Merge branch 'master' of ssh://gitea.c3d2.de:2222/C3D2/nix-config
commit
e179dbe0f7
|
@ -0,0 +1,105 @@
|
||||||
|
{
|
||||||
|
"nodes": {
|
||||||
|
"hydra": {
|
||||||
|
"info": {
|
||||||
|
"lastModified": 1587883324,
|
||||||
|
"narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus="
|
||||||
|
},
|
||||||
|
"inputs": {
|
||||||
|
"nix": "nix",
|
||||||
|
"nixpkgs": "nixpkgs_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"owner": "ehmry",
|
||||||
|
"repo": "hydra",
|
||||||
|
"rev": "e93c36aab1bf96cf392ab0e40157b0620638b599",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ehmry",
|
||||||
|
"ref": "sotest",
|
||||||
|
"repo": "hydra",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix": {
|
||||||
|
"info": {
|
||||||
|
"lastModified": 1586440843,
|
||||||
|
"narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo="
|
||||||
|
},
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nix",
|
||||||
|
"rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "nix",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs": {
|
||||||
|
"info": {
|
||||||
|
"lastModified": 1585405475,
|
||||||
|
"narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE="
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "nixpkgs",
|
||||||
|
"ref": "nixos-20.03-small",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_2": {
|
||||||
|
"info": {
|
||||||
|
"lastModified": 1586219474,
|
||||||
|
"narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78="
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "29eddfc36d720dcc4822581175217543b387b1e8",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "nixpkgs",
|
||||||
|
"ref": "nixos-20.03",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_3": {
|
||||||
|
"info": {
|
||||||
|
"lastModified": 1586724123,
|
||||||
|
"narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo="
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixpkgs-channels",
|
||||||
|
"rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nixos",
|
||||||
|
"ref": "nixos-20.03",
|
||||||
|
"repo": "nixpkgs-channels",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": {
|
||||||
|
"inputs": {
|
||||||
|
"hydra": "hydra",
|
||||||
|
"nixpkgs": "nixpkgs_3"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": "root",
|
||||||
|
"version": 5
|
||||||
|
}
|
|
@ -0,0 +1,33 @@
|
||||||
|
{
|
||||||
|
description = "C3D2 NixOS configurations";
|
||||||
|
|
||||||
|
edition = 201909;
|
||||||
|
|
||||||
|
inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03";
|
||||||
|
inputs.hydra.url = "github:ehmry/hydra/sotest";
|
||||||
|
|
||||||
|
outputs = { self, nixpkgs, hydra }: {
|
||||||
|
|
||||||
|
nixosConfigurations = {
|
||||||
|
|
||||||
|
server7 = nixpkgs.lib.nixosSystem {
|
||||||
|
modules = [ ./hosts/server7 hydra.nixosModules.hydra ];
|
||||||
|
system = "x86_64-linux";
|
||||||
|
};
|
||||||
|
|
||||||
|
hydra = nixpkgs.lib.nixosSystem {
|
||||||
|
modules = [ ./hosts/hydra/configuration.nix ];
|
||||||
|
system = "x86_64-linux";
|
||||||
|
};
|
||||||
|
|
||||||
|
pulsebert = nixpkgs.lib.nixosSystem {
|
||||||
|
modules = [ ./hosts/pulsebert/configuration.nix ];
|
||||||
|
system = "x86_64-linux";
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
nixosModules.c3d2 = import ./lib;
|
||||||
|
|
||||||
|
};
|
||||||
|
}
|
|
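Review bot: `inputs.hydra.url = "github:ehmry/hydra/sotest";` sources the NixOS module for the build infrastructure from a personal fork on a mutable branch, and nothing in the file says why or which upstream it tracks. flake.lock pins it to a commit, so the exposure is at update time rather than build time; a comment such as `# hydra module from ehmry's fork (branch sotest); pinned in flake.lock — review the diff before bumping` would make that explicit. `edition = 201909;` is likewise undocumented; it was dropped from later flake schemas, so a note on which Nix version on the hosts still expects it would help the next person who updates.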
@ -13,6 +13,7 @@ rec {
|
||||||
|
|
||||||
hydra.publicKey =
|
hydra.publicKey =
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig";
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig";
|
||||||
|
hydra7 = { };
|
||||||
mpd-index = { };
|
mpd-index = { };
|
||||||
nfs = { };
|
nfs = { };
|
||||||
ncdc.publicKey =
|
ncdc.publicKey =
|
||||||
|
|
|
@ -70,6 +70,30 @@ in {
|
||||||
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
|
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.wireguard = {
|
||||||
|
enable = true;
|
||||||
|
interfaces =
|
||||||
|
let
|
||||||
|
wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
|
||||||
|
in
|
||||||
|
builtins.mapAttrs (name: conf: {
|
||||||
|
inherit (conf.wireguard) listenPort privateKey;
|
||||||
|
ips = [ "${address4}/32" "${address6}/64" ];
|
||||||
|
allowedIPsAsRoutes = false;
|
||||||
|
postSetup = ''
|
||||||
|
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
|
||||||
|
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
|
||||||
|
'';
|
||||||
|
peers = [ ({
|
||||||
|
inherit (conf.wireguard) publicKey;
|
||||||
|
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||||
|
persistentKeepalive = 30;
|
||||||
|
} // (lib.optionalAttrs (conf.wireguard ? endpoint) {
|
||||||
|
inherit (conf.wireguard) endpoint;
|
||||||
|
})) ];
|
||||||
|
}) wireguardNeighbors;
|
||||||
|
};
|
||||||
|
|
||||||
services.bird2 = {
|
services.bird2 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config =
|
config =
|
||||||
|
|
|
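Review bot: `inherit (conf.wireguard) listenPort privateKey;` passes each neighbour's WireGuard private key through the `privateKey` option, which NixOS writes into the generated configuration in the world-readable Nix store; the module provides `privateKeyFile` for exactly this reason. Unless the keys in `neighbors` are disposable, read them from a root-only file instead, e.g. `inherit (conf.wireguard) listenPort; privateKeyFile = conf.wireguard.privateKeyFile;`, with the neighbour data carrying a path rather than the key (the shape of `neighbors` is defined outside this hunk, so that part is inferred). `allowedIPs = [ "0.0.0.0/0" "::0/0" ]` together with `allowedIPsAsRoutes = false` is presumably intended because bird2 below owns routing, but a comment saying so would stop a reader from taking it for an open-ended tunnel. The enclosing module starts and ends outside the hunk.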
@ -19,7 +19,8 @@
|
||||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
networking.interfaces.eth0.useDHCP = true;
|
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
|
||||||
|
networking.defaultGateway = "172.20.73.1";
|
||||||
services.resolved.enable = false;
|
services.resolved.enable = false;
|
||||||
|
|
||||||
# Set your time zone.
|
# Set your time zone.
|
||||||
|
@ -39,7 +40,7 @@
|
||||||
|
|
||||||
# Create a few files early before packing tarball for Proxmox
|
# Create a few files early before packing tarball for Proxmox
|
||||||
# architecture/OS detection.
|
# architecture/OS detection.
|
||||||
system.extraSystemBuilderCmds =
|
system.extraSystemBuilderCmds =
|
||||||
''
|
''
|
||||||
mkdir -m 0755 -p $out/bin
|
mkdir -m 0755 -p $out/bin
|
||||||
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
||||||
|
@ -85,22 +86,25 @@
|
||||||
"1.1.1.1@853" #cloudflare-dns.com
|
"1.1.1.1@853" #cloudflare-dns.com
|
||||||
"2606:4700:4700::1111@853" #cloudflare-dns.com
|
"2606:4700:4700::1111@853" #cloudflare-dns.com
|
||||||
"1.0.0.1@853" #cloudflare-dns.com
|
"1.0.0.1@853" #cloudflare-dns.com
|
||||||
"2606:4700:4700::1001@853" #cloudflare-dns.com
|
"2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com
|
||||||
];
|
];
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
server:
|
server:
|
||||||
ssl-upstream: yes
|
|
||||||
domain-insecure: "dn42"
|
domain-insecure: "dn42"
|
||||||
domain-insecure: "20.172.in-addr.arpa"
|
domain-insecure: "20.172.in-addr.arpa"
|
||||||
domain-insecure: "21.172.in-addr.arpa"
|
domain-insecure: "21.172.in-addr.arpa"
|
||||||
domain-insecure: "22.172.in-addr.arpa"
|
domain-insecure: "22.172.in-addr.arpa"
|
||||||
domain-insecure: "23.172.in-addr.arpa"
|
domain-insecure: "23.172.in-addr.arpa"
|
||||||
domain-insecure: "d.f.ip6.arpa"
|
domain-insecure: "d.f.ip6.arpa"
|
||||||
|
domain-insecure: "ffdd"
|
||||||
|
domain-insecure: "200.10.in-addr.arpa"
|
||||||
local-zone: "20.172.in-addr.arpa." nodefault
|
local-zone: "20.172.in-addr.arpa." nodefault
|
||||||
local-zone: "21.172.in-addr.arpa." nodefault
|
local-zone: "21.172.in-addr.arpa." nodefault
|
||||||
local-zone: "22.172.in-addr.arpa." nodefault
|
local-zone: "22.172.in-addr.arpa." nodefault
|
||||||
local-zone: "23.172.in-addr.arpa." nodefault
|
local-zone: "23.172.in-addr.arpa." nodefault
|
||||||
local-zone: "d.f.ip6.arpa." nodefault
|
local-zone: "d.f.ip6.arpa." nodefault
|
||||||
|
local-zone: "ffdd." nodefault
|
||||||
|
local-zone: "200.10.in-addr.arpa." nodefault
|
||||||
|
|
||||||
remote-control:
|
remote-control:
|
||||||
control-enable: yes
|
control-enable: yes
|
||||||
|
@ -109,36 +113,71 @@
|
||||||
control-key-file: /var/lib/unbound/unbound_control.key
|
control-key-file: /var/lib/unbound/unbound_control.key
|
||||||
control-cert-file: /var/lib/unbound/unbound_control.pem
|
control-cert-file: /var/lib/unbound/unbound_control.pem
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "99.22.172.in-addr.arpa"
|
||||||
|
forward-host: "ns.c3d2.de"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
|
name: "zentralwerk.dn42"
|
||||||
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "72.20.172.in-addr.arpa"
|
||||||
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "73.20.172.in-addr.arpa"
|
||||||
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "74.20.172.in-addr.arpa"
|
||||||
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "75.20.172.in-addr.arpa"
|
||||||
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "76.20.172.in-addr.arpa"
|
||||||
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "77.20.172.in-addr.arpa"
|
||||||
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
name: "dn42"
|
name: "dn42"
|
||||||
forward-addr: fd42:d42:d42:53::1
|
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "20.172.in-addr.arpa"
|
name: "20.172.in-addr.arpa"
|
||||||
forward-addr: fd42:d42:d42:53::1
|
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "21.172.in-addr.arpa"
|
name: "21.172.in-addr.arpa"
|
||||||
forward-addr: fd42:d42:d42:53::1
|
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "22.172.in-addr.arpa"
|
name: "22.172.in-addr.arpa"
|
||||||
forward-addr: fd42:d42:d42:53::1
|
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "23.172.in-addr.arpa"
|
name: "23.172.in-addr.arpa"
|
||||||
forward-addr: fd42:d42:d42:53::1
|
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "d.f.ip6.arpa"
|
name: "d.f.ip6.arpa"
|
||||||
forward-addr: fd42:d42:d42:53::1
|
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "ffdd"
|
||||||
|
forward-addr: 10.200.0.4
|
||||||
|
forward-addr: 10.200.0.16
|
||||||
|
|
||||||
|
forward-zone:
|
||||||
|
name: "200.10.in-addr.arpa"
|
||||||
|
forward-addr: 10.200.0.4
|
||||||
|
forward-addr: 10.200.0.16
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -150,7 +189,7 @@
|
||||||
memory = "";
|
memory = "";
|
||||||
interface = "";
|
interface = "";
|
||||||
load = "";
|
load = "";
|
||||||
exec =
|
exec =
|
||||||
let
|
let
|
||||||
unboundScript = builtins.toFile "unbound.rb" ''
|
unboundScript = builtins.toFile "unbound.rb" ''
|
||||||
loop do
|
loop do
|
||||||
|
|
|
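Review bot: The entry `"2606:4700:4700::1001@853\n forward-ssl-upstream: yes"` in the forwardAddresses hunk smuggles a second directive into what the module renders as one `forward-addr:` line; it only works because the generated text is not escaped, and nothing explains that the global `ssl-upstream: yes` was dropped so the plain-DNS dn42/ffdd forwarders added further down keep working. A comment on that line, such as `# hack: the module only emits forward-addr lines; append forward-ssl-upstream here so the default zone uses DoT without a global ssl-upstream breaking the private forwarders`, would document the intent and keep someone from "fixing" it. `domain-insecure: "ffdd"` and `domain-insecure: "200.10.in-addr.arpa"` disable DNSSEC validation for those zones, which is expected for unsigned private namespaces but deserves a one-line comment marking it deliberate. The ffdd forward zones send queries to `10.200.0.4` and `10.200.0.16` over plain DNS; if those mesh resolvers are not fully trusted, that trade-off is worth stating next to the zone.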
@ -0,0 +1,18 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||||||
|
<title>http://c3d2.ffdd</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<h1>Chaos Computer Club Dresden</h1>
|
||||||
|
<h2>Router zu Freifunk Dresden</h2>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li><a href="https://www.c3d2.de/">Homepage</a></li>
|
||||||
|
<li><a href="https://www.c3d2.de/space.html">Räumlichkeiten</a></li>
|
||||||
|
<li><a href="https://gitea.c3d2.de/C3D2/nix-config/src/branch/master/hosts/containers/freifunk/configuration.nix">Konfiguration dieses Servers</a></li>
|
||||||
|
<li><a href="http://grafana.hq.c3d2.ffdd/">Lokales Grafana über Freifunk</a></li>
|
||||||
|
</ul>
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -1,60 +0,0 @@
|
||||||
{ config, pkgs, lib, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
meshInterface = "bmx";
|
|
||||||
in {
|
|
||||||
imports = [
|
|
||||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
|
||||||
<lib>
|
|
||||||
<lib/lxc-container.nix>
|
|
||||||
<lib/shared.nix>
|
|
||||||
];
|
|
||||||
|
|
||||||
c3d2 = {
|
|
||||||
isInHq = false;
|
|
||||||
enableHail = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.hostName = "freifunk";
|
|
||||||
networking.useNetworkd = true;
|
|
||||||
networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
|
|
||||||
|
|
||||||
# Required for krops
|
|
||||||
services.openssh.enable = true;
|
|
||||||
environment.systemPackages = with pkgs; [ git tcpdump ];
|
|
||||||
|
|
||||||
systemd.network.networks = {
|
|
||||||
"10-bmx" = {
|
|
||||||
enable = true;
|
|
||||||
matchConfig = { Name = meshInterface; };
|
|
||||||
networkConfig = {
|
|
||||||
Address = "10.200.0.15/16";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
"20-core" = {
|
|
||||||
enable = true;
|
|
||||||
matchConfig = { Name = "core"; };
|
|
||||||
networkConfig = {
|
|
||||||
Address = "172.20.72.40/26";
|
|
||||||
Gateway = "172.20.72.7";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
systemd.services.bmxd =
|
|
||||||
let
|
|
||||||
bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; };
|
|
||||||
in {
|
|
||||||
after = [ "systemd-networkd.service" ];
|
|
||||||
wantedBy = [ "network.target" ];
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0";
|
|
||||||
Restart = "always";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
|
||||||
# compatible, in order to avoid breaking some software such as database
|
|
||||||
# servers. You should change this only after NixOS release notes say you
|
|
||||||
# should.
|
|
||||||
system.stateVersion = "20.03"; # Did you read the comment?
|
|
||||||
}
|
|
|
@ -0,0 +1,70 @@
|
||||||
|
{ pkgs ? import <nixpkgs> {},
|
||||||
|
ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git",
|
||||||
|
bmxd,
|
||||||
|
ddmeshNode,
|
||||||
|
... }:
|
||||||
|
|
||||||
|
with pkgs;
|
||||||
|
let
|
||||||
|
nvram = {
|
||||||
|
ddmesh_node = toString ddmeshNode;
|
||||||
|
city = "Dresden";
|
||||||
|
autoupdate = "0";
|
||||||
|
contact_name = "C3D2";
|
||||||
|
contact_location = "Zentralwerk";
|
||||||
|
contact_email = "astro@spaceboyz.net";
|
||||||
|
contact_note = "http://www.c3d2.ffdd/";
|
||||||
|
gps_latitude = "51.0810624";
|
||||||
|
gps_longitude = "13.7285866";
|
||||||
|
gps_altitude = "100";
|
||||||
|
};
|
||||||
|
in
|
||||||
|
stdenv.mkDerivation {
|
||||||
|
name = "sysinfo-json";
|
||||||
|
src = "${ffdd-server}/salt/freifunk/base/ddmesh/";
|
||||||
|
buildPhase = ''
|
||||||
|
cat > bmxddump.sh <<EOF
|
||||||
|
#!${bash}/bin/bash
|
||||||
|
|
||||||
|
DB_PATH=/var/lib/freifunk/bmxd
|
||||||
|
mkdir -p \$DB_PATH
|
||||||
|
${bmxd}/sbin/bmxd -c --gateways > \$DB_PATH/gateways
|
||||||
|
${bmxd}/sbin/bmxd -c --links > \$DB_PATH/links
|
||||||
|
${bmxd}/sbin/bmxd -c --originators > \$DB_PATH/originators
|
||||||
|
${bmxd}/sbin/bmxd -c --status > \$DB_PATH/status
|
||||||
|
#${bmxd}/sbin/bmxd -c --networks > \$DB_PATH/networks
|
||||||
|
${bmxd}/sbin/bmxd -ci > \$DB_PATH/info
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat > lsb_release <<EOF
|
||||||
|
#!${bash}/bin/bash
|
||||||
|
|
||||||
|
${lsb-release}/bin/lsb_release \$@ | \
|
||||||
|
${gnused}/bin/sed -e 's/"//g'
|
||||||
|
EOF
|
||||||
|
|
||||||
|
substitute usr/local/bin/ddmesh-ipcalc.sh ddmesh-ipcalc.sh \
|
||||||
|
--replace awk ${gawk}/bin/awk
|
||||||
|
substitute var/www_freifunk/sysinfo-json.cgi sysinfo-json.cgi \
|
||||||
|
--replace "echo 'Content-Type: application/json;charset=UTF-8'" "" \
|
||||||
|
--replace '"node_type":"server"' '"node_type":"node"' \
|
||||||
|
--replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \
|
||||||
|
--replace lsb_release $out/bin/lsb_release \
|
||||||
|
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"} 0 \
|
||||||
|
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"} 0 \
|
||||||
|
--replace 'nettype_lookup[$2]' '"lan"' \
|
||||||
|
--replace awk ${gawk}/bin/awk
|
||||||
|
'' +
|
||||||
|
lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
|
||||||
|
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(nvram get ${var})"} '${value}'\n"
|
||||||
|
) nvram);
|
||||||
|
installPhase = ''
|
||||||
|
pwd
|
||||||
|
mkdir -p $out/bin
|
||||||
|
ls -la
|
||||||
|
install -m 0755 sysinfo-json.cgi $out/bin/
|
||||||
|
install -m 0755 ddmesh-ipcalc.sh $out/bin/
|
||||||
|
install -m 0755 bmxddump.sh $out/bin/
|
||||||
|
install -m 0755 lsb_release $out/bin/
|
||||||
|
'';
|
||||||
|
}
|
|
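Review bot: `ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"` fetches the head of the upstream default branch at evaluation time, so the build is not reproducible and anything pushed upstream lands here as an installed CGI script (`sysinfo-json.cgi`) without review. Pin it, e.g. `ffdd-server ? builtins.fetchGit { url = "https://github.com/Freifunk-Dresden/ffdd-server.git"; ref = "master"; rev = "<pinned upstream commit>"; },` and bump the revision deliberately. The `pwd` and `ls -la` calls in `installPhase` look like debugging leftovers and only add noise to the build log. The `nvram` values, including `contact_email`, are baked into the output and published by sysinfo-json; a short comment saying these fields are intentionally public would make that clear.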
@ -9,7 +9,6 @@
|
||||||
[ ../../lib/lxc-container.nix
|
[ ../../lib/lxc-container.nix
|
||||||
../../lib/shared.nix
|
../../lib/shared.nix
|
||||||
../../lib/admins.nix
|
../../lib/admins.nix
|
||||||
../../lib/hq.nix
|
|
||||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -45,10 +45,6 @@
|
||||||
script = "xerox";
|
script = "xerox";
|
||||||
host = "roxi.hq.c3d2.de";
|
host = "roxi.hq.c3d2.de";
|
||||||
};
|
};
|
||||||
scrape-luftdaten = makeService {
|
|
||||||
script = "luftdaten";
|
|
||||||
host = "";
|
|
||||||
};
|
|
||||||
scrape-fhem = makeService {
|
scrape-fhem = makeService {
|
||||||
script = "fhem";
|
script = "fhem";
|
||||||
host = "fhem.hq.c3d2.de";
|
host = "fhem.hq.c3d2.de";
|
||||||
|
@ -59,6 +55,30 @@
|
||||||
host = "matemat.hq.c3d2.de";
|
host = "matemat.hq.c3d2.de";
|
||||||
inherit (matematLogin) user password;
|
inherit (matematLogin) user password;
|
||||||
};
|
};
|
||||||
|
scrape-node1139 = makeService {
|
||||||
|
script = "freifunk_node";
|
||||||
|
host = "10.200.4.120";
|
||||||
|
};
|
||||||
|
scrape-node1487 = makeService {
|
||||||
|
script = "freifunk_node";
|
||||||
|
host = "10.200.5.213";
|
||||||
|
};
|
||||||
|
scrape-node1884 = makeService {
|
||||||
|
script = "freifunk_node";
|
||||||
|
host = "10.200.7.100";
|
||||||
|
};
|
||||||
|
scrape-node1891 = makeService {
|
||||||
|
script = "freifunk_node";
|
||||||
|
host = "10.200.7.107";
|
||||||
|
};
|
||||||
|
scrape-node1768 = makeService {
|
||||||
|
script = "freifunk_node";
|
||||||
|
host = "10.200.6.239";
|
||||||
|
};
|
||||||
|
scrape-node1176 = makeService {
|
||||||
|
script = "freifunk_node";
|
||||||
|
host = "10.200.7.80";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
systemd.timers.scrape-xeri = {
|
systemd.timers.scrape-xeri = {
|
||||||
partOf = [ "scrape-xeri.service" ];
|
partOf = [ "scrape-xeri.service" ];
|
||||||
|
@ -70,11 +90,6 @@
|
||||||
wantedBy = [ "timers.target" ];
|
wantedBy = [ "timers.target" ];
|
||||||
timerConfig.OnCalendar = "minutely";
|
timerConfig.OnCalendar = "minutely";
|
||||||
};
|
};
|
||||||
systemd.timers.scrape-luftdaten = {
|
|
||||||
partOf = [ "scrape-luftdaten.service" ];
|
|
||||||
wantedBy = [ "timers.target" ];
|
|
||||||
timerConfig.OnCalendar = "minutely";
|
|
||||||
};
|
|
||||||
systemd.timers.scrape-fhem = {
|
systemd.timers.scrape-fhem = {
|
||||||
partOf = [ "scrape-fhem.service" ];
|
partOf = [ "scrape-fhem.service" ];
|
||||||
wantedBy = [ "timers.target" ];
|
wantedBy = [ "timers.target" ];
|
||||||
|
@ -85,6 +100,36 @@
|
||||||
wantedBy = [ "timers.target" ];
|
wantedBy = [ "timers.target" ];
|
||||||
timerConfig.OnCalendar = "minutely";
|
timerConfig.OnCalendar = "minutely";
|
||||||
};
|
};
|
||||||
|
systemd.timers.scrape-node1139 = {
|
||||||
|
partOf = [ "scrape-node1139.service" ];
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig.OnCalendar = "minutely";
|
||||||
|
};
|
||||||
|
systemd.timers.scrape-node1487 = {
|
||||||
|
partOf = [ "scrape-node1487.service" ];
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig.OnCalendar = "minutely";
|
||||||
|
};
|
||||||
|
systemd.timers.scrape-node1884 = {
|
||||||
|
partOf = [ "scrape-node1884.service" ];
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig.OnCalendar = "minutely";
|
||||||
|
};
|
||||||
|
systemd.timers.scrape-node1891 = {
|
||||||
|
partOf = [ "scrape-node1894.service" ];
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig.OnCalendar = "minutely";
|
||||||
|
};
|
||||||
|
systemd.timers.scrape-node1768 = {
|
||||||
|
partOf = [ "scrape-node1768.service" ];
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig.OnCalendar = "minutely";
|
||||||
|
};
|
||||||
|
systemd.timers.scrape-node1176 = {
|
||||||
|
partOf = [ "scrape-node1176.service" ];
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig.OnCalendar = "minutely";
|
||||||
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
|
|
|
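Review bot: `systemd.timers.scrape-node1891` has `partOf = [ "scrape-node1894.service" ];` while the service it drives is `scrape-node1891` (defined in the services hunk above); no `scrape-node1894` unit exists, so the dependency points at nothing and stopping or restarting the service will not affect its timer. Change it to `partOf = [ "scrape-node1891.service" ];`. Six near-identical service/timer pairs that differ only in node id and address invite exactly this typo; generating both sides from one attribute set of node-to-host entries with `lib.mapAttrs'` or `lib.listToAttrs` would keep them in sync. The enclosing attribute sets start and end outside the hunks.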
@ -2,12 +2,9 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
|
||||||
./hydra.nix
|
./hydra.nix
|
||||||
./cache.nix
|
./cache.nix
|
||||||
../../lib
|
../../lib
|
||||||
../../lib/hq.nix
|
|
||||||
../../lib/yggdrasil.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
c3d2 = {
|
c3d2 = {
|
||||||
|
@ -18,26 +15,17 @@
|
||||||
isInHq = true;
|
isInHq = true;
|
||||||
mapHqHosts = true;
|
mapHqHosts = true;
|
||||||
hq.interface = "eth0";
|
hq.interface = "eth0";
|
||||||
|
hq.yggdrasil.enableGateway = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.interfaces.eth0.preferTempAddress = false;
|
networking.interfaces.eth0.preferTempAddress = false;
|
||||||
systemd.services.yggdrasil.preStart = ''
|
|
||||||
mkdir -p /dev/net
|
|
||||||
mknod /dev/net/tun c 10 200 || true
|
|
||||||
chmod 0666 /dev/net/tun
|
|
||||||
'';
|
|
||||||
services.yggdrasil = {
|
|
||||||
configFile = "/var/lib/yggdrasil/keys";
|
|
||||||
config.Peers = [
|
|
||||||
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
|
|
||||||
"tcp://ygg.thingylabs.io:443" # Nürnberg
|
|
||||||
"tcp://176.223.130.120:22632" # Wrocław
|
|
||||||
"tcp://[2a05:9403::8b]:7743" # Praha
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
email = "mail@c3d2.de";
|
||||||
|
acceptTerms = true;
|
||||||
|
};
|
||||||
security.pam.enableSSHAgentAuth = true;
|
security.pam.enableSSHAgentAuth = true;
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
|
|
|
@ -15,8 +15,11 @@
|
||||||
allowed-uris = http:// https://
|
allowed-uris = http:// https://
|
||||||
'';
|
'';
|
||||||
buildMachines = [{
|
buildMachines = [{
|
||||||
hostName = "localhost";
|
hostName = "server7.hq";
|
||||||
|
sshUser = "hydra";
|
||||||
|
sshKey = "/var/lib/hydra/queue-runner/id_rsa";
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
speedFactor = 2;
|
||||||
supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
|
supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
|
||||||
maxJobs = 8;
|
maxJobs = 8;
|
||||||
}];
|
}];
|
||||||
|
@ -27,6 +30,7 @@
|
||||||
hydraURL = "https://hydra.hq.c3d2.de";
|
hydraURL = "https://hydra.hq.c3d2.de";
|
||||||
logo = ./c3d2.svg;
|
logo = ./c3d2.svg;
|
||||||
notificationSender = "hydra@spam.works";
|
notificationSender = "hydra@spam.works";
|
||||||
|
package = pkgs.hydra-unstable;
|
||||||
useSubstitutes = false;
|
useSubstitutes = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
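Review bot: The build machine now lives on `server7.hq` and is reached over SSH as `sshUser = "hydra"` with `sshKey = "/var/lib/hydra/queue-runner/id_rsa"`, but nothing in this hunk pins the remote host key, so the queue runner trusts whatever its user's known_hosts holds on first contact. Declaring it in the configuration, e.g. `programs.ssh.knownHosts."server7.hq".publicKey = "<server7 ssh host public key>";`, makes the builder identity part of the reviewed config rather than state on the host (whether this is already done elsewhere is not visible here). The key file is not managed by this file either; a comment stating how it is provisioned and that it must stay readable only by the queue-runner user would help the next maintainer.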
@ -13,7 +13,6 @@ in {
|
||||||
../../lib
|
../../lib
|
||||||
../../lib/admins.nix
|
../../lib/admins.nix
|
||||||
../../lib/hq.nix
|
../../lib/hq.nix
|
||||||
../../lib/yggdrasil.nix
|
|
||||||
./mpdConsole.nix
|
./mpdConsole.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -27,6 +26,7 @@ in {
|
||||||
hq = {
|
hq = {
|
||||||
interface = "eno1";
|
interface = "eno1";
|
||||||
enableMpdProxy = true;
|
enableMpdProxy = true;
|
||||||
|
yggdrasi.enableGateway = true;
|
||||||
};
|
};
|
||||||
enableHail = true;
|
enableHail = true;
|
||||||
};
|
};
|
||||||
|
|
|
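Review bot: `yggdrasi.enableGateway = true;` inside `hq = { ... }` is misspelled; every other host in this commit sets `hq.yggdrasil.enableGateway = true`, so this line either fails evaluation as an undeclared option under `c3d2.hq` or, if that set is freeform, is silently ignored and the host never becomes a gateway. Change it to `yggdrasil.enableGateway = true;`. The enclosing `c3d2` attribute set starts outside the hunk.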
@ -0,0 +1,10 @@
|
||||||
|
{ config, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
services.borgbackup.repos.emery = {
|
||||||
|
allowSubRepos = true;
|
||||||
|
authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys;
|
||||||
|
path = "/srv/ceph/c3d2/backups/emery";
|
||||||
|
quota = "200G";
|
||||||
|
};
|
||||||
|
}
|
|
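Review bot: `authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys;` gives the same keys that already grant SSH access as `emery` full read/write/prune rights on the repository, so a compromised client can delete or overwrite every backup it reaches. If the 20.03 module provides it, put the client keys under `authorizedKeysAppendOnly` instead (borg serve then runs with `--append-only`) and keep a separate, rarely used key for pruning; the option is defined outside this file, so I cannot confirm its availability from here. `allowSubRepos = true;` widens what a client may create under `path`, which the `quota` bounds but which still deserves a one-line comment on why it is needed.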
@ -2,7 +2,16 @@ name:
|
||||||
|
|
||||||
(import ../outer-defaults.nix name) // {
|
(import ../outer-defaults.nix name) // {
|
||||||
config = { config, pkgs, lib, ... }: {
|
config = { config, pkgs, lib, ... }: {
|
||||||
imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ];
|
imports = [ ../inner-defaults.nix ];
|
||||||
|
|
||||||
|
c3d2.hq.yggdrasil.enableGateway = true;
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ config.services.uhub.port ];
|
||||||
|
|
||||||
|
networking.interfaces.eth0.ipv6.addresses = [{
|
||||||
|
address = "310:5217:69c0:9afc:0:576d:1184:c3d2";
|
||||||
|
prefixLength = 64;
|
||||||
|
}]; # Old address used by some clients
|
||||||
|
|
||||||
services.uhub = {
|
services.uhub = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -18,8 +27,6 @@ name:
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ config.services.uhub.port ];
|
|
||||||
hq.yggdrasil.enable = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +1,6 @@
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
yggaddr = import ../yggaddr.nix;
|
|
||||||
|
|
||||||
containerFunc = name:
|
containerFunc = name:
|
||||||
# Generate a container expression from the directory at `name`.
|
# Generate a container expression from the directory at `name`.
|
||||||
{
|
{
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
name:
|
||||||
|
|
||||||
|
(import ../outer-defaults.nix name) // {
|
||||||
|
|
||||||
|
ephemeral = true;
|
||||||
|
|
||||||
|
config = { config, pkgs, lib, ... }: {
|
||||||
|
imports = [ ../inner-defaults.nix ];
|
||||||
|
c3d2.hq.yggdrasil.enableGateway = true;
|
||||||
|
networking.firewall.enable = false;
|
||||||
|
networking.interfaces.eth0.useDHCP = true;
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
email = "mail@c3d2.de";
|
||||||
|
};
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
virtualHosts = {
|
||||||
|
"hydra7.hq.c3d2.de" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations."/".proxyPass = "http://172.22.99.245:3000";
|
||||||
|
};
|
||||||
|
"hydra7.y.c3d2.de" = {
|
||||||
|
default = true;
|
||||||
|
addSSL = false;
|
||||||
|
locations."/".proxyPass = "http://172.22.99.245:3000";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
|
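Review bot: `networking.firewall.enable = false;` leaves the container fully open while its only visible job is to proxy two nginx vhosts to `http://172.22.99.245:3000`; `networking.firewall.allowedTCPPorts = [ 80 443 ];` would expose exactly what the proxy and ACME need. Separately, `ephemeral = true;` discards the container's state at every restart while `security.acme` keeps its account and certificates under `/var/lib/acme`; unless `../outer-defaults.nix` bind-mounts that path (not visible here), every start re-registers and re-issues certificates and will hit Let's Encrypt rate limits. The `hydra7.y.c3d2.de` vhost is the `default = true` catch-all with `addSSL = false`, so any unmatched hostname is proxied to hydra over plain HTTP; a comment saying this is intended for the Yggdrasil-only name would help.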
@ -10,11 +10,12 @@ name:
|
||||||
config = { config, pkgs, lib, ... }:
|
config = { config, pkgs, lib, ... }:
|
||||||
let ncdcPort = 1512;
|
let ncdcPort = 1512;
|
||||||
in {
|
in {
|
||||||
imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ];
|
imports = [ ../inner-defaults.nix ];
|
||||||
|
|
||||||
c3d2 = {
|
c3d2 = {
|
||||||
users.k-ot = true;
|
users.k-ot = true;
|
||||||
hq.statistics.enable = true;
|
hq.statistics.enable = true;
|
||||||
|
hq.yggdrasil.enableGateway = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
@ -23,7 +24,6 @@ name:
|
||||||
environment.systemPackages = with pkgs; [ tmux ncdc ];
|
environment.systemPackages = with pkgs; [ tmux ncdc ];
|
||||||
|
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
hq.yggdrasil.enable = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,12 +7,4 @@ in {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostBridge = "br0";
|
hostBridge = "br0";
|
||||||
|
|
||||||
localAddress6 = with builtins; let
|
|
||||||
hash = hashString "sha256" name;
|
|
||||||
hextet0 = substring 0 4 hash;
|
|
||||||
hextet1 = substring 4 4 hash;
|
|
||||||
in "${yggaddr.prefix}:${hextet0}:${hextet1}:c3d2/64";
|
|
||||||
# Generate a deterministic IPv6 address for the container.
|
|
||||||
# This address is accessible within HQ and Yggdrasil but not from ARPANET.
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,6 +13,7 @@ name:
|
||||||
c3d2 = {
|
c3d2 = {
|
||||||
users.k-ot = true;
|
users.k-ot = true;
|
||||||
hq.statistics.enable = true;
|
hq.statistics.enable = true;
|
||||||
|
hq.yggdrasil.enableGateway = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
|
@ -20,6 +21,8 @@ name:
|
||||||
allowSFTP = true;
|
allowSFTP = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.systemPackages = with pkgs; [ git borgbackup ];
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nginx.override {
|
package = pkgs.nginx.override {
|
||||||
|
@ -45,7 +48,7 @@ name:
|
||||||
fancyindex on;
|
fancyindex on;
|
||||||
# autoindex on;
|
# autoindex on;
|
||||||
dav_access all:r;
|
dav_access all:r;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -3,16 +3,21 @@
|
||||||
let yggaddr = import ./yggaddr.nix;
|
let yggaddr = import ./yggaddr.nix;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
# <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||||
../../lib
|
../../lib
|
||||||
../../lib/default-gateway.nix
|
../../lib/default-gateway.nix
|
||||||
../../lib/yggdrasil.nix
|
./borgbackup.nix
|
||||||
./containers
|
./containers
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./hydra.nix
|
./hydra.nix
|
||||||
./nix-serve.nix
|
./nix-serve.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
security.acme = {
|
||||||
|
email = " mail@c3d2.de";
|
||||||
|
acceptTerms = true;
|
||||||
|
};
|
||||||
|
|
||||||
c3d2 = {
|
c3d2 = {
|
||||||
users = {
|
users = {
|
||||||
emery = true;
|
emery = true;
|
||||||
|
@ -40,20 +45,13 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
statusPage = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
# Route IPv6
|
# Route IPv6
|
||||||
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
|
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
|
||||||
# Obtain global IPv6 despite being a router myself
|
# Obtain global IPv6 despite being a router myself
|
||||||
boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;
|
boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;
|
||||||
|
|
||||||
services.yggdrasil = {
|
services.yggdrasil = {
|
||||||
|
enable = true;
|
||||||
configFile = "/var/lib/yggdrasil/keys";
|
configFile = "/var/lib/yggdrasil/keys";
|
||||||
config.Peers = [
|
config.Peers = [
|
||||||
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
|
"tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
|
||||||
|
@ -74,28 +72,43 @@ in {
|
||||||
|
|
||||||
nix = {
|
nix = {
|
||||||
package = pkgs.nixFlakes;
|
package = pkgs.nixFlakes;
|
||||||
extraOptions = "experimental-features = nix-command flakes ca-references";
|
|
||||||
gc.automatic = true;
|
gc.automatic = true;
|
||||||
optimise.automatic = true;
|
optimise.automatic = true;
|
||||||
|
extraOptions = ''
|
||||||
|
experimental-features = nix-command flakes ca-references
|
||||||
|
post-build-hook = ${
|
||||||
|
pkgs.writeScript "post-build-sign-paths" ''
|
||||||
|
#!${pkgs.runtimeShell}
|
||||||
|
nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
|
||||||
|
''
|
||||||
|
}
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
nixpkgs.overlays = [
|
||||||
|
(self: super: {
|
||||||
|
nix = super.nix // { meta.platforms = lib.platforms.linux; };
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
virtualisation.docker.enable = true;
|
virtualisation.docker.enable = true;
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
firewall.enable = false;
|
firewall.enable = false;
|
||||||
|
firewall.trustedInterfaces = [ "br0" ];
|
||||||
hostName = "server7";
|
hostName = "server7";
|
||||||
|
hostId = "454fe12c";
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
bridges.br0.interfaces = [ "enp2s0f0" ];
|
bridges.br0.interfaces = [ "enp2s0f0" ];
|
||||||
interfaces = {
|
interfaces = {
|
||||||
br0 = {
|
br0 = {
|
||||||
useDHCP = true;
|
useDHCP = true;
|
||||||
preferTempAddress = false;
|
tempAddress = "disabled";
|
||||||
ipv4.addresses = [{
|
ipv4.addresses = [{
|
||||||
address = "172.22.99.245";
|
address = "172.22.99.245";
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
}];
|
}];
|
||||||
ipv6.addresses = [{
|
ipv6.addresses = [{
|
||||||
address = yggaddr.prefix + ":1";
|
address = yggaddr.prefix64 + "::1";
|
||||||
prefixLength = 64;
|
prefixLength = 64;
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
@ -107,19 +120,21 @@ in {
|
||||||
boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
|
boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
|
||||||
boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;
|
boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [ tmux htop vim gitMinimal nixfmt ];
|
environment.systemPackages = with pkgs; [
|
||||||
|
tmux
|
||||||
|
htop
|
||||||
|
vim
|
||||||
|
gitMinimal
|
||||||
|
nixfmt
|
||||||
|
zfsStable
|
||||||
|
];
|
||||||
|
|
||||||
services.collectd.extraConfig = ''
|
services.collectd.extraConfig = ''
|
||||||
LoadPlugin sensors
|
|
||||||
LoadPlugin memory
|
LoadPlugin memory
|
||||||
LoadPlugin irq
|
|
||||||
LoadPlugin thermal
|
|
||||||
LoadPlugin processes
|
LoadPlugin processes
|
||||||
LoadPlugin disk
|
LoadPlugin disk
|
||||||
LoadPlugin hddtemp
|
|
||||||
LoadPlugin df
|
LoadPlugin df
|
||||||
LoadPlugin cpu
|
LoadPlugin cpu
|
||||||
LoadPlugin cpufreq
|
|
||||||
LoadPlugin entropy
|
LoadPlugin entropy
|
||||||
LoadPlugin load
|
LoadPlugin load
|
||||||
LoadPlugin swap
|
LoadPlugin swap
|
||||||
|
@ -139,4 +154,9 @@ in {
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
||||||
system.stateVersion = "19.09"; # Did you read the comment?
|
system.stateVersion = "19.09"; # Did you read the comment?
|
||||||
|
|
||||||
|
users.extraUsers.hydra.openssh.authorizedKeys.keys = [
|
||||||
|
# allow the old hydra to build here
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
|
||||||
|
];
|
||||||
}
|
}
|
|
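Review bot: The ACME contact in the `@ -3,16 +3,21 @@` hunk is `email = " mail@c3d2.de";` with a leading space inside the string, which is handed verbatim to the ACME client as the account e-mail; it should read `email = "mail@c3d2.de";`. In the `@ -74,28 +72,43 @@` hunk, `firewall.trustedInterfaces = [ "br0" ];` is added directly under `firewall.enable = false;`, so it has no effect; if the firewall is meant to stay off, either drop the line or mark it with `# firewall is disabled on this host; kept for when it is re-enabled` so the intent is explicit. The `@ -139,4 +154,9 @@` hunk installs the `root@hydra` key on the `hydra` account, and hydra.nix in this same commit adds `hydra` to `nix.trustedUsers`, which the Nix manual describes as root-equivalent for the daemon; the comment `# allow the old hydra to build here` should say that this key therefore carries trusted-user privileges and be removed once the migration is done. The `post-build-hook` in `@ -74,28 +72,43 @@` signs every path built on this host with `/var/lib/nix-serve.key`, so anything any user builds is published as trusted by the cache key; a one-line comment stating that this is the intended trust model would help the next reader.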
@ -4,27 +4,173 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
# imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
|
||||||
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
|
boot.initrd.availableKernelModules =
|
||||||
|
[ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [ ];
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
boot.supportedFilesystems = [ "zfs" ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f";
|
device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" = {
|
||||||
{ device = "/dev/disk/by-uuid/9812-00B2";
|
device = "/dev/disk/by-uuid/9812-00B2";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = {
|
||||||
|
device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1" = {
|
||||||
|
device = "nvme0n1";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = {
|
||||||
|
device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/archive" = {
|
||||||
|
device = "nvme0n1/archive";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = {
|
||||||
|
device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = {
|
||||||
|
device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/global/cores" = {
|
||||||
|
device = "nvme0n1/cores/global";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = {
|
||||||
|
device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = {
|
||||||
|
device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/zones/e71d4460-8eef-6623-a875-dd5ec20b650f/cores" = {
|
||||||
|
device = "nvme0n1/cores/e71d4460-8eef-6623-a875-dd5ec20b650f";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/c3d2.de" = {
|
||||||
|
device = "nvme0n1/c3d2.de";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = {
|
||||||
|
device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f" = {
|
||||||
|
device = "nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = {
|
||||||
|
device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = {
|
||||||
|
device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/c3d2.de/admin" = {
|
||||||
|
device = "nvme0n1/c3d2.de/admin";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/c3d2.de/templates" = {
|
||||||
|
device = "nvme0n1/c3d2.de/templates";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = {
|
||||||
|
device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = {
|
||||||
|
device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = {
|
||||||
|
device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = {
|
||||||
|
device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5" = {
|
||||||
|
device = "nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = {
|
||||||
|
device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3" = {
|
||||||
|
device = "nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = {
|
||||||
|
device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43" = {
|
||||||
|
device = "nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = {
|
||||||
|
device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = {
|
||||||
|
device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/nvme0n1/c3d2.de/iso" = {
|
||||||
|
device = "nvme0n1/c3d2.de/iso";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
nix.maxJobs = lib.mkDefault 20;
|
nix.maxJobs = lib.mkDefault 10;
|
||||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
nix.buildCores = lib.mkDefault 40;
|
||||||
|
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
|
||||||
}
|
}
|
||||||
|
|
|
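Review bot: The `@ -4,27 +4,173 @@` hunk hand-edits a generated hardware-configuration.nix: `# imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];` is commented out, which drops the `hardware.enableRedistributableFirmware` default that profile provides, and `usb_storage` disappears from `boot.initrd.availableKernelModules` with no explanation; a regenerate would silently revert both. A header comment such as `# Hand-maintained: not-detected.nix deliberately omitted, usb_storage dropped from initrd; do not overwrite with nixos-generate-config` would preserve that intent. The many `fsType = "zfs"` entries under `/zones/*` and `/nvme0n1/*` look like datasets inherited from another OS; NixOS `fileSystems` mounts them with mount(8), which presumably requires their `mountpoint` property to be `legacy` — worth confirming on the pool before the first boot. The repeated three-line blocks could also be generated from a list of dataset names with `lib.listToAttrs`, which would keep the file readable as datasets are added.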
@ -1,173 +1,28 @@
|
||||||
let
|
{ config, lib, pkgs, ... }:
|
||||||
hydraFlakes = pkgs:
|
|
||||||
with pkgs;
|
|
||||||
let
|
|
||||||
perlDeps = buildEnv {
|
|
||||||
name = "hydra-perl-deps";
|
|
||||||
paths = with perlPackages; [
|
|
||||||
ModulePluggable
|
|
||||||
CatalystActionREST
|
|
||||||
CatalystAuthenticationStoreDBIxClass
|
|
||||||
CatalystDevel
|
|
||||||
CatalystDispatchTypeRegex
|
|
||||||
CatalystPluginAccessLog
|
|
||||||
CatalystPluginAuthorizationRoles
|
|
||||||
CatalystPluginCaptcha
|
|
||||||
CatalystPluginSessionStateCookie
|
|
||||||
CatalystPluginSessionStoreFastMmap
|
|
||||||
CatalystPluginStackTrace
|
|
||||||
CatalystPluginUnicodeEncoding
|
|
||||||
CatalystTraitForRequestProxyBase
|
|
||||||
CatalystViewDownload
|
|
||||||
CatalystViewJSON
|
|
||||||
CatalystViewTT
|
|
||||||
CatalystXScriptServerStarman
|
|
||||||
CatalystXRoleApplicator
|
|
||||||
CryptRandPasswd
|
|
||||||
DBDPg
|
|
||||||
DBDSQLite
|
|
||||||
DataDump
|
|
||||||
DateTime
|
|
||||||
DigestSHA1
|
|
||||||
EmailMIME
|
|
||||||
EmailSender
|
|
||||||
FileSlurp
|
|
||||||
IOCompress
|
|
||||||
IPCRun
|
|
||||||
JSON
|
|
||||||
JSONAny
|
|
||||||
JSONXS
|
|
||||||
LWP
|
|
||||||
LWPProtocolHttps
|
|
||||||
NetAmazonS3
|
|
||||||
NetPrometheus
|
|
||||||
NetStatsd
|
|
||||||
PadWalker
|
|
||||||
Readonly
|
|
||||||
SQLSplitStatement
|
|
||||||
SetScalar
|
|
||||||
Starman
|
|
||||||
SysHostnameLong
|
|
||||||
TermSizeAny
|
|
||||||
TestMore
|
|
||||||
TextDiff
|
|
||||||
TextTable
|
|
||||||
XMLSimple
|
|
||||||
pkgs.nixFlakes
|
|
||||||
pkgs.nixFlakes.perl-bindings
|
|
||||||
git
|
|
||||||
boehmgc
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
in stdenv.mkDerivation {
|
{
|
||||||
|
services.hydra-dev = {
|
||||||
name = "hydra-flake";
|
|
||||||
|
|
||||||
src = pkgs.fetchFromGitHub {
|
|
||||||
owner = "NixOS";
|
|
||||||
repo = "hydra";
|
|
||||||
rev = "47797576838974c8209536b67bb45e953a50900f";
|
|
||||||
sha256 = "1vqib99d7wgnl3c6ccx0xx2q88qmdkpydkb6gd0pik9wg2nn3jng";
|
|
||||||
};
|
|
||||||
|
|
||||||
buildInputs = [
|
|
||||||
makeWrapper
|
|
||||||
autoconf
|
|
||||||
automake
|
|
||||||
libtool
|
|
||||||
unzip
|
|
||||||
nukeReferences
|
|
||||||
pkgconfig
|
|
||||||
sqlite
|
|
||||||
libpqxx
|
|
||||||
gitAndTools.topGit
|
|
||||||
mercurial
|
|
||||||
darcs
|
|
||||||
subversion
|
|
||||||
bazaar
|
|
||||||
openssl
|
|
||||||
bzip2
|
|
||||||
libxslt
|
|
||||||
guile # optional, for Guile + Guix support
|
|
||||||
perlDeps
|
|
||||||
perl
|
|
||||||
pkgs.nixFlakes
|
|
||||||
postgresql95 # for running the tests
|
|
||||||
boost
|
|
||||||
(nlohmann_json.override { multipleHeaders = true; })
|
|
||||||
];
|
|
||||||
|
|
||||||
hydraPath = lib.makeBinPath ([
|
|
||||||
sqlite
|
|
||||||
subversion
|
|
||||||
openssh
|
|
||||||
pkgs.nixFlakes
|
|
||||||
coreutils
|
|
||||||
findutils
|
|
||||||
pixz
|
|
||||||
gzip
|
|
||||||
bzip2
|
|
||||||
lzma
|
|
||||||
gnutar
|
|
||||||
unzip
|
|
||||||
git
|
|
||||||
gitAndTools.topGit
|
|
||||||
mercurial
|
|
||||||
darcs
|
|
||||||
gnused
|
|
||||||
bazaar
|
|
||||||
] ++ lib.optionals stdenv.isLinux [ rpm dpkg cdrkit ]);
|
|
||||||
|
|
||||||
configureFlags = [ "--with-docbook-xsl=${docbook_xsl}/xml/xsl/docbook" ];
|
|
||||||
|
|
||||||
shellHook = ''
|
|
||||||
PATH=$(pwd)/src/hydra-evaluator:$(pwd)/src/script:$(pwd)/src/hydra-eval-jobs:$(pwd)/src/hydra-queue-runner:$PATH
|
|
||||||
PERL5LIB=$(pwd)/src/lib:$PERL5LIB
|
|
||||||
'';
|
|
||||||
|
|
||||||
preConfigure = "autoreconf -vfi";
|
|
||||||
|
|
||||||
NIX_LDFLAGS = [ "-lpthread" ];
|
|
||||||
|
|
||||||
enableParallelBuilding = true;
|
|
||||||
|
|
||||||
preCheck = ''
|
|
||||||
patchShebangs .
|
|
||||||
export LOGNAME=''${LOGNAME:-foo}
|
|
||||||
'';
|
|
||||||
|
|
||||||
postInstall = ''
|
|
||||||
mkdir -p $out/nix-support
|
|
||||||
|
|
||||||
for i in $out/bin/*; do
|
|
||||||
read -n 4 chars < $i
|
|
||||||
if [[ $chars =~ ELF ]]; then continue; fi
|
|
||||||
wrapProgram $i \
|
|
||||||
--prefix PERL5LIB ':' $out/libexec/hydra/lib:$PERL5LIB \
|
|
||||||
--prefix PATH ':' $out/bin:$hydraPath \
|
|
||||||
--set HYDRA_RELEASE 0.1 \
|
|
||||||
--set HYDRA_HOME $out/libexec/hydra \
|
|
||||||
--set NIX_RELEASE ${pkgs.nixFlakes.name or "unknown"}
|
|
||||||
done
|
|
||||||
'';
|
|
||||||
|
|
||||||
dontStrip = true;
|
|
||||||
|
|
||||||
meta.description = "Build of Hydra on ${system}";
|
|
||||||
passthru.perlDeps = perlDeps;
|
|
||||||
};
|
|
||||||
in { config, pkgs, ... }: {
|
|
||||||
|
|
||||||
services.hydra = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
|
debugServer = true;
|
||||||
|
extraEnv.HYDRA_DEBUG = "1";
|
||||||
hydraURL = "https://server7.hq.c3d2.de";
|
hydraURL = "https://server7.hq.c3d2.de";
|
||||||
logo = ./hydra.svg;
|
logo = ./hydra.svg;
|
||||||
notificationSender = "hydra@spam.works";
|
notificationSender = "hydra@spam.works";
|
||||||
package = hydraFlakes pkgs;
|
# package = pkgs.hydra-unstable;
|
||||||
listenHost = "127.0.0.1";
|
listenHost = "172.22.99.245";
|
||||||
|
# listenHost = "*";
|
||||||
|
useSubstitutes = true;
|
||||||
|
minimumDiskFree = 2;
|
||||||
|
minimumDiskFreeEvaluator = 2;
|
||||||
|
extraConfig = ''
|
||||||
|
<sotest>
|
||||||
|
authfile = /var/lib/hydra/sotest.auth
|
||||||
|
</sotest>
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nix.trustedUsers = [ "hydra" ];
|
||||||
|
|
||||||
nix.buildMachines = [{
|
nix.buildMachines = [{
|
||||||
hostName = "localhost";
|
hostName = "localhost";
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
@ -175,18 +30,20 @@ in { config, pkgs, ... }: {
|
||||||
maxJobs = 8;
|
maxJobs = 8;
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
nix.binaryCachePublicKeys =
|
||||||
|
[ "nix-serve.hq.c3d2.de-2:elqZouiiQP4XNfmEekwXH/YRPL1pXlN5JgVSzT1Ctoc=" ];
|
||||||
|
nix.binaryCaches = [ "http://nix-serve.hq.c3d2.de" ];
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"server7.hq.c3d2.de" = {
|
"server7.hq.c3d2.de" = {
|
||||||
default = true;
|
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/".proxyPass =
|
globalRedirect = "hydra7.hq.c3d2.de";
|
||||||
"http://127.0.0.1:${toString config.services.hydra.port}";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
}
|
}
|
||||||
|
|
|
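Review bot: In the `@ -1,173 +1,28 @@` hunk, `listenHost = "172.22.99.245";` moves Hydra's own plaintext HTTP listener from loopback to the LAN address, while in `@ -175,18 +30,20 @@` the nginx `locations."/".proxyPass` is replaced by `globalRedirect = "hydra7.hq.c3d2.de";` and `networking.firewall.allowedTCPPorts = [ 80 443 ];` is dropped; since configuration.nix in this commit also sets `firewall.enable = false;`, the Hydra port is now reachable from the HQ network without TLS and without nginx in front of it. If hydra7.hq.c3d2.de is meant to terminate TLS for it, a comment such as `# plaintext; TLS is terminated by the reverse proxy on hydra7.hq.c3d2.de` next to `listenHost` would record that, otherwise `listenHost = "127.0.0.1";` should be kept. `debugServer = true;` and `extraEnv.HYDRA_DEBUG = "1";` turn on debug output in a permanent host configuration; they are easy to forget, so either remove them before merge or annotate why they are needed. `nix.trustedUsers = [ "hydra" ];` makes the hydra account root-equivalent for the Nix daemon per the Nix manual, which matters because the same commit adds an external `root@hydra` SSH key to that account in configuration.nix.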
@ -15,7 +15,9 @@
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/".proxyPass =
|
locations."/".proxyPass =
|
||||||
"http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
|
"http://${config.services.nix-serve.bindAddress}:${
|
||||||
|
toString config.services.nix-serve.port
|
||||||
|
}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{
|
{
|
||||||
address = "210:5217:69c0:9afc:1b95:b9f:8718:c3d2";
|
address = "210:5217:69c0:9afc:1b95:b9f:8718:c3d2";
|
||||||
prefix = "310:5217:69c0:9afc:";
|
prefix64 = "310:5217:69c0:9afc";
|
||||||
}
|
}
|
||||||
|
|
|
@ -16,6 +16,7 @@ let
|
||||||
url = "https://github.com/NixOS/nixpkgs.git";
|
url = "https://github.com/NixOS/nixpkgs.git";
|
||||||
};
|
};
|
||||||
nixos-config.file = toString (./hosts + "/${path}/configuration.nix");
|
nixos-config.file = toString (./hosts + "/${path}/configuration.nix");
|
||||||
|
this-host.file = toString (./hosts + "/${path}");
|
||||||
lib.file = toString ./lib;
|
lib.file = toString ./lib;
|
||||||
secrets.file = toString ./secrets;
|
secrets.file = toString ./secrets;
|
||||||
"host-registry.nix".file = toString ./host-registry.nix;
|
"host-registry.nix".file = toString ./host-registry.nix;
|
||||||
|
|
|
@ -8,6 +8,8 @@ let
|
||||||
hqPrefix64 = "fd23:42:c3d2:523";
|
hqPrefix64 = "fd23:42:c3d2:523";
|
||||||
# TODO: Is this stable? Is there a better place to specifiy this?
|
# TODO: Is this stable? Is there a better place to specifiy this?
|
||||||
|
|
||||||
|
server7Ygg = import ../hosts/server7/yggaddr.nix;
|
||||||
|
|
||||||
# Generate a deterministic IPv6 address for a 64 bit prefix
|
# Generate a deterministic IPv6 address for a 64 bit prefix
|
||||||
# and seed string. Prefix must not contain trailing ':'.
|
# and seed string. Prefix must not contain trailing ':'.
|
||||||
toIpv6Address = prefix64: seed:
|
toIpv6Address = prefix64: seed:
|
||||||
|
@ -21,14 +23,9 @@ let
|
||||||
# for the HQ networking using a seed string.
|
# for the HQ networking using a seed string.
|
||||||
toHqPrivateAddress = toIpv6Address hqPrefix64;
|
toHqPrivateAddress = toIpv6Address hqPrefix64;
|
||||||
|
|
||||||
/* # Generate a deterministic public IPv6 addresses
|
toServer7Address = toIpv6Address server7Ygg.prefix64;
|
||||||
# for the HQ networking using a seed string.
|
|
||||||
toHqPublicAddress = toIpv6Address publicPrefix64;
|
|
||||||
|
|
||||||
# Generate a deterministic public IPv6 addresses
|
# toHqPublicAddress = toIpv6Address publicPrefix64;
|
||||||
# for the HQ networking using a seed string.
|
|
||||||
toserver7YggdrasilAddress = toIpv6Address server7YggrasilPrefix64;
|
|
||||||
*/
|
|
||||||
|
|
||||||
cfg = config.c3d2;
|
cfg = config.c3d2;
|
||||||
|
|
||||||
|
@ -106,6 +103,8 @@ in {
|
||||||
description = "Whether to proxy the local MPD database";
|
description = "Whether to proxy the local MPD database";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
yggdrasil.enableGateway = mkEnableOption
|
||||||
|
"Whether to join the host to the Yggdrasil network via a gateway";
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
@ -118,7 +117,8 @@ in {
|
||||||
# Configuration specific to this machine
|
# Configuration specific to this machine
|
||||||
|
|
||||||
assertions = [
|
assertions = [
|
||||||
{ assertion = cfg.isInHq -> (config.users.users.root.password == null);
|
{
|
||||||
|
assertion = cfg.isInHq -> (config.users.users.root.password == null);
|
||||||
message = "Root passwords not allowed in HQ";
|
message = "Root passwords not allowed in HQ";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
@ -166,10 +166,16 @@ in {
|
||||||
host.ip6
|
host.ip6
|
||||||
else
|
else
|
||||||
toHqPrivateAddress hostName;
|
toHqPrivateAddress hostName;
|
||||||
in [{
|
in [
|
||||||
name = ip6;
|
{
|
||||||
value = [ "${hostName}.hq" hostName ];
|
name = ip6;
|
||||||
}] ++ lib.optional (hasAttr "ip4" host) {
|
value = [ "${hostName}.hq" hostName ];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = toServer7Address hostName;
|
||||||
|
value = [ "${hostName}.y.c3d2.de" "${hostName}.y" ];
|
||||||
|
}
|
||||||
|
] ++ lib.optional (hasAttr "ip4" host) {
|
||||||
name = host.ip4;
|
name = host.ip4;
|
||||||
value = [ "${hostName}.hq" hostName ];
|
value = [ "${hostName}.hq" hostName ];
|
||||||
};
|
};
|
||||||
|
@ -196,7 +202,16 @@ in {
|
||||||
ipv6.addresses = [{
|
ipv6.addresses = [{
|
||||||
address = toHqPrivateAddress config.networking.hostName;
|
address = toHqPrivateAddress config.networking.hostName;
|
||||||
prefixLength = 64;
|
prefixLength = 64;
|
||||||
}];
|
}] ++ lib.optional (cfg.hq.yggdrasil.enableGateway) {
|
||||||
|
address = toServer7Address config.networking.hostName;
|
||||||
|
prefixLength = 64;
|
||||||
|
};
|
||||||
|
ipv6.routes = lib.optional (cfg.hq.yggdrasil.enableGateway) {
|
||||||
|
address = "200::";
|
||||||
|
options.pref = "low";
|
||||||
|
prefixLength = 7;
|
||||||
|
via = server7Ygg.prefix64 + "::1";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -231,17 +246,31 @@ in {
|
||||||
|
|
||||||
services.collectd = lib.mkIf cfg.hq.statistics.enable {
|
services.collectd = lib.mkIf cfg.hq.statistics.enable {
|
||||||
enable = true;
|
enable = true;
|
||||||
autoLoadPlugin = true;
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
HostName "${config.networking.hostName}"
|
|
||||||
FQDNLookup false
|
FQDNLookup false
|
||||||
Interval 10
|
Interval 10
|
||||||
|
|
||||||
LoadPlugin network
|
|
||||||
<Plugin "network">
|
|
||||||
Server "grafana.hq" "25826"
|
|
||||||
</Plugin>
|
|
||||||
'';
|
'';
|
||||||
|
buildMinimalPackage = true;
|
||||||
|
plugins = {
|
||||||
|
logfile = ''
|
||||||
|
LogLevel info
|
||||||
|
File STDOUT
|
||||||
|
'';
|
||||||
|
network = ''
|
||||||
|
Server "grafana.hq.c3d2.de" "25826"
|
||||||
|
'';
|
||||||
|
memory = "";
|
||||||
|
processes = "";
|
||||||
|
disk = "";
|
||||||
|
df = "";
|
||||||
|
cpu = "";
|
||||||
|
entropy = "";
|
||||||
|
load = "";
|
||||||
|
swap = "";
|
||||||
|
cgroups = "";
|
||||||
|
vmem = "";
|
||||||
|
interface = "";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.hail = lib.mkIf cfg.enableHail {
|
services.hail = lib.mkIf cfg.enableHail {
|
||||||
|
|
|
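Review bot: In the `@ -106,6 +103,8 @@` hunk, `yggdrasil.enableGateway = mkEnableOption "Whether to join the host to the Yggdrasil network via a gateway";` produces the option description "Whether to enable Whether to join …", because `mkEnableOption` prefixes its argument with "Whether to enable"; the argument should be a noun phrase, e.g. `mkEnableOption "joining the host to the Yggdrasil network via the server7 gateway"`. In `@ -166,10 +166,16 @@`, the `"${hostName}.y.c3d2.de"` hosts entry is emitted for every registry host, while the matching address in `@ -196,7 +202,16 @@` is only configured when `cfg.hq.yggdrasil.enableGateway` is set, so those names resolve to an address the host does not hold unless the gateway is enabled; if that is intended, a comment next to the entry saying so would help. In `@ -231,17 +246,31 @@`, `HostName "${config.networking.hostName}"` is removed from the collectd config; with `FQDNLookup false` collectd presumably falls back to the kernel hostname, which should match, but that reliance is worth a one-line comment since the metrics are keyed by it.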
@ -1,7 +0,0 @@
|
||||||
{ config, lib, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
# Please import only things that are configurable and OFF BY DEFAULT!
|
|
||||||
imports = [ ./yggdrasil-hq.nix ];
|
|
||||||
|
|
||||||
}
|
|
|
@ -4,7 +4,6 @@
|
||||||
imports =
|
imports =
|
||||||
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||||
<nixpkgs/nixos/modules/profiles/docker-container.nix>
|
<nixpkgs/nixos/modules/profiles/docker-container.nix>
|
||||||
./hq.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.networkmanager.dns = "unbound";
|
networking.networkmanager.dns = "unbound";
|
||||||
|
|
|
@ -3,8 +3,11 @@
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
nixcloud-webservices = builtins.fetchGit {
|
nixcloud-webservices = pkgs.fetchFromGitHub {
|
||||||
url = "https://github.com/nixcloud/nixcloud-webservices.git";
|
owner = "nixcloud";
|
||||||
|
repo = "nixcloud-webservices";
|
||||||
|
rev = "3a0767f0536fac811065eb87e6342f27eac085aa";
|
||||||
|
sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8=";
|
||||||
};
|
};
|
||||||
nixcloud = (
|
nixcloud = (
|
||||||
import "${nixcloud-webservices}/pkgs" { inherit pkgs; }
|
import "${nixcloud-webservices}/pkgs" { inherit pkgs; }
|
||||||
|
|
|
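Review bot: Pinning `nixcloud-webservices` with `rev` and `sha256` in the `@ -3,8 +3,11 @@` hunk is the right fix for the previously unpinned `builtins.fetchGit`, since the result is `import`ed and evaluated at build time; what is missing is a note of where the rev came from so it can be bumped deliberately, e.g. `# nixcloud-webservices master as of <date> — bump rev and sha256 together`. The `sha256` is given in base64 rather than the base32 form `nix-prefetch-url` prints; Nix accepts both, but mixing forms across the repo makes hashes harder to verify by eye.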
@ -4,6 +4,7 @@ let
|
||||||
keys = [
|
keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery@nixos"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery@nixos"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVmyXQNE5IhcFdAWNfd4Cgg+rc+z/uClSQdPcaAVbYf emery@nixos"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVmyXQNE5IhcFdAWNfd4Cgg+rc+z/uClSQdPcaAVbYf emery@nixos"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC55d1lIbI00AyDnlfig3znWKPToGUcM8TKj5s8EHQm5SkUn0DeG1+h5/wciyu7NonIxykgtx2nfnLAewgNjKDk1Q7bqNTxvIkb5dtpuEvGWuuLmm5VCQUszPSNmQAMocFAc+A0ALDTdR0pS+DFuKPx4DncYLQxDFwdV+1vw0PYCXNHfS6umJW/bsQ2jLc2+H3bnXqhcoQX6EVvlQS3QNpWOY3qhK9Yy58NJywmcSSzamc4Fyd1Jz/R67/4hYDfB65f7bs6l0BjFj+yciiVYyZuILPb6CZicXcNTjnW6YFGHDQt3owsr/pQuuPxUWiP8rfrrrwnyi1SFeYrmCKSQ6WOZMA5mHZ6091LbspwrlGiGBXKPoZhHHUW/dDmojy1XAIK/XFg/5+DiG+2Rc61l1AnRaP4IRiFViV9VlPBYBG5TFmAfxCz6iiwuDQY1cSX4+duqL7sIkZTPMkQP0Bf3ek1hTK1U8nbSOP6sILt7e5ApRCoAu9S+fFtbpI+l1GCy90= root@bigpad"
|
||||||
];
|
];
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
|
|
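Review bot: The key added in the `@ -4,6 +4,7 @@` hunk is labelled `root@bigpad`, i.e. it identifies a machine's root account rather than a person, unlike the `emery@nixos` entries around it; a comment stating who controls that host and why it needs access, e.g. `# root@bigpad: <owner> — <purpose>`, makes later revocation possible. If `keys` is the admin key list (its use is outside the hunk), this grants that host's root the same access as the listed personal keys.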
@ -1,40 +0,0 @@
|
||||||
{ config, lib, ... }:
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.hq.yggdrasil;
|
|
||||||
hostNameHash = builtins.hashString "sha256" config.networking.hostName;
|
|
||||||
hextets = map (i: substring (4 * i) 4 hostNameHash) [ 0 1 2 3 ];
|
|
||||||
hostAddr = concatStringsSep ":" hextets;
|
|
||||||
in {
|
|
||||||
options = with types; {
|
|
||||||
hq.yggdrasil = {
|
|
||||||
enable =
|
|
||||||
mkEnableOption "Configure Yggdrasil access via the Yggdrasil router";
|
|
||||||
|
|
||||||
interface = mkOption {
|
|
||||||
type = nullOr str;
|
|
||||||
default = "eth0";
|
|
||||||
description = "Network interface to the C3D2 HQ ethernet";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
networking.interfaces = {
|
|
||||||
"${cfg.interface}" = {
|
|
||||||
"ipv6" = {
|
|
||||||
addresses = [{
|
|
||||||
address = "310:5217:69c0:9afc:${hostAddr}";
|
|
||||||
prefixLength = 64;
|
|
||||||
}];
|
|
||||||
routes = [{
|
|
||||||
address = "200::";
|
|
||||||
prefixLength = 7;
|
|
||||||
via = "310:5217:69c0:9afc::1";
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,185 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
cfg = config.services.yggdrasil;
|
|
||||||
configProvided = (cfg.config != { });
|
|
||||||
configAsFile = (if configProvided then
|
|
||||||
toString (pkgs.writeTextFile {
|
|
||||||
name = "yggdrasil-conf";
|
|
||||||
text = builtins.toJSON cfg.config;
|
|
||||||
})
|
|
||||||
else
|
|
||||||
null);
|
|
||||||
configFileProvided = (cfg.configFile != null);
|
|
||||||
generateConfig = (if configProvided && configFileProvided then
|
|
||||||
"${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}"
|
|
||||||
else if configProvided then
|
|
||||||
"cat ${configAsFile}"
|
|
||||||
else if configFileProvided then
|
|
||||||
"cat ${cfg.configFile}"
|
|
||||||
else
|
|
||||||
"${cfg.package}/bin/yggdrasil -genconf");
|
|
||||||
|
|
||||||
in {
|
|
||||||
options = with types; {
|
|
||||||
services.yggdrasil = {
|
|
||||||
enable = mkEnableOption "the yggdrasil system service";
|
|
||||||
|
|
||||||
configFile = mkOption {
|
|
||||||
type = nullOr str;
|
|
||||||
default = null;
|
|
||||||
example = "/run/keys/yggdrasil.conf";
|
|
||||||
description = ''
|
|
||||||
A file which contains JSON configuration for yggdrasil.
|
|
||||||
|
|
||||||
You do not have to supply a complete configuration, as
|
|
||||||
yggdrasil will use default values for anything which is
|
|
||||||
omitted. If the encryption and signing keys are omitted,
|
|
||||||
yggdrasil will generate new ones each time the service is
|
|
||||||
started, resulting in a random IPv6 address on the yggdrasil
|
|
||||||
network each time.
|
|
||||||
|
|
||||||
If both this option and <option>config</option> are
|
|
||||||
supplied, they will be combined, with values from
|
|
||||||
<option>config</option> taking precedence.
|
|
||||||
|
|
||||||
You can use the command <code>nix-shell -p yggdrasil --run
|
|
||||||
"yggdrasil -genconf -json"</code> to generate a default
|
|
||||||
JSON configuration.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkOption {
|
|
||||||
type = attrs;
|
|
||||||
default = { };
|
|
||||||
example = {
|
|
||||||
Peers = [
|
|
||||||
"tcp://aa.bb.cc.dd:eeeee"
|
|
||||||
"tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff"
|
|
||||||
];
|
|
||||||
Listen = [ "tcp://0.0.0.0:xxxxx" ];
|
|
||||||
};
|
|
||||||
description = ''
|
|
||||||
Configuration for yggdrasil, as a Nix attribute set.
|
|
||||||
|
|
||||||
Warning: this is stored in the WORLD-READABLE Nix store!
|
|
||||||
Therefore, it is not appropriate for private keys. If you
|
|
||||||
do not specify the keys, yggdrasil will generate a new set
|
|
||||||
each time the service is started, creating a random IPv6
|
|
||||||
address on the yggdrasil network each time.
|
|
||||||
|
|
||||||
If you wish to specify the keys, use
|
|
||||||
<option>configFile</option>. If both
|
|
||||||
<option>configFile</option> and <option>config</option> are
|
|
||||||
supplied, they will be combined, with values from
|
|
||||||
<option>config</option> taking precedence.
|
|
||||||
|
|
||||||
You can use the command <code>nix-shell -p yggdrasil --run
|
|
||||||
"yggdrasil -genconf"</code> to generate default
|
|
||||||
configuration values with documentation.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
openMulticastPort = mkOption {
|
|
||||||
type = bool;
|
|
||||||
default = false;
|
|
||||||
description = ''
|
|
||||||
Whether to open the UDP port used for multicast peer
|
|
||||||
discovery. The NixOS firewall blocks link-local
|
|
||||||
communication, so in order to make local peering work you
|
|
||||||
will also need to set <code>LinkLocalTCPPort</code> in your
|
|
||||||
yggdrasil configuration (<option>config</option> or
|
|
||||||
<option>configFile</option>) to a port number other than 0,
|
|
||||||
and then add that port to
|
|
||||||
<option>networking.firewall.allowedTCPPorts</option>.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
denyDhcpcdInterfaces = mkOption {
|
|
||||||
type = listOf str;
|
|
||||||
default = [ ];
|
|
||||||
example = [ "tap*" ];
|
|
||||||
description = ''
|
|
||||||
Disable the DHCP client for any interface whose name matches
|
|
||||||
any of the shell glob patterns in this list. Use this
|
|
||||||
option to prevent the DHCP client from broadcasting requests
|
|
||||||
on the yggdrasil network. It is only necessary to do so
|
|
||||||
when yggdrasil is running in TAP mode, because TUN
|
|
||||||
interfaces do not support broadcasting.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
package = mkOption {
|
|
||||||
type = package;
|
|
||||||
default = pkgs.yggdrasil;
|
|
||||||
defaultText = "pkgs.yggdrasil";
|
|
||||||
description = "Yggdrasil package to use.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
assertions = [{
|
|
||||||
assertion = config.networking.enableIPv6;
|
|
||||||
message = "networking.enableIPv6 must be true for yggdrasil to work";
|
|
||||||
}];
|
|
||||||
|
|
||||||
systemd.services.yggdrasil = {
|
|
||||||
description = "Yggdrasil Network Service";
|
|
||||||
path = [ cfg.package ]
|
|
||||||
++ optional (configProvided && configFileProvided) pkgs.jq;
|
|
||||||
bindsTo = [ "network-online.target" ];
|
|
||||||
after = [ "network-online.target" ];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
|
|
||||||
preStart = ''
|
|
||||||
${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf
|
|
||||||
'';
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart =
|
|
||||||
"${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf";
|
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
|
||||||
Restart = "always";
|
|
||||||
|
|
||||||
RuntimeDirectory = "yggdrasil";
|
|
||||||
RuntimeDirectoryMode = "0700";
|
|
||||||
BindReadOnlyPaths = mkIf configFileProvided [ "${cfg.configFile}" ];
|
|
||||||
|
|
||||||
# TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails
|
|
||||||
# to set up the network adapter when DynamicUser is set. See
|
|
||||||
# github.com/yggdrasil-network/yggdrasil-go/issues/557. The
|
|
||||||
# following options are implied by DynamicUser according to
|
|
||||||
# the systemd.exec documentation, and can be removed if the
|
|
||||||
# upstream issue is fixed and DynamicUser is set to true:
|
|
||||||
PrivateTmp = true;
|
|
||||||
RemoveIPC = true;
|
|
||||||
NoNewPrivileges = true;
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
# End of list of options implied by DynamicUser.
|
|
||||||
|
|
||||||
AmbientCapabilities = "CAP_NET_ADMIN";
|
|
||||||
CapabilityBoundingSet = "CAP_NET_ADMIN";
|
|
||||||
MemoryDenyWriteExecute = true;
|
|
||||||
ProtectControlGroups = true;
|
|
||||||
ProtectHome = "tmpfs";
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
|
||||||
RestrictNamespaces = true;
|
|
||||||
RestrictRealtime = true;
|
|
||||||
SystemCallArchitectures = "native";
|
|
||||||
SystemCallFilter =
|
|
||||||
"~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces;
|
|
||||||
networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ];
|
|
||||||
|
|
||||||
# Make yggdrasilctl available on the command line.
|
|
||||||
environment.systemPackages = [ cfg.package ];
|
|
||||||
};
|
|
||||||
meta.maintainers = with lib.maintainers; [ gazally ];
|
|
||||||
}
|
|
|
@ -1,13 +0,0 @@
|
||||||
{ config, ... }: {
|
|
||||||
imports = [ ./yggdrasil-service.nix ];
|
|
||||||
|
|
||||||
services.yggdrasil = {
|
|
||||||
enable = true;
|
|
||||||
package = (import <nixpkgs-unstable> { }).yggdrasil;
|
|
||||||
openMulticastPort = true;
|
|
||||||
config.NodeInfo = {
|
|
||||||
name = config.networking.hostName + ".c3d2";
|
|
||||||
location = "Dresden";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
2
secrets
2
secrets
|
@ -1 +1 @@
|
||||||
Subproject commit 35a994c6ea2f2720e8ec045ea1369163ea69a35f
|
Subproject commit eb06c122762133b7831475615b1a3b039eaa389e
|