Merge branch 'master' of ssh://gitea.c3d2.de:2222/C3D2/nix-config

This commit is contained in:
Daniel Poelzleithner 2020-05-15 10:46:58 +02:00
commit e179dbe0f7
35 changed files with 716 additions and 592 deletions

105
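--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,105 @@
+{
+"nodes": {
+"hydra": {
+"info": {
+"lastModified": 1587883324,
+"narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus="
+},
+"inputs": {
+"nix": "nix",
+"nixpkgs": "nixpkgs_2"
+},
+"locked": {
+"owner": "ehmry",
+"repo": "hydra",
+"rev": "e93c36aab1bf96cf392ab0e40157b0620638b599",
+"type": "github"
+},
+"original": {
+"owner": "ehmry",
+"ref": "sotest",
+"repo": "hydra",
+"type": "github"
+}
+},
+"nix": {
+"info": {
+"lastModified": 1586440843,
+"narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo="
+},
+"inputs": {
+"nixpkgs": "nixpkgs"
+},
+"locked": {
+"owner": "NixOS",
+"repo": "nix",
+"rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef",
+"type": "github"
+},
+"original": {
+"id": "nix",
+"type": "indirect"
+}
+},
+"nixpkgs": {
+"info": {
+"lastModified": 1585405475,
+"narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE="
+},
+"locked": {
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be",
+"type": "github"
+},
+"original": {
+"id": "nixpkgs",
+"ref": "nixos-20.03-small",
+"type": "indirect"
+}
+},
+"nixpkgs_2": {
+"info": {
+"lastModified": 1586219474,
+"narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78="
+},
+"locked": {
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "29eddfc36d720dcc4822581175217543b387b1e8",
+"type": "github"
+},
+"original": {
+"id": "nixpkgs",
+"ref": "nixos-20.03",
+"type": "indirect"
+}
+},
+"nixpkgs_3": {
+"info": {
+"lastModified": 1586724123,
+"narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo="
+},
+"locked": {
+"owner": "nixos",
+"repo": "nixpkgs-channels",
+"rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-20.03",
+"repo": "nixpkgs-channels",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"hydra": "hydra",
+"nixpkgs": "nixpkgs_3"
+}
+}
+},
+"root": "root",
+"version": 5
+}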

33
flake.nix Normal file

@ -0,0 +1,33 @@
{
description = "C3D2 NixOS configurations";
edition = 201909;
inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03";
inputs.hydra.url = "github:ehmry/hydra/sotest";
outputs = { self, nixpkgs, hydra }: {
nixosConfigurations = {
server7 = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
system = "x86_64-linux";
};
hydra = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/hydra/configuration.nix ];
system = "x86_64-linux";
};
pulsebert = nixpkgs.lib.nixosSystem {
modules = [ ./hosts/pulsebert/configuration.nix ];
system = "x86_64-linux";
};
};
nixosModules.c3d2 = import ./lib;
};
}
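Review bot: The `hydra` input points at a fork branch (`github:ehmry/hydra/sotest`) and nothing in flake.nix says why upstream is not used; a comment such as `# fork carrying the sotest plugin consumed by the hydra-dev extraConfig` would save the next reader a search. A branch ref like `sotest` moves, so it is the `rev`/`narHash` recorded in flake.lock that actually pins the build, and any change on that branch only lands after a deliberate lock update. `edition = 201909;` is the early flake-schema attribute; newer Nix may reject unknown top-level attributes, so confirm it against the pinned nix before keeping it.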


@ -13,6 +13,7 @@ rec {
hydra.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig";
hydra7 = { };
mpd-index = { };
nfs = { };
ncdc.publicKey =


@ -70,6 +70,30 @@ in {
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
};
networking.wireguard = {
enable = true;
interfaces =
let
wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
in
builtins.mapAttrs (name: conf: {
inherit (conf.wireguard) listenPort privateKey;
ips = [ "${address4}/32" "${address6}/64" ];
allowedIPsAsRoutes = false;
postSetup = ''
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
'';
peers = [ ({
inherit (conf.wireguard) publicKey;
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
persistentKeepalive = 30;
} // (lib.optionalAttrs (conf.wireguard ? endpoint) {
inherit (conf.wireguard) endpoint;
})) ];
}) wireguardNeighbors;
};
services.bird2 = {
enable = true;
config =
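Review bot: `inherit (conf.wireguard) listenPort privateKey;` copies each interface's private key into the evaluated configuration, which ends up as a world-readable file in /nix/store; the NixOS wireguard module offers `privateKeyFile` for exactly this reason, so the neighbour definitions should carry a path to a key deployed out of band (the repo appears to already have a `secrets` directory for krops) and the line becomes `inherit (conf.wireguard) listenPort privateKeyFile;`. With `allowedIPs = [ "0.0.0.0/0" "::0/0" ]` and `allowedIPsAsRoutes = false` every peer is accepted for any source address and routing is delegated to bird2, which is reasonable for a DN42 setup but deserves a one-line comment so nobody later flips `allowedIPsAsRoutes` back on and installs default routes. The enclosing attribute set starts before the hunk.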


@ -19,7 +19,8 @@
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.useNetworkd = true;
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
networking.defaultGateway = "172.20.73.1";
services.resolved.enable = false;
# Set your time zone.
@ -39,7 +40,7 @@
# Create a few files early before packing tarball for Proxmox
# architecture/OS detection.
system.extraSystemBuilderCmds =
system.extraSystemBuilderCmds =
''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
@ -85,22 +86,25 @@
"1.1.1.1@853" #cloudflare-dns.com
"2606:4700:4700::1111@853" #cloudflare-dns.com
"1.0.0.1@853" #cloudflare-dns.com
"2606:4700:4700::1001@853" #cloudflare-dns.com
"2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com
];
extraConfig = ''
server:
ssl-upstream: yes
domain-insecure: "dn42"
domain-insecure: "20.172.in-addr.arpa"
domain-insecure: "21.172.in-addr.arpa"
domain-insecure: "22.172.in-addr.arpa"
domain-insecure: "23.172.in-addr.arpa"
domain-insecure: "d.f.ip6.arpa"
domain-insecure: "ffdd"
domain-insecure: "200.10.in-addr.arpa"
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "d.f.ip6.arpa." nodefault
local-zone: "ffdd." nodefault
local-zone: "200.10.in-addr.arpa." nodefault
remote-control:
control-enable: yes
@ -109,36 +113,71 @@
control-key-file: /var/lib/unbound/unbound_control.key
control-cert-file: /var/lib/unbound/unbound_control.pem
forward-zone:
name: "99.22.172.in-addr.arpa"
forward-host: "ns.c3d2.de"
forward-zone:
forward-zone:
name: "zentralwerk.dn42"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "72.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "73.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "74.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "75.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "76.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "77.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "dn42"
forward-addr: fd42:d42:d42:53::1
forward-addr: 172.23.0.53
forward-zone:
forward-zone:
name: "20.172.in-addr.arpa"
forward-addr: fd42:d42:d42:53::1
forward-addr: 172.23.0.53
forward-zone:
forward-zone:
name: "21.172.in-addr.arpa"
forward-addr: fd42:d42:d42:53::1
forward-addr: 172.23.0.53
forward-zone:
forward-zone:
name: "22.172.in-addr.arpa"
forward-addr: fd42:d42:d42:53::1
forward-addr: 172.23.0.53
forward-zone:
forward-zone:
name: "23.172.in-addr.arpa"
forward-addr: fd42:d42:d42:53::1
forward-addr: 172.23.0.53
forward-zone:
name: "d.f.ip6.arpa"
forward-addr: fd42:d42:d42:53::1
forward-addr: 172.23.0.53
forward-zone:
name: "ffdd"
forward-addr: 10.200.0.4
forward-addr: 10.200.0.16
forward-zone:
name: "200.10.in-addr.arpa"
forward-addr: 10.200.0.4
forward-addr: 10.200.0.16
'';
};
@ -150,7 +189,7 @@
memory = "";
interface = "";
load = "";
exec =
exec =
let
unboundScript = builtins.toFile "unbound.rb" ''
loop do
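Review bot: `ssl-upstream: yes` (and the `forward-ssl-upstream: yes` smuggled into the last forwardAddresses entry through an embedded newline) move the Cloudflare forwarders to DNS-over-TLS, but no `tls-cert-bundle` is set and the `@853` addresses carry no `#cloudflare-dns.com` authentication name, so unbound encrypts the transport without verifying the peer; add `tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt` under `server:` (the system CA bundle path on NixOS) and append `#cloudflare-dns.com` to each `@853` entry, which the trailing Nix comments already spell out. The `"...@853\n forward-ssl-upstream: yes"` trick depends on how the module lays out the generated forward-zone and breaks silently if that formatting changes; a comment saying so, or moving these forwarders into `extraConfig`, would make it less surprising. Whether the global `ssl-upstream` also applies to the plain port-53 DN42 forwarders (`172.23.0.53`, `fd42:d42:d42:53::1`) is worth verifying on the host, since those would then fail. The unbound block continues past the hunk.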


@ -0,0 +1,18 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>http://c3d2.ffdd</title>
</head>
<body>
<h1>Chaos Computer Club Dresden</h1>
<h2>Router zu Freifunk Dresden</h2>
<ul>
<li><a href="https://www.c3d2.de/">Homepage</a></li>
<li><a href="https://www.c3d2.de/space.html">Räumlichkeiten</a></li>
<li><a href="https://gitea.c3d2.de/C3D2/nix-config/src/branch/master/hosts/containers/freifunk/configuration.nix">Konfiguration dieses Servers</a></li>
<li><a href="http://grafana.hq.c3d2.ffdd/">Lokales Grafana über Freifunk</a></li>
</ul>
</body>
</html>


@ -1,60 +0,0 @@
{ config, pkgs, lib, ... }:
let
meshInterface = "bmx";
in {
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
<lib>
<lib/lxc-container.nix>
<lib/shared.nix>
];
c3d2 = {
isInHq = false;
enableHail = false;
};
networking.hostName = "freifunk";
networking.useNetworkd = true;
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
# Required for krops
services.openssh.enable = true;
environment.systemPackages = with pkgs; [ git tcpdump ];
systemd.network.networks = {
"10-bmx" = {
enable = true;
matchConfig = { Name = meshInterface; };
networkConfig = {
Address = "10.200.0.15/16";
};
};
"20-core" = {
enable = true;
matchConfig = { Name = "core"; };
networkConfig = {
Address = "172.20.72.40/26";
Gateway = "172.20.72.7";
};
};
};
systemd.services.bmxd =
let
bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; };
in {
after = [ "systemd-networkd.service" ];
wantedBy = [ "network.target" ];
serviceConfig = {
ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0";
Restart = "always";
};
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "20.03"; # Did you read the comment?
}


@ -0,0 +1,70 @@
{ pkgs ? import <nixpkgs> {},
ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git",
bmxd,
ddmeshNode,
... }:
with pkgs;
let
nvram = {
ddmesh_node = toString ddmeshNode;
city = "Dresden";
autoupdate = "0";
contact_name = "C3D2";
contact_location = "Zentralwerk";
contact_email = "astro@spaceboyz.net";
contact_note = "http://www.c3d2.ffdd/";
gps_latitude = "51.0810624";
gps_longitude = "13.7285866";
gps_altitude = "100";
};
in
stdenv.mkDerivation {
name = "sysinfo-json";
src = "${ffdd-server}/salt/freifunk/base/ddmesh/";
buildPhase = ''
cat > bmxddump.sh <<EOF
#!${bash}/bin/bash
DB_PATH=/var/lib/freifunk/bmxd
mkdir -p \$DB_PATH
${bmxd}/sbin/bmxd -c --gateways > \$DB_PATH/gateways
${bmxd}/sbin/bmxd -c --links > \$DB_PATH/links
${bmxd}/sbin/bmxd -c --originators > \$DB_PATH/originators
${bmxd}/sbin/bmxd -c --status > \$DB_PATH/status
#${bmxd}/sbin/bmxd -c --networks > \$DB_PATH/networks
${bmxd}/sbin/bmxd -ci > \$DB_PATH/info
EOF
cat > lsb_release <<EOF
#!${bash}/bin/bash
${lsb-release}/bin/lsb_release \$@ | \
${gnused}/bin/sed -e 's/"//g'
EOF
substitute usr/local/bin/ddmesh-ipcalc.sh ddmesh-ipcalc.sh \
--replace awk ${gawk}/bin/awk
substitute var/www_freifunk/sysinfo-json.cgi sysinfo-json.cgi \
--replace "echo 'Content-Type: application/json;charset=UTF-8'" "" \
--replace '"node_type":"server"' '"node_type":"node"' \
--replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \
--replace lsb_release $out/bin/lsb_release \
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"} 0 \
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"} 0 \
--replace 'nettype_lookup[$2]' '"lan"' \
--replace awk ${gawk}/bin/awk
'' +
lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n"
) nvram);
installPhase = ''
pwd
mkdir -p $out/bin
ls -la
install -m 0755 sysinfo-json.cgi $out/bin/
install -m 0755 ddmesh-ipcalc.sh $out/bin/
install -m 0755 bmxddump.sh $out/bin/
install -m 0755 lsb_release $out/bin/
'';
}
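Review bot: `ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"` fetches whatever the default branch points at right now, so the CGI script and helpers installed into `$out/bin` come from unreviewed upstream HEAD and the build is not reproducible; pin it, e.g. `builtins.fetchGit { url = "https://github.com/Freifunk-Dresden/ffdd-server.git"; rev = "<pinned commit>"; }` (placeholder), and bump on purpose. The `substitute` chain does not fail when a pattern stops matching, so a future upstream change could leave the `sudo /sbin/iptables` or `$(nvram get ...)` calls in the installed script; a guard such as `grep -q 'nvram get' sysinfo-json.cgi && exit 1` after the substitutions makes that visible at build time. `pwd` and `ls -la` in installPhase look like debugging leftovers.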


@ -9,7 +9,6 @@
[ ../../lib/lxc-container.nix
../../lib/shared.nix
../../lib/admins.nix
../../lib/hq.nix
<nixpkgs/nixos/modules/profiles/minimal.nix>
];


@ -45,10 +45,6 @@
script = "xerox";
host = "roxi.hq.c3d2.de";
};
scrape-luftdaten = makeService {
script = "luftdaten";
host = "";
};
scrape-fhem = makeService {
script = "fhem";
host = "fhem.hq.c3d2.de";
@ -59,6 +55,30 @@
host = "matemat.hq.c3d2.de";
inherit (matematLogin) user password;
};
scrape-node1139 = makeService {
script = "freifunk_node";
host = "10.200.4.120";
};
scrape-node1487 = makeService {
script = "freifunk_node";
host = "10.200.5.213";
};
scrape-node1884 = makeService {
script = "freifunk_node";
host = "10.200.7.100";
};
scrape-node1891 = makeService {
script = "freifunk_node";
host = "10.200.7.107";
};
scrape-node1768 = makeService {
script = "freifunk_node";
host = "10.200.6.239";
};
scrape-node1176 = makeService {
script = "freifunk_node";
host = "10.200.7.80";
};
};
systemd.timers.scrape-xeri = {
partOf = [ "scrape-xeri.service" ];
@ -70,11 +90,6 @@
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-luftdaten = {
partOf = [ "scrape-luftdaten.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-fhem = {
partOf = [ "scrape-fhem.service" ];
wantedBy = [ "timers.target" ];
@ -85,6 +100,36 @@
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1139 = {
partOf = [ "scrape-node1139.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1487 = {
partOf = [ "scrape-node1487.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1884 = {
partOf = [ "scrape-node1884.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1891 = {
partOf = [ "scrape-node1894.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1768 = {
partOf = [ "scrape-node1768.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.timers.scrape-node1176 = {
partOf = [ "scrape-node1176.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
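Review bot: `partOf = [ "scrape-node1894.service" ];` inside `systemd.timers.scrape-node1891` names a service that is not defined anywhere (the matching service above is `scrape-node1891`); the timer still triggers `scrape-node1891.service` by name, but the PartOf relationship is dead, so it should read `partOf = [ "scrape-node1891.service" ];`. The six node service/timer pairs differ only in node id and address, so generating both attribute sets from one id-to-address map with `lib.mapAttrs'` would make this kind of copy-paste mismatch impossible. The systemd timer definitions continue past the hunk.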


@ -2,12 +2,9 @@
{
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
./hydra.nix
./cache.nix
../../lib
../../lib/hq.nix
../../lib/yggdrasil.nix
];
c3d2 = {
@ -18,26 +15,17 @@
isInHq = true;
mapHqHosts = true;
hq.interface = "eth0";
hq.yggdrasil.enableGateway = true;
};
networking.interfaces.eth0.preferTempAddress = false;
systemd.services.yggdrasil.preStart = ''
mkdir -p /dev/net
mknod /dev/net/tun c 10 200 || true
chmod 0666 /dev/net/tun
'';
services.yggdrasil = {
configFile = "/var/lib/yggdrasil/keys";
config.Peers = [
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
"tcp://ygg.thingylabs.io:443" # Nürnberg
"tcp://176.223.130.120:22632" # Wrocław
"tcp://[2a05:9403::8b]:7743" # Praha
];
};
nixpkgs.config.allowUnfree = true;
security.acme = {
email = "mail@c3d2.de";
acceptTerms = true;
};
security.pam.enableSSHAgentAuth = true;
services.openssh = {


@ -15,8 +15,11 @@
allowed-uris = http:// https://
'';
buildMachines = [{
hostName = "localhost";
hostName = "server7.hq";
sshUser = "hydra";
sshKey = "/var/lib/hydra/queue-runner/id_rsa";
system = "x86_64-linux";
speedFactor = 2;
supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
maxJobs = 8;
}];
@ -27,6 +30,7 @@
hydraURL = "https://hydra.hq.c3d2.de";
logo = ./c3d2.svg;
notificationSender = "hydra@spam.works";
package = pkgs.hydra-unstable;
useSubstitutes = false;
};
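Review bot: The build machine entry now reaches `server7.hq` over SSH with `sshKey = "/var/lib/hydra/queue-runner/id_rsa"` but pins no host key, so the queue runner trusts whatever host key it sees on first contact; if the NixOS release in use exposes `publicHostKey` on `nix.buildMachines` (newer releases do), set it to the base64 host key of server7 to close that first-connection gap. The counterpart on server7 adds the old hydra's root key to the `hydra` account with the comment "allow the old hydra to build here", so it is worth confirming that account has no privileges beyond building. The enclosing `nix` block starts before the hunk.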


@ -13,7 +13,6 @@ in {
../../lib
../../lib/admins.nix
../../lib/hq.nix
../../lib/yggdrasil.nix
./mpdConsole.nix
];
@ -27,6 +26,7 @@ in {
hq = {
interface = "eno1";
enableMpdProxy = true;
yggdrasi.enableGateway = true;
};
enableHail = true;
};
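Review bot: `yggdrasi.enableGateway = true;` misspells the option: the module changed in this same commit declares `c3d2.hq.yggdrasil.enableGateway`, and the other hosts set `hq.yggdrasil.enableGateway`, so this line either fails evaluation with an undefined-option error or at best does nothing; change it to `yggdrasil.enableGateway = true;`. The enclosing `c3d2.hq` set starts before the hunk.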


@ -0,0 +1,10 @@
{ config, ... }:
{
services.borgbackup.repos.emery = {
allowSubRepos = true;
authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys;
path = "/srv/ceph/c3d2/backups/emery";
quota = "200G";
};
}
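Review bot: `authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys;` reuses emery's interactive login keys for the backup repository, so a compromised client holding that key can also prune or delete archives rather than only append; the repos module offers `authorizedKeysAppendOnly`, and a dedicated backup key listed there (with the login keys dropped from `authorizedKeys`) limits what a stolen client key can do to the history. A short comment on `allowSubRepos = true;` saying which sub-repositories are expected under `/srv/ceph/c3d2/backups/emery` would help whoever audits the `quota = "200G"` later.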


@ -2,7 +2,16 @@ name:
(import ../outer-defaults.nix name) // {
config = { config, pkgs, lib, ... }: {
imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ];
imports = [ ../inner-defaults.nix ];
c3d2.hq.yggdrasil.enableGateway = true;
networking.firewall.allowedTCPPorts = [ config.services.uhub.port ];
networking.interfaces.eth0.ipv6.addresses = [{
address = "310:5217:69c0:9afc:0:576d:1184:c3d2";
prefixLength = 64;
}]; # Old address used by some clients
services.uhub = {
enable = true;
@ -18,8 +27,6 @@ name:
};
};
networking.firewall.allowedTCPPorts = [ config.services.uhub.port ];
hq.yggdrasil.enable = true;
};
}


@ -1,8 +1,6 @@
{ lib, ... }:
let
yggaddr = import ../yggaddr.nix;
containerFunc = name:
# Generate a container expression from the directory at `name`.
{


@ -0,0 +1,35 @@
name:
(import ../outer-defaults.nix name) // {
ephemeral = true;
config = { config, pkgs, lib, ... }: {
imports = [ ../inner-defaults.nix ];
c3d2.hq.yggdrasil.enableGateway = true;
networking.firewall.enable = false;
networking.interfaces.eth0.useDHCP = true;
security.acme = {
acceptTerms = true;
email = "mail@c3d2.de";
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"hydra7.hq.c3d2.de" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://172.22.99.245:3000";
};
"hydra7.y.c3d2.de" = {
default = true;
addSSL = false;
locations."/".proxyPass = "http://172.22.99.245:3000";
};
};
};
};
}
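Review bot: `ephemeral = true;` together with `enableACME = true;` means the container's root filesystem, and with it the ACME account and certificate state, is discarded on every restart, so each restart re-registers and re-issues `hydra7.hq.c3d2.de` and will eventually run into issuer rate limits; either drop `ephemeral`, or bind-mount a persistent directory for the ACME state. `networking.firewall.enable = false;` on a container whose only job is reverse-proxying makes every listening socket reachable, where `networking.firewall.allowedTCPPorts = [ 80 443 ];` is the minimal alternative. The default vhost `hydra7.y.c3d2.de` proxies Hydra with `addSSL = false`, so logins over that name travel in clear along the Yggdrasil path; a comment stating that this is intended would stop it from being read as an oversight.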


@ -10,11 +10,12 @@ name:
config = { config, pkgs, lib, ... }:
let ncdcPort = 1512;
in {
imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ];
imports = [ ../inner-defaults.nix ];
c3d2 = {
users.k-ot = true;
hq.statistics.enable = true;
hq.yggdrasil.enableGateway = true;
};
services.openssh.enable = true;
@ -23,7 +24,6 @@ name:
environment.systemPackages = with pkgs; [ tmux ncdc ];
networking.firewall.enable = false;
hq.yggdrasil.enable = true;
};
}


@ -7,12 +7,4 @@ in {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
localAddress6 = with builtins; let
hash = hashString "sha256" name;
hextet0 = substring 0 4 hash;
hextet1 = substring 4 4 hash;
in "${yggaddr.prefix}:${hextet0}:${hextet1}:c3d2/64";
# Generate a deterministic IPv6 address for the container.
# This address is accessible within HQ and Yggdrasil but not from ARPANET.
}


@ -13,6 +13,7 @@ name:
c3d2 = {
users.k-ot = true;
hq.statistics.enable = true;
hq.yggdrasil.enableGateway = true;
};
services.openssh = {
@ -20,6 +21,8 @@ name:
allowSFTP = true;
};
environment.systemPackages = with pkgs; [ git borgbackup ];
services.nginx = {
enable = true;
package = pkgs.nginx.override {
@ -45,7 +48,7 @@ name:
fancyindex on;
# autoindex on;
dav_access all:r;
'';
'';
};
};
};


@ -3,16 +3,21 @@
let yggaddr = import ./yggaddr.nix;
in {
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
# <nixpkgs/nixos/modules/profiles/minimal.nix>
../../lib
../../lib/default-gateway.nix
../../lib/yggdrasil.nix
./borgbackup.nix
./containers
./hardware-configuration.nix
./hydra.nix
./nix-serve.nix
];
security.acme = {
email = " mail@c3d2.de";
acceptTerms = true;
};
c3d2 = {
users = {
emery = true;
@ -40,20 +45,13 @@ in {
];
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
statusPage = true;
};
# Route IPv6
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
# Obtain global IPv6 despite being a router myself
boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;
services.yggdrasil = {
enable = true;
configFile = "/var/lib/yggdrasil/keys";
config.Peers = [
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
@ -74,28 +72,43 @@ in {
nix = {
package = pkgs.nixFlakes;
extraOptions = "experimental-features = nix-command flakes ca-references";
gc.automatic = true;
optimise.automatic = true;
extraOptions = ''
experimental-features = nix-command flakes ca-references
post-build-hook = ${
pkgs.writeScript "post-build-sign-paths" ''
#!${pkgs.runtimeShell}
nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
''
}
'';
};
nixpkgs.overlays = [
(self: super: {
nix = super.nix // { meta.platforms = lib.platforms.linux; };
})
];
virtualisation.docker.enable = true;
networking = {
firewall.enable = false;
firewall.trustedInterfaces = [ "br0" ];
hostName = "server7";
hostId = "454fe12c";
useDHCP = false;
bridges.br0.interfaces = [ "enp2s0f0" ];
interfaces = {
br0 = {
useDHCP = true;
preferTempAddress = false;
tempAddress = "disabled";
ipv4.addresses = [{
address = "172.22.99.245";
prefixLength = 24;
}];
ipv6.addresses = [{
address = yggaddr.prefix + ":1";
address = yggaddr.prefix64 + "::1";
prefixLength = 64;
}];
};
@ -107,19 +120,21 @@ in {
boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;
environment.systemPackages = with pkgs; [ tmux htop vim gitMinimal nixfmt ];
environment.systemPackages = with pkgs; [
tmux
htop
vim
gitMinimal
nixfmt
zfsStable
];
services.collectd.extraConfig = ''
LoadPlugin sensors
LoadPlugin memory
LoadPlugin irq
LoadPlugin thermal
LoadPlugin processes
LoadPlugin disk
LoadPlugin hddtemp
LoadPlugin df
LoadPlugin cpu
LoadPlugin cpufreq
LoadPlugin entropy
LoadPlugin load
LoadPlugin swap
@ -139,4 +154,9 @@ in {
time.timeZone = "Europe/Berlin";
system.stateVersion = "19.09"; # Did you read the comment?
users.extraUsers.hydra.openssh.authorizedKeys.keys = [
# allow the old hydra to build here
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
];
}
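Review bot: `email = " mail@c3d2.de";` has a leading space; the other `security.acme.email` values added in this commit are `"mail@c3d2.de"`, and an ACME account registered with a malformed contact may be rejected or never receive expiry notices, so it should be `email = "mail@c3d2.de";`. The `post-build-hook` signs every path the daemon builds with `/var/lib/nix-serve.key`, which presumably includes builds pushed by the old hydra through the `hydra` authorized key added at the bottom of this file; a comment noting that the key file must stay root-only and that remote-triggered builds are signed with the cache key too would document that trust boundary. `# <nixpkgs/nixos/modules/profiles/minimal.nix>` is commented out without a reason; a word on why (or removing the line) would help.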


@ -4,27 +4,173 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
# imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/9812-00B2";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/9812-00B2";
fsType = "vfat";
};
fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = {
device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/nvme0n1" = {
device = "nvme0n1";
fsType = "zfs";
};
fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = {
device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs";
};
fileSystems."/zones/archive" = {
device = "nvme0n1/archive";
fsType = "zfs";
};
fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = {
device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = {
device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
fsType = "zfs";
};
fileSystems."/zones/global/cores" = {
device = "nvme0n1/cores/global";
fsType = "zfs";
};
fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = {
device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de";
fsType = "zfs";
};
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = {
device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44";
fsType = "zfs";
};
fileSystems."/zones/e71d4460-8eef-6623-a875-dd5ec20b650f/cores" = {
device = "nvme0n1/cores/e71d4460-8eef-6623-a875-dd5ec20b650f";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de" = {
device = "nvme0n1/c3d2.de";
fsType = "zfs";
};
fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = {
device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de";
fsType = "zfs";
};
fileSystems."/nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f" = {
device = "nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f";
fsType = "zfs";
};
fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = {
device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
fsType = "zfs";
};
fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = {
device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/admin" = {
device = "nvme0n1/c3d2.de/admin";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/templates" = {
device = "nvme0n1/c3d2.de/templates";
fsType = "zfs";
};
fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = {
device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89";
fsType = "zfs";
};
fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = {
device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4";
fsType = "zfs";
};
fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = {
device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75";
fsType = "zfs";
};
fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = {
device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220";
fsType = "zfs";
};
fileSystems."/nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5" = {
device = "nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
fsType = "zfs";
};
fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = {
device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317";
fsType = "zfs";
};
fileSystems."/nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3" = {
device = "nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3";
fsType = "zfs";
};
fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = {
device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9";
fsType = "zfs";
};
fileSystems."/nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43" = {
device = "nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43";
fsType = "zfs";
};
fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = {
device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d";
fsType = "zfs";
};
fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = {
device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f";
fsType = "zfs";
};
fileSystems."/nvme0n1/c3d2.de/iso" = {
device = "nvme0n1/c3d2.de/iso";
fsType = "zfs";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 20;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
nix.maxJobs = lib.mkDefault 10;
nix.buildCores = lib.mkDefault 40;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
}


@ -1,173 +1,28 @@
let
hydraFlakes = pkgs:
with pkgs;
let
perlDeps = buildEnv {
name = "hydra-perl-deps";
paths = with perlPackages; [
ModulePluggable
CatalystActionREST
CatalystAuthenticationStoreDBIxClass
CatalystDevel
CatalystDispatchTypeRegex
CatalystPluginAccessLog
CatalystPluginAuthorizationRoles
CatalystPluginCaptcha
CatalystPluginSessionStateCookie
CatalystPluginSessionStoreFastMmap
CatalystPluginStackTrace
CatalystPluginUnicodeEncoding
CatalystTraitForRequestProxyBase
CatalystViewDownload
CatalystViewJSON
CatalystViewTT
CatalystXScriptServerStarman
CatalystXRoleApplicator
CryptRandPasswd
DBDPg
DBDSQLite
DataDump
DateTime
DigestSHA1
EmailMIME
EmailSender
FileSlurp
IOCompress
IPCRun
JSON
JSONAny
JSONXS
LWP
LWPProtocolHttps
NetAmazonS3
NetPrometheus
NetStatsd
PadWalker
Readonly
SQLSplitStatement
SetScalar
Starman
SysHostnameLong
TermSizeAny
TestMore
TextDiff
TextTable
XMLSimple
pkgs.nixFlakes
pkgs.nixFlakes.perl-bindings
git
boehmgc
];
};
{ config, lib, pkgs, ... }:
in stdenv.mkDerivation {
name = "hydra-flake";
src = pkgs.fetchFromGitHub {
owner = "NixOS";
repo = "hydra";
rev = "47797576838974c8209536b67bb45e953a50900f";
sha256 = "1vqib99d7wgnl3c6ccx0xx2q88qmdkpydkb6gd0pik9wg2nn3jng";
};
buildInputs = [
makeWrapper
autoconf
automake
libtool
unzip
nukeReferences
pkgconfig
sqlite
libpqxx
gitAndTools.topGit
mercurial
darcs
subversion
bazaar
openssl
bzip2
libxslt
guile # optional, for Guile + Guix support
perlDeps
perl
pkgs.nixFlakes
postgresql95 # for running the tests
boost
(nlohmann_json.override { multipleHeaders = true; })
];
hydraPath = lib.makeBinPath ([
sqlite
subversion
openssh
pkgs.nixFlakes
coreutils
findutils
pixz
gzip
bzip2
lzma
gnutar
unzip
git
gitAndTools.topGit
mercurial
darcs
gnused
bazaar
] ++ lib.optionals stdenv.isLinux [ rpm dpkg cdrkit ]);
configureFlags = [ "--with-docbook-xsl=${docbook_xsl}/xml/xsl/docbook" ];
shellHook = ''
PATH=$(pwd)/src/hydra-evaluator:$(pwd)/src/script:$(pwd)/src/hydra-eval-jobs:$(pwd)/src/hydra-queue-runner:$PATH
PERL5LIB=$(pwd)/src/lib:$PERL5LIB
'';
preConfigure = "autoreconf -vfi";
NIX_LDFLAGS = [ "-lpthread" ];
enableParallelBuilding = true;
preCheck = ''
patchShebangs .
export LOGNAME=''${LOGNAME:-foo}
'';
postInstall = ''
mkdir -p $out/nix-support
for i in $out/bin/*; do
read -n 4 chars < $i
if [[ $chars =~ ELF ]]; then continue; fi
wrapProgram $i \
--prefix PERL5LIB ':' $out/libexec/hydra/lib:$PERL5LIB \
--prefix PATH ':' $out/bin:$hydraPath \
--set HYDRA_RELEASE 0.1 \
--set HYDRA_HOME $out/libexec/hydra \
--set NIX_RELEASE ${pkgs.nixFlakes.name or "unknown"}
done
'';
dontStrip = true;
meta.description = "Build of Hydra on ${system}";
passthru.perlDeps = perlDeps;
};
in { config, pkgs, ... }: {
services.hydra = {
{
services.hydra-dev = {
enable = true;
debugServer = true;
extraEnv.HYDRA_DEBUG = "1";
hydraURL = "https://server7.hq.c3d2.de";
logo = ./hydra.svg;
notificationSender = "hydra@spam.works";
package = hydraFlakes pkgs;
listenHost = "127.0.0.1";
# package = pkgs.hydra-unstable;
listenHost = "172.22.99.245";
# listenHost = "*";
useSubstitutes = true;
minimumDiskFree = 2;
minimumDiskFreeEvaluator = 2;
extraConfig = ''
<sotest>
authfile = /var/lib/hydra/sotest.auth
</sotest>
'';
};
nix.trustedUsers = [ "hydra" ];
nix.buildMachines = [{
hostName = "localhost";
system = "x86_64-linux";
@ -175,18 +30,20 @@ in { config, pkgs, ... }: {
maxJobs = 8;
}];
nix.binaryCachePublicKeys =
[ "nix-serve.hq.c3d2.de-2:elqZouiiQP4XNfmEekwXH/YRPL1pXlN5JgVSzT1Ctoc=" ];
nix.binaryCaches = [ "http://nix-serve.hq.c3d2.de" ];
services.nginx = {
enable = true;
virtualHosts = {
"server7.hq.c3d2.de" = {
default = true;
addSSL = true;
enableACME = true;
locations."/".proxyPass =
"http://127.0.0.1:${toString config.services.hydra.port}";
globalRedirect = "hydra7.hq.c3d2.de";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
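Review bot: `listenHost = "172.22.99.245";` exposes the Hydra web server on the bridge address while `debugServer = true;` and `extraEnv.HYDRA_DEBUG = "1";` remain on; with the host firewall apparently disabled in this commit, anyone on that network gets Catalyst debug output (stack traces, request environment) on errors. Since the hydra7 container proxies to this address anyway, keep the listener but set `debugServer = false;` and drop the `HYDRA_DEBUG` env entry, leaving debug mode for a localhost-only troubleshooting setup. `useSubstitutes = true;` against the plain-HTTP `nix.binaryCaches` entry is only safe because `nix.binaryCachePublicKeys` pins the signing key; a one-line comment tying the two together would stop someone from removing the key line.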


@ -15,7 +15,9 @@
addSSL = true;
enableACME = true;
locations."/".proxyPass =
"http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
"http://${config.services.nix-serve.bindAddress}:${
toString config.services.nix-serve.port
}";
};
};
};


@ -1,4 +1,4 @@
{
address = "210:5217:69c0:9afc:1b95:b9f:8718:c3d2";
prefix = "310:5217:69c0:9afc:";
prefix64 = "310:5217:69c0:9afc";
}


@ -16,6 +16,7 @@ let
url = "https://github.com/NixOS/nixpkgs.git";
};
nixos-config.file = toString (./hosts + "/${path}/configuration.nix");
this-host.file = toString (./hosts + "/${path}");
lib.file = toString ./lib;
secrets.file = toString ./secrets;
"host-registry.nix".file = toString ./host-registry.nix;


@ -8,6 +8,8 @@ let
hqPrefix64 = "fd23:42:c3d2:523";
# TODO: Is this stable? Is there a better place to specifiy this?
server7Ygg = import ../hosts/server7/yggaddr.nix;
# Generate a deterministic IPv6 address for a 64 bit prefix
# and seed string. Prefix must not contain trailing ':'.
toIpv6Address = prefix64: seed:
@ -21,14 +23,9 @@ let
# for the HQ networking using a seed string.
toHqPrivateAddress = toIpv6Address hqPrefix64;
/* # Generate a deterministic public IPv6 addresses
# for the HQ networking using a seed string.
toHqPublicAddress = toIpv6Address publicPrefix64;
toServer7Address = toIpv6Address server7Ygg.prefix64;
# Generate a deterministic public IPv6 addresses
# for the HQ networking using a seed string.
toserver7YggdrasilAddress = toIpv6Address server7YggrasilPrefix64;
*/
# toHqPublicAddress = toIpv6Address publicPrefix64;
cfg = config.c3d2;
@ -106,6 +103,8 @@ in {
description = "Whether to proxy the local MPD database";
};
yggdrasil.enableGateway = mkEnableOption
"Whether to join the host to the Yggdrasil network via a gateway";
};
};
@ -118,7 +117,8 @@ in {
# Configuration specific to this machine
assertions = [
{ assertion = cfg.isInHq -> (config.users.users.root.password == null);
{
assertion = cfg.isInHq -> (config.users.users.root.password == null);
message = "Root passwords not allowed in HQ";
}
{
@ -166,10 +166,16 @@ in {
host.ip6
else
toHqPrivateAddress hostName;
in [{
name = ip6;
value = [ "${hostName}.hq" hostName ];
}] ++ lib.optional (hasAttr "ip4" host) {
in [
{
name = ip6;
value = [ "${hostName}.hq" hostName ];
}
{
name = toServer7Address hostName;
value = [ "${hostName}.y.c3d2.de" "${hostName}.y" ];
}
] ++ lib.optional (hasAttr "ip4" host) {
name = host.ip4;
value = [ "${hostName}.hq" hostName ];
};
@ -196,7 +202,16 @@ in {
ipv6.addresses = [{
address = toHqPrivateAddress config.networking.hostName;
prefixLength = 64;
}];
}] ++ lib.optional (cfg.hq.yggdrasil.enableGateway) {
address = toServer7Address config.networking.hostName;
prefixLength = 64;
};
ipv6.routes = lib.optional (cfg.hq.yggdrasil.enableGateway) {
address = "200::";
options.pref = "low";
prefixLength = 7;
via = server7Ygg.prefix64 + "::1";
};
};
});
@ -231,17 +246,31 @@ in {
services.collectd = lib.mkIf cfg.hq.statistics.enable {
enable = true;
autoLoadPlugin = true;
extraConfig = ''
HostName "${config.networking.hostName}"
FQDNLookup false
Interval 10
LoadPlugin network
<Plugin "network">
Server "grafana.hq" "25826"
</Plugin>
'';
buildMinimalPackage = true;
plugins = {
logfile = ''
LogLevel info
File STDOUT
'';
network = ''
Server "grafana.hq.c3d2.de" "25826"
'';
memory = "";
processes = "";
disk = "";
df = "";
cpu = "";
entropy = "";
load = "";
swap = "";
cgroups = "";
vmem = "";
interface = "";
};
};
services.hail = lib.mkIf cfg.enableHail {
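Review bot: The HQ root-password assertion in the `assertions` hunk only tests `config.users.users.root.password`, so root can still be given a login password through `hashedPassword`, `initialPassword` or `initialHashedPassword` (and `passwordFile`, if this NixOS release has it) without tripping "Root passwords not allowed in HQ". Extend the check to those options, e.g. `assertion = with config.users.users.root; cfg.isInHq -> (password == null && hashedPassword == null && initialPassword == null && initialHashedPassword == null);`. The assertion list's closing `];` lies outside the hunk. Separately, the string passed to `mkEnableOption` for `yggdrasil.enableGateway` is a full sentence, which renders as "Whether to enable Whether to join the host to the Yggdrasil network via a gateway."; pass a noun phrase instead, e.g. `mkEnableOption "joining the Yggdrasil network via the HQ gateway"`.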


@ -1,7 +0,0 @@
{ config, lib, ... }:
{
# Please import only things that are configurable and OFF BY DEFAULT!
imports = [ ./yggdrasil-hq.nix ];
}


@ -4,7 +4,6 @@
imports =
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
<nixpkgs/nixos/modules/profiles/docker-container.nix>
./hq.nix
];
networking.networkmanager.dns = "unbound";


@ -3,8 +3,11 @@
with lib;
let
nixcloud-webservices = builtins.fetchGit {
url = "https://github.com/nixcloud/nixcloud-webservices.git";
nixcloud-webservices = pkgs.fetchFromGitHub {
owner = "nixcloud";
repo = "nixcloud-webservices";
rev = "3a0767f0536fac811065eb87e6342f27eac085aa";
sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8=";
};
nixcloud = (
import "${nixcloud-webservices}/pkgs" { inherit pkgs; }


@ -4,6 +4,7 @@ let
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery@nixos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVmyXQNE5IhcFdAWNfd4Cgg+rc+z/uClSQdPcaAVbYf emery@nixos"
"ssh-rsa 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 root@bigpad"
];
in {
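Review bot: The new `ssh-rsa … root@bigpad` entry carries no record of who holds the key or why a machine's root key, rather than a person's key, is being added to this shared list; if these keys are installed on every host as the shared `keys` binding suggests, one machine's root key becomes a credential for the whole fleet. Add a comment above the entry naming owner and purpose, e.g. `# bigpad root key — owner: <person>, used for: <purpose>`, so it can be rotated or removed when that changes. Consider a per-person ed25519 key instead, matching the two existing entries. The `let` binding holding this list starts at the hunk header.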


@ -1,40 +0,0 @@
{ config, lib, ... }:
with lib;
let
cfg = config.hq.yggdrasil;
hostNameHash = builtins.hashString "sha256" config.networking.hostName;
hextets = map (i: substring (4 * i) 4 hostNameHash) [ 0 1 2 3 ];
hostAddr = concatStringsSep ":" hextets;
in {
options = with types; {
hq.yggdrasil = {
enable =
mkEnableOption "Configure Yggdrasil access via the Yggdrasil router";
interface = mkOption {
type = nullOr str;
default = "eth0";
description = "Network interface to the C3D2 HQ ethernet";
};
};
};
config = mkIf cfg.enable {
networking.interfaces = {
"${cfg.interface}" = {
"ipv6" = {
addresses = [{
address = "310:5217:69c0:9afc:${hostAddr}";
prefixLength = 64;
}];
routes = [{
address = "200::";
prefixLength = 7;
via = "310:5217:69c0:9afc::1";
}];
};
};
};
};
}

View File

@ -1,185 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.yggdrasil;
configProvided = (cfg.config != { });
configAsFile = (if configProvided then
toString (pkgs.writeTextFile {
name = "yggdrasil-conf";
text = builtins.toJSON cfg.config;
})
else
null);
configFileProvided = (cfg.configFile != null);
generateConfig = (if configProvided && configFileProvided then
"${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}"
else if configProvided then
"cat ${configAsFile}"
else if configFileProvided then
"cat ${cfg.configFile}"
else
"${cfg.package}/bin/yggdrasil -genconf");
in {
options = with types; {
services.yggdrasil = {
enable = mkEnableOption "the yggdrasil system service";
configFile = mkOption {
type = nullOr str;
default = null;
example = "/run/keys/yggdrasil.conf";
description = ''
A file which contains JSON configuration for yggdrasil.
You do not have to supply a complete configuration, as
yggdrasil will use default values for anything which is
omitted. If the encryption and signing keys are omitted,
yggdrasil will generate new ones each time the service is
started, resulting in a random IPv6 address on the yggdrasil
network each time.
If both this option and <option>config</option> are
supplied, they will be combined, with values from
<option>config</option> taking precedence.
You can use the command <code>nix-shell -p yggdrasil --run
"yggdrasil -genconf -json"</code> to generate a default
JSON configuration.
'';
};
config = mkOption {
type = attrs;
default = { };
example = {
Peers = [
"tcp://aa.bb.cc.dd:eeeee"
"tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff"
];
Listen = [ "tcp://0.0.0.0:xxxxx" ];
};
description = ''
Configuration for yggdrasil, as a Nix attribute set.
Warning: this is stored in the WORLD-READABLE Nix store!
Therefore, it is not appropriate for private keys. If you
do not specify the keys, yggdrasil will generate a new set
each time the service is started, creating a random IPv6
address on the yggdrasil network each time.
If you wish to specify the keys, use
<option>configFile</option>. If both
<option>configFile</option> and <option>config</option> are
supplied, they will be combined, with values from
<option>config</option> taking precedence.
You can use the command <code>nix-shell -p yggdrasil --run
"yggdrasil -genconf"</code> to generate default
configuration values with documentation.
'';
};
openMulticastPort = mkOption {
type = bool;
default = false;
description = ''
Whether to open the UDP port used for multicast peer
discovery. The NixOS firewall blocks link-local
communication, so in order to make local peering work you
will also need to set <code>LinkLocalTCPPort</code> in your
yggdrasil configuration (<option>config</option> or
<option>configFile</option>) to a port number other than 0,
and then add that port to
<option>networking.firewall.allowedTCPPorts</option>.
'';
};
denyDhcpcdInterfaces = mkOption {
type = listOf str;
default = [ ];
example = [ "tap*" ];
description = ''
Disable the DHCP client for any interface whose name matches
any of the shell glob patterns in this list. Use this
option to prevent the DHCP client from broadcasting requests
on the yggdrasil network. It is only necessary to do so
when yggdrasil is running in TAP mode, because TUN
interfaces do not support broadcasting.
'';
};
package = mkOption {
type = package;
default = pkgs.yggdrasil;
defaultText = "pkgs.yggdrasil";
description = "Yggdrasil package to use.";
};
};
};
config = mkIf cfg.enable {
assertions = [{
assertion = config.networking.enableIPv6;
message = "networking.enableIPv6 must be true for yggdrasil to work";
}];
systemd.services.yggdrasil = {
description = "Yggdrasil Network Service";
path = [ cfg.package ]
++ optional (configProvided && configFileProvided) pkgs.jq;
bindsTo = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf
'';
serviceConfig = {
ExecStart =
"${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RuntimeDirectory = "yggdrasil";
RuntimeDirectoryMode = "0700";
BindReadOnlyPaths = mkIf configFileProvided [ "${cfg.configFile}" ];
# TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails
# to set up the network adapter when DynamicUser is set. See
# github.com/yggdrasil-network/yggdrasil-go/issues/557. The
# following options are implied by DynamicUser according to
# the systemd.exec documentation, and can be removed if the
# upstream issue is fixed and DynamicUser is set to true:
PrivateTmp = true;
RemoveIPC = true;
NoNewPrivileges = true;
ProtectSystem = "strict";
RestrictSUIDSGID = true;
# End of list of options implied by DynamicUser.
AmbientCapabilities = "CAP_NET_ADMIN";
CapabilityBoundingSet = "CAP_NET_ADMIN";
MemoryDenyWriteExecute = true;
ProtectControlGroups = true;
ProtectHome = "tmpfs";
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter =
"~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
};
};
networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces;
networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ];
# Make yggdrasilctl available on the command line.
environment.systemPackages = [ cfg.package ];
};
meta.maintainers = with lib.maintainers; [ gazally ];
}

View File

@ -1,13 +0,0 @@
{ config, ... }: {
imports = [ ./yggdrasil-service.nix ];
services.yggdrasil = {
enable = true;
package = (import <nixpkgs-unstable> { }).yggdrasil;
openMulticastPort = true;
config.NodeInfo = {
name = config.networking.hostName + ".c3d2";
location = "Dresden";
};
};
}

@ -1 +1 @@
Subproject commit 35a994c6ea2f2720e8ec045ea1369163ea69a35f
Subproject commit eb06c122762133b7831475615b1a3b039eaa389e