diff --git a/host-registry.nix b/host-registry.nix index f8135a4f..779b8d8b 100644 --- a/host-registry.nix +++ b/host-registry.nix @@ -5,8 +5,8 @@ rec { adc = { }; grafana.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFB9fo01jzr2upEBEXiR7sSmeQoq9ll5Cf5/hjq5e4Y"; - scrape = {}; - ledstripes = {}; + scrape = { }; + ledstripes = { }; glotzbert.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG"; @@ -59,7 +59,8 @@ rec { ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQCZ7f7bqRC6B72oMu7BCItZxZnWsqx9Th/2iBRvtIFggr4YNi7Pbw3cc68NVbm0u7feUUgH5LDiXVpig3b7Gw= ''; }; - storage.publicKey = "storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX"; + storage.publicKey = + "storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX"; }; diff --git a/hosts/containers/deployer/configuration.nix b/hosts/containers/deployer/configuration.nix index 3f73d06a..760a3274 100644 --- a/hosts/containers/deployer/configuration.nix +++ b/hosts/containers/deployer/configuration.nix @@ -5,14 +5,14 @@ { config, pkgs, lib, ... }: { - imports = - [ ../../../lib/lxc-container.nix + imports = [ + ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix ]; environment.systemPackages = with pkgs; [ - nixops + nixops pass gnupg ansible @@ -25,7 +25,10 @@ htop ]; - networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ]; + networking.interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.16"; + prefixLength = 26; + }]; networking.defaultGateway = "172.20.73.1"; networking = { @@ -50,9 +53,7 @@ # address = "fe80::a800:42ff:fe7a:3246"; # interface = "ens18"; #}; - firewall.allowedTCPPorts = [ - 22 - ]; + firewall.allowedTCPPorts = [ 22 ]; }; services.openssh = { 
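Review bot: `storage.publicKey` on the new side of the second hunk still begins with `"storage.ssh-ed25519 …"`, while every other entry in this file starts with the bare key type `ssh-ed25519`; a known_hosts line built from this value carries an unknown key type, so host-key pinning for `storage` would silently not apply and clients would fall back to prompting or trust-on-first-use. This looks like a stray `storage.` prefix, and the fix is `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX"`, assuming the registry feeds `programs.ssh.knownHosts` or an equivalent consumer, which is not visible here. The enclosing `rec { … }` attribute set starts outside the hunk.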
@@ -67,8 +68,8 @@ }; users.extraUsers.k-ot = { - isNormalUser = true; - uid = 1000; + isNormalUser = true; + uid = 1000; extraGroups = [ "wheel" ]; }; diff --git a/hosts/containers/dhcp/configuration.nix b/hosts/containers/dhcp/configuration.nix index 1aaa5400..9e46d63f 100644 --- a/hosts/containers/dhcp/configuration.nix +++ b/hosts/containers/dhcp/configuration.nix @@ -1,29 +1,28 @@ { config, pkgs, lib, ... }: { - imports = - [ ../../../lib/lxc-container.nix - ../../../lib/shared.nix - ../../../lib/admins.nix - ]; + imports = [ + ../../../lib/lxc-container.nix + ../../../lib/shared.nix + ../../../lib/admins.nix + ]; networking.hostName = "dhcp"; networking.defaultGateway = "172.22.99.1"; - networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; + networking.nameservers = + [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.useDHCP = false; networking.interfaces.eth0 = { - ipv4.addresses = [ { + ipv4.addresses = [{ address = "172.22.99.254"; prefixLength = 24; - } ]; + }]; useDHCP = lib.mkForce false; }; # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - vim - ]; + environment.systemPackages = with pkgs; [ vim ]; # dhcp networking.firewall.allowedUDPPorts = [ 67 68 ]; diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index eb52ddf6..774c1a35 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -5,12 +5,12 @@ let address6 = "fe80::deca:fbad"; neighbors = import ../../../secrets/hosts/dn42/neighbors.nix; in { - imports = - [ ../../../lib/lxc-container.nix - ../../../lib/shared.nix - ../../../lib/admins.nix - ../../../lib/default-gateway.nix - ]; + imports = [ + ../../../lib/lxc-container.nix + ../../../lib/shared.nix + ../../../lib/admins.nix + ../../../lib/default-gateway.nix + ]; networking.hostName = "dn42"; # networking.defaultGateway6 = { 
@@ -19,18 +19,16 @@ in { # }; networking.nameservers = [ "172.20.72.6" "172.20.72.10" ]; networking.interfaces.eth0 = { - ipv4.addresses = [ { + ipv4.addresses = [{ address = address4; prefixLength = 24; - } ]; + }]; }; networking.useDHCP = false; networking.useNetworkd = true; services.resolved.enable = false; - environment.systemPackages = with pkgs; [ - vim - ]; + environment.systemPackages = with pkgs; [ vim ]; # SSH for nixops services.openssh.enable = true; 
@@ -45,161 +43,154 @@ in { mknod -m 666 /dev/net/tun c 10 200 fi ''; - services.openvpn = - let - openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; - keyfile = name: - builtins.toFile "${name}.key" - (builtins.readFile (../../../secrets/hosts/dn42/openvpn + "/${name}.key")); - mkServer = name: conf: { - config = '' - dev ${name} - dev-type tun - ifconfig ${address4} ${conf.address4} - user nobody - group nogroup - persist-tun - persist-key - ping 30 - ping-restart 45 - verb 1 - ${conf.openvpn} - secret ${keyfile name} - ''; - up = '' - ${pkgs.iproute}/bin/ip addr flush dev $1 - ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 - ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1 - ''; - }; - in { - servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors; + services.openvpn = let + openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; + keyfile = name: + builtins.toFile "${name}.key" (builtins.readFile + (../../../secrets/hosts/dn42/openvpn + "/${name}.key")); + mkServer = name: conf: { + config = '' + dev ${name} + dev-type tun + ifconfig ${address4} ${conf.address4} + user nobody + group nogroup + persist-tun + persist-key + ping 30 + ping-restart 45 + verb 1 + ${conf.openvpn} + secret ${keyfile name} + ''; + up = '' + ${pkgs.iproute}/bin/ip addr flush dev $1 + ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 + ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1 + ''; }; + in { + servers = + builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors; + }; networking.wireguard = { enable = true; - interfaces = - let - wireguardNeighbors = lib.filterAttrs (_: conf: conf ? 
wireguard) neighbors; - in - builtins.mapAttrs (name: conf: { - inherit (conf.wireguard) listenPort privateKey; - ips = [ "${address4}/32" "${address6}/64" ]; - allowedIPsAsRoutes = false; - postSetup = '' - ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name} - ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 - ''; - peers = [ ({ - inherit (conf.wireguard) publicKey; - allowedIPs = [ "0.0.0.0/0" "::0/0" ]; - persistentKeepalive = 30; - } // (lib.optionalAttrs (conf.wireguard ? endpoint) { - inherit (conf.wireguard) endpoint; - })) ]; - }) wireguardNeighbors; + interfaces = let + wireguardNeighbors = + lib.filterAttrs (_: conf: conf ? wireguard) neighbors; + in builtins.mapAttrs (name: conf: { + inherit (conf.wireguard) listenPort privateKey; + ips = [ "${address4}/32" "${address6}/64" ]; + allowedIPsAsRoutes = false; + postSetup = '' + ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name} + ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 + ''; + peers = [ + ({ + inherit (conf.wireguard) publicKey; + allowedIPs = [ "0.0.0.0/0" "::0/0" ]; + persistentKeepalive = 30; + } // (lib.optionalAttrs (conf.wireguard ? endpoint) { + inherit (conf.wireguard) endpoint; + })) + ]; + }) wireguardNeighbors; }; services.bird2 = { enable = true; - config = - let - bgpNeighbors = - builtins.concatStringsSep "\n" - (builtins.attrValues (builtins.mapAttrs (name: conf: - let - neighbor4 = - if conf ? address4 - then '' - protocol bgp ${name}_4 from dnpeers { - neighbor ${conf.address4} as ${builtins.toString conf.asn}; - } - '' - else ""; - neighbor6 = - if conf ? address6 - then '' - protocol bgp ${name}_6 from dnpeers { - neighbor ${conf.address6}%${interface} as ${builtins.toString conf.asn}; - } - '' - else ""; - interface = - if conf ? 
interface - then conf.interface - else name; - in "${neighbor4}${neighbor6}" - ) neighbors)); - in '' - protocol kernel { - ipv4 { - export all; - }; - } - protocol kernel { - ipv6 { - export all; - }; - } - protocol device { - scan time 10; - } - - protocol static { - ipv4; - route 10.0.0.0/8 unreachable; - route 172.16.0.0/12 unreachable; - route 192.168.0.0/16 unreachable; - } - - protocol static { - ipv6; - route 2000::/3 via 2a02:8106:208:5201::c3d2:4; - route fd00::/8 unreachable; - } - - - protocol static hq4 { - ipv4; - route 172.22.99.0/24 via "eth0"; - } - - protocol static hq6 { - ipv6; - route fd23:42:c3d2:500::/56 unreachable; - } - - template bgp dnpeers { - local as 64699; - ipv4 { - import all; - export filter { - if source = RTS_BGP then { - accept; + config = let + bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues + (builtins.mapAttrs (name: conf: + let + neighbor4 = if conf ? address4 then '' + protocol bgp ${name}_4 from dnpeers { + neighbor ${conf.address4} as ${builtins.toString conf.asn}; } - if proto = "hq4" then { - accept; + '' else + ""; + neighbor6 = if conf ? address6 then '' + protocol bgp ${name}_6 from dnpeers { + neighbor ${conf.address6}%${interface} as ${ + builtins.toString conf.asn + }; } - reject; - }; - }; - ipv6 { - import all; - export filter { - if source = RTS_BGP then { - accept; - } - if proto = "hq6" then { - accept; - } - reject; - }; - }; - } - ${bgpNeighbors} + '' else + ""; + interface = if conf ? 
interface then conf.interface else name; + in "${neighbor4}${neighbor6}") neighbors)); + in '' + protocol kernel { + ipv4 { + export all; + }; + } + protocol kernel { + ipv6 { + export all; + }; + } + protocol device { + scan time 10; + } - router id ${address4}; - ''; + protocol static { + ipv4; + route 10.0.0.0/8 unreachable; + route 172.16.0.0/12 unreachable; + route 192.168.0.0/16 unreachable; + } + + protocol static { + ipv6; + route 2000::/3 via 2a02:8106:208:5201::c3d2:4; + route fd00::/8 unreachable; + } + + + protocol static hq4 { + ipv4; + route 172.22.99.0/24 via "eth0"; + } + + protocol static hq6 { + ipv6; + route fd23:42:c3d2:500::/56 unreachable; + } + + template bgp dnpeers { + local as 64699; + ipv4 { + import all; + export filter { + if source = RTS_BGP then { + accept; + } + if proto = "hq4" then { + accept; + } + reject; + }; + }; + ipv6 { + import all; + export filter { + if source = RTS_BGP then { + accept; + } + if proto = "hq6" then { + accept; + } + reject; + }; + }; + } + ${bgpNeighbors} + + router id ${address4}; + ''; }; # This value determines the NixOS release with which your system is to be diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 8986091d..bd449d45 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix @@ -1,9 +1,7 @@ { config, pkgs, lib, ... }: { - imports = - [ - ]; + imports = [ ]; nix.useSandbox = false; nix.maxJobs = lib.mkDefault 4; 
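Review bot: The rewrapped `inherit (conf.wireguard) listenPort privateKey;` and the `keyfile` helper (`builtins.toFile "${name}.key" (builtins.readFile …)`, consumed by `secret ${keyfile name}`) both place private key material in /nix/store, which is world-readable on the host and is copied to every machine that receives the closure. For WireGuard the module's `privateKeyFile` option avoids this, e.g. `privateKeyFile = conf.wireguard.privateKeyFile;` with `neighbors.nix` carrying a path instead of the key; for OpenVPN, `secret` should point at a file provisioned outside the store (a nixops deployment key, given that nixops deploys these hosts) rather than at a `builtins.toFile` result. Since the keys already live under `secrets/hosts/dn42/…` in the repository, they may be in history as well, so rotation is worth planning alongside the change. The file continues past the hunk.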
@@ -13,16 +11,23 @@ boot.loader.grub.enable = false; #boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"]; - fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; }; + fileSystems."/" = { + fsType = "rootfs"; + device = "rootfs"; + }; networking.hostName = "dnscache"; # Define your hostname. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.useNetworkd = true; networking.useDHCP = false; - networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ]; + networking.interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.8"; + prefixLength = 26; + }]; networking.defaultGateway = "172.20.73.1"; services.resolved.enable = false; - networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; + networking.nameservers = + [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; # Set your time zone. time.timeZone = "Europe/Berlin"; @@ -34,20 +39,16 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - wget vim - traceroute tcpdump bind - ]; + environment.systemPackages = with pkgs; [ wget vim traceroute tcpdump bind ]; # Create a few files early before packing tarball for Proxmox # architecture/OS detection. - system.extraSystemBuilderCmds = - '' - mkdir -m 0755 -p $out/bin - ln -s ${pkgs.bash}/bin/bash $out/bin/sh - mkdir -m 0755 -p $out/sbin - ln -s ../init $out/sbin/init - ''; + system.extraSystemBuilderCmds = '' + mkdir -m 0755 -p $out/bin + ln -s ${pkgs.bash}/bin/bash $out/bin/sh + mkdir -m 0755 -p $out/sbin + ln -s ../init $out/sbin/init + ''; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database 
@@ -79,107 +80,109 @@ "127.0.0.0/8" ]; forwardAddresses = [ - # Quad9 - "9.9.9.9@853" #dns.quad9.net - "2620:fe::fe@853" #dns.quad9.net - "149.112.112.112@853" #dns.quad9.net - "2620:fe::9@853" #dns.quad9.net - # Cloudflare DNS - "1.1.1.1@853" #cloudflare-dns.com - "2606:4700:4700::1111@853" #cloudflare-dns.com - "1.0.0.1@853" #cloudflare-dns.com - "2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com + # Quad9 + "9.9.9.9@853" # dns.quad9.net + "2620:fe::fe@853" # dns.quad9.net + "149.112.112.112@853" # dns.quad9.net + "2620:fe::9@853" # dns.quad9.net + # Cloudflare DNS + "1.1.1.1@853" # cloudflare-dns.com + "2606:4700:4700::1111@853" # cloudflare-dns.com + "1.0.0.1@853" # cloudflare-dns.com + '' + 2606:4700:4700::1001@853 + forward-ssl-upstream: yes'' # cloudflare-dns.com ]; extraConfig = '' - server: - domain-insecure: "dn42" - domain-insecure: "20.172.in-addr.arpa" - domain-insecure: "21.172.in-addr.arpa" - domain-insecure: "22.172.in-addr.arpa" - domain-insecure: "23.172.in-addr.arpa" - domain-insecure: "d.f.ip6.arpa" - domain-insecure: "ffdd" - domain-insecure: "200.10.in-addr.arpa" - local-zone: "20.172.in-addr.arpa." nodefault - local-zone: "21.172.in-addr.arpa." nodefault - local-zone: "22.172.in-addr.arpa." nodefault - local-zone: "23.172.in-addr.arpa." nodefault - local-zone: "d.f.ip6.arpa." nodefault - local-zone: "ffdd." nodefault - local-zone: "200.10.in-addr.arpa." nodefault + server: + domain-insecure: "dn42" + domain-insecure: "20.172.in-addr.arpa" + domain-insecure: "21.172.in-addr.arpa" + domain-insecure: "22.172.in-addr.arpa" + domain-insecure: "23.172.in-addr.arpa" + domain-insecure: "d.f.ip6.arpa" + domain-insecure: "ffdd" + domain-insecure: "200.10.in-addr.arpa" + local-zone: "20.172.in-addr.arpa." nodefault + local-zone: "21.172.in-addr.arpa." nodefault + local-zone: "22.172.in-addr.arpa." nodefault + local-zone: "23.172.in-addr.arpa." nodefault + local-zone: "d.f.ip6.arpa." nodefault + local-zone: "ffdd." 
nodefault + local-zone: "200.10.in-addr.arpa." nodefault - remote-control: - control-enable: yes - server-key-file: /var/lib/unbound/unbound_server.key - server-cert-file: /var/lib/unbound/unbound_server.pem - control-key-file: /var/lib/unbound/unbound_control.key - control-cert-file: /var/lib/unbound/unbound_control.pem + remote-control: + control-enable: yes + server-key-file: /var/lib/unbound/unbound_server.key + server-cert-file: /var/lib/unbound/unbound_server.pem + control-key-file: /var/lib/unbound/unbound_control.key + control-cert-file: /var/lib/unbound/unbound_control.pem - forward-zone: - name: "99.22.172.in-addr.arpa" - forward-host: "ns.c3d2.de" + forward-zone: + name: "99.22.172.in-addr.arpa" + forward-host: "ns.c3d2.de" - forward-zone: - name: "zentralwerk.dn42" - forward-host: "dns.serv.zentralwerk.org" + forward-zone: + name: "zentralwerk.dn42" + forward-host: "dns.serv.zentralwerk.org" - forward-zone: - name: "72.20.172.in-addr.arpa" - forward-host: "dns.serv.zentralwerk.org" + forward-zone: + name: "72.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" - forward-zone: - name: "73.20.172.in-addr.arpa" - forward-host: "dns.serv.zentralwerk.org" + forward-zone: + name: "73.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" - forward-zone: - name: "74.20.172.in-addr.arpa" - forward-host: "dns.serv.zentralwerk.org" + forward-zone: + name: "74.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" - forward-zone: - name: "75.20.172.in-addr.arpa" - forward-host: "dns.serv.zentralwerk.org" + forward-zone: + name: "75.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" - forward-zone: - name: "76.20.172.in-addr.arpa" - forward-host: "dns.serv.zentralwerk.org" + forward-zone: + name: "76.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" - forward-zone: - name: "77.20.172.in-addr.arpa" - forward-host: "dns.serv.zentralwerk.org" + forward-zone: + name: "77.20.172.in-addr.arpa" + forward-host: 
"dns.serv.zentralwerk.org" - forward-zone: - name: "dn42" - forward-addr: 172.23.0.53 + forward-zone: + name: "dn42" + forward-addr: 172.23.0.53 - forward-zone: - name: "20.172.in-addr.arpa" - forward-addr: 172.23.0.53 + forward-zone: + name: "20.172.in-addr.arpa" + forward-addr: 172.23.0.53 - forward-zone: - name: "21.172.in-addr.arpa" - forward-addr: 172.23.0.53 + forward-zone: + name: "21.172.in-addr.arpa" + forward-addr: 172.23.0.53 - forward-zone: - name: "22.172.in-addr.arpa" - forward-addr: 172.23.0.53 + forward-zone: + name: "22.172.in-addr.arpa" + forward-addr: 172.23.0.53 - forward-zone: - name: "23.172.in-addr.arpa" - forward-addr: 172.23.0.53 + forward-zone: + name: "23.172.in-addr.arpa" + forward-addr: 172.23.0.53 - forward-zone: - name: "d.f.ip6.arpa" - forward-addr: 172.23.0.53 + forward-zone: + name: "d.f.ip6.arpa" + forward-addr: 172.23.0.53 - forward-zone: - name: "ffdd" - forward-addr: 10.200.0.4 - forward-addr: 10.200.0.16 + forward-zone: + name: "ffdd" + forward-addr: 10.200.0.4 + forward-addr: 10.200.0.16 - forward-zone: - name: "200.10.in-addr.arpa" - forward-addr: 10.200.0.4 - forward-addr: 10.200.0.16 + forward-zone: + name: "200.10.in-addr.arpa" + forward-addr: 10.200.0.4 + forward-addr: 10.200.0.16 ''; }; 
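Review bot: The last `forwardAddresses` entry, `''2606:4700:4700::1001@853 forward-ssl-upstream: yes''`, smuggles a zone-level directive into the address list and only works because that element is rendered last; whoever reorders the list later turns TLS forwarding off without noticing, so it deserves a comment such as `# must stay last: the embedded newline injects forward-ssl-upstream into this forward-zone`. Separately, the `# dns.quad9.net` / `# cloudflare-dns.com` annotations are Nix comments, not unbound auth-names: without `tls-cert-bundle` in the `server:` block and the name appended as `"9.9.9.9@853#dns.quad9.net"`, the forwarder connections are encrypted but the forwarder's identity is never verified. I cannot see whether `tls-cert-bundle` is set earlier in the file; if it is not, adding `tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt` under `server:` and the `#hostname` suffix on each address closes that gap. `forward-ssl-upstream` is the legacy spelling of `forward-tls-upstream`. The enclosing `services.unbound` block starts before the hunk.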
@@ -191,33 +194,32 @@ memory = ""; interface = ""; load = ""; - exec = - let - unboundScript = builtins.toFile "unbound.rb" '' - loop do - `/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset` - .lines - .filter { |l| l =~ /^total\./ } - .each { |l| - if l =~ /total\.(.+?)=([\d\.]+)/ - name = $1 - value = $2.to_f - if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/ - ty = "gauge" - else - ty = "derive" - value = value.to_i - end - puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}" + exec = let + unboundScript = builtins.toFile "unbound.rb" '' + loop do + `/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset` + .lines + .filter { |l| l =~ /^total\./ } + .each { |l| + if l =~ /total\.(.+?)=([\d\.]+)/ + name = $1 + value = $2.to_f + if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/ + ty = "gauge" + else + ty = "derive" + value = value.to_i end - } + puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}" + end + } - sleep 10 - end - ''; - in '' - Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}" + sleep 10 + end ''; + in '' + Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}" + ''; network = '' Server "grafana.serv.zentralwerk.dn42" "25826" ''; diff --git a/hosts/containers/elastic/configuration.nix b/hosts/containers/elastic/configuration.nix index bb16f1d0..6b1195a0 100644 --- a/hosts/containers/elastic/configuration.nix +++ b/hosts/containers/elastic/configuration.nix 
@@ -5,31 +5,28 @@ { config, pkgs, lib, ... }: { - imports = - [ ../../../lib/lxc-container.nix + imports = [ + ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix ]; - environment.systemPackages = with pkgs; [ - vim - ]; + environment.systemPackages = with pkgs; [ vim ]; networking = { hostName = "elastic1"; - interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ]; + interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.15"; + prefixLength = 26; + }]; defaultGateway = "172.20.73.1"; firewall = { - allowedTCPPorts = [ - 22 - 9200 - 9300 - ]; + allowedTCPPorts = [ 22 9200 9300 ]; enable = true; }; }; - nixpkgs.config.allowUnfree = true; + nixpkgs.config.allowUnfree = true; services.openssh = { enable = true; 
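Review bot: `allowedTCPPorts = [ 22 9200 9300 ]` with `enable = true` exposes the Elasticsearch HTTP and transport ports to everything that can reach eth0, and the only consumer visible in this commit (`logging`'s `elasticsearchHosts = [ "http://elastic1.serv.zentralwerk.org:9200" ]`) connects without credentials, which suggests the cluster runs without authentication. Unless x-pack security is configured outside this hunk, limiting 9200/9300 to the logging and kibana hosts (via `networking.firewall.extraCommands`, or at the hypervisor) is the cheapest mitigation, and a comment naming the intended clients would help either way. The file continues past the hunk.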
@@ -46,35 +43,33 @@ systemd.services.elasticsearch.serviceConfig.Restart = "always"; # does not work, needs to be set on hv (done through ansible) - boot.kernel.sysctl = { - "vm.max_map_count"="262144"; - }; + boot.kernel.sysctl = { "vm.max_map_count" = "262144"; }; services.elasticsearch-curator = { enable = true; actionYAML = '' - --- - actions: - 1: - action: delete_indices - description: >- - Delete indices older than 45 days (based on index name), for logstash- - prefixed indices. Ignore the error if the filter does not result in an - actionable list of indices (ignore_empty_list) and exit cleanly. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: prefix - value: logstash- - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: 45 - ''; + --- + actions: + 1: + action: delete_indices + description: >- + Delete indices older than 45 days (based on index name), for logstash- + prefixed indices. Ignore the error if the filter does not result in an + actionable list of indices (ignore_empty_list) and exit cleanly. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: prefix + value: logstash- + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: 45 + ''; }; system.stateVersion = "20.09"; # Did you read the comment? diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index f526e6d5..8616691b 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -12,9 +12,8 @@ let ddmeshAddrPart = "200.74"; rt_table = 7; bmxd = import (toString ) { inherit pkgs; }; - sysinfo-json = import { - inherit pkgs bmxd ddmeshNode; - }; + sysinfo-json = + import { inherit pkgs bmxd ddmeshNode; }; in { imports = [ 
@@ -78,23 +77,23 @@ in { "10-bmx" = { enable = true; matchConfig = { Name = meshInterface; }; - addresses = [ { + addresses = [{ addressConfig = { Address = "10.201.${ddmeshAddrPart}/16"; Broadcast = "10.255.255.255"; }; - } ]; + }]; }; # Dummy interface for primary (10.200) address "11-bmx-loopback" = { enable = true; matchConfig = { Name = meshLoopback; }; - addresses = [ { + addresses = [{ addressConfig = { Address = "10.200.${ddmeshAddrPart}/32"; Broadcast = "10.255.255.255"; }; - } ]; + }]; }; # ZW "20-core" = { @@ -131,7 +130,7 @@ in { -g 500000/50000 \ dev=bmx_prime /linklayer 0 \ dev=${meshInterface} /linklayer 1 - ''; + ''; Restart = "always"; }; }; @@ -141,7 +140,9 @@ in { script = '' ${pkgs.curl}/bin/curl \ -o /tmp/ddmesh-registration.json \ - '${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}' + '${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${ + toString ddmeshNode + }' ''; serviceConfig = { User = "nobody"; @@ -149,8 +150,8 @@ in { }; }; systemd.timers.ddmesh-register-node = { - partOf = [ "ddmesh-register-node.service" ]; - wantedBy = [ "timers.target" ]; + partOf = [ "ddmesh-register-node.service" ]; + wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "daily"; }; @@ -162,8 +163,8 @@ in { ''; }; systemd.timers.sysinfo-json = { - partOf = [ "sysinfo-json.service" ]; - wantedBy = [ "timers.target" ]; + partOf = [ "sysinfo-json.service" ]; + wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; 
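Review bot: In the `@@ -141,7 +140,9 @@` hunk the rewrapped `'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${ toString ddmeshNode }'` still interpolates the registration key into the unit's script, so it is stored in /nix/store and shows up in the curl process arguments on every run. Reading it from a file outside the store keeps it out of both places, e.g. `curl -G --data-urlencode "registerkey@/run/keys/ddmesh-registerkey" --data-urlencode "node=${toString ddmeshNode}" -o /tmp/ddmesh-registration.json '${ddmeshRegisterUrl}'` (path illustrative; the service runs as `nobody`, so the key file's permissions must allow that user). The `systemd.services.ddmesh-register-node` definition starts before the hunk. The other hunks in this file are formatting only.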
@@ -171,49 +172,49 @@ in { services.bird2 = { enable = true; config = '' - protocol kernel K4 { - ipv4 { - export all; - }; - } - protocol kernel K6 { - ipv6 { - export all; - }; - } - protocol device { - scan time 10; - } + protocol kernel K4 { + ipv4 { + export all; + }; + } + protocol kernel K6 { + ipv6 { + export all; + }; + } + protocol device { + scan time 10; + } - protocol ospf v2 ZW4 { - area 0 { - networks { - 172.20.72.0/21; - }; - stubnet 10.200.0.0/15; - interface "core" { - authentication cryptographic; - password "${import }"; - }; + protocol ospf v2 ZW4 { + area 0 { + networks { + 172.20.72.0/21; }; - } - - protocol ospf v3 ZW6 { - area 0 { - networks { - fd23:42:c3d2:500::/56; - 2a02:8106:208:5200::/56; - 2a02:8106:211:e900::/56; - }; - interface "core" { - #authentication cryptographic; - #password "${import }"; - }; + stubnet 10.200.0.0/15; + interface "core" { + authentication cryptographic; + password "${import }"; }; - } + }; + } - router id ${coreAddress}; - ''; + protocol ospf v3 ZW6 { + area 0 { + networks { + fd23:42:c3d2:500::/56; + 2a02:8106:208:5200::/56; + 2a02:8106:211:e900::/56; + }; + interface "core" { + #authentication cryptographic; + #password "${import }"; + }; + }; + } + + router id ${coreAddress}; + ''; }; # HTTP Reverse Proxy to provide services into Freifunk 
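Review bot: `password "${import }";` in the `ZW4` OSPF interface block (the angle-bracket path appears stripped in this rendering) interpolates the shared OSPF secret into `services.bird2.config`, which the module writes to /nix/store as a world-readable file; the same applies to the commented-out `ZW6` line if it is ever re-enabled. A non-store file pulled in with bird's `include "/run/keys/bird-ospf-password.conf";` (illustrative path; confirm bird accepts `include` at that position) can carry the `password` statement instead. In the meantime a `# secret: keep out of the store` comment next to the line would flag it for the next editor. The enclosing `services.bird2` block is fully inside the hunk.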
@@ -229,34 +230,37 @@ in { "c3d2.ffdd" = { default = true; root = ; - locations = - let - sysinfo-json = { - alias = "/run/nginx/sysinfo.json"; - extraConfig = '' - add_header Content-Type "application/json;charset=UTF-8"; - ''; - }; - in { - "/" = { - index = "index.html"; - extraConfig = '' - etag off; - add_header etag "\"${builtins.substring 11 32 ( + "/assets")}\""; - ''; - }; - "=/sysinfo-json.cgi" = sysinfo-json; - "=/sysinfo.json" = sysinfo-json; + locations = let + sysinfo-json = { + alias = "/run/nginx/sysinfo.json"; + extraConfig = '' + add_header Content-Type "application/json;charset=UTF-8"; + ''; }; + in { + "/" = { + index = "index.html"; + extraConfig = '' + etag off; + add_header etag "\"${ + builtins.substring 11 32 ( + "/assets") + }\""; + ''; + }; + "=/sysinfo-json.cgi" = sysinfo-json; + "=/sysinfo.json" = sysinfo-json; + }; }; - "storage.hq.c3d2.ffdd".locations."/".proxyPass = "http://storage.hq.c3d2.de/"; + "storage.hq.c3d2.ffdd".locations."/".proxyPass = + "http://storage.hq.c3d2.de/"; "grafana.hq.c3d2.ffdd".locations."/" = { proxyPass = "https://grafana.hq.c3d2.de/"; extraConfig = '' proxy_ssl_server_name on; ''; }; - "influxdb.hq.c3d2.ffdd".locations."/".proxyPass = "http://grafana.hq.c3d2.de:8086/"; + "influxdb.hq.c3d2.ffdd".locations."/".proxyPass = + "http://grafana.hq.c3d2.de:8086/"; }; }; diff --git a/hosts/containers/freifunk/sysinfo-json.nix b/hosts/containers/freifunk/sysinfo-json.nix index d374b5a0..9b3bf94e 100644 --- a/hosts/containers/freifunk/sysinfo-json.nix +++ b/hosts/containers/freifunk/sysinfo-json.nix @@ -1,8 +1,6 @@ -{ pkgs ? import {}, - ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git", - bmxd, - ddmeshNode, - ... }: +{ pkgs ? import { }, ffdd-server ? + builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git", bmxd +, ddmeshNode, ... }: with pkgs; let 
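Review bot: The new-side default `ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"` in the sysinfo-json.nix hunk has no `rev`, so every evaluation may pull a different upstream tree, and the `sysinfo-json.cgi` taken from that tree is patched and installed later in this file — an unpinned remote repository is therefore effectively part of the trusted code base. Pin it: `ffdd-server ? builtins.fetchGit { url = "https://github.com/Freifunk-Dresden/ffdd-server.git"; ref = "<branch>"; rev = "<commit-id>"; }` (placeholders for the audited commit), which also makes the build reproducible. The parameter set ends with `with pkgs; let` inside the hunk; the derivation body is outside it.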
@@ -18,8 +16,7 @@ let gps_longitude = "13.7285866"; gps_altitude = "100"; }; -in -stdenv.mkDerivation { +in stdenv.mkDerivation { name = "sysinfo-json"; src = "${ffdd-server}/salt/freifunk/base/ddmesh/"; buildPhase = '' @@ -50,14 +47,21 @@ stdenv.mkDerivation { --replace '"node_type":"server"' '"node_type":"node"' \ --replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \ --replace lsb_release $out/bin/lsb_release \ - --replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"} 0 \ - --replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"} 0 \ + --replace ${ + lib.strings.escapeShellArg + "$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')" + } 0 \ + --replace ${ + lib.strings.escapeShellArg + "$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')" + } 0 \ --replace 'nettype_lookup[$2]' '"lan"' \ --replace awk ${gawk}/bin/awk - '' + - lib.strings.concatStrings (lib.attrsets.mapAttrsToList ( - var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n" - ) nvram); + '' + lib.strings.concatStrings (lib.attrsets.mapAttrsToList (var: value: '' + substituteInPlace sysinfo-json.cgi --replace ${ + lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})" + } '${value}' + '') nvram); installPhase = '' pwd mkdir -p $out/bin diff --git a/hosts/containers/grafana/configuration.nix b/hosts/containers/grafana/configuration.nix index ad061778..d6f3daf9 100644 --- a/hosts/containers/grafana/configuration.nix +++ b/hosts/containers/grafana/configuration.nix 
@@ -15,7 +15,10 @@ networking.hostName = "grafana"; networking.useNetworkd = true; - networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ]; + networking.interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.43"; + prefixLength = 26; + }]; networking.defaultGateway = "172.20.73.1"; # http https influxdb diff --git a/hosts/containers/kibana/configuration.nix b/hosts/containers/kibana/configuration.nix index ce543d4c..1a0e8150 100644 --- a/hosts/containers/kibana/configuration.nix +++ b/hosts/containers/kibana/configuration.nix @@ -9,7 +9,10 @@ ]; networking.hostName = "kibana"; - networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ]; + networking.interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.44"; + prefixLength = 26; + }]; networking.defaultGateway = "172.20.73.1"; networking.firewall.allowedTCPPorts = [ 80 443 ]; 
@@ -31,32 +34,30 @@ acceptTerms = true; email = "mail@c3d2.de"; }; - services.nginx = - let - authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"; - vhost = url: { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = url; - extraConfig = '' - auth_basic "Chaos"; - auth_basic_user_file ${authFile}; - ''; - }; - }; - in - { - enable = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - virtualHosts = { - "kibana.hq.c3d2.de" = - vhost "http://127.0.0.1:${toString config.services.kibana.port}"; - "kibana-es.hq.c3d2.de" = - vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}"; + services.nginx = let + authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"; + vhost = url: { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = url; + extraConfig = '' + auth_basic "Chaos"; + auth_basic_user_file ${authFile}; + ''; }; }; + in { + enable = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + virtualHosts = { + "kibana.hq.c3d2.de" = + vhost "http://127.0.0.1:${toString config.services.kibana.port}"; + "kibana-es.hq.c3d2.de" = + vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}"; + }; + }; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database diff --git a/hosts/containers/logging/configuration.nix b/hosts/containers/logging/configuration.nix index badcdae2..3ba5599a 100644 --- a/hosts/containers/logging/configuration.nix +++ b/hosts/containers/logging/configuration.nix 
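Review bot: `authFile = pkgs.writeText "htpasswd" "k-ot:…"` is carried over unchanged: the credential file is built into /nix/store (world-readable) and the hash is committed to the repository, and its 13-character form is traditional DES crypt, which caps the password at 8 characters and is weak by today's standards. Since the same `vhost` also fronts the Elasticsearch API (`kibana-es.hq.c3d2.de`), this is the only barrier in front of the data store; point `auth_basic_user_file` at a file deployed outside the store, e.g. `auth_basic_user_file /run/keys/kibana-htpasswd;` (illustrative), regenerated with a SHA-512 crypt entry (`openssl passwd -6`), and rotate the current password since it is already in history. The `services.nginx` block is fully inside the hunk.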
@@ -5,33 +5,24 @@ { config, pkgs, lib, ... }: { - imports = - [ ../../../lib/lxc-container.nix + imports = [ + ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix ]; - environment.systemPackages = with pkgs; [ - vim - ]; + environment.systemPackages = with pkgs; [ vim ]; networking = { hostName = "logging"; - interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ]; + interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.13"; + prefixLength = 26; + }]; defaultGateway = "172.20.73.1"; firewall = { - allowedTCPPorts = [ - 22 - 9000 - 80 - 443 - 5044 - 12201 - 514 - ]; - allowedUDPPorts = [ - 514 - ]; + allowedTCPPorts = [ 22 9000 80 443 5044 12201 514 ]; + allowedUDPPorts = [ 514 ]; enable = false; }; dhcpcd.denyInterfaces = [ "eth1" ]; 
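Review bot: The consolidated `allowedTCPPorts = [ 22 9000 80 443 5044 12201 514 ]` and `allowedUDPPorts = [ 514 ]` sit under `enable = false;`, so the lists have no effect and read as a stricter policy than the host actually enforces. If the firewall is disabled on purpose (filtering done on the hypervisor, say), a comment such as `# firewall off by design: filtered on the hypervisor; port lists kept as documentation` would make that explicit; otherwise `enable = true;` is the state this list implies. The `networking` attribute set is fully inside the hunk.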
@@ -53,28 +44,26 @@ services.nginx = { enable = true; virtualHosts = { - default = { - locations = { - "/".proxyPass = "http://127.0.0.1:9000/"; - }; - }; + default = { locations = { "/".proxyPass = "http://127.0.0.1:9000/"; }; }; }; }; services.graylog = { enable = true; - passwordSecret = "SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V"; + passwordSecret = + "SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V"; # mongo.serv.zentralwerk. ? elasticsearchHosts = [ "http://elastic1.serv.zentralwerk.org:9200" ]; - rootPasswordSha2 = "3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd"; + rootPasswordSha2 = + "3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd"; # mongo.serv.zentralwerk. ? mongodbUri = "mongodb://mongo.serv.zentralwerk.org/graylog"; extraConfig = '' - http_bind_address = 0.0.0.0:9000 - http_publish_uri = http://logging.serv.zentralwerk.org/ - elasticsearch_shards = 1 - allow_highlighting = true - allow_leading_wildcard_searches = true + http_bind_address = 0.0.0.0:9000 + http_publish_uri = http://logging.serv.zentralwerk.org/ + elasticsearch_shards = 1 + allow_highlighting = true + allow_leading_wildcard_searches = true ''; user = "root"; }; diff --git a/hosts/containers/lxc-template.nix b/hosts/containers/lxc-template.nix index dbb6ba58..e1c9f070 100644 --- a/hosts/containers/lxc-template.nix +++ b/hosts/containers/lxc-template.nix @@ -22,9 +22,7 @@ # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - wget vim - ]; + environment.systemPackages = with pkgs; [ wget vim ]; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database diff --git a/hosts/containers/mongo/configuration.nix b/hosts/containers/mongo/configuration.nix index 8a0e334e..1e69833e 100644 
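Review bot: `passwordSecret` and `rootPasswordSha2` on the new side of the graylog hunk are literal values in configuration.nix, and `user = "root";` runs Graylog with full privileges; the reformat keeps all three. The NixOS module renders these options into a configuration file in the world-readable /nix/store and the Git history holds them as well, so both values should be treated as disclosed, rotated, and then read from a file outside the store rather than written inline. `rootPasswordSha2` is an unsalted SHA-256 of the root password, so exposure of the hash is close to exposure of the password itself. The `services.graylog` set is complete inside the hunk; the enclosing top-level set is not.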
--- a/hosts/containers/mongo/configuration.nix +++ b/hosts/containers/mongo/configuration.nix @@ -5,26 +5,23 @@ { config, pkgs, lib, ... }: { - imports = - [ ../../../lib/lxc-container.nix + imports = [ + ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix ]; - environment.systemPackages = with pkgs; [ - vim - mongodb-tools - ]; + environment.systemPackages = with pkgs; [ vim mongodb-tools ]; networking = { hostName = "mongo"; - interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ]; + interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.21"; + prefixLength = 26; + }]; defaultGateway = "172.20.73.1"; firewall = { - allowedTCPPorts = [ - 22 - 27017 - ]; + allowedTCPPorts = [ 22 27017 ]; enable = true; }; }; diff --git a/hosts/containers/mucbot/configuration.nix b/hosts/containers/mucbot/configuration.nix index 32b073e0..0aa29266 100644 --- a/hosts/containers/mucbot/configuration.nix +++ b/hosts/containers/mucbot/configuration.nix 
@@ -1,34 +1,39 @@ { config, pkgs, lib, ... }: let - tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz; -in -{ - imports = - [ ../../../lib/lxc-container.nix - ../../../lib/shared.nix - ../../../lib/admins.nix - "${tiggerGit}/module.nix" - ]; + tiggerGit = builtins.fetchTarball + "https://github.com/astro/tigger/archive/master.tar.gz"; +in { + imports = [ + ../../../lib/lxc-container.nix + ../../../lib/shared.nix + ../../../lib/admins.nix + "${tiggerGit}/module.nix" + ]; networking.hostName = "mucbot"; - networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ]; + networking.interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.27"; + prefixLength = 26; + }]; networking.defaultGateway = "172.20.73.1"; - networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; + networking.nameservers = + [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; users.users.tigger = { createHome = true; isNormalUser = true; group = "tigger"; }; - users.groups.tigger = {}; + users.groups.tigger = { }; services.tigger = { enable = true; user = "tigger"; group = "tigger"; jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix; password = import ../../../secrets/hosts/mucbot/jabber-password.nix; - mucs = [ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ]; + mucs = + [ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ]; }; # This value determines the NixOS release with which your system is to be diff --git a/hosts/containers/prometheus/configuration.nix b/hosts/containers/prometheus/configuration.nix index bbf693a3..fd1f0068 100644 --- a/hosts/containers/prometheus/configuration.nix +++ b/hosts/containers/prometheus/configuration.nix 
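Review bot: `tiggerGit = builtins.fetchTarball "https://github.com/astro/tigger/archive/master.tar.gz"` on the new side imports a NixOS module from whatever `master` holds at evaluation time, with no revision and no `sha256`, so the system closure is neither reproducible nor integrity-checked and a force-pushed or compromised upstream branch lands straight in `imports`. Pin it: `tiggerGit = builtins.fetchTarball { url = "https://github.com/astro/tigger/archive/<rev>.tar.gz"; sha256 = "<hash>"; };`. The same applies to the `builtins.fetchGit` calls without `rev` in the scrape (scrapers.git), spaceapi (spacemsg.git), ticker (ticker.git) and krops (krops) hunks further down; the `nixcloud-webservices` fetch in lib/lxc/default.nix, with `rev` and `sha256`, shows the pinned form this repository already uses.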
@@ -5,28 +5,18 @@ { config, pkgs, lib, ... }: { - imports = - [ ../../../lib/lxc-container.nix + imports = [ + ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix ]; - environment.systemPackages = with pkgs; [ - vim - ]; + environment.systemPackages = with pkgs; [ vim ]; networking = { hostName = "prometheus"; firewall = { - allowedTCPPorts = [ - 22 - 80 - 443 - 9090 - 9091 - 9093 - 9094 - ]; + allowedTCPPorts = [ 22 80 443 9090 9091 9093 9094 ]; enable = true; }; }; @@ -51,23 +41,21 @@ "repeat_interval" = "4h"; "receiver" = "team-admins"; }; - "receivers" = [ - { - "name" = "team-admins"; - # "email_configs" = [ - # { - # "to" = "devnull@example.com"; - # "send_resolved" = true; - # } - # ]; - # "webhook_configs" = [ - # { - # "url" = "https://example.com/prometheus-alerts"; - # "send_resolved" = true; - # } - # ]; - } - ]; + "receivers" = [{ + "name" = "team-admins"; + # "email_configs" = [ + # { + # "to" = "devnull@example.com"; + # "send_resolved" = true; + # } + # ]; + # "webhook_configs" = [ + # { + # "url" = "https://example.com/prometheus-alerts"; + # "send_resolved" = true; + # } + # ]; + }]; }; }; @@ -75,12 +63,12 @@ pushgateway = { enable = true; - web.external-url = "http://prometheus.serv.zentralwerk.org/push/"; + web.external-url = "http://prometheus.serv.zentralwerk.org/push/"; }; exporters.collectd.enable = true; exporters.collectd.openFirewall = true; - + exporters.nginx.enable = true; exporters.nginx.openFirewall = true; diff --git a/hosts/containers/public-access-proxy/configuration.nix b/hosts/containers/public-access-proxy/configuration.nix index 8d75a5c1..d99de8cb 100644 --- a/hosts/containers/public-access-proxy/configuration.nix +++ b/hosts/containers/public-access-proxy/configuration.nix 
@@ -5,17 +5,20 @@ { config, pkgs, lib, ... }: { - imports = - [ ../../../lib/lxc-container.nix - ../../../lib/shared.nix - ../../../lib/admins.nix - ./proxy.nix - ]; + imports = [ + ../../../lib/lxc-container.nix + ../../../lib/shared.nix + ../../../lib/admins.nix + ./proxy.nix + ]; networking.hostName = "public-access-proxy"; networking.useNetworkd = true; networking.interfaces.eth0 = { - ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ]; + ipv4.addresses = [{ + address = "172.20.73.45"; + prefixLength = 26; + }]; }; networking.defaultGateway = "172.20.73.1"; 
@@ -24,35 +27,55 @@ proxyHosts = [ { hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ]; - proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; }; + proxyTo = { + host = "172.22.99.192"; + httpPort = 80; + httpsPort = 443; + }; } { hostNames = [ "grafana.hq.c3d2.de" ]; - proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; + proxyTo = { + host = "grafana.serv.zentralwerk.dn42"; + httpPort = 80; + httpsPort = 443; + }; } { hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ]; - proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; + proxyTo = { + host = "kibana.serv.zentralwerk.dn42"; + httpPort = 80; + httpsPort = 443; + }; } { hostNames = [ "robo1.hq.c3d2.de" ]; - proxyTo = { host = "172.20.79.62"; httpPort = 80; }; + proxyTo = { + host = "172.20.79.62"; + httpPort = 80; + }; } { hostNames = [ "robots.datenspuren.de" ]; - proxyTo = { host = "172.22.99.170"; httpPort = 80; httpsPort = 443; }; + proxyTo = { + host = "172.22.99.170"; + httpPort = 80; + httpsPort = 443; + }; } { hostNames = [ "error.hq.c3d2.de" ]; - proxyTo = { host = "172.20.73.47"; httpPort = 80; httpsPort = 443; }; + proxyTo = { + host = "172.20.73.47"; + httpPort = 80; + httpsPort = 443; + }; } ]; }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; system.stateVersion = "18.09"; # Did you read the comment? diff --git a/hosts/containers/public-access-proxy/proxy.nix b/hosts/containers/public-access-proxy/proxy.nix index f0caa18a..8f035fc4 100644 --- a/hosts/containers/public-access-proxy/proxy.nix +++ b/hosts/containers/public-access-proxy/proxy.nix @@ -1,8 +1,7 @@ { config, lib, pkgs, ... }: with lib; -let - cfg = config.my.services.proxy; +let cfg = config.my.services.proxy; in { 
@@ -15,58 +14,59 @@ in { }; proxyHosts = mkOption { - type = types.listOf (types.submodule ( - { - options = { - hostNames = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Proxy these hostNames. - ''; - }; - proxyTo = mkOption { - type = types.submodule ( - { - options = { - host = mkOption { - type = types.nullOr types.string; - default = null; - description = '' - Host to forward traffic to. - Any hostname may only be used once - ''; - }; - httpPort = mkOption { - type = types.int; - default = 80; - description = '' - Port to forward http to. - ''; - }; - httpsPort = mkOption { - type = types.int; - default = 443; - description = '' - Port to forward http to. - ''; - }; - }; - }); - description = '' - { host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to - ''; - default = {}; - }; + type = types.listOf (types.submodule ({ + options = { + hostNames = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + Proxy these hostNames. + ''; }; + proxyTo = mkOption { + type = types.submodule ({ + options = { + host = mkOption { + type = types.nullOr types.string; + default = null; + description = '' + Host to forward traffic to. + Any hostname may only be used once + ''; + }; + httpPort = mkOption { + type = types.int; + default = 80; + description = '' + Port to forward http to. + ''; + }; + httpsPort = mkOption { + type = types.int; + default = 443; + description = '' + Port to forward http to. + ''; + }; + }; + }); + description = '' + { host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to + ''; + default = { }; + }; + }; - })); - default = []; - example = [ - { hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ]; - proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; }; - } - ]; + })); + default = [ ]; + example = [{ + hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ]; + proxyTo = { + host = "172.22.99.99"; + httpPort = 80; + httpsPort = 443; + }; + }]; }; }; 
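Review bot: `type = types.nullOr types.string;` for `host` on the new side uses `types.string`, which nixpkgs has deprecated in favour of `types.str` (the `hostNames` option a few lines above already uses `types.str`), so the two options disagree and the module will warn or fail once the old name is dropped; change it to `type = types.nullOr types.str;`. The `description` of `httpsPort` reads `Port to forward http to.`, a copy of the `httpPort` text, and should say `Port to forward https to.`. The `proxyHosts` option is complete inside the hunk, but the module's `options` set and the config that consumes it lie outside it.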
@@ -81,7 +81,7 @@ in { timeout client 30000 option http-keep-alive default_backend proxy-backend-http - + backend proxy-backend-http timeout connect 5000 timeout check 5000 @@ -91,15 +91,16 @@ in { option forwardfor http-request set-header X-Forwarded-Proto http http-request set-header X-Forwarded-Port 80 - ${concatMapStringsSep "\n" (proxyHost: - optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( - concatMapStringsSep "\n" (hostname: '' + ${ + concatMapStringsSep "\n" (proxyHost: + optionalString + (proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null) + (concatMapStringsSep "\n" (hostname: '' use-server ${hostname}-http if { req.hdr(host) -i ${hostname} } - server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} - '' - ) (proxyHost.hostNames) - ) - ) (cfg.proxyHosts) + server ${hostname}-http ${proxyHost.proxyTo.host}:${ + toString proxyHost.proxyTo.httpPort + } + '') (proxyHost.hostNames))) (cfg.proxyHosts) } frontend https-in @@ -114,15 +115,16 @@ in { option http-server-close http-request set-header X-Forwarded-Proto https http-request set-header X-Forwarded-Port 443 - ${concatMapStringsSep "\n" (proxyHost: - optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( - concatMapStringsSep "\n" (hostname: '' + ${ + concatMapStringsSep "\n" (proxyHost: + optionalString + (proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null) + (concatMapStringsSep "\n" (hostname: '' use-server ${hostname}-https if { req.ssl_sni -i ${hostname} } - server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} - '' - ) (proxyHost.hostNames) - ) - ) (cfg.proxyHosts) + server ${hostname}-https ${proxyHost.proxyTo.host}:${ + toString proxyHost.proxyTo.httpsPort + } + '') (proxyHost.hostNames))) (cfg.proxyHosts) } ''; }; diff --git a/hosts/containers/registry/configuration.nix b/hosts/containers/registry/configuration.nix index 650a4347..14d5bbf8 100644 
--- a/hosts/containers/registry/configuration.nix +++ b/hosts/containers/registry/configuration.nix @@ -5,8 +5,8 @@ { config, pkgs, lib, ... }: { - imports = - [ ../../../lib/lxc-container.nix + imports = [ + ../../../lib/lxc-container.nix ../../../lib/shared.nix ../../../lib/admins.nix ]; @@ -15,43 +15,34 @@ hostName = "registry"; # usePredictableInterfacenames = false; interfaces.eth0.ipv4.addresses = [{ - address = "172.22.99.34"; - prefixLength = 24; + address = "172.22.99.34"; + prefixLength = 24; }]; interfaces.eth0.ipv6.addresses = [{ - address= "2a02:8106:208:5201::34"; - prefixLength = 64; + address = "2a02:8106:208:5201::34"; + prefixLength = 64; }]; dhcpcd.denyInterfaces = [ "eth0" ]; defaultGateway = { - address = "172.22.99.1"; - interface = "eth0"; - metric = 10; + address = "172.22.99.1"; + interface = "eth0"; + metric = 10; }; #defaultGateway6 = { # address = "fe80::a800:42ff:fe7a:3246"; # interface = "ens18"; #}; }; - - # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [ - 22 - 80 - 443 - 5000 - ]; + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 22 80 443 5000 ]; # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - wget - vim - ]; - + environment.systemPackages = with pkgs; [ wget vim ]; + services.dockerRegistry = { enable = true; storagePath = "/srv/docker-registry"; @@ -81,4 +72,3 @@ system.stateVersion = "19.03"; # Did you read the comment? } - diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index e1aa115e..f5d805c6 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix 
@@ -24,77 +24,77 @@ in { enableHail = false; }; - networking.hostName = "scrape"; - networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ]; + networking.interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.32"; + prefixLength = 26; + }]; networking.defaultGateway = "172.20.73.1"; # Required for krops services.openssh.enable = true; environment.systemPackages = [ pkgs.git ]; - systemd.services = - let - scrapers = import ( - builtins.fetchGit { url = "https://gitea.c3d2.de/astro/scrapers.git"; } - ) { - inherit pkgs; + systemd.services = let + scrapers = import (builtins.fetchGit { + url = "https://gitea.c3d2.de/astro/scrapers.git"; + }) { inherit pkgs; }; + makeService = { script, host, user ? "", password ? "" }: { + script = + "${scrapers.${script}}/bin/${script} ${host} ${user} ${password}"; + }; + xeriLogin = import ; + fhemLogin = import ; + matematLogin = import ; + makeNodeScraper = nodeId: { + name = "scrape-node${nodeId}"; + value = makeService { + script = "freifunk_node"; + host = freifunkNodes.${nodeId}; }; - makeService = { script, host, user ? "", password ? 
"" }: { - script = "${scrapers.${script}}/bin/${script} ${host} ${user} ${password}"; - }; - xeriLogin = import ; - fhemLogin = import ; - matematLogin = import ; - makeNodeScraper = nodeId: { - name = "scrape-node${nodeId}"; - value = makeService { - script = "freifunk_node"; - host = freifunkNodes.${nodeId}; - }; - }; - in { - scrape-xeri = makeService { - script = "xerox"; - host = "xeri.hq.c3d2.de"; - inherit (xeriLogin) user password; - }; - scrape-roxi = makeService { - script = "xerox"; - host = "roxi.hq.c3d2.de"; - }; - scrape-fhem = makeService { - script = "fhem"; - host = "fhem.hq.c3d2.de"; - inherit (fhemLogin) user password; - }; - scrape-matemat = makeService { - script = "matemat"; - host = "matemat.hq.c3d2.de"; - inherit (matematLogin) user password; - }; - } // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes)); + }; + in { + scrape-xeri = makeService { + script = "xerox"; + host = "xeri.hq.c3d2.de"; + inherit (xeriLogin) user password; + }; + scrape-roxi = makeService { + script = "xerox"; + host = "roxi.hq.c3d2.de"; + }; + scrape-fhem = makeService { + script = "fhem"; + host = "fhem.hq.c3d2.de"; + inherit (fhemLogin) user password; + }; + scrape-matemat = makeService { + script = "matemat"; + host = "matemat.hq.c3d2.de"; + inherit (matematLogin) user password; + }; + } // builtins.listToAttrs + (map makeNodeScraper (builtins.attrNames freifunkNodes)); - systemd.timers = - let - makeTimer = service: interval: { - partOf = [ "${service}.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = interval; + systemd.timers = let + makeTimer = service: interval: { + partOf = [ "${service}.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = interval; + }; + makeNodeScraperTimer = nodeId: + let name = "scrape-node${nodeId}"; + in { + inherit name; + value = makeTimer name "minutely"; }; - makeNodeScraperTimer = nodeId: - let - name = "scrape-node${nodeId}"; - in { - inherit name; - value = 
makeTimer name "minutely"; - }; - in { - scrape-xeri = makeTimer "scrape-xeri.service" "minutely"; - scrape-roxi = makeTimer "scrape-roxi.service" "minutely"; - scrape-fhem = makeTimer "scrape-fhem.service" "minutely"; - scrape-matemat = makeTimer "scrape-matemat.service" "minutely"; - } // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes)); + in { + scrape-xeri = makeTimer "scrape-xeri.service" "minutely"; + scrape-roxi = makeTimer "scrape-roxi.service" "minutely"; + scrape-fhem = makeTimer "scrape-fhem.service" "minutely"; + scrape-matemat = makeTimer "scrape-matemat.service" "minutely"; + } // builtins.listToAttrs + (map makeNodeScraperTimer (builtins.attrNames freifunkNodes)); # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database diff --git a/hosts/containers/spaceapi/configuration.nix b/hosts/containers/spaceapi/configuration.nix index 9aa7b5e1..053f6e65 100644 --- a/hosts/containers/spaceapi/configuration.nix +++ b/hosts/containers/spaceapi/configuration.nix 
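Review bot: `makeService` on the new side builds `script = "${scrapers.${script}}/bin/${script} ${host} ${user} ${password}";`, which passes the scraper login and password as positional command-line arguments; the argv of a running process is readable by every local account through the process list, and the generated unit script itself lives in the world-readable /nix/store, so the values imported as `xeriLogin`, `fhemLogin` and `matematLogin` are exposed on the host twice. Prefer handing them to the scraper through `serviceConfig.LoadCredential` or an `EnvironmentFile` that points at a file deployed outside the store, and have the scripts read them from the environment. The `import ;` on those three let-bindings looks like an extraction artefact of this page (presumably an angle-bracket search-path lookup) rather than code in the commit; worth confirming against the repository. The `systemd.services` and `systemd.timers` sets are fully inside the hunk, but the enclosing `in { … }` set starts and ends outside it.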
@@ -1,24 +1,23 @@ { config, pkgs, lib, ... }: -let - spacemsgGit = builtins.fetchGit https://github.com/astro/spacemsg.git; -in -{ - imports = - [ ../../../lib/lxc-container.nix - ../../../lib/shared.nix - ../../../lib/admins.nix - "${spacemsgGit}/spaceapi/module.nix" - ]; +let spacemsgGit = builtins.fetchGit "https://github.com/astro/spacemsg.git"; +in { + imports = [ + ../../../lib/lxc-container.nix + ../../../lib/shared.nix + ../../../lib/admins.nix + "${spacemsgGit}/spaceapi/module.nix" + ]; networking.hostName = "spaceapi"; - networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ]; + networking.interfaces.eth0.ipv4.addresses = [{ + address = "172.20.73.25"; + prefixLength = 26; + }]; networking.defaultGateway = "172.20.73.1"; networking.firewall.enable = false; - services.spaceapi = { - enable = true; - }; + services.spaceapi = { enable = true; }; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database diff --git a/hosts/glotzbert/configuration.nix b/hosts/glotzbert/configuration.nix index daad353e..9ad04245 100644 --- a/hosts/glotzbert/configuration.nix +++ b/hosts/glotzbert/configuration.nix @@ -44,9 +44,15 @@ # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - wget vim git tmux screen - chromium firefox - mpv kodi + wget + vim + git + tmux + screen + chromium + firefox + mpv + kodi ]; systemd.user.services.x11vnc = { @@ -108,9 +114,7 @@ services.xserver.xkbOptions = "eurosign:e"; services.xserver.displayManager = { - lightdm = { - enable = true; - }; + lightdm = { enable = true; }; autoLogin = { enable = true; user = "k-ot"; diff --git a/hosts/glotzbert/hardware-configuration.nix b/hosts/glotzbert/hardware-configuration.nix index c61b5897..36ef9b1e 100644 --- a/hosts/glotzbert/hardware-configuration.nix +++ b/hosts/glotzbert/hardware-configuration.nix 
@@ -6,19 +6,20 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = + [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/6490-45A0"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/6490-45A0"; + fsType = "vfat"; + }; swapDevices = [ ]; diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix index 4b7116cd..149603e1 100644 --- a/hosts/hydra/configuration.nix +++ b/hosts/hydra/configuration.nix @@ -1,11 +1,7 @@ { config, pkgs, lib, ... }: { - imports = [ - ./hydra.nix - ./cache.nix - ../../lib - ]; + imports = [ ./hydra.nix ./cache.nix ../../lib ]; c3d2 = { users = { diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 7e4580bb..abb04a9d 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -2,10 +2,8 @@ { nix = { - binaryCaches = [ - "https://cache.nixos.org" - "https://genodepkgs.cachix.org" - ]; + binaryCaches = + [ "https://cache.nixos.org" "https://genodepkgs.cachix.org" ]; binaryCachePublicKeys = [ "genodepkgs.cachix.org-1:j6xcYrUP9Q9c+WbS+MbkJR26cqeytOVdC4SmhOYj2Sw=" ]; diff --git a/hosts/inbert-containers/ticker/configuration.nix b/hosts/inbert-containers/ticker/configuration.nix index c9ff71f2..4f9b1a50 100644 --- a/hosts/inbert-containers/ticker/configuration.nix +++ b/hosts/inbert-containers/ticker/configuration.nix 
@@ -3,11 +3,10 @@ with lib; let - tickerSrc = builtins.fetchGit { - url = "https://gitea.c3d2.de/astro/ticker.git"; - }; -in -{ boot.isContainer = true; + tickerSrc = + builtins.fetchGit { url = "https://gitea.c3d2.de/astro/ticker.git"; }; +in { + boot.isContainer = true; #boot.loader.initScript.enable = true; networking.hostName = mkDefault "ticker"; networking.useDHCP = false; @@ -38,7 +37,8 @@ in color = "#FF3F3F"; }; hicknhack = { - url = "https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics"; + url = + "https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics"; color = "#A700A7"; }; palaissommer = { @@ -58,15 +58,18 @@ in color = "#FF7F00"; }; rosenwerk-home = { - url = "https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics"; + url = + "https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics"; color = "#BF003F"; }; rosenwerk-extern = { - url = "https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics"; + url = + "https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics"; color = "#BF002F"; }; rosenwerk-kultur = { - url = "https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics"; + url = + "https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics"; color = "#BF001F"; }; haengemathe = { diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index d43cd6cc..fc2afc4d 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix 
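Review bot: `rosenwerk-extern.url` on the new side of the `@@ -58,15 +58,18 @@` hunk carries a Google Calendar `private-<token>/basic.ics` address; the token in that path is the only thing protecting the calendar, so committing the URL makes the private calendar readable to everyone with access to this repository and its history, and the reformat only re-wraps the line. Treat the address as disclosed: reset it in the calendar's sharing settings and load the new one the way other hosts in this repository import credentials from the `secrets` tree (mucbot's `jabber-password.nix` is the pattern). The feeds set this entry belongs to starts and ends outside the hunk.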
@@ -7,15 +7,18 @@ let octoprintPort = 8080; espCam = "http://172.20.78.164:81"; -in -{ +in { imports = [ # Include the results of the hardware scan. ]; boot.loader.grub.enable = false; boot.loader.generic-extlinux-compatible.enable = false; - boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; }; + boot.loader.raspberryPi = { + enable = true; + version = 4; + uboot.enable = false; + }; #boot.kernelPackages = pkgs.linuxPackages_rpi4; boot.kernelPackages = pkgs.linuxPackages_latest; @@ -49,10 +52,7 @@ in # List packages installed in system profile. To search, run: # $ nix search wget - environment.systemPackages = with pkgs; [ - wget vim git - raspberrypi-tools - ]; + environment.systemPackages = with pkgs; [ wget vim git raspberrypi-tools ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. @@ -83,7 +83,6 @@ in extraGroups = [ "wheel" "audio" ]; }; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; @@ -111,10 +110,13 @@ in systemWide = true; tcp.enable = true; tcp.anonymousClients.allowedIpRanges = [ - "127.0.0.0/8" "::1/128" + "127.0.0.0/8" + "::1/128" "fd23:42:c3d2:500::/56" - "172.22.99.0/24" "2a02:8106:208:5200::/56" - "172.20.72.0/21" "2a02:8106:211:e900::/56" + "172.22.99.0/24" + "2a02:8106:208:5200::/56" + "172.20.72.0/21" + "2a02:8106:211:e900::/56" ]; zeroconf.publish.enable = true; package = pkgs.pulseaudioFull; @@ -190,11 +192,11 @@ in }; # Allow access to printer serial port and GPIO - users.users.${config.services.octoprint.user}.extraGroups = [ "dialout" "gpio" ]; + users.users.${config.services.octoprint.user}.extraGroups = + [ "dialout" "gpio" ]; systemd.services.mjpeg-stream = - let - mjpeg-proxy = pkgs.callPackage {}; + let mjpeg-proxy = pkgs.callPackage { }; in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; 
diff --git a/hosts/pulsebert/hardware-configuration.nix b/hosts/pulsebert/hardware-configuration.nix index f6bbb311..f6c0d84f 100644 --- a/hosts/pulsebert/hardware-configuration.nix +++ b/hosts/pulsebert/hardware-configuration.nix @@ -12,19 +12,17 @@ boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - boot.kernelParams = [ - "snd_bcm2835.enable_headphones=1" - ]; + boot.kernelParams = [ "snd_bcm2835.enable_headphones=1" ]; - fileSystems."/" = - { device = "/dev/disk/by-label/NIXOS_SD"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-label/FIRMWARE"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/FIRMWARE"; + fsType = "vfat"; + }; swapDevices = [ ]; diff --git a/hosts/storage-ng/configuration.nix b/hosts/storage-ng/configuration.nix index a6c3c378..3e6a450a 100644 --- a/hosts/storage-ng/configuration.nix +++ b/hosts/storage-ng/configuration.nix @@ -100,8 +100,8 @@ in { # Enable the OpenSSH daemon. services.openssh = { - enable = true; - allowSFTP = true; + enable = true; + allowSFTP = true; }; services.atftpd = { diff --git a/hosts/storage-ng/hardware-configuration.nix b/hosts/storage-ng/hardware-configuration.nix index efaee99a..2ba0db25 100644 --- a/hosts/storage-ng/hardware-configuration.nix +++ b/hosts/storage-ng/hardware-configuration.nix 
@@ -4,27 +4,24 @@ { config, lib, pkgs, ... }: { - imports = - [ - ]; + imports = [ ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.availableKernelModules = + [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/vda1"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/vda1"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/vda3"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/vda3"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/vda2"; } - ]; + swapDevices = [{ device = "/dev/vda2"; }]; nix.maxJobs = lib.mkDefault 4; } diff --git a/krops.nix b/krops.nix index db02e845..c45ce457 100644 --- a/krops.nix +++ b/krops.nix @@ -1,12 +1,10 @@ let - krops = builtins.fetchGit { - url = "https://cgit.krebsco.de/krops/"; - }; + krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" {}; + pkgs = import "${krops}/pkgs" { }; hostSource = path: nixos-branch: - lib.evalSource [ { + lib.evalSource [{ nixpkgs.git = { ref = "origin/${nixos-branch}"; url = "https://github.com/NixOS/nixpkgs.git"; @@ -16,7 +14,7 @@ let lib.file = toString ./lib; secrets.file = toString ./secrets; "host-registry.nix".file = toString ./host-registry.nix; - } ]; + }]; deployContainer = containerName: host: pkgs.krops.writeDeploy containerName { 
@@ -31,14 +29,10 @@ in { glotzbert = pkgs.krops.writeDeploy "glotzbert" { source = hostSource "glotzbert" "nixos-20.09"; - target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { - sudo = true; - }; + target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { sudo = true; }; }; pulsebert = pkgs.krops.writeDeploy "pulsebert" { source = hostSource "pulsebert" "nixos-20.09"; - target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { - sudo = true; - }; + target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { sudo = true; }; }; } diff --git a/lib/admins.nix b/lib/admins.nix index 348fb947..d747e8e3 100644 --- a/lib/admins.nix +++ b/lib/admins.nix @@ -1,6 +1 @@ -{ config, ... }: -{ - imports = [ - ../secrets/lib/authorized_keys - ]; -} +{ config, ... }: { imports = [ ../secrets/lib/authorized_keys ]; } diff --git a/lib/default.nix b/lib/default.nix index 7b1b4961..6cdca427 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -162,12 +162,10 @@ in { host.ip6 else toHqPrivateAddress hostName; - in [ - { - name = ip6; - value = [ "${hostName}.hq" hostName ]; - } - ] ++ lib.optional (hasAttr "ip4" host) { + in [{ + name = ip6; + value = [ "${hostName}.hq" hostName ]; + }] ++ lib.optional (hasAttr "ip4" host) { name = host.ip4; value = [ "${hostName}.hq" hostName ]; }; diff --git a/lib/logging.nix b/lib/logging.nix index 8a3c29ca..3bfb7ce8 100644 --- a/lib/logging.nix +++ b/lib/logging.nix @@ -20,10 +20,9 @@ let # replace the hostnames with the IP or hostname of your Graylog2 server access_log syslog:server=graylog.server.org:12301 graylog2_json; error_log syslog:server=graylog.server.org:12302; -''; - -in -{ + ''; + +in { # add central logging services.journalbeat = { diff --git a/lib/lxc-container.nix b/lib/lxc-container.nix index a70daeda..c302876f 100644 --- a/lib/lxc-container.nix +++ b/lib/lxc-container.nix 
@@ -15,7 +15,8 @@ networking.useNetworkd = true; networking.useDHCP = false; services.resolved.enable = false; - networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; + networking.nameservers = + [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.interfaces.eth0 = { useDHCP = false; @@ -36,15 +37,17 @@ # Create a few files early before packing tarball for Proxmox # architecture/OS detection. - system.extraSystemBuilderCmds = - '' - mkdir -m 0755 -p $out/bin - ln -s ${pkgs.bash}/bin/bash $out/bin/sh - mkdir -m 0755 -p $out/sbin - ln -s ../init $out/sbin/init - ''; + system.extraSystemBuilderCmds = '' + mkdir -m 0755 -p $out/bin + ln -s ${pkgs.bash}/bin/bash $out/bin/sh + mkdir -m 0755 -p $out/sbin + ln -s ../init $out/sbin/init + ''; - fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; }; + fileSystems."/" = { + fsType = "rootfs"; + device = "rootfs"; + }; # add central logging services.journalbeat = { diff --git a/lib/lxc/default.nix b/lib/lxc/default.nix index 185058e6..a9eba31d 100644 --- a/lib/lxc/default.nix +++ b/lib/lxc/default.nix @@ -1,5 +1,4 @@ -{ config, lib, pkgs, - ... }: +{ config, lib, pkgs, ... }: with lib; let 
@@ -9,45 +8,39 @@ let rev = "3a0767f0536fac811065eb87e6342f27eac085aa"; sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8="; }; - nixcloud = ( - import "${nixcloud-webservices}/pkgs" { inherit pkgs; } - ).nixcloud; + nixcloud = (import "${nixcloud-webservices}/pkgs" { inherit pkgs; }).nixcloud; profilesDir = "/nix/var/nix/profiles/lxc"; containers = config.lxc.containers; nixPath = config.nix.nixPath; toLxcConfig' = path: a: - if builtins.isString a - then "${path} = ${a}\n" - else if builtins.isInt a - then "${path} = ${toString a}\n" - else if builtins.isAttrs a - then lib.concatMapStrings (name: - let - path' = if path == "" - then name - else "${path}.${name}"; - in - toLxcConfig' path' (builtins.getAttr name a) - ) (builtins.attrNames a) - else if builtins.isList a - then lib.concatMapStrings (toLxcConfig' path) a - else throw "Invalid LXC config value"; + if builtins.isString a then '' + ${path} = ${a} + '' else if builtins.isInt a then '' + ${path} = ${toString a} + '' else if builtins.isAttrs a then + lib.concatMapStrings (name: + let path' = if path == "" then name else "${path}.${name}"; + in toLxcConfig' path' (builtins.getAttr name a)) (builtins.attrNames a) + else if builtins.isList a then + lib.concatMapStrings (toLxcConfig' path) a + else + throw "Invalid LXC config value"; toLxcConfig = toLxcConfig' ""; - lxc-rootfs = pkgs.runCommand "lxc-rootfs" {} '' - mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp} + lxc-rootfs = pkgs.runCommand "lxc-rootfs" { } '' + mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp} ''; in { options = with types; { lxc.containers = mkOption { type = attrs; - default = {}; + default = { }; }; }; - config = mkIf (containers != {}) { + config = mkIf (containers != { }) { virtualisation.lxc.enable = true; environment.systemPackages = [ nixcloud.container ]; 
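Review bot: The one-line entries in `toLxcConfig'` now carry their trailing newline as indented-string layout — `''` opened at the end of the `then` line and closed at the start of the following `else if` line — instead of the explicit `\n` of `"${path} = ${a}\n"`, so the value is unchanged (common indentation is stripped) but the newline is no longer visible in the source and the `'' else if … then ''` chain is hard to scan. I would keep the double-quoted form for those two branches even against the formatter. Independently, `a` is spliced in unchecked: a string value that itself contains a newline yields two config lines, and rejecting it the way the function already rejects unsupported types — `if builtins.isString a && builtins.match "[^\n]*" a == null then throw "LXC config value must not contain newlines"` placed before the string branch — would keep the generated config at one key per line.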
@@ -55,14 +48,18 @@ in { lxc.id_map = u 0 100000 65536 lxc.id_map = g 0 100000 65536 ''; - users.users.root.subGidRanges = [ - { count = 65536; startGid = 100000; } - ]; - users.users.root.subUidRanges = [ - { count = 65536; startUid = 100000; } - ]; + users.users.root.subGidRanges = [{ + count = 65536; + startGid = 100000; + }]; + users.users.root.subUidRanges = [{ + count = 65536; + startUid = 100000; + }]; - systemd.services = if true then {} else + systemd.services = if true then + { } + else builtins.foldl' (services: name: let systemDir = "/${profilesDir}/${name}/system"; @@ -94,9 +91,8 @@ in { serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - serviceConfig.Environment = [ - ''NIX_PATH=${builtins.concatStringsSep ":" nixPath}'' - ]; + serviceConfig.Environment = + [ "NIX_PATH=${builtins.concatStringsSep ":" nixPath}" ]; script = '' mkdir -p ${profilesDir}/${name} @@ -123,7 +119,6 @@ in { in services // { "lxc-container-${name}-builder" = builder; "lxc-container-${name}" = starter; - } - ) {} (builtins.attrNames containers); + }) { } (builtins.attrNames containers); }; } diff --git a/lib/pkgs/bmxd.nix b/lib/pkgs/bmxd.nix index bf287e99..1308ac26 100644 --- a/lib/pkgs/bmxd.nix +++ b/lib/pkgs/bmxd.nix 
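Review bot: `systemd.services = if true then { } else` is now spread over three lines but still gives no hint that the entire `builtins.foldl'` below it — the one producing the `lxc-container-${name}-builder` and `lxc-container-${name}` units — is unreachable, so a reader of the reformatted file sees those units and assumes they are generated. Either drop the dead branch or make the switch explicit and say why it is off, e.g. a comment `# lxc-container-* units disabled: <reason>` above the line, or a `let enableContainerUnits = false;` binding in place of the literal `true`. The enclosing `config = mkIf (containers != { })` set starts in the previous hunk.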
@@ -1,18 +1,20 @@ -{ pkgs ? import {}, - src ? builtins.fetchGit "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git", -}: +{ pkgs ? import { }, src ? builtins.fetchGit + "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git", }: with pkgs; let path = "feeds/19.07/feeds-own/bmxd"; makefile = builtins.readFile "${src}/${path}/Makefile"; makeDef = name: - builtins.elemAt (builtins.match ".*?${name}:=([^\n]+).*?" makefile) 0; + builtins.elemAt (builtins.match '' + .*?${name}:=([^ + ]+).*?'' makefile) 0; name = makeDef "PKG_NAME"; version = makeDef "PKG_VERSION"; release = makeDef "PKG_RELEASE"; patch = fetchurl { - url = "https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch"; + url = + "https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch"; sha256 = "10gm1fqg2s8c261i0j1py3sfyyzr0h5b6wwdsgg3icn7lfjd6k75"; }; in stdenv.mkDerivation { diff --git a/lib/pkgs/pile.nix b/lib/pkgs/pile.nix index 7da6079e..0611652d 100644 --- a/lib/pkgs/pile.nix +++ b/lib/pkgs/pile.nix @@ -1,8 +1,7 @@ -{ pkgs ? import {} }: +{ pkgs ? import { } }: with pkgs; -let - pile = builtins.fetchGit "https://github.com/astro/pile.git"; +let pile = builtins.fetchGit "https://github.com/astro/pile.git"; in { ledball = rustPlatform.buildRustPackage { name = "ledball"; diff --git a/lib/shared.nix b/lib/shared.nix index b69d8d11..ef03fbcc 100644 --- a/lib/shared.nix +++ b/lib/shared.nix @@ -1,7 +1,7 @@ { lib, ... }: { - imports = [./logging.nix]; + imports = [ ./logging.nix ]; # Set your time zone. time.timeZone = "Europe/Berlin"; # Select internationalisation properties. diff --git a/lib/users/poelzi.nix b/lib/users/poelzi.nix index 2ce0b4e5..763f4016 100644 --- a/lib/users/poelzi.nix +++ b/lib/users/poelzi.nix 
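Review bot: The `makeDef` regex in `lib/pkgs/bmxd.nix` now holds a literal newline inside the bracket expression (`([^` … newline … `]+)`), so it is only equivalent to the old `[^\n]` as long as the `]+).*?''` line keeps exactly the indentation of the line above it — any re-indentation either adds spaces to the excluded set or leaves leading spaces in front of `.*?`, in which case `match` returns `null` and `elemAt` fails. That is too fragile for a regex; I would restore `builtins.match ".*?${name}:=([^\n]+).*?" makefile`. Separately, the `src ? builtins.fetchGit "https://gitlab.freifunk-dresden.de/…"` default in this hunk, like `pile = builtins.fetchGit "https://github.com/astro/pile.git"` in the `lib/pkgs/pile.nix` hunk, carries no `rev`, so the build follows whatever the remote's default branch (or `master`, depending on the Nix version) currently points at, whereas the `patch` fetched right below it is pinned by `sha256`; adding `rev = "<commit-id>"` (placeholder) would make both inputs reproducible.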
@@ -2,7 +2,7 @@ let keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org" + "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org" ]; in {