Merge branch 'master' of ssh://gitea.c3d2.de:2222/C3D2/nix-config
commit
e179dbe0f7
@ -0,0 +1,105 @@
|
|||
{
|
||||
"nodes": {
|
||||
"hydra": {
|
||||
"info": {
|
||||
"lastModified": 1587883324,
|
||||
"narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus="
|
||||
},
|
||||
"inputs": {
|
||||
"nix": "nix",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
},
|
||||
"locked": {
|
||||
"owner": "ehmry",
|
||||
"repo": "hydra",
|
||||
"rev": "e93c36aab1bf96cf392ab0e40157b0620638b599",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "ehmry",
|
||||
"ref": "sotest",
|
||||
"repo": "hydra",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix": {
|
||||
"info": {
|
||||
"lastModified": 1586440843,
|
||||
"narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo="
|
||||
},
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"owner": "NixOS",
|
||||
"repo": "nix",
|
||||
"rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nix",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"info": {
|
||||
"lastModified": 1585405475,
|
||||
"narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE="
|
||||
},
|
||||
"locked": {
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-20.03-small",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"info": {
|
||||
"lastModified": 1586219474,
|
||||
"narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78="
|
||||
},
|
||||
"locked": {
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "29eddfc36d720dcc4822581175217543b387b1e8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-20.03",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"info": {
|
||||
"lastModified": 1586724123,
|
||||
"narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo="
|
||||
},
|
||||
"locked": {
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs-channels",
|
||||
"rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-20.03",
|
||||
"repo": "nixpkgs-channels",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"hydra": "hydra",
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 5
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
{
|
||||
description = "C3D2 NixOS configurations";
|
||||
|
||||
edition = 201909;
|
||||
|
||||
inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03";
|
||||
inputs.hydra.url = "github:ehmry/hydra/sotest";
|
||||
|
||||
outputs = { self, nixpkgs, hydra }: {
|
||||
|
||||
nixosConfigurations = {
|
||||
|
||||
server7 = nixpkgs.lib.nixosSystem {
|
||||
modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
hydra = nixpkgs.lib.nixosSystem {
|
||||
modules = [ ./hosts/hydra/configuration.nix ];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
pulsebert = nixpkgs.lib.nixosSystem {
|
||||
modules = [ ./hosts/pulsebert/configuration.nix ];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
nixosModules.c3d2 = import ./lib;
|
||||
|
||||
};
|
||||
}
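Review bot: The `hydra` input carries its own nixpkgs (in the new flake.lock the `hydra` node depends on `nixpkgs_2` while `root` uses `nixpkgs_3`), so the hydra module and its packages are built from a different nixpkgs revision than the systems that import `hydra.nixosModules.hydra`, and two nixpkgs trees have to be tracked for security updates. Adding `inputs.hydra.inputs.nixpkgs.follows = "nixpkgs";` next to the two `inputs.*.url` lines keeps everything on one revision. The refs `sotest` and `nixos-20.03` are mutable branch names, but both are pinned to commits by the lock, so that is fine as long as `flake.lock` stays committed. `edition = 201909;` belongs to the early flake schema and, as far as I know, later flake support no longer reads it; a one-line comment naming the Nix version this targets would help whoever upgrades.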
|
|
@ -13,6 +13,7 @@ rec {
|
|||
|
||||
hydra.publicKey =
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig";
|
||||
hydra7 = { };
|
||||
mpd-index = { };
|
||||
nfs = { };
|
||||
ncdc.publicKey =
|
||||
|
|
|
@ -70,6 +70,30 @@ in {
|
|||
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
|
||||
};
|
||||
|
||||
networking.wireguard = {
|
||||
enable = true;
|
||||
interfaces =
|
||||
let
|
||||
wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
|
||||
in
|
||||
builtins.mapAttrs (name: conf: {
|
||||
inherit (conf.wireguard) listenPort privateKey;
|
||||
ips = [ "${address4}/32" "${address6}/64" ];
|
||||
allowedIPsAsRoutes = false;
|
||||
postSetup = ''
|
||||
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
|
||||
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
|
||||
'';
|
||||
peers = [ ({
|
||||
inherit (conf.wireguard) publicKey;
|
||||
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||
persistentKeepalive = 30;
|
||||
} // (lib.optionalAttrs (conf.wireguard ? endpoint) {
|
||||
inherit (conf.wireguard) endpoint;
|
||||
})) ];
|
||||
}) wireguardNeighbors;
|
||||
};
|
||||
|
||||
services.bird2 = {
|
||||
enable = true;
|
||||
config =
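Review bot: `inherit (conf.wireguard) listenPort privateKey;` in the interface builder copies each neighbour's WireGuard private key into the evaluated configuration, so it lands in the world-readable Nix store and is readable by every local user; where the `neighbors` set comes from is outside this hunk, so I cannot tell whether the keys are also committed to the repository. The NixOS wireguard module accepts `privateKeyFile` instead, so the data could carry a path to a root-only file and the builder use `inherit (conf.wireguard) listenPort;` plus `privateKeyFile = conf.wireguard.privateKeyFile;`. The catch-all `allowedIPs = [ "0.0.0.0/0" "::0/0" ]` together with `allowedIPsAsRoutes = false` reads as intended, since routing is handed to `services.bird2` below rather than to the kernel's cryptokey table. The enclosing module attrset (`in {`) starts before this hunk.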
|
||||
|
|
|
@ -19,7 +19,8 @@
|
|||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
networking.useNetworkd = true;
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
|
||||
networking.defaultGateway = "172.20.73.1";
|
||||
services.resolved.enable = false;
|
||||
|
||||
# Set your time zone.
|
||||
|
@ -39,7 +40,7 @@
|
|||
|
||||
# Create a few files early before packing tarball for Proxmox
|
||||
# architecture/OS detection.
|
||||
system.extraSystemBuilderCmds =
|
||||
system.extraSystemBuilderCmds =
|
||||
''
|
||||
mkdir -m 0755 -p $out/bin
|
||||
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
||||
|
@ -85,22 +86,25 @@
|
|||
"1.1.1.1@853" #cloudflare-dns.com
|
||||
"2606:4700:4700::1111@853" #cloudflare-dns.com
|
||||
"1.0.0.1@853" #cloudflare-dns.com
|
||||
"2606:4700:4700::1001@853" #cloudflare-dns.com
|
||||
"2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com
|
||||
];
|
||||
extraConfig = ''
|
||||
server:
|
||||
ssl-upstream: yes
|
||||
domain-insecure: "dn42"
|
||||
domain-insecure: "20.172.in-addr.arpa"
|
||||
domain-insecure: "21.172.in-addr.arpa"
|
||||
domain-insecure: "22.172.in-addr.arpa"
|
||||
domain-insecure: "23.172.in-addr.arpa"
|
||||
domain-insecure: "d.f.ip6.arpa"
|
||||
domain-insecure: "ffdd"
|
||||
domain-insecure: "200.10.in-addr.arpa"
|
||||
local-zone: "20.172.in-addr.arpa." nodefault
|
||||
local-zone: "21.172.in-addr.arpa." nodefault
|
||||
local-zone: "22.172.in-addr.arpa." nodefault
|
||||
local-zone: "23.172.in-addr.arpa." nodefault
|
||||
local-zone: "d.f.ip6.arpa." nodefault
|
||||
local-zone: "ffdd." nodefault
|
||||
local-zone: "200.10.in-addr.arpa." nodefault
|
||||
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
|
@ -109,36 +113,71 @@
|
|||
control-key-file: /var/lib/unbound/unbound_control.key
|
||||
control-cert-file: /var/lib/unbound/unbound_control.pem
|
||||
|
||||
forward-zone:
|
||||
name: "99.22.172.in-addr.arpa"
|
||||
forward-host: "ns.c3d2.de"
|
||||
|
||||
forward-zone:
|
||||
forward-zone:
|
||||
name: "zentralwerk.dn42"
|
||||
forward-host: "dns.serv.zentralwerk.org"
|
||||
|
||||
forward-zone:
|
||||
name: "72.20.172.in-addr.arpa"
|
||||
forward-host: "dns.serv.zentralwerk.org"
|
||||
|
||||
forward-zone:
|
||||
name: "73.20.172.in-addr.arpa"
|
||||
forward-host: "dns.serv.zentralwerk.org"
|
||||
|
||||
forward-zone:
|
||||
name: "74.20.172.in-addr.arpa"
|
||||
forward-host: "dns.serv.zentralwerk.org"
|
||||
|
||||
forward-zone:
|
||||
name: "75.20.172.in-addr.arpa"
|
||||
forward-host: "dns.serv.zentralwerk.org"
|
||||
|
||||
forward-zone:
|
||||
name: "76.20.172.in-addr.arpa"
|
||||
forward-host: "dns.serv.zentralwerk.org"
|
||||
|
||||
forward-zone:
|
||||
name: "77.20.172.in-addr.arpa"
|
||||
forward-host: "dns.serv.zentralwerk.org"
|
||||
|
||||
forward-zone:
|
||||
name: "dn42"
|
||||
forward-addr: fd42:d42:d42:53::1
|
||||
forward-addr: 172.23.0.53
|
||||
|
||||
forward-zone:
|
||||
forward-zone:
|
||||
name: "20.172.in-addr.arpa"
|
||||
forward-addr: fd42:d42:d42:53::1
|
||||
forward-addr: 172.23.0.53
|
||||
|
||||
forward-zone:
|
||||
forward-zone:
|
||||
name: "21.172.in-addr.arpa"
|
||||
forward-addr: fd42:d42:d42:53::1
|
||||
forward-addr: 172.23.0.53
|
||||
|
||||
forward-zone:
|
||||
forward-zone:
|
||||
name: "22.172.in-addr.arpa"
|
||||
forward-addr: fd42:d42:d42:53::1
|
||||
forward-addr: 172.23.0.53
|
||||
|
||||
forward-zone:
|
||||
forward-zone:
|
||||
name: "23.172.in-addr.arpa"
|
||||
forward-addr: fd42:d42:d42:53::1
|
||||
forward-addr: 172.23.0.53
|
||||
|
||||
forward-zone:
|
||||
name: "d.f.ip6.arpa"
|
||||
forward-addr: fd42:d42:d42:53::1
|
||||
forward-addr: 172.23.0.53
|
||||
|
||||
forward-zone:
|
||||
name: "ffdd"
|
||||
forward-addr: 10.200.0.4
|
||||
forward-addr: 10.200.0.16
|
||||
|
||||
forward-zone:
|
||||
name: "200.10.in-addr.arpa"
|
||||
forward-addr: 10.200.0.4
|
||||
forward-addr: 10.200.0.16
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -150,7 +189,7 @@
|
|||
memory = "";
|
||||
interface = "";
|
||||
load = "";
|
||||
exec =
|
||||
exec =
|
||||
let
|
||||
unboundScript = builtins.toFile "unbound.rb" ''
|
||||
loop do
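Review bot: In the `@ -85,22 +86,25 @@` hunk the DoT upstreams `"1.1.1.1@853" #cloudflare-dns.com` and the three below carry the authentication name only in a Nix comment, so unbound encrypts to port 853 but cannot verify whom it is talking to; unbound expects the name appended to the address, e.g. `"1.1.1.1@853#cloudflare-dns.com"`, together with a `tls-cert-bundle:` line in the `server:` section pointing at the system CA bundle, otherwise the TLS is opportunistic only. The entry `"2606:4700:4700::1001@853\n forward-ssl-upstream: yes"` smuggles a directive into the module-generated `forward-zone:` through an embedded newline and only works while the module interpolates the list verbatim; it also looks redundant with `ssl-upstream: yes` in the `server:` section if both survive the change, which the rendering does not let me confirm. A comment on that line explaining why the directive cannot go into `extraConfig` (the generated forward-zone block comes after it) would save the next reader a debugging session. The `domain-insecure:` lines disable DNSSEC validation for the dn42/Freifunk zones, which is expected for those private namespaces; the eight near-identical `forward-zone:` stanzas for `7x.20.172.in-addr.arpa` in the following hunk could be generated from a list with `lib.concatMapStrings` if `lib` is in scope of this module. The `forwardAddresses` list the first hunk sits in begins before it.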
|
||||
|
|
|
@ -0,0 +1,18 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||||
<title>http://c3d2.ffdd</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Chaos Computer Club Dresden</h1>
|
||||
<h2>Router zu Freifunk Dresden</h2>
|
||||
|
||||
<ul>
|
||||
<li><a href="https://www.c3d2.de/">Homepage</a></li>
|
||||
<li><a href="https://www.c3d2.de/space.html">Räumlichkeiten</a></li>
|
||||
<li><a href="https://gitea.c3d2.de/C3D2/nix-config/src/branch/master/hosts/containers/freifunk/configuration.nix">Konfiguration dieses Servers</a></li>
|
||||
<li><a href="http://grafana.hq.c3d2.ffdd/">Lokales Grafana über Freifunk</a></li>
|
||||
</ul>
|
||||
</body>
|
||||
</html>
|
|
@ -1,60 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
meshInterface = "bmx";
|
||||
in {
|
||||
imports = [
|
||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
<lib>
|
||||
<lib/lxc-container.nix>
|
||||
<lib/shared.nix>
|
||||
];
|
||||
|
||||
c3d2 = {
|
||||
isInHq = false;
|
||||
enableHail = false;
|
||||
};
|
||||
|
||||
networking.hostName = "freifunk";
|
||||
networking.useNetworkd = true;
|
||||
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
|
||||
|
||||
# Required for krops
|
||||
services.openssh.enable = true;
|
||||
environment.systemPackages = with pkgs; [ git tcpdump ];
|
||||
|
||||
systemd.network.networks = {
|
||||
"10-bmx" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = meshInterface; };
|
||||
networkConfig = {
|
||||
Address = "10.200.0.15/16";
|
||||
};
|
||||
};
|
||||
"20-core" = {
|
||||
enable = true;
|
||||
matchConfig = { Name = "core"; };
|
||||
networkConfig = {
|
||||
Address = "172.20.72.40/26";
|
||||
Gateway = "172.20.72.7";
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.bmxd =
|
||||
let
|
||||
bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; };
|
||||
in {
|
||||
after = [ "systemd-networkd.service" ];
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0";
|
||||
Restart = "always";
|
||||
};
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "20.03"; # Did you read the comment?
|
||||
}
|
|
@ -0,0 +1,70 @@
|
|||
{ pkgs ? import <nixpkgs> {},
|
||||
ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git",
|
||||
bmxd,
|
||||
ddmeshNode,
|
||||
... }:
|
||||
|
||||
with pkgs;
|
||||
let
|
||||
nvram = {
|
||||
ddmesh_node = toString ddmeshNode;
|
||||
city = "Dresden";
|
||||
autoupdate = "0";
|
||||
contact_name = "C3D2";
|
||||
contact_location = "Zentralwerk";
|
||||
contact_email = "astro@spaceboyz.net";
|
||||
contact_note = "http://www.c3d2.ffdd/";
|
||||
gps_latitude = "51.0810624";
|
||||
gps_longitude = "13.7285866";
|
||||
gps_altitude = "100";
|
||||
};
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
name = "sysinfo-json";
|
||||
src = "${ffdd-server}/salt/freifunk/base/ddmesh/";
|
||||
buildPhase = ''
|
||||
cat > bmxddump.sh <<EOF
|
||||
#!${bash}/bin/bash
|
||||
|
||||
DB_PATH=/var/lib/freifunk/bmxd
|
||||
mkdir -p \$DB_PATH
|
||||
${bmxd}/sbin/bmxd -c --gateways > \$DB_PATH/gateways
|
||||
${bmxd}/sbin/bmxd -c --links > \$DB_PATH/links
|
||||
${bmxd}/sbin/bmxd -c --originators > \$DB_PATH/originators
|
||||
${bmxd}/sbin/bmxd -c --status > \$DB_PATH/status
|
||||
#${bmxd}/sbin/bmxd -c --networks > \$DB_PATH/networks
|
||||
${bmxd}/sbin/bmxd -ci > \$DB_PATH/info
|
||||
EOF
|
||||
|
||||
cat > lsb_release <<EOF
|
||||
#!${bash}/bin/bash
|
||||
|
||||
${lsb-release}/bin/lsb_release \$@ | \
|
||||
${gnused}/bin/sed -e 's/"//g'
|
||||
EOF
|
||||
|
||||
substitute usr/local/bin/ddmesh-ipcalc.sh ddmesh-ipcalc.sh \
|
||||
--replace awk ${gawk}/bin/awk
|
||||
substitute var/www_freifunk/sysinfo-json.cgi sysinfo-json.cgi \
|
||||
--replace "echo 'Content-Type: application/json;charset=UTF-8'" "" \
|
||||
--replace '"node_type":"server"' '"node_type":"node"' \
|
||||
--replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \
|
||||
--replace lsb_release $out/bin/lsb_release \
|
||||
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"} 0 \
|
||||
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"} 0 \
|
||||
--replace 'nettype_lookup[$2]' '"lan"' \
|
||||
--replace awk ${gawk}/bin/awk
|
||||
'' +
|
||||
lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
|
||||
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n"
|
||||
) nvram);
|
||||
installPhase = ''
|
||||
pwd
|
||||
mkdir -p $out/bin
|
||||
ls -la
|
||||
install -m 0755 sysinfo-json.cgi $out/bin/
|
||||
install -m 0755 ddmesh-ipcalc.sh $out/bin/
|
||||
install -m 0755 bmxddump.sh $out/bin/
|
||||
install -m 0755 lsb_release $out/bin/
|
||||
'';
|
||||
}
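Review bot: `ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"` fetches whatever the upstream default branch points at when the expression is evaluated, so the CGI script that is rewritten by `substitute` and then served is unpinned and unreviewed code from a third party, and the build is not reproducible. Pin it with `ffdd-server ? builtins.fetchGit { url = "https://github.com/Freifunk-Dresden/ffdd-server.git"; rev = "<pinned commit>"; }` (placeholder) and bump deliberately. `--replace awk ${gawk}/bin/awk` is applied to the whole file and presumably rewrites every occurrence of the substring, which is fine as long as nothing else in those scripts contains `awk`; worth a comment. `installPhase` still carries the `pwd` and `ls -la` debugging lines, which only add noise to the build log.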
|
|
@ -9,7 +9,6 @@
|
|||
[ ../../lib/lxc-container.nix
|
||||
../../lib/shared.nix
|
||||
../../lib/admins.nix
|
||||
../../lib/hq.nix
|
||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
];
|
||||
|
||||
|
|
|
@ -45,10 +45,6 @@
|
|||
script = "xerox";
|
||||
host = "roxi.hq.c3d2.de";
|
||||
};
|
||||
scrape-luftdaten = makeService {
|
||||
script = "luftdaten";
|
||||
host = "";
|
||||
};
|
||||
scrape-fhem = makeService {
|
||||
script = "fhem";
|
||||
host = "fhem.hq.c3d2.de";
|
||||
|
@ -59,6 +55,30 @@
|
|||
host = "matemat.hq.c3d2.de";
|
||||
inherit (matematLogin) user password;
|
||||
};
|
||||
scrape-node1139 = makeService {
|
||||
script = "freifunk_node";
|
||||
host = "10.200.4.120";
|
||||
};
|
||||
scrape-node1487 = makeService {
|
||||
script = "freifunk_node";
|
||||
host = "10.200.5.213";
|
||||
};
|
||||
scrape-node1884 = makeService {
|
||||
script = "freifunk_node";
|
||||
host = "10.200.7.100";
|
||||
};
|
||||
scrape-node1891 = makeService {
|
||||
script = "freifunk_node";
|
||||
host = "10.200.7.107";
|
||||
};
|
||||
scrape-node1768 = makeService {
|
||||
script = "freifunk_node";
|
||||
host = "10.200.6.239";
|
||||
};
|
||||
scrape-node1176 = makeService {
|
||||
script = "freifunk_node";
|
||||
host = "10.200.7.80";
|
||||
};
|
||||
};
|
||||
systemd.timers.scrape-xeri = {
|
||||
partOf = [ "scrape-xeri.service" ];
|
||||
|
@ -70,11 +90,6 @@
|
|||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
systemd.timers.scrape-luftdaten = {
|
||||
partOf = [ "scrape-luftdaten.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
systemd.timers.scrape-fhem = {
|
||||
partOf = [ "scrape-fhem.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
|
@ -85,6 +100,36 @@
|
|||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
systemd.timers.scrape-node1139 = {
|
||||
partOf = [ "scrape-node1139.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
systemd.timers.scrape-node1487 = {
|
||||
partOf = [ "scrape-node1487.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
systemd.timers.scrape-node1884 = {
|
||||
partOf = [ "scrape-node1884.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
systemd.timers.scrape-node1891 = {
|
||||
partOf = [ "scrape-node1894.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
systemd.timers.scrape-node1768 = {
|
||||
partOf = [ "scrape-node1768.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
systemd.timers.scrape-node1176 = {
|
||||
partOf = [ "scrape-node1176.service" ];
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnCalendar = "minutely";
|
||||
};
|
||||
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
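Review bot: `systemd.timers.scrape-node1891 = { partOf = [ "scrape-node1894.service" ];` ties the timer to a unit that does not exist; the service defined in the `@ -59,6 +55,30 @@` hunk is `scrape-node1891`, so the line should read `partOf = [ "scrape-node1891.service" ];`, otherwise the timer is not stopped or restarted together with its service. The six `scrape-nodeXXXX` service/timer pairs differ only in node id and host address, so generating both attribute sets from one `{ node1139 = "10.200.4.120"; … }` map (for instance with `lib.mapAttrs'` and `lib.nameValuePair`, if `lib` is an argument of this module) would make a slip like this one impossible. As written, a reviewer has to cross-check twelve stanzas by eye.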
|
||||
|
|
|
@ -2,12 +2,9 @@
|
|||
|
||||
{
|
||||
imports = [
|
||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
./hydra.nix
|
||||
./cache.nix
|
||||
../../lib
|
||||
../../lib/hq.nix
|
||||
../../lib/yggdrasil.nix
|
||||
];
|
||||
|
||||
c3d2 = {
|
||||
|
@ -18,26 +15,17 @@
|
|||
isInHq = true;
|
||||
mapHqHosts = true;
|
||||
hq.interface = "eth0";
|
||||
hq.yggdrasil.enableGateway = true;
|
||||
};
|
||||
|
||||
networking.interfaces.eth0.preferTempAddress = false;
|
||||
systemd.services.yggdrasil.preStart = ''
|
||||
mkdir -p /dev/net
|
||||
mknod /dev/net/tun c 10 200 || true
|
||||
chmod 0666 /dev/net/tun
|
||||
'';
|
||||
services.yggdrasil = {
|
||||
configFile = "/var/lib/yggdrasil/keys";
|
||||
config.Peers = [
|
||||
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
|
||||
"tcp://ygg.thingylabs.io:443" # Nürnberg
|
||||
"tcp://176.223.130.120:22632" # Wrocław
|
||||
"tcp://[2a05:9403::8b]:7743" # Praha
|
||||
];
|
||||
};
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
security.acme = {
|
||||
email = "mail@c3d2.de";
|
||||
acceptTerms = true;
|
||||
};
|
||||
security.pam.enableSSHAgentAuth = true;
|
||||
|
||||
services.openssh = {
|
||||
|
|
|
@ -15,8 +15,11 @@
|
|||
allowed-uris = http:// https://
|
||||
'';
|
||||
buildMachines = [{
|
||||
hostName = "localhost";
|
||||
hostName = "server7.hq";
|
||||
sshUser = "hydra";
|
||||
sshKey = "/var/lib/hydra/queue-runner/id_rsa";
|
||||
system = "x86_64-linux";
|
||||
speedFactor = 2;
|
||||
supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
|
||||
maxJobs = 8;
|
||||
}];
|
||||
|
@ -27,6 +30,7 @@
|
|||
hydraURL = "https://hydra.hq.c3d2.de";
|
||||
logo = ./c3d2.svg;
|
||||
notificationSender = "hydra@spam.works";
|
||||
package = pkgs.hydra-unstable;
|
||||
useSubstitutes = false;
|
||||
};
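Review bot: The `buildMachines` entry in the `@ -15,8 +15,11 @@` hunk turns the queue runner into an SSH client of `server7.hq` as user `hydra` without pinning the builder's host key, so the first connection is trust-on-first-use for the `hydra` account's known_hosts. Nix's machines file accepts a base64 public host key as its last field; if this nixpkgs exposes it as `publicHostKey` on `nix.buildMachines` entries, set it, otherwise pre-seed the host key for the `hydra` user in a managed file. `sshKey = "/var/lib/hydra/queue-runner/id_rsa"` correctly keeps the private key out of the store; a comment on how that file is provisioned would help. The enclosing `services.hydra` attrset starts before the hunk.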
|
||||
|
||||
|
|
|
@ -13,7 +13,6 @@ in {
|
|||
../../lib
|
||||
../../lib/admins.nix
|
||||
../../lib/hq.nix
|
||||
../../lib/yggdrasil.nix
|
||||
./mpdConsole.nix
|
||||
];
|
||||
|
||||
|
@ -27,6 +26,7 @@ in {
|
|||
hq = {
|
||||
interface = "eno1";
|
||||
enableMpdProxy = true;
|
||||
yggdrasi.enableGateway = true;
|
||||
};
|
||||
enableHail = true;
|
||||
};
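Review bot: `yggdrasi.enableGateway = true;` inside `hq = { … }` misspells the option; every other host in this commit sets `hq.yggdrasil.enableGateway = true;`. If `c3d2.hq` is a submodule with declared options this fails evaluation, and if it is freeform the gateway is silently not enabled on this host, which is the worse outcome. Change it to `yggdrasil.enableGateway = true;`. The enclosing `c3d2` attrset starts before the hunk.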
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
{ config, ... }:
|
||||
|
||||
{
|
||||
services.borgbackup.repos.emery = {
|
||||
allowSubRepos = true;
|
||||
authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys;
|
||||
path = "/srv/ceph/c3d2/backups/emery";
|
||||
quota = "200G";
|
||||
};
|
||||
}
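Review bot: `authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys;` reuses the user's interactive login keys for the borg repository, so whichever machine holds a key for logging in as `emery` can also read and prune the backups, and a compromised backup client holds a shell key for this host. A dedicated key per backup client, listed here instead, keeps the two roles separate, and `authorizedKeysAppendOnly` is the place for clients that should be able to add archives but not delete history. A short comment explaining why the login keys were chosen would help if the sharing is intentional.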
|
|
@ -2,7 +2,16 @@ name:
|
|||
|
||||
(import ../outer-defaults.nix name) // {
|
||||
config = { config, pkgs, lib, ... }: {
|
||||
imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ];
|
||||
imports = [ ../inner-defaults.nix ];
|
||||
|
||||
c3d2.hq.yggdrasil.enableGateway = true;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ config.services.uhub.port ];
|
||||
|
||||
networking.interfaces.eth0.ipv6.addresses = [{
|
||||
address = "310:5217:69c0:9afc:0:576d:1184:c3d2";
|
||||
prefixLength = 64;
|
||||
}]; # Old address used by some clients
|
||||
|
||||
services.uhub = {
|
||||
enable = true;
|
||||
|
@ -18,8 +27,6 @@ name:
|
|||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ config.services.uhub.port ];
|
||||
hq.yggdrasil.enable = true;
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
{ lib, ... }:
|
||||
|
||||
let
|
||||
yggaddr = import ../yggaddr.nix;
|
||||
|
||||
containerFunc = name:
|
||||
# Generate a container expression from the directory at `name`.
|
||||
{
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
name:
|
||||
|
||||
(import ../outer-defaults.nix name) // {
|
||||
|
||||
ephemeral = true;
|
||||
|
||||
config = { config, pkgs, lib, ... }: {
|
||||
imports = [ ../inner-defaults.nix ];
|
||||
c3d2.hq.yggdrasil.enableGateway = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
email = "mail@c3d2.de";
|
||||
};
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
"hydra7.hq.c3d2.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://172.22.99.245:3000";
|
||||
};
|
||||
"hydra7.y.c3d2.de" = {
|
||||
default = true;
|
||||
addSSL = false;
|
||||
locations."/".proxyPass = "http://172.22.99.245:3000";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
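Review bot: `networking.firewall.enable = false;` switches the container's firewall off entirely where only nginx needs to be reachable; `networking.firewall.allowedTCPPorts = [ 80 443 ];` with the firewall left on exposes the same service and nothing else. The `services.nginx` block sets the gzip and proxy recommendations but not `recommendedTlsSettings = true;`, so the `forceSSL` vhost for `hydra7.hq.c3d2.de` runs with nginx's stock protocol and cipher defaults. `"hydra7.y.c3d2.de"` is `default = true` with `addSSL = false`, so any unmatched Host header on port 80 is proxied to `172.22.99.245:3000` in the clear; if that is intended for the yggdrasil side only, a comment saying so would help the next reader.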
|
|
@ -10,11 +10,12 @@ name:
|
|||
config = { config, pkgs, lib, ... }:
|
||||
let ncdcPort = 1512;
|
||||
in {
|
||||
imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ];
|
||||
imports = [ ../inner-defaults.nix ];
|
||||
|
||||
c3d2 = {
|
||||
users.k-ot = true;
|
||||
hq.statistics.enable = true;
|
||||
hq.yggdrasil.enableGateway = true;
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
@ -23,7 +24,6 @@ name:
|
|||
environment.systemPackages = with pkgs; [ tmux ncdc ];
|
||||
|
||||
networking.firewall.enable = false;
|
||||
hq.yggdrasil.enable = true;
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -7,12 +7,4 @@ in {
|
|||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostBridge = "br0";
|
||||
|
||||
localAddress6 = with builtins; let
|
||||
hash = hashString "sha256" name;
|
||||
hextet0 = substring 0 4 hash;
|
||||
hextet1 = substring 4 4 hash;
|
||||
in "${yggaddr.prefix}:${hextet0}:${hextet1}:c3d2/64";
|
||||
# Generate a deterministic IPv6 address for the container.
|
||||
# This address is accessible within HQ and Yggdrasil but not from ARPANET.
|
||||
}
|
||||
|
|
|
@ -13,6 +13,7 @@ name:
|
|||
c3d2 = {
|
||||
users.k-ot = true;
|
||||
hq.statistics.enable = true;
|
||||
hq.yggdrasil.enableGateway = true;
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
|
@ -20,6 +21,8 @@ name:
|
|||
allowSFTP = true;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [ git borgbackup ];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
package = pkgs.nginx.override {
|
||||
|
@ -45,7 +48,7 @@ name:
|
|||
fancyindex on;
|
||||
# autoindex on;
|
||||
dav_access all:r;
|
||||
'';
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -3,16 +3,21 @@
|
|||
let yggaddr = import ./yggaddr.nix;
|
||||
in {
|
||||
imports = [
|
||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
# <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
../../lib
|
||||
../../lib/default-gateway.nix
|
||||
../../lib/yggdrasil.nix
|
||||
./borgbackup.nix
|
||||
./containers
|
||||
./hardware-configuration.nix
|
||||
./hydra.nix
|
||||
./nix-serve.nix
|
||||
];
|
||||
|
||||
security.acme = {
|
||||
email = " mail@c3d2.de";
|
||||
acceptTerms = true;
|
||||
};
|
||||
|
||||
c3d2 = {
|
||||
users = {
|
||||
emery = true;
|
||||
|
@ -40,20 +45,13 @@ in {
|
|||
];
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
statusPage = true;
|
||||
};
|
||||
|
||||
# Route IPv6
|
||||
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
|
||||
# Obtain global IPv6 despite being a router myself
|
||||
boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;
|
||||
|
||||
services.yggdrasil = {
|
||||
enable = true;
|
||||
configFile = "/var/lib/yggdrasil/keys";
|
||||
config.Peers = [
|
||||
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
|
||||
|
@ -74,28 +72,43 @@ in {
|
|||
|
||||
nix = {
|
||||
package = pkgs.nixFlakes;
|
||||
extraOptions = "experimental-features = nix-command flakes ca-references";
|
||||
gc.automatic = true;
|
||||
optimise.automatic = true;
|
||||
extraOptions = ''
|
||||
experimental-features = nix-command flakes ca-references
|
||||
post-build-hook = ${
|
||||
pkgs.writeScript "post-build-sign-paths" ''
|
||||
#!${pkgs.runtimeShell}
|
||||
nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
|
||||
''
|
||||
}
|
||||
'';
|
||||
};
|
||||
nixpkgs.overlays = [
|
||||
(self: super: {
|
||||
nix = super.nix // { meta.platforms = lib.platforms.linux; };
|
||||
})
|
||||
];
|
||||
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
networking = {
|
||||
firewall.enable = false;
|
||||
firewall.trustedInterfaces = [ "br0" ];
|
||||
hostName = "server7";
|
||||
hostId = "454fe12c";
|
||||
useDHCP = false;
|
||||
bridges.br0.interfaces = [ "enp2s0f0" ];
|
||||
interfaces = {
|
||||
br0 = {
|
||||
useDHCP = true;
|
||||
preferTempAddress = false;
|
||||
tempAddress = "disabled";
|
||||
ipv4.addresses = [{
|
||||
address = "172.22.99.245";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
ipv6.addresses = [{
|
||||
address = yggaddr.prefix + ":1";
|
||||
address = yggaddr.prefix64 + "::1";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
};
|
||||
|
@ -107,19 +120,21 @@ in {
|
|||
boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
|
||||
boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;
|
||||
|
||||
environment.systemPackages = with pkgs; [ tmux htop vim gitMinimal nixfmt ];
|
||||
environment.systemPackages = with pkgs; [
|
||||
tmux
|
||||
htop
|
||||
vim
|
||||
gitMinimal
|
||||
nixfmt
|
||||
zfsStable
|
||||
];
|
||||
|
||||
services.collectd.extraConfig = ''
|
||||
LoadPlugin sensors
|
||||
LoadPlugin memory
|
||||
LoadPlugin irq
|
||||
LoadPlugin thermal
|
||||
LoadPlugin processes
|
||||
LoadPlugin disk
|
||||
LoadPlugin hddtemp
|
||||
LoadPlugin df
|
||||
LoadPlugin cpu
|
||||
LoadPlugin cpufreq
|
||||
LoadPlugin entropy
|
||||
LoadPlugin load
|
||||
LoadPlugin swap
|
||||
|
@ -139,4 +154,9 @@ in {
|
|||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
system.stateVersion = "19.09"; # Did you read the comment?
|
||||
|
||||
users.extraUsers.hydra.openssh.authorizedKeys.keys = [
|
||||
# allow the old hydra to build here
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
|
||||
];
|
||||
}
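Review bot: `email = " mail@c3d2.de";` in the `@ -3,16 +3,21 @@` hunk has a leading space, which the ACME client will send verbatim in the account contact and which other hosts in this commit spell as `"mail@c3d2.de"`; change it to `email = "mail@c3d2.de";`. The `users.extraUsers.hydra.openssh.authorizedKeys.keys` entry in the last hunk grants the old hydra's `root@hydra` key an unrestricted login as `hydra` on server7 although it only needs to run remote builds; prefixing the key with `restrict,command="nix-store --serve --write" ` limits it to that. In the `@ -74,28 +72,43 @@` hunk the `post-build-hook` signs every output this daemon builds with `/var/lib/nix-serve.key`, so a cache signature attests only that server7 built the path, not that the expression was trusted; a comment stating that intent next to the hook would be worth adding. Which of `firewall.enable = false;` and `firewall.trustedInterfaces = [ "br0" ];` survives is not recoverable from the rendering; if it is the former, the same remark as for the hydra7 container applies.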
|
|
@ -4,27 +4,173 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||
];
|
||||
# imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
|
||||
boot.initrd.availableKernelModules =
|
||||
[ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f";
|
||||
fsType = "ext4";
|
||||
};
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/9812-00B2";
|
||||
fsType = "vfat";
|
||||
};
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/9812-00B2";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = {
|
||||
device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1" = {
|
||||
device = "nvme0n1";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = {
|
||||
device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/zones/archive" = {
|
||||
device = "nvme0n1/archive";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = {
|
||||
device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = {
|
||||
device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/zones/global/cores" = {
|
||||
device = "nvme0n1/cores/global";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = {
|
||||
device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = {
|
||||
device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/zones/e71d4460-8eef-6623-a875-dd5ec20b650f/cores" = {
|
||||
device = "nvme0n1/cores/e71d4460-8eef-6623-a875-dd5ec20b650f";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/c3d2.de" = {
|
||||
device = "nvme0n1/c3d2.de";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = {
|
||||
device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f" = {
|
||||
device = "nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = {
|
||||
device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = {
|
||||
device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/c3d2.de/admin" = {
|
||||
device = "nvme0n1/c3d2.de/admin";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/c3d2.de/templates" = {
|
||||
device = "nvme0n1/c3d2.de/templates";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = {
|
||||
device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = {
|
||||
device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = {
|
||||
device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = {
|
||||
device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5" = {
|
||||
device = "nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = {
|
||||
device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3" = {
|
||||
device = "nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = {
|
||||
device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43" = {
|
||||
device = "nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = {
|
||||
device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = {
|
||||
device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/nvme0n1/c3d2.de/iso" = {
|
||||
device = "nvme0n1/c3d2.de/iso";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
nix.maxJobs = lib.mkDefault 20;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
nix.maxJobs = lib.mkDefault 10;
|
||||
nix.buildCores = lib.mkDefault 40;
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
|
||||
}
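Review bot: The thirty-odd `fileSystems."/nvme0n1/…"` and `fileSystems."/zones/…/cores"` stanzas differ only in the dataset name, so building them from a list of dataset names with `lib.genAttrs` or `lib.mapAttrs'` would keep `fsType = "zfs"` in one place and make the hunk reviewable; whether each of these datasets must be in the NixOS mount table at all (a mount that fails typically drops the boot into emergency mode) is not decidable from here and deserves a comment. If this file is still the `nixos-generate-config` output, the hand edits (the commented-out `not-detected.nix` import, `nix.buildCores = lib.mkDefault 40;`, the governor change) are lost on the next regeneration; either move them to configuration.nix or add a header comment stating the file is now hand-maintained. The `lib.mkDefault` on `nix.maxJobs`, `nix.buildCores` and the governor is right, since configuration.nix can still override them.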
|
||||
|
|
|
@ -1,173 +1,28 @@
|
|||
let
|
||||
hydraFlakes = pkgs:
|
||||
with pkgs;
|
||||
let
|
||||
perlDeps = buildEnv {
|
||||
name = "hydra-perl-deps";
|
||||
paths = with perlPackages; [
|
||||
ModulePluggable
|
||||
CatalystActionREST
|
||||
CatalystAuthenticationStoreDBIxClass
|
||||
CatalystDevel
|
||||
CatalystDispatchTypeRegex
|
||||
CatalystPluginAccessLog
|
||||
CatalystPluginAuthorizationRoles
|
||||
CatalystPluginCaptcha
|
||||
CatalystPluginSessionStateCookie
|
||||
CatalystPluginSessionStoreFastMmap
|
||||
CatalystPluginStackTrace
|
||||
CatalystPluginUnicodeEncoding
|
||||
CatalystTraitForRequestProxyBase
|
||||
CatalystViewDownload
|
||||
CatalystViewJSON
|
||||
CatalystViewTT
|
||||
CatalystXScriptServerStarman
|
||||
CatalystXRoleApplicator
|
||||
CryptRandPasswd
|
||||
DBDPg
|
||||
DBDSQLite
|
||||
DataDump
|
||||
DateTime
|
||||
DigestSHA1
|
||||
EmailMIME
|
||||
EmailSender
|
||||
FileSlurp
|
||||
IOCompress
|
||||
IPCRun
|
||||
JSON
|
||||
JSONAny
|
||||
JSONXS
|
||||
LWP
|
||||
LWPProtocolHttps
|
||||
NetAmazonS3
|
||||
NetPrometheus
|
||||
NetStatsd
|
||||
PadWalker
|
||||
Readonly
|
||||
SQLSplitStatement
|
||||
SetScalar
|
||||
Starman
|
||||
SysHostnameLong
|
||||
TermSizeAny
|
||||
TestMore
|
||||
TextDiff
|
||||
TextTable
|
||||
XMLSimple
|
||||
pkgs.nixFlakes
|
||||
pkgs.nixFlakes.perl-bindings
|
||||
git
|
||||
boehmgc
|
||||
];
|
||||
};
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
in stdenv.mkDerivation {
|
||||
|
||||
name = "hydra-flake";
|
||||
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "NixOS";
|
||||
repo = "hydra";
|
||||
rev = "47797576838974c8209536b67bb45e953a50900f";
|
||||
sha256 = "1vqib99d7wgnl3c6ccx0xx2q88qmdkpydkb6gd0pik9wg2nn3jng";
|
||||
};
|
||||
|
||||
buildInputs = [
|
||||
makeWrapper
|
||||
autoconf
|
||||
automake
|
||||
libtool
|
||||
unzip
|
||||
nukeReferences
|
||||
pkgconfig
|
||||
sqlite
|
||||
libpqxx
|
||||
gitAndTools.topGit
|
||||
mercurial
|
||||
darcs
|
||||
subversion
|
||||
bazaar
|
||||
openssl
|
||||
bzip2
|
||||
libxslt
|
||||
guile # optional, for Guile + Guix support
|
||||
perlDeps
|
||||
perl
|
||||
pkgs.nixFlakes
|
||||
postgresql95 # for running the tests
|
||||
boost
|
||||
(nlohmann_json.override { multipleHeaders = true; })
|
||||
];
|
||||
|
||||
hydraPath = lib.makeBinPath ([
|
||||
sqlite
|
||||
subversion
|
||||
openssh
|
||||
pkgs.nixFlakes
|
||||
coreutils
|
||||
findutils
|
||||
pixz
|
||||
gzip
|
||||
bzip2
|
||||
lzma
|
||||
gnutar
|
||||
unzip
|
||||
git
|
||||
gitAndTools.topGit
|
||||
mercurial
|
||||
darcs
|
||||
gnused
|
||||
bazaar
|
||||
] ++ lib.optionals stdenv.isLinux [ rpm dpkg cdrkit ]);
|
||||
|
||||
configureFlags = [ "--with-docbook-xsl=${docbook_xsl}/xml/xsl/docbook" ];
|
||||
|
||||
shellHook = ''
|
||||
PATH=$(pwd)/src/hydra-evaluator:$(pwd)/src/script:$(pwd)/src/hydra-eval-jobs:$(pwd)/src/hydra-queue-runner:$PATH
|
||||
PERL5LIB=$(pwd)/src/lib:$PERL5LIB
|
||||
'';
|
||||
|
||||
preConfigure = "autoreconf -vfi";
|
||||
|
||||
NIX_LDFLAGS = [ "-lpthread" ];
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
preCheck = ''
|
||||
patchShebangs .
|
||||
export LOGNAME=''${LOGNAME:-foo}
|
||||
'';
|
||||
|
||||
postInstall = ''
|
||||
mkdir -p $out/nix-support
|
||||
|
||||
for i in $out/bin/*; do
|
||||
read -n 4 chars < $i
|
||||
if [[ $chars =~ ELF ]]; then continue; fi
|
||||
wrapProgram $i \
|
||||
--prefix PERL5LIB ':' $out/libexec/hydra/lib:$PERL5LIB \
|
||||
--prefix PATH ':' $out/bin:$hydraPath \
|
||||
--set HYDRA_RELEASE 0.1 \
|
||||
--set HYDRA_HOME $out/libexec/hydra \
|
||||
--set NIX_RELEASE ${pkgs.nixFlakes.name or "unknown"}
|
||||
done
|
||||
'';
|
||||
|
||||
dontStrip = true;
|
||||
|
||||
meta.description = "Build of Hydra on ${system}";
|
||||
passthru.perlDeps = perlDeps;
|
||||
};
|
||||
in { config, pkgs, ... }: {
|
||||
|
||||
services.hydra = {
|
||||
{
|
||||
services.hydra-dev = {
|
||||
enable = true;
|
||||
debugServer = true;
|
||||
extraEnv.HYDRA_DEBUG = "1";
|
||||
hydraURL = "https://server7.hq.c3d2.de";
|
||||
logo = ./hydra.svg;
|
||||
notificationSender = "hydra@spam.works";
|
||||
package = hydraFlakes pkgs;
|
||||
listenHost = "127.0.0.1";
|
||||
# package = pkgs.hydra-unstable;
|
||||
listenHost = "172.22.99.245";
|
||||
# listenHost = "*";
|
||||
useSubstitutes = true;
|
||||
minimumDiskFree = 2;
|
||||
minimumDiskFreeEvaluator = 2;
|
||||
extraConfig = ''
|
||||
<sotest>
|
||||
authfile = /var/lib/hydra/sotest.auth
|
||||
</sotest>
|
||||
'';
|
||||
};
|
||||
|
||||
nix.trustedUsers = [ "hydra" ];
|
||||
|
||||
nix.buildMachines = [{
|
||||
hostName = "localhost";
|
||||
system = "x86_64-linux";
|
||||
|
@ -175,18 +30,20 @@ in { config, pkgs, ... }: {
|
|||
maxJobs = 8;
|
||||
}];
|
||||
|
||||
nix.binaryCachePublicKeys =
|
||||
[ "nix-serve.hq.c3d2.de-2:elqZouiiQP4XNfmEekwXH/YRPL1pXlN5JgVSzT1Ctoc=" ];
|
||||
nix.binaryCaches = [ "http://nix-serve.hq.c3d2.de" ];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"server7.hq.c3d2.de" = {
|
||||
default = true;
|
||||
addSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass =
|
||||
"http://127.0.0.1:${toString config.services.hydra.port}";
|
||||
globalRedirect = "hydra7.hq.c3d2.de";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
}
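Review bot: The nginx vhost for server7.hq.c3d2.de pairs `locations."/".proxyPass` with `globalRedirect = "hydra7.hq.c3d2.de"`; as far as I recall the NixOS module renders `globalRedirect` as a server-level `return 301`, which wins over every location block, so the proxy to Hydra would never be reached — whichever of the two is the new line, they cannot both be intended. The proxy target is also out of step with the service: it points at 127.0.0.1 while the new `listenHost = "172.22.99.245";` binds Hydra to the LAN address, and it reads `config.services.hydra.port` although the block was switched to `services.hydra-dev`. Binding to 172.22.99.245 exposes the plain-HTTP Hydra listener directly on the HQ network next to the TLS front end, and the unchanged `debugServer = true;` / `extraEnv.HYDRA_DEBUG = "1";` then apply to a host with an ACME-issued public certificate. I would keep `listenHost = "127.0.0.1";`, point the proxy at `config.services.hydra-dev.port` if that module exposes the same option, and drop `globalRedirect` unless the redirect is meant to replace the proxy. The sides of the changed lines cannot be recovered from this rendered view, so please re-check which of these are actually on the new side.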
|
||||
|
|
|
@ -15,7 +15,9 @@
|
|||
addSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass =
|
||||
"http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
|
||||
"http://${config.services.nix-serve.bindAddress}:${
|
||||
toString config.services.nix-serve.port
|
||||
}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
address = "210:5217:69c0:9afc:1b95:b9f:8718:c3d2";
|
||||
prefix = "310:5217:69c0:9afc:";
|
||||
prefix64 = "310:5217:69c0:9afc";
|
||||
}
|
||||
|
|
|
@ -16,6 +16,7 @@ let
|
|||
url = "https://github.com/NixOS/nixpkgs.git";
|
||||
};
|
||||
nixos-config.file = toString (./hosts + "/${path}/configuration.nix");
|
||||
this-host.file = toString (./hosts + "/${path}");
|
||||
lib.file = toString ./lib;
|
||||
secrets.file = toString ./secrets;
|
||||
"host-registry.nix".file = toString ./host-registry.nix;
|
||||
|
|
|
@ -8,6 +8,8 @@ let
|
|||
hqPrefix64 = "fd23:42:c3d2:523";
|
||||
# TODO: Is this stable? Is there a better place to specifiy this?
|
||||
|
||||
server7Ygg = import ../hosts/server7/yggaddr.nix;
|
||||
|
||||
# Generate a deterministic IPv6 address for a 64 bit prefix
|
||||
# and seed string. Prefix must not contain trailing ':'.
|
||||
toIpv6Address = prefix64: seed:
|
||||
|
@ -21,14 +23,9 @@ let
|
|||
# for the HQ networking using a seed string.
|
||||
toHqPrivateAddress = toIpv6Address hqPrefix64;
|
||||
|
||||
/* # Generate a deterministic public IPv6 addresses
|
||||
# for the HQ networking using a seed string.
|
||||
toHqPublicAddress = toIpv6Address publicPrefix64;
|
||||
toServer7Address = toIpv6Address server7Ygg.prefix64;
|
||||
|
||||
# Generate a deterministic public IPv6 addresses
|
||||
# for the HQ networking using a seed string.
|
||||
toserver7YggdrasilAddress = toIpv6Address server7YggrasilPrefix64;
|
||||
*/
|
||||
# toHqPublicAddress = toIpv6Address publicPrefix64;
|
||||
|
||||
cfg = config.c3d2;
|
||||
|
||||
|
@ -106,6 +103,8 @@ in {
|
|||
description = "Whether to proxy the local MPD database";
|
||||
};
|
||||
|
||||
yggdrasil.enableGateway = mkEnableOption
|
||||
"Whether to join the host to the Yggdrasil network via a gateway";
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -118,7 +117,8 @@ in {
|
|||
# Configuration specific to this machine
|
||||
|
||||
assertions = [
|
||||
{ assertion = cfg.isInHq -> (config.users.users.root.password == null);
|
||||
{
|
||||
assertion = cfg.isInHq -> (config.users.users.root.password == null);
|
||||
message = "Root passwords not allowed in HQ";
|
||||
}
|
||||
{
|
||||
|
@ -166,10 +166,16 @@ in {
|
|||
host.ip6
|
||||
else
|
||||
toHqPrivateAddress hostName;
|
||||
in [{
|
||||
name = ip6;
|
||||
value = [ "${hostName}.hq" hostName ];
|
||||
}] ++ lib.optional (hasAttr "ip4" host) {
|
||||
in [
|
||||
{
|
||||
name = ip6;
|
||||
value = [ "${hostName}.hq" hostName ];
|
||||
}
|
||||
{
|
||||
name = toServer7Address hostName;
|
||||
value = [ "${hostName}.y.c3d2.de" "${hostName}.y" ];
|
||||
}
|
||||
] ++ lib.optional (hasAttr "ip4" host) {
|
||||
name = host.ip4;
|
||||
value = [ "${hostName}.hq" hostName ];
|
||||
};
|
||||
|
@ -196,7 +202,16 @@ in {
|
|||
ipv6.addresses = [{
|
||||
address = toHqPrivateAddress config.networking.hostName;
|
||||
prefixLength = 64;
|
||||
}];
|
||||
}] ++ lib.optional (cfg.hq.yggdrasil.enableGateway) {
|
||||
address = toServer7Address config.networking.hostName;
|
||||
prefixLength = 64;
|
||||
};
|
||||
ipv6.routes = lib.optional (cfg.hq.yggdrasil.enableGateway) {
|
||||
address = "200::";
|
||||
options.pref = "low";
|
||||
prefixLength = 7;
|
||||
via = server7Ygg.prefix64 + "::1";
|
||||
};
|
||||
};
|
||||
});
|
||||
|
||||
|
@ -231,17 +246,31 @@ in {
|
|||
|
||||
services.collectd = lib.mkIf cfg.hq.statistics.enable {
|
||||
enable = true;
|
||||
autoLoadPlugin = true;
|
||||
extraConfig = ''
|
||||
HostName "${config.networking.hostName}"
|
||||
FQDNLookup false
|
||||
Interval 10
|
||||
|
||||
LoadPlugin network
|
||||
<Plugin "network">
|
||||
Server "grafana.hq" "25826"
|
||||
</Plugin>
|
||||
'';
|
||||
buildMinimalPackage = true;
|
||||
plugins = {
|
||||
logfile = ''
|
||||
LogLevel info
|
||||
File STDOUT
|
||||
'';
|
||||
network = ''
|
||||
Server "grafana.hq.c3d2.de" "25826"
|
||||
'';
|
||||
memory = "";
|
||||
processes = "";
|
||||
disk = "";
|
||||
df = "";
|
||||
cpu = "";
|
||||
entropy = "";
|
||||
load = "";
|
||||
swap = "";
|
||||
cgroups = "";
|
||||
vmem = "";
|
||||
interface = "";
|
||||
};
|
||||
};
|
||||
|
||||
services.hail = lib.mkIf cfg.enableHail {
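Review bot: In the hosts hunk (`@ -166,10 +166,16 @@`) the new `${hostName}.y.c3d2.de` / `${hostName}.y` entries are emitted for every host in the registry, but the address they resolve to, `toServer7Address hostName`, is only configured on hosts that set `c3d2.hq.yggdrasil.enableGateway` (the `@ -196,7 +202,16 @@` hunk), so on every other host the name points at an address nobody answers on. If the registry carries a per-host flag, gate the entry with `lib.optional`; otherwise a comment such as `# only reachable for hosts with c3d2.hq.yggdrasil.enableGateway set` would at least document the gap. In the collectd hunk the network plugin sends to `grafana.hq.c3d2.de` on 25826 with no `SecurityLevel`, so metrics leave the host unsigned and unencrypted and the receiver cannot distinguish them from spoofed data; collectd's network plugin accepts `SecurityLevel Sign` or `Encrypt` with `Username`/`Password` inside the `<Server>` block, and that is where I would add it, keeping the credential out of the world-readable Nix store (e.g. via an `Include` of a root-only file) rather than inline in `plugins.network`. The enclosing `let` and module body start before the first hunk and continue past the last.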
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
# Please import only things that are configurable and OFF BY DEFAULT!
|
||||
imports = [ ./yggdrasil-hq.nix ];
|
||||
|
||||
}
|
|
@ -4,7 +4,6 @@
|
|||
imports =
|
||||
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||
<nixpkgs/nixos/modules/profiles/docker-container.nix>
|
||||
./hq.nix
|
||||
];
|
||||
|
||||
networking.networkmanager.dns = "unbound";
|
||||
|
|
|
@ -3,8 +3,11 @@
|
|||
with lib;
|
||||
|
||||
let
|
||||
nixcloud-webservices = builtins.fetchGit {
|
||||
url = "https://github.com/nixcloud/nixcloud-webservices.git";
|
||||
nixcloud-webservices = pkgs.fetchFromGitHub {
|
||||
owner = "nixcloud";
|
||||
repo = "nixcloud-webservices";
|
||||
rev = "3a0767f0536fac811065eb87e6342f27eac085aa";
|
||||
sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8=";
|
||||
};
|
||||
nixcloud = (
|
||||
import "${nixcloud-webservices}/pkgs" { inherit pkgs; }
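Review bot: The `sha256` added in this hunk is a bare base64 digest, which Nix accepts but which does not say which algorithm or encoding it is, and nothing records how the value was obtained. A one-line comment above `rev` such as `# pinned for reproducibility; bump rev and re-run nix-prefetch-url --unpack on the GitHub tarball to refresh sha256` would make the next update straightforward. The enclosing `let` starts before the hunk and the use of `nixcloud` continues past it.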
|
||||
|
|
|
@ -4,6 +4,7 @@ let
|
|||
keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery@nixos"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVmyXQNE5IhcFdAWNfd4Cgg+rc+z/uClSQdPcaAVbYf emery@nixos"
|
||||
"ssh-rsa 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 root@bigpad"
|
||||
];
|
||||
in {
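Review bot: The key added at the top of the hunk is labelled `root@bigpad`, which reads as a machine-to-machine key rather than a person's, and unlike the two existing ed25519 entries it is RSA, whose strength depends on a key length this view does not show. If this list ends up in `authorized_keys` and the key is meant for automated access, consider prefixing it with `restrict`, `from=` or `command=` options, and record in a comment what bigpad uses it for so it can be rotated or removed later, e.g. `# root@bigpad: <purpose> — TODO confirm`. How `keys` is consumed is outside the hunk (the enclosing `let` starts before it), so whether those options can be expressed here is not visible.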
|
||||
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.hq.yggdrasil;
|
||||
hostNameHash = builtins.hashString "sha256" config.networking.hostName;
|
||||
hextets = map (i: substring (4 * i) 4 hostNameHash) [ 0 1 2 3 ];
|
||||
hostAddr = concatStringsSep ":" hextets;
|
||||
in {
|
||||
options = with types; {
|
||||
hq.yggdrasil = {
|
||||
enable =
|
||||
mkEnableOption "Configure Yggdrasil access via the Yggdrasil router";
|
||||
|
||||
interface = mkOption {
|
||||
type = nullOr str;
|
||||
default = "eth0";
|
||||
description = "Network interface to the C3D2 HQ ethernet";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
networking.interfaces = {
|
||||
"${cfg.interface}" = {
|
||||
"ipv6" = {
|
||||
addresses = [{
|
||||
address = "310:5217:69c0:9afc:${hostAddr}";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
routes = [{
|
||||
address = "200::";
|
||||
prefixLength = 7;
|
||||
via = "310:5217:69c0:9afc::1";
|
||||
}];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,185 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.services.yggdrasil;
|
||||
configProvided = (cfg.config != { });
|
||||
configAsFile = (if configProvided then
|
||||
toString (pkgs.writeTextFile {
|
||||
name = "yggdrasil-conf";
|
||||
text = builtins.toJSON cfg.config;
|
||||
})
|
||||
else
|
||||
null);
|
||||
configFileProvided = (cfg.configFile != null);
|
||||
generateConfig = (if configProvided && configFileProvided then
|
||||
"${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}"
|
||||
else if configProvided then
|
||||
"cat ${configAsFile}"
|
||||
else if configFileProvided then
|
||||
"cat ${cfg.configFile}"
|
||||
else
|
||||
"${cfg.package}/bin/yggdrasil -genconf");
|
||||
|
||||
in {
|
||||
options = with types; {
|
||||
services.yggdrasil = {
|
||||
enable = mkEnableOption "the yggdrasil system service";
|
||||
|
||||
configFile = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
example = "/run/keys/yggdrasil.conf";
|
||||
description = ''
|
||||
A file which contains JSON configuration for yggdrasil.
|
||||
|
||||
You do not have to supply a complete configuration, as
|
||||
yggdrasil will use default values for anything which is
|
||||
omitted. If the encryption and signing keys are omitted,
|
||||
yggdrasil will generate new ones each time the service is
|
||||
started, resulting in a random IPv6 address on the yggdrasil
|
||||
network each time.
|
||||
|
||||
If both this option and <option>config</option> are
|
||||
supplied, they will be combined, with values from
|
||||
<option>config</option> taking precedence.
|
||||
|
||||
You can use the command <code>nix-shell -p yggdrasil --run
|
||||
"yggdrasil -genconf -json"</code> to generate a default
|
||||
JSON configuration.
|
||||
'';
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
type = attrs;
|
||||
default = { };
|
||||
example = {
|
||||
Peers = [
|
||||
"tcp://aa.bb.cc.dd:eeeee"
|
||||
"tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff"
|
||||
];
|
||||
Listen = [ "tcp://0.0.0.0:xxxxx" ];
|
||||
};
|
||||
description = ''
|
||||
Configuration for yggdrasil, as a Nix attribute set.
|
||||
|
||||
Warning: this is stored in the WORLD-READABLE Nix store!
|
||||
Therefore, it is not appropriate for private keys. If you
|
||||
do not specify the keys, yggdrasil will generate a new set
|
||||
each time the service is started, creating a random IPv6
|
||||
address on the yggdrasil network each time.
|
||||
|
||||
If you wish to specify the keys, use
|
||||
<option>configFile</option>. If both
|
||||
<option>configFile</option> and <option>config</option> are
|
||||
supplied, they will be combined, with values from
|
||||
<option>config</option> taking precedence.
|
||||
|
||||
You can use the command <code>nix-shell -p yggdrasil --run
|
||||
"yggdrasil -genconf"</code> to generate default
|
||||
configuration values with documentation.
|
||||
'';
|
||||
};
|
||||
|
||||
openMulticastPort = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to open the UDP port used for multicast peer
|
||||
discovery. The NixOS firewall blocks link-local
|
||||
communication, so in order to make local peering work you
|
||||
will also need to set <code>LinkLocalTCPPort</code> in your
|
||||
yggdrasil configuration (<option>config</option> or
|
||||
<option>configFile</option>) to a port number other than 0,
|
||||
and then add that port to
|
||||
<option>networking.firewall.allowedTCPPorts</option>.
|
||||
'';
|
||||
};
|
||||
|
||||
denyDhcpcdInterfaces = mkOption {
|
||||
type = listOf str;
|
||||
default = [ ];
|
||||
example = [ "tap*" ];
|
||||
description = ''
|
||||
Disable the DHCP client for any interface whose name matches
|
||||
any of the shell glob patterns in this list. Use this
|
||||
option to prevent the DHCP client from broadcasting requests
|
||||
on the yggdrasil network. It is only necessary to do so
|
||||
when yggdrasil is running in TAP mode, because TUN
|
||||
interfaces do not support broadcasting.
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = package;
|
||||
default = pkgs.yggdrasil;
|
||||
defaultText = "pkgs.yggdrasil";
|
||||
description = "Yggdrasil package to use.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = [{
|
||||
assertion = config.networking.enableIPv6;
|
||||
message = "networking.enableIPv6 must be true for yggdrasil to work";
|
||||
}];
|
||||
|
||||
systemd.services.yggdrasil = {
|
||||
description = "Yggdrasil Network Service";
|
||||
path = [ cfg.package ]
|
||||
++ optional (configProvided && configFileProvided) pkgs.jq;
|
||||
bindsTo = [ "network-online.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
preStart = ''
|
||||
${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart =
|
||||
"${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
Restart = "always";
|
||||
|
||||
RuntimeDirectory = "yggdrasil";
|
||||
RuntimeDirectoryMode = "0700";
|
||||
BindReadOnlyPaths = mkIf configFileProvided [ "${cfg.configFile}" ];
|
||||
|
||||
# TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails
|
||||
# to set up the network adapter when DynamicUser is set. See
|
||||
# github.com/yggdrasil-network/yggdrasil-go/issues/557. The
|
||||
# following options are implied by DynamicUser according to
|
||||
# the systemd.exec documentation, and can be removed if the
|
||||
# upstream issue is fixed and DynamicUser is set to true:
|
||||
PrivateTmp = true;
|
||||
RemoveIPC = true;
|
||||
NoNewPrivileges = true;
|
||||
ProtectSystem = "strict";
|
||||
RestrictSUIDSGID = true;
|
||||
# End of list of options implied by DynamicUser.
|
||||
|
||||
AmbientCapabilities = "CAP_NET_ADMIN";
|
||||
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
||||
MemoryDenyWriteExecute = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = "tmpfs";
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter =
|
||||
"~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
|
||||
};
|
||||
};
|
||||
|
||||
networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces;
|
||||
networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ];
|
||||
|
||||
# Make yggdrasilctl available on the command line.
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
};
|
||||
meta.maintainers = with lib.maintainers; [ gazally ];
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
{ config, ... }: {
|
||||
imports = [ ./yggdrasil-service.nix ];
|
||||
|
||||
services.yggdrasil = {
|
||||
enable = true;
|
||||
package = (import <nixpkgs-unstable> { }).yggdrasil;
|
||||
openMulticastPort = true;
|
||||
config.NodeInfo = {
|
||||
name = config.networking.hostName + ".c3d2";
|
||||
location = "Dresden";
|
||||
};
|
||||
};
|
||||
}
|
2
secrets
2
secrets
|
@ -1 +1 @@
|
|||
Subproject commit 35a994c6ea2f2720e8ec045ea1369163ea69a35f
|
||||
Subproject commit eb06c122762133b7831475615b1a3b039eaa389e
|