From 04159778a2ee8a2da0971be066020fefed1f339a Mon Sep 17 00:00:00 2001
From: Emery Hemingway
Date: Thu, 28 Nov 2019 11:38:03 +0100
Subject: [PATCH] Add Server7 host
---
hosts/server7/configuration.nix | 93 +++++++++++++++++++
hosts/server7/containers/README | 4 +
hosts/server7/containers/adc/default.nix | 19 ++++
hosts/server7/containers/default.nix | 38 ++++++++
hosts/server7/hardware-configuration.nix | 30 ++++++
.../flakebert.nix => server7/hydra.nix} | 63 +++++--------
hosts/server7/ssh_host_ed25519_key.pub | 1 +
hosts/server7/ssh_host_rsa_key.pub | 1 +
hosts/server7/yggaddr.nix | 4 +
hosts/server7/yggdrasil-prefix.nix | 26 ++++++
10 files changed, 239 insertions(+), 40 deletions(-)
create mode 100644 hosts/server7/configuration.nix
create mode 100644 hosts/server7/containers/README
create mode 100644 hosts/server7/containers/adc/default.nix
create mode 100644 hosts/server7/containers/default.nix
create mode 100644 hosts/server7/hardware-configuration.nix
rename hosts/{hydra/flakebert.nix => server7/hydra.nix} (78%)
create mode 100644 hosts/server7/ssh_host_ed25519_key.pub
create mode 100644 hosts/server7/ssh_host_rsa_key.pub
create mode 100644 hosts/server7/yggaddr.nix
create mode 100644 hosts/server7/yggdrasil-prefix.nix
diff --git a/hosts/server7/configuration.nix b/hosts/server7/configuration.nix
new file mode 100644
index 00000000..e1b97691
--- /dev/null
+++ b/hosts/server7/configuration.nix
@@ -0,0 +1,93 @@ +{ config, pkgs, lib, ... }: + +{ + imports = [ + + ../../lib/hq.nix + ../../lib/yggdrasil.nix + ../../lib/emery.nix + ./containers + ./hardware-configuration.nix + ./yggdrasil-prefix.nix + ./hydra.nix + ]; + + security.sudo.wheelNeedsPassword = false; + services.openssh = { + enable = true; + passwordAuthentication = false; + permitRootLogin = "no"; + # DO NOT CHANGE, KINDERGARTEN IS OVER + }; + + services.yggdrasil = { + openMulticastPort = true; + configFile = "/var/lib/yggdrasil/keys"; + config.Peers = [ + "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha + "tcp://ygg.thingylabs.io:443" # Nürnberg + "tcp://176.223.130.120:22632" # Wrocław + "tcp://[2a05:9403::8b]:7743" # Praha + ]; + }; + + programs.mosh.enable = true; + + nix = { + package = pkgs.nixFlakes; + gc.automatic = true; + trustedUsers = [ "root" ]; + }; + + networking = { + hostName = "nixbert"; + useDHCP = false; + bridges.br0.interfaces = [ "enp2s0f1" ]; + interfaces = { + enp2s0f0 = { + useDHCP = true; + preferTempAddress = true; + ipv4.addresses = [{ + address = "172.22.99.245"; + prefixLength = 24; + }]; + }; + enp2s0f1.useDHCP = false; + }; + }; + + environment.systemPackages = with pkgs; [ tmux htop vim gitMinimal nixfmt ]; + + services.collectd = { + enable = true; + autoLoadPlugin = true; + extraConfig = '' + Interval 10 + + + + + + + + + + + + Server "grafana.hq.c3d2.de" "25826" + + ''; + }; + + boot.tmpOnTmpfs = true; + + # Use the systemd-boot EFI boot loader. + boot.loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + time.timeZone = "Europe/Berlin"; + + system.stateVersion = "19.09"; # Did you read the comment? +} diff --git a/hosts/server7/containers/README b/hosts/server7/containers/README new file mode 100644 index 00000000..2930672f --- /dev/null +++ b/hosts/server7/containers/README @@ -0,0 +1,4 @@ +Each directory containing a file "default.nix" is +evulated as a container guest configuration. + +See ./default.nix for the implementation. 
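Review bot: `security.sudo.wheelNeedsPassword = false;` makes every wheel-group account a passwordless path to root, so the key-only SSH settings right below it (`passwordAuthentication = false;` and `permitRootLogin = "no";`) protect the host only as far as each wheel user's private key does. If that trade-off is intended here, say so next to the option, e.g. `# wheel users become root without a password; access is gated by SSH keys only`, otherwise drop the line so the default applies. The `hostName = "nixbert"` under a `hosts/server7` directory (and in the `root@nixbert` comments of the committed host keys) also deserves a word, since the mismatch will trip up anyone mapping inventory to configuration.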
diff --git a/hosts/server7/containers/adc/default.nix b/hosts/server7/containers/adc/default.nix new file mode 100644 index 00000000..70b7c80f --- /dev/null +++ b/hosts/server7/containers/adc/default.nix @@ -0,0 +1,19 @@ +{ config, pkgs, lib, ... }: + +{ + services.uhub = { + enable = true; + enableTLS = false; + hubConfig = '' + hub_name=c3d2 + hub_description=<<> + ''; + plugins.history.enable = true; + plugins.welcome = { + enable = true; + motd = builtins.readFile ../../../../lib/motd; + }; + }; + + networking.firewall.allowedTCPPorts = [ config.services.uhub.port ]; +} diff --git a/hosts/server7/containers/default.nix b/hosts/server7/containers/default.nix new file mode 100644 index 00000000..f1b83f0a --- /dev/null +++ b/hosts/server7/containers/default.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +let + yggaddr = import ../yggaddr.nix; + + containerFunc = name: + # Generate a container expression from the directory at `name`. + with builtins; + let + hash = hashString "sha256" name; + hextet0 = substring 0 4 hash; + hextet1 = substring 4 4 hash; + in { + inherit name; + value = { + # These are attributes common to each container + # from the perspective of the host. + autoStart = true; + privateNetwork = true; + hostBridge = "br0"; + localAddress6 = "${yggaddr.prefix}:c3d2:${hextet0}:${hextet1}/64"; + # Generate a deterministic IPv6 address for the container. + # This address is accessible within HQ and Yggdrasil but not from ARPANET. + config = import (./. + "/${name}"); + }; + }; + + containerDir = builtins.readDir ../containers; + containerSubdirs = + lib.filterAttrs (_: kind: kind == "directory") containerDir; + containerNames = builtins.attrNames containerSubdirs; + + containers = builtins.listToAttrs (map containerFunc containerNames); + +in { + boot.enableContainers = true; + inherit containers; +} diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix new file mode 100644 index 00000000..b5bf6419 
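Review bot: `enableTLS = false;` combined with `networking.firewall.allowedTCPPorts = [ config.services.uhub.port ];` exposes the ADC hub in cleartext on the container's bridged address, so hub traffic and any credentials the hub accepts cross the HQ network unprotected. If that is acceptable because the reachable networks are the local LAN and Yggdrasil, record it beside the option, e.g. `# TLS off: hub is reachable only via the HQ LAN and Yggdrasil (see ../default.nix)`; otherwise enable TLS. The `hub_description=<<>` line reads as garbled here, which may be an extraction artefact, but it is worth checking against the intended text.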
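Review bot: `localAddress6 = "${yggaddr.prefix}:c3d2:${hextet0}:${hextet1}/64"` relies on `yggaddr.prefix` ending in a trailing colon so that the interpolation produces the `::` that fills the missing group; nothing in this file states that, and a reader will assume the result has one colon too many. A comment on that line, `# yggaddr.prefix ends in ":" so this yields <prefix>::c3d2:<h0>:<h1>`, pins the convention, or build the address with an explicit `::`. The README beside this file says only directories containing `default.nix` are evaluated, but `containerSubdirs` keeps every directory and `import (./. + "/${name}")` will fail at evaluation time for one without it; either filter with `builtins.pathExists` or adjust the README.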
--- /dev/null +++ b/hosts/server7/hardware-configuration.nix @@ -0,0 +1,30 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/9812-00B2"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 20; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/hosts/hydra/flakebert.nix b/hosts/server7/hydra.nix similarity index 78% rename from hosts/hydra/flakebert.nix rename to hosts/server7/hydra.nix index dbe2ef9b..61bef0d5 100644 --- a/hosts/hydra/flakebert.nix +++ b/hosts/server7/hydra.nix 
@@ -157,49 +157,32 @@ let meta.description = "Build of Hydra on ${system}"; passthru.perlDeps = perlDeps; }; -in { ... }: +in { config, pkgs, ... }: { -{ - boot.enableContainers = true; + users.users.root.password = "k-ot"; + services.hydra = { + enable = true; + hydraURL = "https://flakes.hq.c3d2.de"; + logo = ../../hosts/hydra/c3d2.svg; + notificationSender = "hydra@spam.works"; + package = hydraFlakes pkgs; + listenHost = "127.0.0.1"; + }; - networking.nat.enable = true; - networking.nat.internalInterfaces = [ "ve-+" ]; - networking.nat.externalInterface = "eth0"; - - containers.flakebert = { - autoStart = false; - privateNetwork = true; - enableTun = true; - - config = { config, pkgs, ... }: { - - imports = [ ../../lib/yggdrasil.nix ]; - - users.users.root.password = "k-ot"; - services.hydra = { - enable = true; - hydraURL = "https://hydra.hq.c3d2.de"; - logo = ./c3d2.svg; - notificationSender = "hydra@spam.works"; - useSubstitutes = false; - package = hydraFlakes pkgs; + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedGzipSettings = true; + virtualHosts = { + "flakes.hq.c3d2.de" = { + default = true; + forceSSL = false; + enableACME = false; + locations."/".proxyPass = + "http://127.0.0.1:${toString config.services.hydra.port}"; }; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedGzipSettings = true; - virtualHosts = { - "flakes.hq.c3d2.de" = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = - "http://localhost:${toString config.services.hydra.port}"; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; }; }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/hosts/server7/ssh_host_ed25519_key.pub b/hosts/server7/ssh_host_ed25519_key.pub new file mode 100644 index 00000000..23f9e73f --- /dev/null +++ b/hosts/server7/ssh_host_ed25519_key.pub 
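Review bot: `users.users.root.password = "k-ot";` now sets the root password of the host itself, in cleartext in the repository, where before it applied only inside the `flakebert` container; with `permitRootLogin = "no"` and `passwordAuthentication = false` in configuration.nix it is not reachable over SSH, but it still applies on the console and to anything else that consults the user database. Prefer `users.users.root.hashedPassword` or a secret kept outside the tree, or drop the line. Separately, `hydraURL = "https://flakes.hq.c3d2.de";` advertises https while the nginx virtual host sets `forceSSL = false; enableACME = false;`, so the URL Hydra uses for its own links points at a scheme nothing serves; either restore TLS on the vhost or make the URL http. The `let` block that this `in { config, pkgs, ... }:` closes starts before the hunk.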
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiDm1b0NubTtcE9NuKrIpEOea5oS/yCW0Ncoaf/w3uy root@nixbert diff --git a/hosts/server7/ssh_host_rsa_key.pub b/hosts/server7/ssh_host_rsa_key.pub new file mode 100644 index 00000000..fe52fc7a --- /dev/null +++ b/hosts/server7/ssh_host_rsa_key.pub @@ -0,0 +1 @@ +ssh-rsa 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 root@nixbert diff --git a/hosts/server7/yggaddr.nix b/hosts/server7/yggaddr.nix new file mode 100644 index 00000000..e8b77704 --- /dev/null +++ b/hosts/server7/yggaddr.nix @@ -0,0 +1,4 @@ +{ + address = "21d:5658:8cee:eb54:d9b6:84e6:9ed8:f07c"; + prefix = "31d:5658:8cee:eb54:"; +} diff --git a/hosts/server7/yggdrasil-prefix.nix b/hosts/server7/yggdrasil-prefix.nix new file mode 100644 index 00000000..3aa7271d --- /dev/null +++ b/hosts/server7/yggdrasil-prefix.nix @@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: + +let yggaddr = import ./yggaddr.nix; +in { + boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; + + networking.interfaces.br0.ipv6.addresses = [{ + address = yggaddr.prefix + ":1"; + prefixLength = 24; + }]; + + services.radvd = { + enable = true; + config = '' + interface enp2s0f1 + { + AdvSendAdvert on; + prefix ${yggaddr.prefix}:/64 { + AdvOnLink on; + AdvAutonomous on; + }; + route 200::/7 {}; + }; + ''; + }; +}
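Review bot: `prefixLength = 24;` on the br0 IPv6 address does not match the `/64` that radvd advertises (`prefix ${yggaddr.prefix}:/64`) or the `/64` that containers/default.nix assigns to guests, and a /24 on this address looks like an IPv4 value carried over; `prefixLength = 64;` is the consistent choice. radvd is bound to `interface enp2s0f1`, yet configuration.nix enslaves that interface to br0 and this file puts the prefix address on br0, so advertisements may go out on the bridge port rather than on the bridge the containers attach to — confirm whether `interface br0` is intended. `boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;` makes the host an IPv6 router on every interface, which the Yggdrasil prefix needs but which also forwards between enp2s0f0 and br0; a comment stating that scope is intended would help the next reader.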