Nixfmt everything

Ehmry - 2021-02-22 11:45:12 +01:00
parent 211106cf53
commit 6170a9c4e0
39 changed files with 858 additions and 882 deletions


@ -5,8 +5,8 @@ rec {
adc = { };
grafana.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFB9fo01jzr2upEBEXiR7sSmeQoq9ll5Cf5/hjq5e4Y";
scrape = {};
ledstripes = {};
scrape = { };
ledstripes = { };
glotzbert.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
@ -59,7 +59,8 @@ rec {
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQCZ7f7bqRC6B72oMu7BCItZxZnWsqx9Th/2iBRvtIFggr4YNi7Pbw3cc68NVbm0u7feUUgH5LDiXVpig3b7Gw=
'';
};
storage.publicKey = "storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX";
storage.publicKey =
"storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX";
};
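Review bot: The value of `storage.publicKey` in the second hunk begins with `storage.ssh-ed25519`, unlike the `grafana` and `glotzbert` entries, which begin with the bare key type. If this attribute set feeds SSH known-hosts entries, that prefix would most likely keep the storage host key from matching, so host-key verification for that machine would not work as intended. The reformat carries the string over unchanged; it should probably read `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX"`, to be confirmed against the host's actual key. The enclosing `rec { … }` starts outside the hunks.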


@ -5,14 +5,14 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
environment.systemPackages = with pkgs; [
nixops
nixops
pass
gnupg
ansible
@ -25,7 +25,10 @@
htop
];
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ];
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.16";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
networking = {
@ -50,9 +53,7 @@
# address = "fe80::a800:42ff:fe7a:3246";
# interface = "ens18";
#};
firewall.allowedTCPPorts = [
22
];
firewall.allowedTCPPorts = [ 22 ];
};
services.openssh = {
@ -67,8 +68,8 @@
};
users.extraUsers.k-ot = {
isNormalUser = true;
uid = 1000;
isNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" ];
};


@ -1,29 +1,28 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
networking.hostName = "dhcp";
networking.defaultGateway = "172.22.99.1";
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.nameservers =
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.useDHCP = false;
networking.interfaces.eth0 = {
ipv4.addresses = [ {
ipv4.addresses = [{
address = "172.22.99.254";
prefixLength = 24;
} ];
}];
useDHCP = lib.mkForce false;
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
];
environment.systemPackages = with pkgs; [ vim ];
# dhcp
networking.firewall.allowedUDPPorts = [ 67 68 ];


@ -5,12 +5,12 @@ let
address6 = "fe80::deca:fbad";
neighbors = import ../../../secrets/hosts/dn42/neighbors.nix;
in {
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
../../../lib/default-gateway.nix
];
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
../../../lib/default-gateway.nix
];
networking.hostName = "dn42";
# networking.defaultGateway6 = {
@ -19,18 +19,16 @@ in {
# };
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
networking.interfaces.eth0 = {
ipv4.addresses = [ {
ipv4.addresses = [{
address = address4;
prefixLength = 24;
} ];
}];
};
networking.useDHCP = false;
networking.useNetworkd = true;
services.resolved.enable = false;
environment.systemPackages = with pkgs; [
vim
];
environment.systemPackages = with pkgs; [ vim ];
# SSH for nixops
services.openssh.enable = true;
@ -45,161 +43,154 @@ in {
mknod -m 666 /dev/net/tun c 10 200
fi
'';
services.openvpn =
let
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
keyfile = name:
builtins.toFile "${name}.key"
(builtins.readFile (../../../secrets/hosts/dn42/openvpn + "/${name}.key"));
mkServer = name: conf: {
config = ''
dev ${name}
dev-type tun
ifconfig ${address4} ${conf.address4}
user nobody
group nogroup
persist-tun
persist-key
ping 30
ping-restart 45
verb 1
${conf.openvpn}
secret ${keyfile name}
'';
up = ''
${pkgs.iproute}/bin/ip addr flush dev $1
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
'';
};
in {
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
services.openvpn = let
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
keyfile = name:
builtins.toFile "${name}.key" (builtins.readFile
(../../../secrets/hosts/dn42/openvpn + "/${name}.key"));
mkServer = name: conf: {
config = ''
dev ${name}
dev-type tun
ifconfig ${address4} ${conf.address4}
user nobody
group nogroup
persist-tun
persist-key
ping 30
ping-restart 45
verb 1
${conf.openvpn}
secret ${keyfile name}
'';
up = ''
${pkgs.iproute}/bin/ip addr flush dev $1
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
'';
};
in {
servers =
builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
};
networking.wireguard = {
enable = true;
interfaces =
let
wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
in
builtins.mapAttrs (name: conf: {
inherit (conf.wireguard) listenPort privateKey;
ips = [ "${address4}/32" "${address6}/64" ];
allowedIPsAsRoutes = false;
postSetup = ''
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
'';
peers = [ ({
inherit (conf.wireguard) publicKey;
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
persistentKeepalive = 30;
} // (lib.optionalAttrs (conf.wireguard ? endpoint) {
inherit (conf.wireguard) endpoint;
})) ];
}) wireguardNeighbors;
interfaces = let
wireguardNeighbors =
lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
in builtins.mapAttrs (name: conf: {
inherit (conf.wireguard) listenPort privateKey;
ips = [ "${address4}/32" "${address6}/64" ];
allowedIPsAsRoutes = false;
postSetup = ''
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
'';
peers = [
({
inherit (conf.wireguard) publicKey;
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
persistentKeepalive = 30;
} // (lib.optionalAttrs (conf.wireguard ? endpoint) {
inherit (conf.wireguard) endpoint;
}))
];
}) wireguardNeighbors;
};
services.bird2 = {
enable = true;
config =
let
bgpNeighbors =
builtins.concatStringsSep "\n"
(builtins.attrValues (builtins.mapAttrs (name: conf:
let
neighbor4 =
if conf ? address4
then ''
protocol bgp ${name}_4 from dnpeers {
neighbor ${conf.address4} as ${builtins.toString conf.asn};
}
''
else "";
neighbor6 =
if conf ? address6
then ''
protocol bgp ${name}_6 from dnpeers {
neighbor ${conf.address6}%${interface} as ${builtins.toString conf.asn};
}
''
else "";
interface =
if conf ? interface
then conf.interface
else name;
in "${neighbor4}${neighbor6}"
) neighbors));
in ''
protocol kernel {
ipv4 {
export all;
};
}
protocol kernel {
ipv6 {
export all;
};
}
protocol device {
scan time 10;
}
protocol static {
ipv4;
route 10.0.0.0/8 unreachable;
route 172.16.0.0/12 unreachable;
route 192.168.0.0/16 unreachable;
}
protocol static {
ipv6;
route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
route fd00::/8 unreachable;
}
protocol static hq4 {
ipv4;
route 172.22.99.0/24 via "eth0";
}
protocol static hq6 {
ipv6;
route fd23:42:c3d2:500::/56 unreachable;
}
template bgp dnpeers {
local as 64699;
ipv4 {
import all;
export filter {
if source = RTS_BGP then {
accept;
config = let
bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues
(builtins.mapAttrs (name: conf:
let
neighbor4 = if conf ? address4 then ''
protocol bgp ${name}_4 from dnpeers {
neighbor ${conf.address4} as ${builtins.toString conf.asn};
}
if proto = "hq4" then {
accept;
'' else
"";
neighbor6 = if conf ? address6 then ''
protocol bgp ${name}_6 from dnpeers {
neighbor ${conf.address6}%${interface} as ${
builtins.toString conf.asn
};
}
reject;
};
};
ipv6 {
import all;
export filter {
if source = RTS_BGP then {
accept;
}
if proto = "hq6" then {
accept;
}
reject;
};
};
}
${bgpNeighbors}
'' else
"";
interface = if conf ? interface then conf.interface else name;
in "${neighbor4}${neighbor6}") neighbors));
in ''
protocol kernel {
ipv4 {
export all;
};
}
protocol kernel {
ipv6 {
export all;
};
}
protocol device {
scan time 10;
}
router id ${address4};
'';
protocol static {
ipv4;
route 10.0.0.0/8 unreachable;
route 172.16.0.0/12 unreachable;
route 192.168.0.0/16 unreachable;
}
protocol static {
ipv6;
route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
route fd00::/8 unreachable;
}
protocol static hq4 {
ipv4;
route 172.22.99.0/24 via "eth0";
}
protocol static hq6 {
ipv6;
route fd23:42:c3d2:500::/56 unreachable;
}
template bgp dnpeers {
local as 64699;
ipv4 {
import all;
export filter {
if source = RTS_BGP then {
accept;
}
if proto = "hq4" then {
accept;
}
reject;
};
};
ipv6 {
import all;
export filter {
if source = RTS_BGP then {
accept;
}
if proto = "hq6" then {
accept;
}
reject;
};
};
}
${bgpNeighbors}
router id ${address4};
'';
};
# This value determines the NixOS release with which your system is to be
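Review bot: `keyfile` copies each OpenVPN static key into the Nix store with `builtins.toFile`, and the WireGuard interfaces take `privateKey` inline, so both secrets end up in world-readable store paths on the host and on any machine that evaluates or caches this configuration. For WireGuard the module offers `privateKeyFile`, e.g. `privateKeyFile = "/run/keys/wg-${name}";` (placeholder path), and the OpenVPN `secret` line can name a runtime path in the same way instead of `${keyfile name}`. The same pattern appears in the freifunk section further down, where `ddmeshRegisterKey` is interpolated into the curl script and the OSPF `password` into the bird config. Separately, the `dnpeers` template uses `import all` for both address families, so every prefix a peer announces is accepted; an import filter limited to the expected dn42 ranges would bound that.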


@ -1,9 +1,7 @@
{ config, pkgs, lib, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
];
imports = [ <nixpkgs/nixos/modules/profiles/minimal.nix> ];
nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 4;
@ -13,16 +11,23 @@
boot.loader.grub.enable = false;
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
fileSystems."/" = {
fsType = "rootfs";
device = "rootfs";
};
networking.hostName = "dnscache"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.useNetworkd = true;
networking.useDHCP = false;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.8";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.nameservers =
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
# Set your time zone.
time.timeZone = "Europe/Berlin";
@ -34,20 +39,16 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim
traceroute tcpdump bind
];
environment.systemPackages = with pkgs; [ wget vim traceroute tcpdump bind ];
# Create a few files early before packing tarball for Proxmox
# architecture/OS detection.
system.extraSystemBuilderCmds =
''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
mkdir -m 0755 -p $out/sbin
ln -s ../init $out/sbin/init
'';
system.extraSystemBuilderCmds = ''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
mkdir -m 0755 -p $out/sbin
ln -s ../init $out/sbin/init
'';
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
@ -79,107 +80,109 @@
"127.0.0.0/8"
];
forwardAddresses = [
# Quad9
"9.9.9.9@853" #dns.quad9.net
"2620:fe::fe@853" #dns.quad9.net
"149.112.112.112@853" #dns.quad9.net
"2620:fe::9@853" #dns.quad9.net
# Cloudflare DNS
"1.1.1.1@853" #cloudflare-dns.com
"2606:4700:4700::1111@853" #cloudflare-dns.com
"1.0.0.1@853" #cloudflare-dns.com
"2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com
# Quad9
"9.9.9.9@853" # dns.quad9.net
"2620:fe::fe@853" # dns.quad9.net
"149.112.112.112@853" # dns.quad9.net
"2620:fe::9@853" # dns.quad9.net
# Cloudflare DNS
"1.1.1.1@853" # cloudflare-dns.com
"2606:4700:4700::1111@853" # cloudflare-dns.com
"1.0.0.1@853" # cloudflare-dns.com
''
2606:4700:4700::1001@853
forward-ssl-upstream: yes'' # cloudflare-dns.com
];
extraConfig = ''
server:
domain-insecure: "dn42"
domain-insecure: "20.172.in-addr.arpa"
domain-insecure: "21.172.in-addr.arpa"
domain-insecure: "22.172.in-addr.arpa"
domain-insecure: "23.172.in-addr.arpa"
domain-insecure: "d.f.ip6.arpa"
domain-insecure: "ffdd"
domain-insecure: "200.10.in-addr.arpa"
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "d.f.ip6.arpa." nodefault
local-zone: "ffdd." nodefault
local-zone: "200.10.in-addr.arpa." nodefault
server:
domain-insecure: "dn42"
domain-insecure: "20.172.in-addr.arpa"
domain-insecure: "21.172.in-addr.arpa"
domain-insecure: "22.172.in-addr.arpa"
domain-insecure: "23.172.in-addr.arpa"
domain-insecure: "d.f.ip6.arpa"
domain-insecure: "ffdd"
domain-insecure: "200.10.in-addr.arpa"
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "d.f.ip6.arpa." nodefault
local-zone: "ffdd." nodefault
local-zone: "200.10.in-addr.arpa." nodefault
remote-control:
control-enable: yes
server-key-file: /var/lib/unbound/unbound_server.key
server-cert-file: /var/lib/unbound/unbound_server.pem
control-key-file: /var/lib/unbound/unbound_control.key
control-cert-file: /var/lib/unbound/unbound_control.pem
remote-control:
control-enable: yes
server-key-file: /var/lib/unbound/unbound_server.key
server-cert-file: /var/lib/unbound/unbound_server.pem
control-key-file: /var/lib/unbound/unbound_control.key
control-cert-file: /var/lib/unbound/unbound_control.pem
forward-zone:
name: "99.22.172.in-addr.arpa"
forward-host: "ns.c3d2.de"
forward-zone:
name: "99.22.172.in-addr.arpa"
forward-host: "ns.c3d2.de"
forward-zone:
name: "zentralwerk.dn42"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "zentralwerk.dn42"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "72.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "72.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "73.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "73.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "74.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "74.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "75.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "75.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "76.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "76.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "77.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "77.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org"
forward-zone:
name: "dn42"
forward-addr: 172.23.0.53
forward-zone:
name: "dn42"
forward-addr: 172.23.0.53
forward-zone:
name: "20.172.in-addr.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "20.172.in-addr.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "21.172.in-addr.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "21.172.in-addr.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "22.172.in-addr.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "22.172.in-addr.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "23.172.in-addr.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "23.172.in-addr.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "d.f.ip6.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "d.f.ip6.arpa"
forward-addr: 172.23.0.53
forward-zone:
name: "ffdd"
forward-addr: 10.200.0.4
forward-addr: 10.200.0.16
forward-zone:
name: "ffdd"
forward-addr: 10.200.0.4
forward-addr: 10.200.0.16
forward-zone:
name: "200.10.in-addr.arpa"
forward-addr: 10.200.0.4
forward-addr: 10.200.0.16
forward-zone:
name: "200.10.in-addr.arpa"
forward-addr: 10.200.0.4
forward-addr: 10.200.0.16
'';
};
@ -191,33 +194,32 @@
memory = "";
interface = "";
load = "";
exec =
let
unboundScript = builtins.toFile "unbound.rb" ''
loop do
`/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
.lines
.filter { |l| l =~ /^total\./ }
.each { |l|
if l =~ /total\.(.+?)=([\d\.]+)/
name = $1
value = $2.to_f
if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/
ty = "gauge"
else
ty = "derive"
value = value.to_i
end
puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
exec = let
unboundScript = builtins.toFile "unbound.rb" ''
loop do
`/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
.lines
.filter { |l| l =~ /^total\./ }
.each { |l|
if l =~ /total\.(.+?)=([\d\.]+)/
name = $1
value = $2.to_f
if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/
ty = "gauge"
else
ty = "derive"
value = value.to_i
end
}
puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
end
}
sleep 10
end
'';
in ''
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
sleep 10
end
'';
in ''
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
'';
network = ''
Server "grafana.serv.zentralwerk.dn42" "25826"
'';
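Review bot: The last `forwardAddresses` entry smuggles the `forward-ssl-upstream: yes` directive inside an address string, and this change rewrites it from a `\n` escape into an indented `''` string. Indented strings strip common leading whitespace, so the line may no longer reach the generated unbound.conf with the indentation it had before; the page does not preserve whitespace, so this cannot be confirmed here. All eight upstreams are addressed at port 853 and depend on that single line for TLS, so it is worth diffing the generated unbound.conf from before and after the reformat. A comment on the entry would protect it from later formatter runs or list edits: `# also injects forward-ssl-upstream into the generated forward-zone; do not drop or split`.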


@ -5,31 +5,28 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
environment.systemPackages = with pkgs; [
vim
];
environment.systemPackages = with pkgs; [ vim ];
networking = {
hostName = "elastic1";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ];
interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.15";
prefixLength = 26;
}];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22
9200
9300
];
allowedTCPPorts = [ 22 9200 9300 ];
enable = true;
};
};
nixpkgs.config.allowUnfree = true;
nixpkgs.config.allowUnfree = true;
services.openssh = {
enable = true;
@ -46,35 +43,33 @@
systemd.services.elasticsearch.serviceConfig.Restart = "always";
# does not work, needs to be set on hv (done through ansible)
boot.kernel.sysctl = {
"vm.max_map_count"="262144";
};
boot.kernel.sysctl = { "vm.max_map_count" = "262144"; };
services.elasticsearch-curator = {
enable = true;
actionYAML = ''
---
actions:
1:
action: delete_indices
description: >-
Delete indices older than 45 days (based on index name), for logstash-
prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: prefix
value: logstash-
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: 45
'';
---
actions:
1:
action: delete_indices
description: >-
Delete indices older than 45 days (based on index name), for logstash-
prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: prefix
value: logstash-
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: 45
'';
};
system.stateVersion = "20.09"; # Did you read the comment?
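Review bot: `allowedTCPPorts = [ 22 9200 9300 ]` opens the Elasticsearch HTTP and transport ports to every source address, and nothing visible in this section enables authentication on them. The only client of this host visible on the page is graylog (`elasticsearchHosts` in the logging section), so limiting 9200 to that address and 9300 to cluster members, for example through `networking.firewall.extraCommands`, would narrow the exposure. The same applies to `[ 22 27017 ]` in the mongo section, where graylog's `mongodbUri` carries no credentials, and to 9090, 9091, 9093 and 9094 in the prometheus section.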


@ -12,9 +12,8 @@ let
ddmeshAddrPart = "200.74";
rt_table = 7;
bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; };
sysinfo-json = import <this-host/sysinfo-json.nix> {
inherit pkgs bmxd ddmeshNode;
};
sysinfo-json =
import <this-host/sysinfo-json.nix> { inherit pkgs bmxd ddmeshNode; };
in {
imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix>
@ -78,23 +77,23 @@ in {
"10-bmx" = {
enable = true;
matchConfig = { Name = meshInterface; };
addresses = [ {
addresses = [{
addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = "10.255.255.255";
};
} ];
}];
};
# Dummy interface for primary (10.200) address
"11-bmx-loopback" = {
enable = true;
matchConfig = { Name = meshLoopback; };
addresses = [ {
addresses = [{
addressConfig = {
Address = "10.200.${ddmeshAddrPart}/32";
Broadcast = "10.255.255.255";
};
} ];
}];
};
# ZW
"20-core" = {
@ -131,7 +130,7 @@ in {
-g 500000/50000 \
dev=bmx_prime /linklayer 0 \
dev=${meshInterface} /linklayer 1
'';
'';
Restart = "always";
};
};
@ -141,7 +140,9 @@ in {
script = ''
${pkgs.curl}/bin/curl \
-o /tmp/ddmesh-registration.json \
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}'
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${
toString ddmeshNode
}'
'';
serviceConfig = {
User = "nobody";
@ -149,8 +150,8 @@ in {
};
};
systemd.timers.ddmesh-register-node = {
partOf = [ "ddmesh-register-node.service" ];
wantedBy = [ "timers.target" ];
partOf = [ "ddmesh-register-node.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "daily";
};
@ -162,8 +163,8 @@ in {
'';
};
systemd.timers.sysinfo-json = {
partOf = [ "sysinfo-json.service" ];
wantedBy = [ "timers.target" ];
partOf = [ "sysinfo-json.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
@ -171,49 +172,49 @@ in {
services.bird2 = {
enable = true;
config = ''
protocol kernel K4 {
ipv4 {
export all;
};
}
protocol kernel K6 {
ipv6 {
export all;
};
}
protocol device {
scan time 10;
}
protocol kernel K4 {
ipv4 {
export all;
};
}
protocol kernel K6 {
ipv6 {
export all;
};
}
protocol device {
scan time 10;
}
protocol ospf v2 ZW4 {
area 0 {
networks {
172.20.72.0/21;
};
stubnet 10.200.0.0/15;
interface "core" {
authentication cryptographic;
password "${import <secrets/shared/ospf/message-digest-key.nix>}";
};
protocol ospf v2 ZW4 {
area 0 {
networks {
172.20.72.0/21;
};
}
protocol ospf v3 ZW6 {
area 0 {
networks {
fd23:42:c3d2:500::/56;
2a02:8106:208:5200::/56;
2a02:8106:211:e900::/56;
};
interface "core" {
#authentication cryptographic;
#password "${import <secrets/shared/ospf/message-digest-key.nix>}";
};
stubnet 10.200.0.0/15;
interface "core" {
authentication cryptographic;
password "${import <secrets/shared/ospf/message-digest-key.nix>}";
};
}
};
}
router id ${coreAddress};
'';
protocol ospf v3 ZW6 {
area 0 {
networks {
fd23:42:c3d2:500::/56;
2a02:8106:208:5200::/56;
2a02:8106:211:e900::/56;
};
interface "core" {
#authentication cryptographic;
#password "${import <secrets/shared/ospf/message-digest-key.nix>}";
};
};
}
router id ${coreAddress};
'';
};
# HTTP Reverse Proxy to provide services into Freifunk
@ -229,34 +230,37 @@ in {
"c3d2.ffdd" = {
default = true;
root = <this-host/assets>;
locations =
let
sysinfo-json = {
alias = "/run/nginx/sysinfo.json";
extraConfig = ''
add_header Content-Type "application/json;charset=UTF-8";
'';
};
in {
"/" = {
index = "index.html";
extraConfig = ''
etag off;
add_header etag "\"${builtins.substring 11 32 (<this-host> + "/assets")}\"";
'';
};
"=/sysinfo-json.cgi" = sysinfo-json;
"=/sysinfo.json" = sysinfo-json;
locations = let
sysinfo-json = {
alias = "/run/nginx/sysinfo.json";
extraConfig = ''
add_header Content-Type "application/json;charset=UTF-8";
'';
};
in {
"/" = {
index = "index.html";
extraConfig = ''
etag off;
add_header etag "\"${
builtins.substring 11 32 (<this-host> + "/assets")
}\"";
'';
};
"=/sysinfo-json.cgi" = sysinfo-json;
"=/sysinfo.json" = sysinfo-json;
};
};
"storage.hq.c3d2.ffdd".locations."/".proxyPass = "http://storage.hq.c3d2.de/";
"storage.hq.c3d2.ffdd".locations."/".proxyPass =
"http://storage.hq.c3d2.de/";
"grafana.hq.c3d2.ffdd".locations."/" = {
proxyPass = "https://grafana.hq.c3d2.de/";
extraConfig = ''
proxy_ssl_server_name on;
'';
};
"influxdb.hq.c3d2.ffdd".locations."/".proxyPass = "http://grafana.hq.c3d2.de:8086/";
"influxdb.hq.c3d2.ffdd".locations."/".proxyPass =
"http://grafana.hq.c3d2.de:8086/";
};
};
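Review bot: In the bird config, `protocol ospf v3 ZW6` has `authentication cryptographic` and `password` commented out on interface `core`, while `ZW4` on the same interface requires them. As written, OSPFv3 neighbours on that segment are not authenticated, so IPv6 routing there trusts any speaker that can reach the link. If the lines are disabled because of a limitation in the bird version in use, record that next to them, e.g. `# OSPFv3 auth disabled: <reason>; IPv6 adjacencies on core are unauthenticated`; otherwise enable them. Also in this section, the `storage.hq.c3d2.ffdd` and `influxdb.hq.c3d2.ffdd` vhosts proxy to plain `http://` upstreams, unlike the grafana one.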


@ -1,8 +1,6 @@
{ pkgs ? import <nixpkgs> {},
ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git",
bmxd,
ddmeshNode,
... }:
{ pkgs ? import <nixpkgs> { }, ffdd-server ?
builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git", bmxd
, ddmeshNode, ... }:
with pkgs;
let
@ -18,8 +16,7 @@ let
gps_longitude = "13.7285866";
gps_altitude = "100";
};
in
stdenv.mkDerivation {
in stdenv.mkDerivation {
name = "sysinfo-json";
src = "${ffdd-server}/salt/freifunk/base/ddmesh/";
buildPhase = ''
@ -50,14 +47,21 @@ stdenv.mkDerivation {
--replace '"node_type":"server"' '"node_type":"node"' \
--replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \
--replace lsb_release $out/bin/lsb_release \
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"} 0 \
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"} 0 \
--replace ${
lib.strings.escapeShellArg
"$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"
} 0 \
--replace ${
lib.strings.escapeShellArg
"$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"
} 0 \
--replace 'nettype_lookup[$2]' '"lan"' \
--replace awk ${gawk}/bin/awk
'' +
lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n"
) nvram);
'' + lib.strings.concatStrings (lib.attrsets.mapAttrsToList (var: value: ''
substituteInPlace sysinfo-json.cgi --replace ${
lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"
} '${value}'
'') nvram);
installPhase = ''
pwd
mkdir -p $out/bin
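Review bot: The default for `ffdd-server` is `builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"` with no `rev`, so each evaluation builds whatever the remote default branch holds at that moment, and scripts from it are patched and installed on the host. Pinning makes the build reproducible and puts upstream changes through review: `builtins.fetchGit { url = "https://github.com/Freifunk-Dresden/ffdd-server.git"; rev = "<pinned-commit>"; }`. The mucbot section has the same issue in a stronger form: `builtins.fetchTarball` of `tigger/archive/master.tar.gz` without a `sha256`, whose `module.nix` is imported into the system configuration. The derivation body continues outside these hunks.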


@ -15,7 +15,10 @@
networking.hostName = "grafana";
networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ];
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.43";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
# http https influxdb


@ -9,7 +9,10 @@
];
networking.hostName = "kibana";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ];
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.44";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -31,32 +34,30 @@
acceptTerms = true;
email = "mail@c3d2.de";
};
services.nginx =
let
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
vhost = url: {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = url;
extraConfig = ''
auth_basic "Chaos";
auth_basic_user_file ${authFile};
'';
};
};
in
{
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"kibana.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
"kibana-es.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
services.nginx = let
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
vhost = url: {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = url;
extraConfig = ''
auth_basic "Chaos";
auth_basic_user_file ${authFile};
'';
};
};
in {
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"kibana.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
"kibana-es.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
};
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
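Review bot: `authFile` is built with `pkgs.writeText` from a literal `k-ot:…` entry, so the password hash is committed to the repository and copied to a world-readable store path. The hash is 13 characters long, which matches traditional DES crypt(3); that scheme only considers the first eight characters of a password and offers little resistance to offline guessing, so the credential should be treated as exposed and rotated. Generate a bcrypt or SHA-512-crypt entry and reference a file kept outside the store, `auth_basic_user_file /var/lib/nginx/htpasswd;` (placeholder path), or use the module's `basicAuthFile` option if the nixpkgs revision in use provides it. The logging section likewise commits graylog's `passwordSecret` and `rootPasswordSha2` as literals.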


@ -5,33 +5,24 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
environment.systemPackages = with pkgs; [
vim
];
environment.systemPackages = with pkgs; [ vim ];
networking = {
hostName = "logging";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ];
interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.13";
prefixLength = 26;
}];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22
9000
80
443
5044
12201
514
];
allowedUDPPorts = [
514
];
allowedTCPPorts = [ 22 9000 80 443 5044 12201 514 ];
allowedUDPPorts = [ 514 ];
enable = false;
};
dhcpcd.denyInterfaces = [ "eth1" ];
@ -53,28 +44,26 @@
services.nginx = {
enable = true;
virtualHosts = {
default = {
locations = {
"/".proxyPass = "http://127.0.0.1:9000/";
};
};
default = { locations = { "/".proxyPass = "http://127.0.0.1:9000/"; }; };
};
};
services.graylog = {
enable = true;
passwordSecret = "SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V";
passwordSecret =
"SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V";
# mongo.serv.zentralwerk. ?
elasticsearchHosts = [ "http://elastic1.serv.zentralwerk.org:9200" ];
rootPasswordSha2 = "3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd";
rootPasswordSha2 =
"3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd";
# mongo.serv.zentralwerk. ?
mongodbUri = "mongodb://mongo.serv.zentralwerk.org/graylog";
extraConfig = ''
http_bind_address = 0.0.0.0:9000
http_publish_uri = http://logging.serv.zentralwerk.org/
elasticsearch_shards = 1
allow_highlighting = true
allow_leading_wildcard_searches = true
http_bind_address = 0.0.0.0:9000
http_publish_uri = http://logging.serv.zentralwerk.org/
elasticsearch_shards = 1
allow_highlighting = true
allow_leading_wildcard_searches = true
'';
user = "root";
};
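Review bot: `firewall.enable = false` makes the `allowedTCPPorts` and `allowedUDPPorts` lists above it inert, so every listening port on this host is reachable, including graylog's `http_bind_address = 0.0.0.0:9000`, which lets clients bypass the nginx vhost. Graylog also runs with `user = "root"` and publishes its interface over plain `http://`. Suggested changes: `enable = true;` in the firewall block, `http_bind_address = 127.0.0.1:9000` since nginx already proxies to that address, and a dedicated service user unless root is needed for the port 514 input, in which case a comment should say so.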


@ -22,9 +22,7 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim
];
environment.systemPackages = with pkgs; [ wget vim ];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database


@ -5,26 +5,23 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
environment.systemPackages = with pkgs; [
vim
mongodb-tools
];
environment.systemPackages = with pkgs; [ vim mongodb-tools ];
networking = {
hostName = "mongo";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ];
interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.21";
prefixLength = 26;
}];
defaultGateway = "172.20.73.1";
firewall = {
allowedTCPPorts = [
22
27017
];
allowedTCPPorts = [ 22 27017 ];
enable = true;
};
};


@ -1,34 +1,39 @@
{ config, pkgs, lib, ... }:
let
tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;
in
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
"${tiggerGit}/module.nix"
];
tiggerGit = builtins.fetchTarball
"https://github.com/astro/tigger/archive/master.tar.gz";
in {
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
"${tiggerGit}/module.nix"
];
networking.hostName = "mucbot";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ];
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.27";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.nameservers =
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
users.users.tigger = {
createHome = true;
isNormalUser = true;
group = "tigger";
};
users.groups.tigger = {};
users.groups.tigger = { };
services.tigger = {
enable = true;
user = "tigger";
group = "tigger";
jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix;
password = import ../../../secrets/hosts/mucbot/jabber-password.nix;
mucs = [ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ];
mucs =
[ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ];
};
# This value determines the NixOS release with which your system is to be


@ -5,28 +5,18 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
environment.systemPackages = with pkgs; [
vim
];
environment.systemPackages = with pkgs; [ vim ];
networking = {
hostName = "prometheus";
firewall = {
allowedTCPPorts = [
22
80
443
9090
9091
9093
9094
];
allowedTCPPorts = [ 22 80 443 9090 9091 9093 9094 ];
enable = true;
};
};
@ -51,23 +41,21 @@
"repeat_interval" = "4h";
"receiver" = "team-admins";
};
"receivers" = [
{
"name" = "team-admins";
# "email_configs" = [
# {
# "to" = "devnull@example.com";
# "send_resolved" = true;
# }
# ];
# "webhook_configs" = [
# {
# "url" = "https://example.com/prometheus-alerts";
# "send_resolved" = true;
# }
# ];
}
];
"receivers" = [{
"name" = "team-admins";
# "email_configs" = [
# {
# "to" = "devnull@example.com";
# "send_resolved" = true;
# }
# ];
# "webhook_configs" = [
# {
# "url" = "https://example.com/prometheus-alerts";
# "send_resolved" = true;
# }
# ];
}];
};
};
@ -75,12 +63,12 @@
pushgateway = {
enable = true;
web.external-url = "http://prometheus.serv.zentralwerk.org/push/";
web.external-url = "http://prometheus.serv.zentralwerk.org/push/";
};
exporters.collectd.enable = true;
exporters.collectd.openFirewall = true;
exporters.nginx.enable = true;
exporters.nginx.openFirewall = true;
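Review bot: The single-line `allowedTCPPorts = [ 22 80 443 9090 9091 9093 9094 ];` opens 9090, 9091, 9093 and 9094 directly on the host next to 80/443; judging by the port numbers these are Prometheus, the Pushgateway and Alertmanager, which do not authenticate clients unless configured to. The Pushgateway's `web.external-url` already points at a `/push/` path on the host name, which suggests a reverse proxy in front (not visible in these hunks); if so, `allowedTCPPorts = [ 22 80 443 ];` would be enough and any access control on the proxy would then actually apply. If direct access is needed, a comment naming the clients that use each port would help. The surrounding service configuration continues outside the hunks.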


@ -5,17 +5,20 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
./proxy.nix
];
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
./proxy.nix
];
networking.hostName = "public-access-proxy";
networking.useNetworkd = true;
networking.interfaces.eth0 = {
ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ];
ipv4.addresses = [{
address = "172.20.73.45";
prefixLength = 26;
}];
};
networking.defaultGateway = "172.20.73.1";
@ -24,35 +27,55 @@
proxyHosts = [
{
hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ];
proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; };
proxyTo = {
host = "172.22.99.192";
httpPort = 80;
httpsPort = 443;
};
}
{
hostNames = [ "grafana.hq.c3d2.de" ];
proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
proxyTo = {
host = "grafana.serv.zentralwerk.dn42";
httpPort = 80;
httpsPort = 443;
};
}
{
hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];
proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
proxyTo = {
host = "kibana.serv.zentralwerk.dn42";
httpPort = 80;
httpsPort = 443;
};
}
{
hostNames = [ "robo1.hq.c3d2.de" ];
proxyTo = { host = "172.20.79.62"; httpPort = 80; };
proxyTo = {
host = "172.20.79.62";
httpPort = 80;
};
}
{
hostNames = [ "robots.datenspuren.de" ];
proxyTo = { host = "172.22.99.170"; httpPort = 80; httpsPort = 443; };
proxyTo = {
host = "172.22.99.170";
httpPort = 80;
httpsPort = 443;
};
}
{
hostNames = [ "error.hq.c3d2.de" ];
proxyTo = { host = "172.20.73.47"; httpPort = 80; httpsPort = 443; };
proxyTo = {
host = "172.20.73.47";
httpPort = 80;
httpsPort = 443;
};
}
];
};
networking.firewall.allowedTCPPorts = [
80
443
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
system.stateVersion = "18.09"; # Did you read the comment?


@ -1,8 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.my.services.proxy;
let cfg = config.my.services.proxy;
in {
@ -15,58 +14,59 @@ in {
};
proxyHosts = mkOption {
type = types.listOf (types.submodule (
{
options = {
hostNames = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Proxy these hostNames.
'';
};
proxyTo = mkOption {
type = types.submodule (
{
options = {
host = mkOption {
type = types.nullOr types.string;
default = null;
description = ''
Host to forward traffic to.
Any hostname may only be used once
'';
};
httpPort = mkOption {
type = types.int;
default = 80;
description = ''
Port to forward http to.
'';
};
httpsPort = mkOption {
type = types.int;
default = 443;
description = ''
Port to forward http to.
'';
};
};
});
description = ''
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
'';
default = {};
};
type = types.listOf (types.submodule ({
options = {
hostNames = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Proxy these hostNames.
'';
};
proxyTo = mkOption {
type = types.submodule ({
options = {
host = mkOption {
type = types.nullOr types.string;
default = null;
description = ''
Host to forward traffic to.
Any hostname may only be used once
'';
};
httpPort = mkOption {
type = types.int;
default = 80;
description = ''
Port to forward http to.
'';
};
httpsPort = mkOption {
type = types.int;
default = 443;
description = ''
Port to forward http to.
'';
};
};
});
description = ''
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
'';
default = { };
};
};
}));
default = [];
example = [
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
}
];
}));
default = [ ];
example = [{
hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
proxyTo = {
host = "172.22.99.99";
httpPort = 80;
httpsPort = 443;
};
}];
};
};
@ -81,7 +81,7 @@ in {
timeout client 30000
option http-keep-alive
default_backend proxy-backend-http
backend proxy-backend-http
timeout connect 5000
timeout check 5000
@ -91,15 +91,16 @@ in {
option forwardfor
http-request set-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Port 80
${concatMapStringsSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringsSep "\n" (hostname: ''
${
concatMapStringsSep "\n" (proxyHost:
optionalString
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
(concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort}
''
) (proxyHost.hostNames)
)
) (cfg.proxyHosts)
server ${hostname}-http ${proxyHost.proxyTo.host}:${
toString proxyHost.proxyTo.httpPort
}
'') (proxyHost.hostNames))) (cfg.proxyHosts)
}
frontend https-in
@ -114,15 +115,16 @@ in {
option http-server-close
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Port 443
${concatMapStringsSep "\n" (proxyHost:
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
concatMapStringsSep "\n" (hostname: ''
${
concatMapStringsSep "\n" (proxyHost:
optionalString
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
(concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort}
''
) (proxyHost.hostNames)
)
) (cfg.proxyHosts)
server ${hostname}-https ${proxyHost.proxyTo.host}:${
toString proxyHost.proxyTo.httpsPort
}
'') (proxyHost.hostNames))) (cfg.proxyHosts)
}
'';
};
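Review bot: In the `proxyTo` submodule the `httpsPort` option carries the description `Port to forward http to.`, copied from `httpPort`; it should read `Port to forward https to.` The `host` option uses `types.nullOr types.string`, and `types.string` is deprecated in nixpkgs in favour of `types.str`, which `hostNames` in the same option set already uses, so `type = types.nullOr types.str;` would be consistent. Because `hostNames` and `host` are interpolated verbatim into the generated HAProxy configuration, a short note in their descriptions that they must be plain host names or addresses (no whitespace or line breaks) would document the assumption.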


@ -5,8 +5,8 @@
{ config, pkgs, lib, ... }:
{
imports =
[ ../../../lib/lxc-container.nix
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
];
@ -15,43 +15,34 @@
hostName = "registry";
# usePredictableInterfacenames = false;
interfaces.eth0.ipv4.addresses = [{
address = "172.22.99.34";
prefixLength = 24;
address = "172.22.99.34";
prefixLength = 24;
}];
interfaces.eth0.ipv6.addresses = [{
address= "2a02:8106:208:5201::34";
prefixLength = 64;
address = "2a02:8106:208:5201::34";
prefixLength = 64;
}];
dhcpcd.denyInterfaces = [ "eth0" ];
defaultGateway = {
address = "172.22.99.1";
interface = "eth0";
metric = 10;
address = "172.22.99.1";
interface = "eth0";
metric = 10;
};
#defaultGateway6 = {
# address = "fe80::a800:42ff:fe7a:3246";
# interface = "ens18";
#};
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
22
80
443
5000
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 80 443 5000 ];
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget
vim
];
environment.systemPackages = with pkgs; [ wget vim ];
services.dockerRegistry = {
enable = true;
storagePath = "/srv/docker-registry";
@ -81,4 +72,3 @@
system.stateVersion = "19.03"; # Did you read the comment?
}
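Review bot: `networking.firewall.allowedTCPPorts = [ 22 80 443 5000 ];` exposes port 5000 next to 80/443; with `services.dockerRegistry.enable = true` that is presumably the registry's own listener, which serves plain HTTP without authentication unless configured otherwise (the rest of the registry settings are outside the hunk). If clients are meant to go through a TLS front end on 443, drop 5000 from the list: `networking.firewall.allowedTCPPorts = [ 22 80 443 ];`. Otherwise a comment stating who may push and pull over 5000 would make the exposure reviewable.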


@ -24,77 +24,77 @@ in {
enableHail = false;
};
networking.hostName = "scrape";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ];
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.32";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
# Required for krops
services.openssh.enable = true;
environment.systemPackages = [ pkgs.git ];
systemd.services =
let
scrapers = import (
builtins.fetchGit { url = "https://gitea.c3d2.de/astro/scrapers.git"; }
) {
inherit pkgs;
systemd.services = let
scrapers = import (builtins.fetchGit {
url = "https://gitea.c3d2.de/astro/scrapers.git";
}) { inherit pkgs; };
makeService = { script, host, user ? "", password ? "" }: {
script =
"${scrapers.${script}}/bin/${script} ${host} ${user} ${password}";
};
xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
matematLogin = import <secrets/hosts/scrape/matemat.nix>;
makeNodeScraper = nodeId: {
name = "scrape-node${nodeId}";
value = makeService {
script = "freifunk_node";
host = freifunkNodes.${nodeId};
};
makeService = { script, host, user ? "", password ? "" }: {
script = "${scrapers.${script}}/bin/${script} ${host} ${user} ${password}";
};
xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
matematLogin = import <secrets/hosts/scrape/matemat.nix>;
makeNodeScraper = nodeId: {
name = "scrape-node${nodeId}";
value = makeService {
script = "freifunk_node";
host = freifunkNodes.${nodeId};
};
};
in {
scrape-xeri = makeService {
script = "xerox";
host = "xeri.hq.c3d2.de";
inherit (xeriLogin) user password;
};
scrape-roxi = makeService {
script = "xerox";
host = "roxi.hq.c3d2.de";
};
scrape-fhem = makeService {
script = "fhem";
host = "fhem.hq.c3d2.de";
inherit (fhemLogin) user password;
};
scrape-matemat = makeService {
script = "matemat";
host = "matemat.hq.c3d2.de";
inherit (matematLogin) user password;
};
} // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes));
};
in {
scrape-xeri = makeService {
script = "xerox";
host = "xeri.hq.c3d2.de";
inherit (xeriLogin) user password;
};
scrape-roxi = makeService {
script = "xerox";
host = "roxi.hq.c3d2.de";
};
scrape-fhem = makeService {
script = "fhem";
host = "fhem.hq.c3d2.de";
inherit (fhemLogin) user password;
};
scrape-matemat = makeService {
script = "matemat";
host = "matemat.hq.c3d2.de";
inherit (matematLogin) user password;
};
} // builtins.listToAttrs
(map makeNodeScraper (builtins.attrNames freifunkNodes));
systemd.timers =
let
makeTimer = service: interval: {
partOf = [ "${service}.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = interval;
systemd.timers = let
makeTimer = service: interval: {
partOf = [ "${service}.service" ];
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = interval;
};
makeNodeScraperTimer = nodeId:
let name = "scrape-node${nodeId}";
in {
inherit name;
value = makeTimer name "minutely";
};
makeNodeScraperTimer = nodeId:
let
name = "scrape-node${nodeId}";
in {
inherit name;
value = makeTimer name "minutely";
};
in {
scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
} // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
in {
scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
} // builtins.listToAttrs
(map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
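Review bot: `makeService` interpolates `${user}` and `${password}` into the unit's `script` string, so the credentials imported from `<secrets/hosts/scrape/…>` end up in the generated script in the world-readable Nix store and on the scraper's command line, where local users can read them from the process list. Pass them out of band instead, for example by loading a root-only file through `serviceConfig.EnvironmentFile` and letting the scraper read the variables, provided the scrapers support that (their source is not on this page). `${host}` and the other arguments are also spliced into the shell line unquoted; wrapping them in `lib.escapeShellArg` would make that robust.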


@ -1,24 +1,23 @@
{ config, pkgs, lib, ... }:
let
spacemsgGit = builtins.fetchGit https://github.com/astro/spacemsg.git;
in
{
imports =
[ ../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
"${spacemsgGit}/spaceapi/module.nix"
];
let spacemsgGit = builtins.fetchGit "https://github.com/astro/spacemsg.git";
in {
imports = [
../../../lib/lxc-container.nix
../../../lib/shared.nix
../../../lib/admins.nix
"${spacemsgGit}/spaceapi/module.nix"
];
networking.hostName = "spaceapi";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ];
networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.25";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1";
networking.firewall.enable = false;
services.spaceapi = {
enable = true;
};
services.spaceapi = { enable = true; };
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
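Review bot: `networking.firewall.enable = false;` leaves this container without a host firewall, while the sibling hosts in this commit keep it enabled and list their ports. If only the SpaceAPI endpoint has to be reachable, enable the firewall and allow that port, e.g. `networking.firewall.allowedTCPPorts = [ <spaceapi port> ];` (placeholder; the port is set in the imported module, which is not shown). If disabling it is deliberate, a comment saying why would help the next reader.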


@ -44,9 +44,15 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim git tmux screen
chromium firefox
mpv kodi
wget
vim
git
tmux
screen
chromium
firefox
mpv
kodi
];
systemd.user.services.x11vnc = {
@ -108,9 +114,7 @@
services.xserver.xkbOptions = "eurosign:e";
services.xserver.displayManager = {
lightdm = {
enable = true;
};
lightdm = { enable = true; };
autoLogin = {
enable = true;
user = "k-ot";


@ -6,19 +6,20 @@
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6490-45A0";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6490-45A0";
fsType = "vfat";
};
swapDevices = [ ];


@ -1,11 +1,7 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hydra.nix
./cache.nix
../../lib
];
imports = [ ./hydra.nix ./cache.nix ../../lib ];
c3d2 = {
users = {


@ -2,10 +2,8 @@
{
nix = {
binaryCaches = [
"https://cache.nixos.org"
"https://genodepkgs.cachix.org"
];
binaryCaches =
[ "https://cache.nixos.org" "https://genodepkgs.cachix.org" ];
binaryCachePublicKeys = [
"genodepkgs.cachix.org-1:j6xcYrUP9Q9c+WbS+MbkJR26cqeytOVdC4SmhOYj2Sw="
];


@ -3,11 +3,10 @@
with lib;
let
tickerSrc = builtins.fetchGit {
url = "https://gitea.c3d2.de/astro/ticker.git";
};
in
{ boot.isContainer = true;
tickerSrc =
builtins.fetchGit { url = "https://gitea.c3d2.de/astro/ticker.git"; };
in {
boot.isContainer = true;
#boot.loader.initScript.enable = true;
networking.hostName = mkDefault "ticker";
networking.useDHCP = false;
@ -38,7 +37,8 @@ in
color = "#FF3F3F";
};
hicknhack = {
url = "https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics";
url =
"https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics";
color = "#A700A7";
};
palaissommer = {
@ -58,15 +58,18 @@ in
color = "#FF7F00";
};
rosenwerk-home = {
url = "https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics";
url =
"https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics";
color = "#BF003F";
};
rosenwerk-extern = {
url = "https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics";
url =
"https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics";
color = "#BF002F";
};
rosenwerk-kultur = {
url = "https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics";
url =
"https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics";
color = "#BF001F";
};
haengemathe = {
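Review bot: The `rosenwerk-extern` URL is a Google Calendar private address: its `private-…` path segment acts as the access token for a calendar that is not public, and it is committed here in clear text. The neighbouring feeds use `/public/basic.ics`; this one should be loaded from the secrets tree like the other credentials in this repository, e.g. `url = import <secrets/…/rosenwerk-extern-url.nix>;` (the path is a placeholder), and the private address should be reset in the calendar settings because the current one is already in the history. The calendar list continues outside the hunk.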


@ -7,15 +7,18 @@
let
octoprintPort = 8080;
espCam = "http://172.20.78.164:81";
in
{
in {
imports = [ # Include the results of the hardware scan.
<this-host/hardware-configuration.nix>
];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; };
boot.loader.raspberryPi = {
enable = true;
version = 4;
uboot.enable = false;
};
#boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.kernelPackages = pkgs.linuxPackages_latest;
@ -49,10 +52,7 @@ in
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim git
raspberrypi-tools
];
environment.systemPackages = with pkgs; [ wget vim git raspberrypi-tools ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
@ -83,7 +83,6 @@ in
extraGroups = [ "wheel" "audio" ];
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
@ -111,10 +110,13 @@ in
systemWide = true;
tcp.enable = true;
tcp.anonymousClients.allowedIpRanges = [
"127.0.0.0/8" "::1/128"
"127.0.0.0/8"
"::1/128"
"fd23:42:c3d2:500::/56"
"172.22.99.0/24" "2a02:8106:208:5200::/56"
"172.20.72.0/21" "2a02:8106:211:e900::/56"
"172.22.99.0/24"
"2a02:8106:208:5200::/56"
"172.20.72.0/21"
"2a02:8106:211:e900::/56"
];
zeroconf.publish.enable = true;
package = pkgs.pulseaudioFull;
@ -190,11 +192,11 @@ in
};
# Allow access to printer serial port and GPIO
users.users.${config.services.octoprint.user}.extraGroups = [ "dialout" "gpio" ];
users.users.${config.services.octoprint.user}.extraGroups =
[ "dialout" "gpio" ];
systemd.services.mjpeg-stream =
let
mjpeg-proxy = pkgs.callPackage <lib/pkgs/mjpeg-proxy.nix> {};
let mjpeg-proxy = pkgs.callPackage <lib/pkgs/mjpeg-proxy.nix> { };
in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
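Review bot: `tcp.anonymousClients.allowedIpRanges` lets clients from `172.20.72.0/21`, `172.22.99.0/24` and three IPv6 /56 prefixes use the system-wide PulseAudio daemon without authentication, and two of those prefixes (`2a02:8106:…`) are globally routable. Anonymous clients can play to the device and, where a source exists, record from it, so it is worth narrowing the list to the networks that really need it and confirming that inbound IPv6 for those prefixes is filtered upstream (not visible here). A comment next to each range naming the network would make the list reviewable.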


@ -12,19 +12,17 @@
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.kernelParams = [
"snd_bcm2835.enable_headphones=1"
];
boot.kernelParams = [ "snd_bcm2835.enable_headphones=1" ];
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
};
swapDevices = [ ];


@ -100,8 +100,8 @@ in {
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
allowSFTP = true;
enable = true;
allowSFTP = true;
};
services.atftpd = {


@ -4,27 +4,24 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/vda1";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/vda1";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/vda3";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/vda3";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/vda2"; }
];
swapDevices = [{ device = "/dev/vda2"; }];
nix.maxJobs = lib.mkDefault 4;
}


@ -1,12 +1,10 @@
let
krops = builtins.fetchGit {
url = "https://cgit.krebsco.de/krops/";
};
krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };
lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" {};
pkgs = import "${krops}/pkgs" { };
hostSource = path: nixos-branch:
lib.evalSource [ {
lib.evalSource [{
nixpkgs.git = {
ref = "origin/${nixos-branch}";
url = "https://github.com/NixOS/nixpkgs.git";
@ -16,7 +14,7 @@ let
lib.file = toString ./lib;
secrets.file = toString ./secrets;
"host-registry.nix".file = toString ./host-registry.nix;
} ];
}];
deployContainer = containerName: host:
pkgs.krops.writeDeploy containerName {
@ -31,14 +29,10 @@ in {
glotzbert = pkgs.krops.writeDeploy "glotzbert" {
source = hostSource "glotzbert" "nixos-20.09";
target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // {
sudo = true;
};
target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { sudo = true; };
};
pulsebert = pkgs.krops.writeDeploy "pulsebert" {
source = hostSource "pulsebert" "nixos-20.09";
target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // {
sudo = true;
};
target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { sudo = true; };
};
}


@ -1,6 +1 @@
{ config, ... }:
{
imports = [
../secrets/lib/authorized_keys
];
}
{ config, ... }: { imports = [ ../secrets/lib/authorized_keys ]; }


@ -162,12 +162,10 @@ in {
host.ip6
else
toHqPrivateAddress hostName;
in [
{
name = ip6;
value = [ "${hostName}.hq" hostName ];
}
] ++ lib.optional (hasAttr "ip4" host) {
in [{
name = ip6;
value = [ "${hostName}.hq" hostName ];
}] ++ lib.optional (hasAttr "ip4" host) {
name = host.ip4;
value = [ "${hostName}.hq" hostName ];
};


@ -20,10 +20,9 @@ let
# replace the hostnames with the IP or hostname of your Graylog2 server
access_log syslog:server=graylog.server.org:12301 graylog2_json;
error_log syslog:server=graylog.server.org:12302;
'';
in
{
'';
in {
# add central logging
services.journalbeat = {
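Review bot: The nginx snippet still carries the template host `graylog.server.org` in `access_log syslog:server=graylog.server.org:12301 graylog2_json;` and `error_log syslog:server=graylog.server.org:12302;`, although the comment above it says to replace the hostnames. If this string is applied to any virtual host (its use is outside the hunk), access and error logs would be sent unencrypted over syslog to a name this project presumably does not control. Point both lines at the internal Graylog host, or remove the snippet if it is unused.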


@ -15,7 +15,8 @@
networking.useNetworkd = true;
networking.useDHCP = false;
services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.nameservers =
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.interfaces.eth0 = {
useDHCP = false;
@ -36,15 +37,17 @@
# Create a few files early before packing tarball for Proxmox
# architecture/OS detection.
system.extraSystemBuilderCmds =
''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
mkdir -m 0755 -p $out/sbin
ln -s ../init $out/sbin/init
'';
system.extraSystemBuilderCmds = ''
mkdir -m 0755 -p $out/bin
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
mkdir -m 0755 -p $out/sbin
ln -s ../init $out/sbin/init
'';
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
fileSystems."/" = {
fsType = "rootfs";
device = "rootfs";
};
# add central logging
services.journalbeat = {


@ -1,5 +1,4 @@
{ config, lib, pkgs,
... }:
{ config, lib, pkgs, ... }:
with lib;
let
@ -9,45 +8,39 @@ let
rev = "3a0767f0536fac811065eb87e6342f27eac085aa";
sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8=";
};
nixcloud = (
import "${nixcloud-webservices}/pkgs" { inherit pkgs; }
).nixcloud;
nixcloud = (import "${nixcloud-webservices}/pkgs" { inherit pkgs; }).nixcloud;
profilesDir = "/nix/var/nix/profiles/lxc";
containers = config.lxc.containers;
nixPath = config.nix.nixPath;
toLxcConfig' = path: a:
if builtins.isString a
then "${path} = ${a}\n"
else if builtins.isInt a
then "${path} = ${toString a}\n"
else if builtins.isAttrs a
then lib.concatMapStrings (name:
let
path' = if path == ""
then name
else "${path}.${name}";
in
toLxcConfig' path' (builtins.getAttr name a)
) (builtins.attrNames a)
else if builtins.isList a
then lib.concatMapStrings (toLxcConfig' path) a
else throw "Invalid LXC config value";
if builtins.isString a then ''
${path} = ${a}
'' else if builtins.isInt a then ''
${path} = ${toString a}
'' else if builtins.isAttrs a then
lib.concatMapStrings (name:
let path' = if path == "" then name else "${path}.${name}";
in toLxcConfig' path' (builtins.getAttr name a)) (builtins.attrNames a)
else if builtins.isList a then
lib.concatMapStrings (toLxcConfig' path) a
else
throw "Invalid LXC config value";
toLxcConfig = toLxcConfig' "";
lxc-rootfs = pkgs.runCommand "lxc-rootfs" {} ''
mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp}
lxc-rootfs = pkgs.runCommand "lxc-rootfs" { } ''
mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp}
'';
in {
options = with types; {
lxc.containers = mkOption {
type = attrs;
default = {};
default = { };
};
};
config = mkIf (containers != {}) {
config = mkIf (containers != { }) {
virtualisation.lxc.enable = true;
environment.systemPackages = [ nixcloud.container ];
@ -55,14 +48,18 @@ in {
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
'';
users.users.root.subGidRanges = [
{ count = 65536; startGid = 100000; }
];
users.users.root.subUidRanges = [
{ count = 65536; startUid = 100000; }
];
users.users.root.subGidRanges = [{
count = 65536;
startGid = 100000;
}];
users.users.root.subUidRanges = [{
count = 65536;
startUid = 100000;
}];
systemd.services = if true then {} else
systemd.services = if true then
{ }
else
builtins.foldl' (services: name:
let
systemDir = "/${profilesDir}/${name}/system";
@ -94,9 +91,8 @@ in {
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
serviceConfig.Environment = [
''NIX_PATH=${builtins.concatStringsSep ":" nixPath}''
];
serviceConfig.Environment =
[ "NIX_PATH=${builtins.concatStringsSep ":" nixPath}" ];
script = ''
mkdir -p ${profilesDir}/${name}
@ -123,7 +119,6 @@ in {
in services // {
"lxc-container-${name}-builder" = builder;
"lxc-container-${name}" = starter;
}
) {} (builtins.attrNames containers);
}) { } (builtins.attrNames containers);
};
}
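Review bot: `systemd.services = if true then { } else builtins.foldl' …` makes the whole `else` branch dead code: the `lxc-container-${name}-builder` and `lxc-container-${name}` units are never generated, yet the branch is still parsed and maintained. If the units are meant to stay disabled, replace the constant with a named option such as `config.lxc.enableServices` (the name is a suggestion), or delete the branch and leave a comment saying why; as written the intent cannot be recovered from the file. Parts of the branch lie outside the hunks.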


@ -1,18 +1,20 @@
{ pkgs ? import <nixpkgs> {},
src ? builtins.fetchGit "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git",
}:
{ pkgs ? import <nixpkgs> { }, src ? builtins.fetchGit
"https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git", }:
with pkgs;
let
path = "feeds/19.07/feeds-own/bmxd";
makefile = builtins.readFile "${src}/${path}/Makefile";
makeDef = name:
builtins.elemAt (builtins.match ".*?${name}:=([^\n]+).*?" makefile) 0;
builtins.elemAt (builtins.match ''
.*?${name}:=([^
]+).*?'' makefile) 0;
name = makeDef "PKG_NAME";
version = makeDef "PKG_VERSION";
release = makeDef "PKG_RELEASE";
patch = fetchurl {
url = "https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch";
url =
"https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch";
sha256 = "10gm1fqg2s8c261i0j1py3sfyyzr0h5b6wwdsgg3icn7lfjd6k75";
};
in stdenv.mkDerivation {
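Review bot: In `makeDef` the formatter turned the `\n` escape of the regex into a literal line break inside an indented `''…''` string, so the pattern now depends on Nix's indentation stripping: it equals the old `".*?${name}:=([^\n]+).*?"` only while both continuation lines keep the same leading whitespace (indentation is not visible on this page). If one of them is re-indented, the pattern silently gains spaces and `builtins.match` stops matching. Keeping the line break as an escape, `builtins.match ".*?${name}:=([^\n]+).*?" makefile`, or binding the pattern to a `let` name with a comment that it captures the value up to the end of the line, makes it independent of layout.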


@ -1,8 +1,7 @@
{ pkgs ? import <nixpkgs> {} }:
{ pkgs ? import <nixpkgs> { } }:
with pkgs;
let
pile = builtins.fetchGit "https://github.com/astro/pile.git";
let pile = builtins.fetchGit "https://github.com/astro/pile.git";
in {
ledball = rustPlatform.buildRustPackage {
name = "ledball";


@ -1,7 +1,7 @@
{ lib, ... }:
{
imports = [./logging.nix];
imports = [ ./logging.nix ];
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.


@ -2,7 +2,7 @@
let
keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org"
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org"
];
in {