Merge branch 'master' of ssh://git.fudo.org:2222/fudosys/NixOS
f6976aab64
|
@ -134,15 +134,14 @@ in {
|
|||
listen-v6-addresses = mkOption {
|
||||
type = with types; listOf str;
|
||||
description = "IPv6 addresses on which to listen for dns requests.";
|
||||
example = [
|
||||
"[abcd::1]"
|
||||
];
|
||||
example = [ "[abcd::1]" ];
|
||||
default = [ ];
|
||||
};
|
||||
|
||||
required-services = mkOption {
|
||||
type = with types; listOf str;
|
||||
description = "A list of services required before the DNS server can start.";
|
||||
description =
|
||||
"A list of services required before the DNS server can start.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
|
@ -177,18 +176,12 @@ in {
|
|||
createHome = true;
|
||||
home = "/var/home/${cfg.user}";
|
||||
};
|
||||
backplane-powerdns = {
|
||||
isSystemUser = true;
|
||||
};
|
||||
backplane-powerdns = { isSystemUser = true; };
|
||||
};
|
||||
|
||||
groups = {
|
||||
"${cfg.group}" = {
|
||||
members = [cfg.user];
|
||||
};
|
||||
backplane-powerdns = {
|
||||
members = [ "backplane-powerdns" ];
|
||||
};
|
||||
"${cfg.group}" = { members = [ cfg.user ]; };
|
||||
backplane-powerdns = { members = [ "backplane-powerdns" ]; };
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -221,10 +214,7 @@ in {
|
|||
"backplane-dns-config-generator.service"
|
||||
"backplane-dns.target"
|
||||
];
|
||||
after = [
|
||||
"network.target"
|
||||
"postgresql.service"
|
||||
];
|
||||
after = [ "network.target" "postgresql.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
path = with pkgs; [ postgresql ];
|
||||
|
@ -237,7 +227,8 @@ in {
|
|||
# CapabilityBoundingSet="CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT";
|
||||
# NoNewPrivileges=true;
|
||||
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${powerdns-home}";
|
||||
ExecStart = "${pkgs.powerdns}/bin/pdns_server --setuid=backplane-powerdns --setgid=backplane-powerdns --chroot=${powerdns-home} --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";
|
||||
ExecStart =
|
||||
"${pkgs.powerdns}/bin/pdns_server --setuid=backplane-powerdns --setgid=backplane-powerdns --chroot=${powerdns-home} --socket-dir=/ --daemon=no --guardian=no --disable-syslog --write-pid=no --config-dir=${configDir}";
|
||||
ProtectSystem = "full";
|
||||
# ProtectHome=true;
|
||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
||||
|
@ -245,7 +236,8 @@ in {
|
|||
};
|
||||
|
||||
backplane-dns-config-generator = {
|
||||
description = "Generate postgres configuration for backplane DNS server.";
|
||||
description =
|
||||
"Generate postgres configuration for backplane DNS server.";
|
||||
requiredBy = [ "backplane-powerdns.service" ];
|
||||
requires = cfg.required-services;
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
@ -296,11 +288,13 @@ in {
|
|||
restartIfChanged = true;
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.backplane-dns-server}/bin/launch-backplane-dns.sh";
|
||||
ExecStart =
|
||||
"${pkgs.backplane-dns-server}/bin/launch-backplane-dns.sh";
|
||||
Restart = "on-failure";
|
||||
PIDFile = "/run/backplane-dns.$USERNAME.pid";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StandardOutput = "journal";
|
||||
};
|
||||
|
||||
environment = {
|
||||
|
@ -311,13 +305,15 @@ in {
|
|||
FUDO_DNS_BACKPLANE_XMPP_PASSWORD_FILE = cfg.backplane.password-file;
|
||||
FUDO_DNS_BACKPLANE_DATABASE_HOSTNAME = cfg.backplane.database.host;
|
||||
FUDO_DNS_BACKPLANE_DATABASE_NAME = cfg.backplane.database.database;
|
||||
FUDO_DNS_BACKPLANE_DATABASE_USERNAME = cfg.backplane.database.username;
|
||||
FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE = cfg.backplane.database.password-file;
|
||||
FUDO_DNS_BACKPLANE_DATABASE_USERNAME =
|
||||
cfg.backplane.database.username;
|
||||
FUDO_DNS_BACKPLANE_DATABASE_PASSWORD_FILE =
|
||||
cfg.backplane.database.password-file;
|
||||
|
||||
# CL_SOURCE_REGISTRY = "${pkgs.localLispPackages.backplane-dns}//";
|
||||
|
||||
CL_SOURCE_REGISTRY = lib.concatStringsSep ":" (map (pkg: "${pkg}//")
|
||||
lisp-pkgs);
|
||||
CL_SOURCE_REGISTRY =
|
||||
lib.concatStringsSep ":" (map (pkg: "${pkg}//") lisp-pkgs);
|
||||
};
|
||||
|
||||
requires = cfg.required-services;
|
||||
|
|
|
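Review bot: `PIDFile = "/run/backplane-dns.$USERNAME.pid";` in the hunk at `@ -296,11 +288,13 @@` reaches systemd verbatim: Nix interpolates only `${...}`, and systemd's `PIDFile=` expands `%`-specifiers rather than `$VAR`, so the unit watches for a file literally named `backplane-dns.$USERNAME.pid`. Unless launch-backplane-dns.sh writes that exact literal name, systemd will not find the main PID, and because the service runs as `User = cfg.user` it also has no right to create a file directly under /run without a `RuntimeDirectory=` (this is presumably how `Type=` is meant to work for this unit, but `Type` is not visible in the hunk). Either drop the `PIDFile` line or pair it with `RuntimeDirectory = "backplane-dns";` and a path the script actually writes, e.g. `PIDFile = "/run/backplane-dns/backplane-dns.pid";`. In the `@ -237,7 +227,8 @@` hunk the `# CapabilityBoundingSet`, `# NoNewPrivileges` and `# ProtectHome` directives for pdns_server remain commented out with no explanation; a one-line comment saying why they are disabled (the `--setuid`/`--setgid`/`--chroot` flags on the rewritten `ExecStart` line are the likely reason) would stop the next reader from silently re-enabling them. Both enclosing `serviceConfig` blocks start outside their hunks.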
@ -7,6 +7,7 @@
|
|||
"peter@fudo.link"
|
||||
"pselby@fudo.org"
|
||||
"yiliu@fudo.org"
|
||||
"forum@selby.ca"
|
||||
|
||||
"peter@selby.ca"
|
||||
];
|
||||
|
@ -26,11 +27,7 @@
|
|||
"reaper@fudo.link"
|
||||
];
|
||||
|
||||
"swaff@fudo.org" = [
|
||||
"mark@fudo.org"
|
||||
];
|
||||
"swaff@fudo.org" = [ "mark@fudo.org" ];
|
||||
|
||||
"ken@selby.ca" = [
|
||||
"kselby@selby.ca"
|
||||
];
|
||||
"ken@selby.ca" = [ "kselby@selby.ca" ];
|
||||
}
|
||||
|
|
|
@ -75,7 +75,7 @@
|
|||
uid = 10035;
|
||||
group = "selby";
|
||||
common-name = "Ken Selby";
|
||||
hashed-password = "{SSHA}wUGV/9dr8inz/HyqSF/OWKxy0DCy5AI3";
|
||||
hashed-password = "{SSHA}flr48Sao0/fUp8yl9zFpm8ERnI7qYTds";
|
||||
# hashed-password = "{SSHA}X8DxUcwH2Fzel5UKbGVNhC5B2vg0Prsc";
|
||||
};
|
||||
|
||||
|
@ -272,7 +272,7 @@
|
|||
uid = 10086;
|
||||
group = "selby";
|
||||
common-name = "Helen Selby";
|
||||
hashed-password = "{MD5}cT8gLj4MDWqeP/GnzPfgHQ==";
|
||||
hashed-password = "{SSHA}uckUXX09MjYq9++sF3f9b2IY8a9UBIxm";
|
||||
};
|
||||
|
||||
vee = {
|
||||
|
|
|
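Review bot: The superseded `# hashed-password = "{SSHA}..."` line left commented out under the new value in the `@ -75,7 +75,7 @@` hunk should be deleted rather than kept as archaeology; a retired credential hash is not configuration, and leaving it in the live file only widens what is exposed whenever the file is read. The `@ -272,7 +272,7 @@` hunk replaces an unsalted `{MD5}` hash with `{SSHA}`, which is an improvement, but `{SSHA}` is salted SHA-1 and still very cheap to verify, so if the directory server supports a slow scheme (OpenLDAP, for example, offers `{PBKDF2}` and `{ARGON2}` where the corresponding module is loaded) prefer that for new hashes. Because these hashes live in the repository, every rotation becomes a commit that stays in history indefinitely; a comment above the `users` attribute set noting that, or moving the hashes to a file outside the repo, would make the trade-off explicit. The enclosing user records start outside both hunks.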
@ -33,6 +33,7 @@ in {
|
|||
../defaults.nix
|
||||
./france/jabber.nix
|
||||
./france/backplane.nix
|
||||
./france/selby-forum.nix
|
||||
];
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
@ -55,12 +56,8 @@ in {
|
|||
|
||||
www-root = /srv/www;
|
||||
|
||||
local-networks = [
|
||||
"208.81.1.128/28"
|
||||
"208.81.3.112/28"
|
||||
"172.17.0.0/16"
|
||||
"127.0.0.0/8"
|
||||
];
|
||||
local-networks =
|
||||
[ "208.81.1.128/28" "208.81.3.112/28" "172.17.0.0/16" "127.0.0.0/8" ];
|
||||
};
|
||||
|
||||
fudo.prometheus = {
|
||||
|
@ -91,9 +88,7 @@ in {
|
|||
};
|
||||
|
||||
# So that grafana waits for postgresql
|
||||
systemd.services.grafana.after = [
|
||||
"postgresql.service"
|
||||
];
|
||||
systemd.services.grafana.after = [ "postgresql.service" ];
|
||||
|
||||
fudo.postgresql = {
|
||||
enable = true;
|
||||
|
@ -165,24 +160,13 @@ in {
|
|||
niten = { };
|
||||
};
|
||||
|
||||
local-users = [
|
||||
"niten"
|
||||
"fudo_git"
|
||||
];
|
||||
local-users = [ "niten" "fudo_git" ];
|
||||
|
||||
databases = {
|
||||
fudo_git = {
|
||||
users = ["niten"];
|
||||
};
|
||||
grafana = {
|
||||
users = ["niten"];
|
||||
};
|
||||
mattermost = {
|
||||
users = ["niten"];
|
||||
};
|
||||
webmail = {
|
||||
users = ["niten"];
|
||||
};
|
||||
fudo_git = { users = [ "niten" ]; };
|
||||
grafana = { users = [ "niten" ]; };
|
||||
mattermost = { users = [ "niten" ]; };
|
||||
webmail = { users = [ "niten" ]; };
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -207,7 +191,8 @@ in {
|
|||
ns3 = {
|
||||
ip-addresses = [ "104.131.53.95" ];
|
||||
ipv6-addresses = [ "2604:a880:800:10::8:7001" ];
|
||||
description = "Nameserver 3, ns2.henchmman21.net, in New York City, NY, US";
|
||||
description =
|
||||
"Nameserver 3, ns2.henchmman21.net, in New York City, NY, US";
|
||||
rp = "reaper reaper.rp";
|
||||
};
|
||||
ns4 = {
|
||||
|
@ -220,9 +205,7 @@ in {
|
|||
|
||||
listen-ips = [ host_ipv4 ];
|
||||
|
||||
domains = {
|
||||
"fudo.org" = import ../fudo/fudo.org.nix { inherit config; };
|
||||
};
|
||||
domains = { "fudo.org" = import ../fudo/fudo.org.nix { inherit config; }; };
|
||||
};
|
||||
|
||||
# Not all users need access to france; don't allow LDAP-user access.
|
||||
|
@ -251,11 +234,7 @@ in {
|
|||
# sslKey = (acme-private-key hostname);
|
||||
# sslCACert = acme-ca;
|
||||
|
||||
listen-uris = [
|
||||
"ldap:///"
|
||||
"ldaps:///"
|
||||
"ldapi:///"
|
||||
];
|
||||
listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
|
||||
|
||||
users = import ../fudo/users.nix;
|
||||
|
||||
|
@ -271,11 +250,7 @@ in {
|
|||
realm = "FUDO.ORG";
|
||||
mkey-file = "/var/heimdal/m-key";
|
||||
acl-file = "/etc/heimdal/kdc.acl";
|
||||
bind-addresses = [
|
||||
host_ipv4
|
||||
"127.0.0.1"
|
||||
"127.0.1.1"
|
||||
];
|
||||
bind-addresses = [ host_ipv4 "127.0.0.1" "127.0.1.1" ];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -293,7 +268,7 @@ in {
|
|||
|
||||
fudo.mail-server = import ../fudo/email.nix { inherit config; } // {
|
||||
enableContainer = true;
|
||||
debug = true;
|
||||
debug = false;
|
||||
monitoring = true;
|
||||
|
||||
hostname = mail-hostname;
|
||||
|
@ -459,32 +434,26 @@ in {
|
|||
# result of:
|
||||
# echo $FQDN-extif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
|
||||
macAddress = "02:d4:e8:3b:10:2f";
|
||||
ipv4.addresses = [
|
||||
{
|
||||
ipv4.addresses = [{
|
||||
address = host_ipv4;
|
||||
prefixLength = 28;
|
||||
}
|
||||
];
|
||||
}];
|
||||
};
|
||||
extif1 = {
|
||||
macAddress = "02:6d:e2:e1:ad:ca";
|
||||
ipv4.addresses = [
|
||||
{
|
||||
ipv4.addresses = [{
|
||||
address = link_ipv4;
|
||||
prefixLength = 28;
|
||||
}
|
||||
];
|
||||
}];
|
||||
};
|
||||
intif0 = {
|
||||
# result of:
|
||||
# echo $FQDN-intif|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
|
||||
macAddress = "02:ba:ba:e9:08:21";
|
||||
ipv4.addresses = [
|
||||
{
|
||||
ipv4.addresses = [{
|
||||
address = "192.168.11.1";
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
}];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -496,14 +465,10 @@ in {
|
|||
enable = true;
|
||||
enableOnBoot = true;
|
||||
|
||||
autoPrune = {
|
||||
enable = true;
|
||||
};
|
||||
autoPrune = { enable = true; };
|
||||
};
|
||||
|
||||
lxd = {
|
||||
enable = true;
|
||||
};
|
||||
lxd = { enable = true; };
|
||||
};
|
||||
|
||||
fileSystems = {
|
||||
|
@ -603,9 +568,7 @@ in {
|
|||
ports = [ "127.0.0.1:8001:8080" ];
|
||||
# Ugly: name-to-uid lookup fails.
|
||||
user = toString config.users.users.archiva.uid;
|
||||
volumes = [
|
||||
"/srv/archiva:/archiva-data"
|
||||
];
|
||||
volumes = [ "/srv/archiva:/archiva-data" ];
|
||||
environment = {
|
||||
# Not directly connected to the world anyway
|
||||
SSL_ENABLED = "false";
|
||||
|
|
|
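Review bot: `listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];` in the hunk at `@ -251,11 +234,7 @@` binds the cleartext `ldap://` listener to every address, while the `# sslKey` and `# sslCACert` lines immediately above it stay commented out. If TLS material and a minimum-strength policy for simple binds are configured elsewhere this is fine, but nothing in this file stops a plain-LDAP bind from outside the `local-networks` ranges defined earlier in the same file. Consider restricting the cleartext URI to an internal address, e.g. `"ldap://127.0.0.1/"`, or placing a comment above the line that states where STARTTLS enforcement lives. The enclosing LDAP attribute set starts outside the hunk.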
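--- /dev/null
+++ b/PATH-NOT-SHOWN-new-file
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+let
+hostname = "forum.test.selby.ca";
+postgres-host = "france.fudo.org";
+config-path = "/srv/selby-forum/conf";
+redis-data-path = "/srv/selby-forum/redis-data";
+sidekiq-data-path = "/srv/selby-forum/sidekiq-data";
+discourse-data-path = "/srv/selby-forum/discourse-data";
+
+in {
+config = {
+users.users = {
+selby-discourse = { isSystemUser = true; };
+selby-discourse-redis = { isSystemUser = true; };
+selby-discourse-sidekiq = { isSystemUser = true; };
+};
+
+docker-containers = {
+selby-discourse = {
+image = "bitnami/discourse";
+ports = [ ];
+user = toString config.users.users.selby-discourse.uid;
+volumes = [
+"${config-path}:/opt/bitnami/discourse/mounted-conf"
+"${discourse-data-path}:/bitnami"
+];
+extraDockerOptions = [ "--network=selby-discourse" ];
+environment = {
+DISCOURSE_SITENAME = "Selby Forum";
+DISCOURSE_EMAIL = "forum@selby.ca";
+DISCOURSE_HOSTNAME = hostname;
+};
+};
+
+selby-discourse-redis = {
+image = "bitnami/redis";
+user = toString config.users.users.selby-discourse-redis.uid;
+volumes = [ "${redis-data-path}:/bitnami" ];
+extraDockerOptions = [ "--network=selby-discourse" ];
+environment = { ALLOW_EMPTY_PASSWORD = "yes"; };
+};
+
+selby-discourse-sidekiq = {
+image = "bitnami/discourse";
+user = toString config.users.users.selby-discourse-sidekiq.uid;
+volumes = [ "${sidekiq-data-path}:/bitnami" ];
+entrypoint = "nami";
+cmd = [ "start" "discourse-sidekiq" ];
+extraDockerOptions = [ "--network=selby-discourse" ];
+};
+};
+
+systemd = {
+services = {
+# selby-discourse-config = {
+# description = "Generate configuration for Selby discourse server.";
+# requiredBy = [ "docker-selby-discourse.service" ];
+# requires = [ "fudo-passwords.target" ];
+# serviceConfig.Type = "oneshot";
+# restartIfChanged = true;
+
+# script = "";
+# };
+};
+};
+};
+}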
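Review bot: `environment = { ALLOW_EMPTY_PASSWORD = "yes"; };` on the selby-discourse-redis container starts Redis with no authentication, and the only thing separating it from other workloads is the `selby-discourse` Docker network that all three containers join via `--network=selby-discourse`. That is acceptable only if that network is created for these containers alone — its creation is not shown anywhere on this page — otherwise anything else attached to it can read and alter the forum's cache and job queue. Prefer giving the instance a password (bitnami/redis honours `REDIS_PASSWORD`, and the discourse and sidekiq containers would need the matching setting) supplied through the container's env-file mechanism rather than inline, since strings placed in `environment` end up in the world-readable Nix store; at minimum add `# redis is unauthenticated: relies on the selby-discourse network being private to these three containers` above the line. Separately, `postgres-host` is bound in the `let` but never used, and the commented-out `selby-discourse-config` service should either be removed or carry a TODO stating what it is waiting on.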
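--- a/PATH-NOT-SHOWN-deleted-file
+++ /dev/null
@@ -1,24 +0,0 @@
-{ stdenv, fetchgit, pkgs }:
-
-let
-url = "https://git.fudo.org/fudo-public/backplane-dns.git";
-version = "0.1";
-
-in stdenv.mkDerivation {
-name = "backplane-dns-${version}";
-
-src = fetchgit {
-url = url;
-rev = "c552394e55816541a9426974c5f8e6f1f83bf195";
-sha256 = "0r61bwj5a2dvzl41cwdf2pdnhdsmp3kzfyxa5x5hsg67al6s7vi8";
-fetchSubmodules = false;
-};
-
-phases = ["installPhase"];
-
-installPhase = ''
-mkdir -p "$out/lib/common-lisp/backplane-dns"
-cp "$src/backplane-dns.asd" "$out/lib/common-lisp/backplane-dns"
-cp -R $src/*.lisp "$out/lib/common-lisp/backplane-dns"
-'';
-}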
@ -14,13 +14,14 @@ pkgs.lispPackages.buildLispPackage {
|
|||
cl-ppcre
|
||||
ip-utils
|
||||
postmodern
|
||||
prove
|
||||
trivia
|
||||
];
|
||||
|
||||
src = pkgs.fetchgit {
|
||||
url = "https://git.fudo.org/fudo-public/backplane-dns.git";
|
||||
rev = "d9e13bae165b08976fd025053bb2dde44bb4278d";
|
||||
sha256 = "0b4y75hq5753v8pk47c4pwpyc95igpjl7md7f29jjvqaviys66xh";
|
||||
rev = "3075453a8ccc8bf285bfc83d84317044590ae060";
|
||||
sha256 = "1sdgr9zxqam4c8f7nlkgm77si45j0qvvgj6rav9kd6jz6vqgcbi5";
|
||||
fetchSubmodules = false;
|
||||
};
|
||||
|
||||
|
|
|
@ -7,17 +7,12 @@ pkgs.lispPackages.buildLispPackage {
|
|||
|
||||
buildSystems = [ "backplane-server" ];
|
||||
|
||||
deps = with pkgs.lispPackages; [
|
||||
alexandria
|
||||
arrows
|
||||
cl-json
|
||||
cl-xmpp
|
||||
];
|
||||
deps = with pkgs.lispPackages; [ alexandria arrows cl-json cl-xmpp prove ];
|
||||
|
||||
src = pkgs.fetchgit {
|
||||
url = "https://git.fudo.org/fudo-public/backplane-server.git";
|
||||
rev = "665f362ce1a0a22bc10d3bbe95d5a8adec2df653";
|
||||
sha256 = "0lzq0vlqjymcwxbc80x6wp5mij80am12w9fi7abs5wnqcs68lwnf";
|
||||
rev = "5b50dd8badf5b5460e9cc7e76e191d274712a3bd";
|
||||
sha256 = "18fysksmrbfk131fgazbw1cpaxz47015ashap9y4rswd904dzzss";
|
||||
fetchSubmodules = false;
|
||||
};
|
||||
|
||||
|
|
|
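Review bot: The rewritten `deps = with pkgs.lispPackages; [ alexandria arrows cl-json cl-xmpp prove ];` adds `prove`, a Common Lisp test framework, to the package's dependency list alongside the rev and sha256 bump. Unless the new revision of backplane-server loads `prove` at runtime, this pulls a test-only library into the production closure of every host that deploys the package; if `buildLispPackage` offers no separate test-dependency list, a comment such as `# prove: test framework, required only so the test system in the .asd can be loaded` would at least record why it is here. The backplane-dns package in this same commit already carries `prove` in its deps, so the same question applies there.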
@ -148,8 +148,8 @@ in {
|
|||
|
||||
doom-emacs-config = pkgs.fetchgit {
|
||||
url = "https://git.fudo.org/niten/doom-emacs.git";
|
||||
rev = "ed65ca4881d0cc3cfe308f5fc66ccbf15f560043";
|
||||
sha256 = "17z4scl4p84hin6yzx69a707s5ibjk3jrxszy07cg8zijrg1744a";
|
||||
rev = "467c45705c73ee39acbfabc04c5aaa4099408dc4";
|
||||
sha256 = "172ah7ymlwymb4rx719nhsfvsxwmq14nlisba84kw34cmhdcsjh7";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|