"];
};
webmail = {
users = ["niten"];
};
fudo_git = { users = [ "niten" ]; };
grafana = { users = [ "niten" ]; };
mattermost = { users = [ "niten" ]; };
webmail = { users = [ "niten" ]; };
};
};
@ -207,7 +191,8 @@ in {
ns3 = {
ip-addresses = [ "104.131.53.95" ];
ipv6-addresses = [ "2604:a880:800:10::8:7001" ];
description = "Nameserver 3, ns2.henchmman21.net, in New York City, NY, US";
description =
"Nameserver 3, ns2.henchmman21.net, in New York City, NY, US";
rp = "reaper reaper.rp";
};
ns4 = {
@ -218,11 +203,9 @@ in {
};
};
listen-ips = [host_ipv4];
listen-ips = [ host_ipv4 ];
domains = {
"fudo.org" = import ../fudo/fudo.org.nix { inherit config; };
};
domains = { "fudo.org" = import ../fudo/fudo.org.nix { inherit config; }; };
};
# Not all users need access to france; don't allow LDAP-user access.
@ -251,11 +234,7 @@ in {
# sslKey = (acme-private-key hostname);
# sslCACert = acme-ca;
listen-uris = [
"ldap:///"
"ldaps:///"
"ldapi:///"
];
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
users = import ../fudo/users.nix;
@ -271,11 +250,7 @@ in {
realm = "FUDO.ORG";
mkey-file = "/var/heimdal/m-key";
acl-file = "/etc/heimdal/kdc.acl";
bind-addresses = [
host_ipv4
"127.0.0.1"
"127.0.1.1"
];
bind-addresses = [ host_ipv4 "127.0.0.1" "127.0.1.1" ];
};
};
@ -293,7 +268,7 @@ in {
fudo.mail-server = import ../fudo/email.nix { inherit config; } // {
enableContainer = true;
debug = true;
debug = false;
monitoring = true;
hostname = mail-hostname;
@ -459,32 +434,26 @@ in {
# result of:
# echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:d4:e8:3b:10:2f";
ipv4.addresses = [
{
address = host_ipv4;
prefixLength = 28;
}
];
ipv4.addresses = [{
address = host_ipv4;
prefixLength = 28;
}];
};
extif1 = {
macAddress = "02:6d:e2:e1:ad:ca";
ipv4.addresses = [
{
address = link_ipv4;
prefixLength = 28;
}
];
ipv4.addresses = [{
address = link_ipv4;
prefixLength = 28;
}];
};
intif0 = {
# result of:
# echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
macAddress = "02:ba:ba:e9:08:21";
ipv4.addresses = [
{
address = "192.168.11.1";
prefixLength = 24;
}
];
ipv4.addresses = [{
address = "192.168.11.1";
prefixLength = 24;
}];
};
};
};
@ -496,35 +465,31 @@ in {
enable = true;
enableOnBoot = true;
autoPrune = {
enable = true;
};
autoPrune = { enable = true; };
};
lxd = {
enable = true;
};
lxd = { enable = true; };
};
fileSystems = {
"/srv/archiva" = {
fsType = "btrfs";
options = ["subvol=archiva"];
options = [ "subvol=archiva" ];
label = "pool0";
};
"/srv/grafana" = {
fsType = "btrfs";
options = ["subvol=grafana"];
options = [ "subvol=grafana" ];
label = "pool0";
};
"${system-mail-directory}" = {
fsType = "btrfs";
options = ["subvol=mail"];
options = [ "subvol=mail" ];
label = "pool0";
};
"/srv/gitlab" = {
fsType = "btrfs";
options = ["subvol=gitlab"];
options = [ "subvol=gitlab" ];
label = "pool0";
};
"/var/lib/lxd/storage-pools/pool0" = {
@ -576,12 +541,12 @@ in {
locations."/" = {
proxyPass = "http://127.0.0.1:8001";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
@ -600,12 +565,10 @@ in {
docker-containers = {
archiva = {
image = "xetusoss/archiva";
ports = ["127.0.0.1:8001:8080"];
ports = [ "127.0.0.1:8001:8080" ];
# Ugly: name-to-uid lookup fails.
user = toString config.users.users.archiva.uid;
volumes = [
"/srv/archiva:/archiva-data"
];
volumes = [ "/srv/archiva:/archiva-data" ];
environment = {
# Not directly connected to the world anyway
SSL_ENABLED = "false";


@ -0,0 +1,68 @@
{ config, lib, pkgs, ... }:
let
hostname = "forum.test.selby.ca";
postgres-host = "france.fudo.org";
config-path = "/srv/selby-forum/conf";
redis-data-path = "/srv/selby-forum/redis-data";
sidekiq-data-path = "/srv/selby-forum/sidekiq-data";
discourse-data-path = "/srv/selby-forum/discourse-data";
in {
config = {
users.users = {
selby-discourse = { isSystemUser = true; };
selby-discourse-redis = { isSystemUser = true; };
selby-discourse-sidekiq = { isSystemUser = true; };
};
docker-containers = {
selby-discourse = {
image = "bitnami/discourse";
ports = [ ];
user = toString config.users.users.selby-discourse.uid;
volumes = [
"${config-path}:/opt/bitnami/discourse/mounted-conf"
"${discourse-data-path}:/bitnami"
];
extraDockerOptions = [ "--network=selby-discourse" ];
environment = {
DISCOURSE_SITENAME = "Selby Forum";
DISCOURSE_EMAIL = "forum@selby.ca";
DISCOURSE_HOSTNAME = hostname;
};
};
selby-discourse-redis = {
image = "bitnami/redis";
user = toString config.users.users.selby-discourse-redis.uid;
volumes = [ "${redis-data-path}:/bitnami" ];
extraDockerOptions = [ "--network=selby-discourse" ];
environment = { ALLOW_EMPTY_PASSWORD = "yes"; };
};
selby-discourse-sidekiq = {
image = "bitnami/discourse";
user = toString config.users.users.selby-discourse-sidekiq.uid;
volumes = [ "${sidekiq-data-path}:/bitnami" ];
entrypoint = "nami";
cmd = [ "start" "discourse-sidekiq" ];
extraDockerOptions = [ "--network=selby-discourse" ];
};
};
systemd = {
services = {
# selby-discourse-config = {
# description = "Generate configuration for Selby discourse server.";
# requiredBy = [ "docker-selby-discourse.service" ];
# requires = [ "fudo-passwords.target" ];
# serviceConfig.Type = "oneshot";
# restartIfChanged = true;
# script = "";
# };
};
};
};
}
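Review bot: `postgres-host` is bound in the `let` but never referenced, and the `selby-discourse-config` service that would have generated the database configuration is left commented out, so the discourse and sidekiq containers start with no database settings at all; either finish the wiring or remove the dead binding and the commented block so the file does not read as complete. The redis container is started with `ALLOW_EMPTY_PASSWORD = "yes"` and is reachable by every container joined to the `selby-discourse` network, which may be acceptable for a single-purpose network but should be stated, e.g. `# Unauthenticated; only reachable from containers on the selby-discourse docker network`, or replaced by a password supplied from a secrets file the way the backplane DNS generator avoids putting secrets in the store. I also do not see the `selby-discourse` docker network being created anywhere in this commit; if it is not created elsewhere, the `--network=selby-discourse` options will fail at container start.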


@ -1,24 +0,0 @@
{ stdenv, fetchgit, pkgs }:
let
url = "https://git.fudo.org/fudo-public/backplane-dns.git";
version = "0.1";
in stdenv.mkDerivation {
name = "backplane-dns-${version}";
src = fetchgit {
url = url;
rev = "c552394e55816541a9426974c5f8e6f1f83bf195";
sha256 = "0r61bwj5a2dvzl41cwdf2pdnhdsmp3kzfyxa5x5hsg67al6s7vi8";
fetchSubmodules = false;
};
phases = ["installPhase"];
installPhase = ''
mkdir -p "$out/lib/common-lisp/backplane-dns"
cp "$src/backplane-dns.asd" "$out/lib/common-lisp/backplane-dns"
cp -R $src/*.lisp "$out/lib/common-lisp/backplane-dns"
'';
}


@ -14,13 +14,14 @@ pkgs.lispPackages.buildLispPackage {
cl-ppcre
ip-utils
postmodern
prove
trivia
];
src = pkgs.fetchgit {
url = "https://git.fudo.org/fudo-public/backplane-dns.git";
rev = "d9e13bae165b08976fd025053bb2dde44bb4278d";
sha256 = "0b4y75hq5753v8pk47c4pwpyc95igpjl7md7f29jjvqaviys66xh";
url = "https://git.fudo.org/fudo-public/backplane-dns.git";
rev = "3075453a8ccc8bf285bfc83d84317044590ae060";
sha256 = "1sdgr9zxqam4c8f7nlkgm77si45j0qvvgj6rav9kd6jz6vqgcbi5";
fetchSubmodules = false;
};
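Review bot: `prove` is added to `deps` of this package (and to the `backplane-server` package in the later hunk), which makes a Common Lisp test framework part of the deployed runtime closure; if it is only needed by the test suite, keep it out of `deps` and run the tests in a check phase instead, or add `# prove: needed at load time because <reason>` so the next reader knows it is deliberate. The rev/sha256 bump itself is fine provided the new sha256 was computed from the pinned rev rather than copied from another package.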


@ -7,17 +7,12 @@ pkgs.lispPackages.buildLispPackage {
buildSystems = [ "backplane-server" ];
deps = with pkgs.lispPackages; [
alexandria
arrows
cl-json
cl-xmpp
];
deps = with pkgs.lispPackages; [ alexandria arrows cl-json cl-xmpp prove ];
src = pkgs.fetchgit {
url = "https://git.fudo.org/fudo-public/backplane-server.git";
rev = "665f362ce1a0a22bc10d3bbe95d5a8adec2df653";
sha256 = "0lzq0vlqjymcwxbc80x6wp5mij80am12w9fi7abs5wnqcs68lwnf";
url = "https://git.fudo.org/fudo-public/backplane-server.git";
rev = "5b50dd8badf5b5460e9cc7e76e191d274712a3bd";
sha256 = "18fysksmrbfk131fgazbw1cpaxz47015ashap9y4rswd904dzzss";
fetchSubmodules = false;
};


@ -148,8 +148,8 @@ in {
doom-emacs-config = pkgs.fetchgit {
url = "https://git.fudo.org/niten/doom-emacs.git";
rev = "ed65ca4881d0cc3cfe308f5fc66ccbf15f560043";
sha256 = "17z4scl4p84hin6yzx69a707s5ibjk3jrxszy07cg8zijrg1744a";
rev = "467c45705c73ee39acbfabc04c5aaa4099408dc4";
sha256 = "172ah7ymlwymb4rx719nhsfvsxwmq14nlisba84kw34cmhdcsjh7";
};
};
}