Nixfmt everything

This commit is contained in:
Ehmry - 2021-02-22 11:45:12 +01:00
parent 211106cf53
commit 6170a9c4e0
39 changed files with 858 additions and 882 deletions


@ -5,8 +5,8 @@ rec {
adc = { }; adc = { };
grafana.publicKey = grafana.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFB9fo01jzr2upEBEXiR7sSmeQoq9ll5Cf5/hjq5e4Y"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFB9fo01jzr2upEBEXiR7sSmeQoq9ll5Cf5/hjq5e4Y";
scrape = {}; scrape = { };
ledstripes = {}; ledstripes = { };
glotzbert.publicKey = glotzbert.publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
@ -59,7 +59,8 @@ rec {
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQCZ7f7bqRC6B72oMu7BCItZxZnWsqx9Th/2iBRvtIFggr4YNi7Pbw3cc68NVbm0u7feUUgH5LDiXVpig3b7Gw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQCZ7f7bqRC6B72oMu7BCItZxZnWsqx9Th/2iBRvtIFggr4YNi7Pbw3cc68NVbm0u7feUUgH5LDiXVpig3b7Gw=
''; '';
}; };
storage.publicKey = "storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX"; storage.publicKey =
"storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX";
}; };


@ -5,14 +5,14 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
nixops nixops
pass pass
gnupg gnupg
ansible ansible
@ -25,7 +25,10 @@
htop htop
]; ];
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ]; networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.16";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
networking = { networking = {
@ -50,9 +53,7 @@
# address = "fe80::a800:42ff:fe7a:3246"; # address = "fe80::a800:42ff:fe7a:3246";
# interface = "ens18"; # interface = "ens18";
#}; #};
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [ 22 ];
22
];
}; };
services.openssh = { services.openssh = {
@ -67,8 +68,8 @@
}; };
users.extraUsers.k-ot = { users.extraUsers.k-ot = {
isNormalUser = true; isNormalUser = true;
uid = 1000; uid = 1000;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
}; };


@ -1,29 +1,28 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
]; ];
networking.hostName = "dhcp"; networking.hostName = "dhcp";
networking.defaultGateway = "172.22.99.1"; networking.defaultGateway = "172.22.99.1";
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.nameservers =
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.eth0 = { networking.interfaces.eth0 = {
ipv4.addresses = [ { ipv4.addresses = [{
address = "172.22.99.254"; address = "172.22.99.254";
prefixLength = 24; prefixLength = 24;
} ]; }];
useDHCP = lib.mkForce false; useDHCP = lib.mkForce false;
}; };
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ vim ];
vim
];
# dhcp # dhcp
networking.firewall.allowedUDPPorts = [ 67 68 ]; networking.firewall.allowedUDPPorts = [ 67 68 ];


@ -5,12 +5,12 @@ let
address6 = "fe80::deca:fbad"; address6 = "fe80::deca:fbad";
neighbors = import ../../../secrets/hosts/dn42/neighbors.nix; neighbors = import ../../../secrets/hosts/dn42/neighbors.nix;
in { in {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
../../../lib/default-gateway.nix ../../../lib/default-gateway.nix
]; ];
networking.hostName = "dn42"; networking.hostName = "dn42";
# networking.defaultGateway6 = { # networking.defaultGateway6 = {
@ -19,18 +19,16 @@ in {
# }; # };
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ]; networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
networking.interfaces.eth0 = { networking.interfaces.eth0 = {
ipv4.addresses = [ { ipv4.addresses = [{
address = address4; address = address4;
prefixLength = 24; prefixLength = 24;
} ]; }];
}; };
networking.useDHCP = false; networking.useDHCP = false;
networking.useNetworkd = true; networking.useNetworkd = true;
services.resolved.enable = false; services.resolved.enable = false;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ vim ];
vim
];
# SSH for nixops # SSH for nixops
services.openssh.enable = true; services.openssh.enable = true;
@ -45,161 +43,154 @@ in {
mknod -m 666 /dev/net/tun c 10 200 mknod -m 666 /dev/net/tun c 10 200
fi fi
''; '';
services.openvpn = services.openvpn = let
let openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors; keyfile = name:
keyfile = name: builtins.toFile "${name}.key" (builtins.readFile
builtins.toFile "${name}.key" (../../../secrets/hosts/dn42/openvpn + "/${name}.key"));
(builtins.readFile (../../../secrets/hosts/dn42/openvpn + "/${name}.key")); mkServer = name: conf: {
mkServer = name: conf: { config = ''
config = '' dev ${name}
dev ${name} dev-type tun
dev-type tun ifconfig ${address4} ${conf.address4}
ifconfig ${address4} ${conf.address4} user nobody
user nobody group nogroup
group nogroup persist-tun
persist-tun persist-key
persist-key ping 30
ping 30 ping-restart 45
ping-restart 45 verb 1
verb 1 ${conf.openvpn}
${conf.openvpn} secret ${keyfile name}
secret ${keyfile name} '';
''; up = ''
up = '' ${pkgs.iproute}/bin/ip addr flush dev $1
${pkgs.iproute}/bin/ip addr flush dev $1 ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 ${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1 '';
'';
};
in {
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
}; };
in {
servers =
builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
};
networking.wireguard = { networking.wireguard = {
enable = true; enable = true;
interfaces = interfaces = let
let wireguardNeighbors =
wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors; lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
in in builtins.mapAttrs (name: conf: {
builtins.mapAttrs (name: conf: { inherit (conf.wireguard) listenPort privateKey;
inherit (conf.wireguard) listenPort privateKey; ips = [ "${address4}/32" "${address6}/64" ];
ips = [ "${address4}/32" "${address6}/64" ]; allowedIPsAsRoutes = false;
allowedIPsAsRoutes = false; postSetup = ''
postSetup = '' ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name} ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 '';
''; peers = [
peers = [ ({ ({
inherit (conf.wireguard) publicKey; inherit (conf.wireguard) publicKey;
allowedIPs = [ "0.0.0.0/0" "::0/0" ]; allowedIPs = [ "0.0.0.0/0" "::0/0" ];
persistentKeepalive = 30; persistentKeepalive = 30;
} // (lib.optionalAttrs (conf.wireguard ? endpoint) { } // (lib.optionalAttrs (conf.wireguard ? endpoint) {
inherit (conf.wireguard) endpoint; inherit (conf.wireguard) endpoint;
})) ]; }))
}) wireguardNeighbors; ];
}) wireguardNeighbors;
}; };
services.bird2 = { services.bird2 = {
enable = true; enable = true;
config = config = let
let bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues
bgpNeighbors = (builtins.mapAttrs (name: conf:
builtins.concatStringsSep "\n" let
(builtins.attrValues (builtins.mapAttrs (name: conf: neighbor4 = if conf ? address4 then ''
let protocol bgp ${name}_4 from dnpeers {
neighbor4 = neighbor ${conf.address4} as ${builtins.toString conf.asn};
if conf ? address4
then ''
protocol bgp ${name}_4 from dnpeers {
neighbor ${conf.address4} as ${builtins.toString conf.asn};
}
''
else "";
neighbor6 =
if conf ? address6
then ''
protocol bgp ${name}_6 from dnpeers {
neighbor ${conf.address6}%${interface} as ${builtins.toString conf.asn};
}
''
else "";
interface =
if conf ? interface
then conf.interface
else name;
in "${neighbor4}${neighbor6}"
) neighbors));
in ''
protocol kernel {
ipv4 {
export all;
};
}
protocol kernel {
ipv6 {
export all;
};
}
protocol device {
scan time 10;
}
protocol static {
ipv4;
route 10.0.0.0/8 unreachable;
route 172.16.0.0/12 unreachable;
route 192.168.0.0/16 unreachable;
}
protocol static {
ipv6;
route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
route fd00::/8 unreachable;
}
protocol static hq4 {
ipv4;
route 172.22.99.0/24 via "eth0";
}
protocol static hq6 {
ipv6;
route fd23:42:c3d2:500::/56 unreachable;
}
template bgp dnpeers {
local as 64699;
ipv4 {
import all;
export filter {
if source = RTS_BGP then {
accept;
} }
if proto = "hq4" then { '' else
accept; "";
neighbor6 = if conf ? address6 then ''
protocol bgp ${name}_6 from dnpeers {
neighbor ${conf.address6}%${interface} as ${
builtins.toString conf.asn
};
} }
reject; '' else
}; "";
}; interface = if conf ? interface then conf.interface else name;
ipv6 { in "${neighbor4}${neighbor6}") neighbors));
import all; in ''
export filter { protocol kernel {
if source = RTS_BGP then { ipv4 {
accept; export all;
} };
if proto = "hq6" then { }
accept; protocol kernel {
} ipv6 {
reject; export all;
}; };
}; }
} protocol device {
${bgpNeighbors} scan time 10;
}
router id ${address4}; protocol static {
''; ipv4;
route 10.0.0.0/8 unreachable;
route 172.16.0.0/12 unreachable;
route 192.168.0.0/16 unreachable;
}
protocol static {
ipv6;
route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
route fd00::/8 unreachable;
}
protocol static hq4 {
ipv4;
route 172.22.99.0/24 via "eth0";
}
protocol static hq6 {
ipv6;
route fd23:42:c3d2:500::/56 unreachable;
}
template bgp dnpeers {
local as 64699;
ipv4 {
import all;
export filter {
if source = RTS_BGP then {
accept;
}
if proto = "hq4" then {
accept;
}
reject;
};
};
ipv6 {
import all;
export filter {
if source = RTS_BGP then {
accept;
}
if proto = "hq6" then {
accept;
}
reject;
};
};
}
${bgpNeighbors}
router id ${address4};
'';
}; };
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be


@ -1,9 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [ <nixpkgs/nixos/modules/profiles/minimal.nix> ];
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
];
nix.useSandbox = false; nix.useSandbox = false;
nix.maxJobs = lib.mkDefault 4; nix.maxJobs = lib.mkDefault 4;
@ -13,16 +11,23 @@
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"]; #boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; }; fileSystems."/" = {
fsType = "rootfs";
device = "rootfs";
};
networking.hostName = "dnscache"; # Define your hostname. networking.hostName = "dnscache"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.useNetworkd = true; networking.useNetworkd = true;
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ]; networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.8";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
services.resolved.enable = false; services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.nameservers =
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
@ -34,20 +39,16 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ wget vim traceroute tcpdump bind ];
wget vim
traceroute tcpdump bind
];
# Create a few files early before packing tarball for Proxmox # Create a few files early before packing tarball for Proxmox
# architecture/OS detection. # architecture/OS detection.
system.extraSystemBuilderCmds = system.extraSystemBuilderCmds = ''
'' mkdir -m 0755 -p $out/bin
mkdir -m 0755 -p $out/bin ln -s ${pkgs.bash}/bin/bash $out/bin/sh
ln -s ${pkgs.bash}/bin/bash $out/bin/sh mkdir -m 0755 -p $out/sbin
mkdir -m 0755 -p $out/sbin ln -s ../init $out/sbin/init
ln -s ../init $out/sbin/init '';
'';
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
@ -79,107 +80,109 @@
"127.0.0.0/8" "127.0.0.0/8"
]; ];
forwardAddresses = [ forwardAddresses = [
# Quad9 # Quad9
"9.9.9.9@853" #dns.quad9.net "9.9.9.9@853" # dns.quad9.net
"2620:fe::fe@853" #dns.quad9.net "2620:fe::fe@853" # dns.quad9.net
"149.112.112.112@853" #dns.quad9.net "149.112.112.112@853" # dns.quad9.net
"2620:fe::9@853" #dns.quad9.net "2620:fe::9@853" # dns.quad9.net
# Cloudflare DNS # Cloudflare DNS
"1.1.1.1@853" #cloudflare-dns.com "1.1.1.1@853" # cloudflare-dns.com
"2606:4700:4700::1111@853" #cloudflare-dns.com "2606:4700:4700::1111@853" # cloudflare-dns.com
"1.0.0.1@853" #cloudflare-dns.com "1.0.0.1@853" # cloudflare-dns.com
"2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com ''
2606:4700:4700::1001@853
forward-ssl-upstream: yes'' # cloudflare-dns.com
]; ];
extraConfig = '' extraConfig = ''
server: server:
domain-insecure: "dn42" domain-insecure: "dn42"
domain-insecure: "20.172.in-addr.arpa" domain-insecure: "20.172.in-addr.arpa"
domain-insecure: "21.172.in-addr.arpa" domain-insecure: "21.172.in-addr.arpa"
domain-insecure: "22.172.in-addr.arpa" domain-insecure: "22.172.in-addr.arpa"
domain-insecure: "23.172.in-addr.arpa" domain-insecure: "23.172.in-addr.arpa"
domain-insecure: "d.f.ip6.arpa" domain-insecure: "d.f.ip6.arpa"
domain-insecure: "ffdd" domain-insecure: "ffdd"
domain-insecure: "200.10.in-addr.arpa" domain-insecure: "200.10.in-addr.arpa"
local-zone: "20.172.in-addr.arpa." nodefault local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "d.f.ip6.arpa." nodefault local-zone: "d.f.ip6.arpa." nodefault
local-zone: "ffdd." nodefault local-zone: "ffdd." nodefault
local-zone: "200.10.in-addr.arpa." nodefault local-zone: "200.10.in-addr.arpa." nodefault
remote-control: remote-control:
control-enable: yes control-enable: yes
server-key-file: /var/lib/unbound/unbound_server.key server-key-file: /var/lib/unbound/unbound_server.key
server-cert-file: /var/lib/unbound/unbound_server.pem server-cert-file: /var/lib/unbound/unbound_server.pem
control-key-file: /var/lib/unbound/unbound_control.key control-key-file: /var/lib/unbound/unbound_control.key
control-cert-file: /var/lib/unbound/unbound_control.pem control-cert-file: /var/lib/unbound/unbound_control.pem
forward-zone: forward-zone:
name: "99.22.172.in-addr.arpa" name: "99.22.172.in-addr.arpa"
forward-host: "ns.c3d2.de" forward-host: "ns.c3d2.de"
forward-zone: forward-zone:
name: "zentralwerk.dn42" name: "zentralwerk.dn42"
forward-host: "dns.serv.zentralwerk.org" forward-host: "dns.serv.zentralwerk.org"
forward-zone: forward-zone:
name: "72.20.172.in-addr.arpa" name: "72.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org" forward-host: "dns.serv.zentralwerk.org"
forward-zone: forward-zone:
name: "73.20.172.in-addr.arpa" name: "73.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org" forward-host: "dns.serv.zentralwerk.org"
forward-zone: forward-zone:
name: "74.20.172.in-addr.arpa" name: "74.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org" forward-host: "dns.serv.zentralwerk.org"
forward-zone: forward-zone:
name: "75.20.172.in-addr.arpa" name: "75.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org" forward-host: "dns.serv.zentralwerk.org"
forward-zone: forward-zone:
name: "76.20.172.in-addr.arpa" name: "76.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org" forward-host: "dns.serv.zentralwerk.org"
forward-zone: forward-zone:
name: "77.20.172.in-addr.arpa" name: "77.20.172.in-addr.arpa"
forward-host: "dns.serv.zentralwerk.org" forward-host: "dns.serv.zentralwerk.org"
forward-zone: forward-zone:
name: "dn42" name: "dn42"
forward-addr: 172.23.0.53 forward-addr: 172.23.0.53
forward-zone: forward-zone:
name: "20.172.in-addr.arpa" name: "20.172.in-addr.arpa"
forward-addr: 172.23.0.53 forward-addr: 172.23.0.53
forward-zone: forward-zone:
name: "21.172.in-addr.arpa" name: "21.172.in-addr.arpa"
forward-addr: 172.23.0.53 forward-addr: 172.23.0.53
forward-zone: forward-zone:
name: "22.172.in-addr.arpa" name: "22.172.in-addr.arpa"
forward-addr: 172.23.0.53 forward-addr: 172.23.0.53
forward-zone: forward-zone:
name: "23.172.in-addr.arpa" name: "23.172.in-addr.arpa"
forward-addr: 172.23.0.53 forward-addr: 172.23.0.53
forward-zone: forward-zone:
name: "d.f.ip6.arpa" name: "d.f.ip6.arpa"
forward-addr: 172.23.0.53 forward-addr: 172.23.0.53
forward-zone: forward-zone:
name: "ffdd" name: "ffdd"
forward-addr: 10.200.0.4 forward-addr: 10.200.0.4
forward-addr: 10.200.0.16 forward-addr: 10.200.0.16
forward-zone: forward-zone:
name: "200.10.in-addr.arpa" name: "200.10.in-addr.arpa"
forward-addr: 10.200.0.4 forward-addr: 10.200.0.4
forward-addr: 10.200.0.16 forward-addr: 10.200.0.16
''; '';
}; };
@ -191,33 +194,32 @@
memory = ""; memory = "";
interface = ""; interface = "";
load = ""; load = "";
exec = exec = let
let unboundScript = builtins.toFile "unbound.rb" ''
unboundScript = builtins.toFile "unbound.rb" '' loop do
loop do `/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
`/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset` .lines
.lines .filter { |l| l =~ /^total\./ }
.filter { |l| l =~ /^total\./ } .each { |l|
.each { |l| if l =~ /total\.(.+?)=([\d\.]+)/
if l =~ /total\.(.+?)=([\d\.]+)/ name = $1
name = $1 value = $2.to_f
value = $2.to_f if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/
if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/ ty = "gauge"
ty = "gauge" else
else ty = "derive"
ty = "derive" value = value.to_i
value = value.to_i
end
puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
end end
} puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
end
}
sleep 10 sleep 10
end end
'';
in ''
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
''; '';
in ''
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
'';
network = '' network = ''
Server "grafana.serv.zentralwerk.dn42" "25826" Server "grafana.serv.zentralwerk.dn42" "25826"
''; '';
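Review bot: The upstream resolvers in `forwardAddresses` are given as `IP@853` with no `#authname` suffix, and the `server:` block in `extraConfig` sets no `tls-cert-bundle`, so the `forward-ssl-upstream: yes` smuggled into the last entry makes unbound encrypt to 9.9.9.9/1.1.1.1 without verifying who is on the other end of the TLS session (an on-path attacker can still terminate it). The fix is to name the peer and give unbound a trust store, e.g. `"9.9.9.9@853#dns.quad9.net"` for each entry and `tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"` under `server:` (confirm the bundle path on this host). Separately, the entry that carries `forward-ssl-upstream` was converted from a `"...\n ..."` string to an indented `''` string; indented strings strip the common leading whitespace of their lines, so whether the second line still starts with exactly one space (and lands on its own config line) depends on the indentation the page no longer shows — worth diffing the generated unbound.conf before and after. The enclosing `services.unbound` block begins before this hunk.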


@ -5,31 +5,28 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ vim ];
vim
];
networking = { networking = {
hostName = "elastic1"; hostName = "elastic1";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ]; interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.15";
prefixLength = 26;
}];
defaultGateway = "172.20.73.1"; defaultGateway = "172.20.73.1";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [ 22 9200 9300 ];
22
9200
9300
];
enable = true; enable = true;
}; };
}; };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -46,35 +43,33 @@
systemd.services.elasticsearch.serviceConfig.Restart = "always"; systemd.services.elasticsearch.serviceConfig.Restart = "always";
# does not work, needs to be set on hv (done through ansible) # does not work, needs to be set on hv (done through ansible)
boot.kernel.sysctl = { boot.kernel.sysctl = { "vm.max_map_count" = "262144"; };
"vm.max_map_count"="262144";
};
services.elasticsearch-curator = { services.elasticsearch-curator = {
enable = true; enable = true;
actionYAML = '' actionYAML = ''
--- ---
actions: actions:
1: 1:
action: delete_indices action: delete_indices
description: >- description: >-
Delete indices older than 45 days (based on index name), for logstash- Delete indices older than 45 days (based on index name), for logstash-
prefixed indices. Ignore the error if the filter does not result in an prefixed indices. Ignore the error if the filter does not result in an
actionable list of indices (ignore_empty_list) and exit cleanly. actionable list of indices (ignore_empty_list) and exit cleanly.
options: options:
ignore_empty_list: True ignore_empty_list: True
disable_action: False disable_action: False
filters: filters:
- filtertype: pattern - filtertype: pattern
kind: prefix kind: prefix
value: logstash- value: logstash-
- filtertype: age - filtertype: age
source: name source: name
direction: older direction: older
timestring: '%Y.%m.%d' timestring: '%Y.%m.%d'
unit: days unit: days
unit_count: 45 unit_count: 45
''; '';
}; };
system.stateVersion = "20.09"; # Did you read the comment? system.stateVersion = "20.09"; # Did you read the comment?


@ -12,9 +12,8 @@ let
ddmeshAddrPart = "200.74"; ddmeshAddrPart = "200.74";
rt_table = 7; rt_table = 7;
bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; }; bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; };
sysinfo-json = import <this-host/sysinfo-json.nix> { sysinfo-json =
inherit pkgs bmxd ddmeshNode; import <this-host/sysinfo-json.nix> { inherit pkgs bmxd ddmeshNode; };
};
in { in {
imports = [ imports = [
<nixpkgs/nixos/modules/profiles/minimal.nix> <nixpkgs/nixos/modules/profiles/minimal.nix>
@ -78,23 +77,23 @@ in {
"10-bmx" = { "10-bmx" = {
enable = true; enable = true;
matchConfig = { Name = meshInterface; }; matchConfig = { Name = meshInterface; };
addresses = [ { addresses = [{
addressConfig = { addressConfig = {
Address = "10.201.${ddmeshAddrPart}/16"; Address = "10.201.${ddmeshAddrPart}/16";
Broadcast = "10.255.255.255"; Broadcast = "10.255.255.255";
}; };
} ]; }];
}; };
# Dummy interface for primary (10.200) address # Dummy interface for primary (10.200) address
"11-bmx-loopback" = { "11-bmx-loopback" = {
enable = true; enable = true;
matchConfig = { Name = meshLoopback; }; matchConfig = { Name = meshLoopback; };
addresses = [ { addresses = [{
addressConfig = { addressConfig = {
Address = "10.200.${ddmeshAddrPart}/32"; Address = "10.200.${ddmeshAddrPart}/32";
Broadcast = "10.255.255.255"; Broadcast = "10.255.255.255";
}; };
} ]; }];
}; };
# ZW # ZW
"20-core" = { "20-core" = {
@ -131,7 +130,7 @@ in {
-g 500000/50000 \ -g 500000/50000 \
dev=bmx_prime /linklayer 0 \ dev=bmx_prime /linklayer 0 \
dev=${meshInterface} /linklayer 1 dev=${meshInterface} /linklayer 1
''; '';
Restart = "always"; Restart = "always";
}; };
}; };
@ -141,7 +140,9 @@ in {
script = '' script = ''
${pkgs.curl}/bin/curl \ ${pkgs.curl}/bin/curl \
-o /tmp/ddmesh-registration.json \ -o /tmp/ddmesh-registration.json \
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}' '${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${
toString ddmeshNode
}'
''; '';
serviceConfig = { serviceConfig = {
User = "nobody"; User = "nobody";
@ -149,8 +150,8 @@ in {
}; };
}; };
systemd.timers.ddmesh-register-node = { systemd.timers.ddmesh-register-node = {
partOf = [ "ddmesh-register-node.service" ]; partOf = [ "ddmesh-register-node.service" ];
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "daily"; timerConfig.OnCalendar = "daily";
}; };
@ -162,8 +163,8 @@ in {
''; '';
}; };
systemd.timers.sysinfo-json = { systemd.timers.sysinfo-json = {
partOf = [ "sysinfo-json.service" ]; partOf = [ "sysinfo-json.service" ];
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely"; timerConfig.OnCalendar = "minutely";
}; };
@ -171,49 +172,49 @@ in {
services.bird2 = { services.bird2 = {
enable = true; enable = true;
config = '' config = ''
protocol kernel K4 { protocol kernel K4 {
ipv4 { ipv4 {
export all; export all;
}; };
} }
protocol kernel K6 { protocol kernel K6 {
ipv6 { ipv6 {
export all; export all;
}; };
} }
protocol device { protocol device {
scan time 10; scan time 10;
} }
protocol ospf v2 ZW4 { protocol ospf v2 ZW4 {
area 0 { area 0 {
networks { networks {
172.20.72.0/21; 172.20.72.0/21;
};
stubnet 10.200.0.0/15;
interface "core" {
authentication cryptographic;
password "${import <secrets/shared/ospf/message-digest-key.nix>}";
};
}; };
} stubnet 10.200.0.0/15;
interface "core" {
protocol ospf v3 ZW6 { authentication cryptographic;
area 0 { password "${import <secrets/shared/ospf/message-digest-key.nix>}";
networks {
fd23:42:c3d2:500::/56;
2a02:8106:208:5200::/56;
2a02:8106:211:e900::/56;
};
interface "core" {
#authentication cryptographic;
#password "${import <secrets/shared/ospf/message-digest-key.nix>}";
};
}; };
} };
}
router id ${coreAddress}; protocol ospf v3 ZW6 {
''; area 0 {
networks {
fd23:42:c3d2:500::/56;
2a02:8106:208:5200::/56;
2a02:8106:211:e900::/56;
};
interface "core" {
#authentication cryptographic;
#password "${import <secrets/shared/ospf/message-digest-key.nix>}";
};
};
}
router id ${coreAddress};
'';
}; };
# HTTP Reverse Proxy to provide services into Freifunk # HTTP Reverse Proxy to provide services into Freifunk
@ -229,34 +230,37 @@ in {
"c3d2.ffdd" = { "c3d2.ffdd" = {
default = true; default = true;
root = <this-host/assets>; root = <this-host/assets>;
locations = locations = let
let sysinfo-json = {
sysinfo-json = { alias = "/run/nginx/sysinfo.json";
alias = "/run/nginx/sysinfo.json"; extraConfig = ''
extraConfig = '' add_header Content-Type "application/json;charset=UTF-8";
add_header Content-Type "application/json;charset=UTF-8"; '';
'';
};
in {
"/" = {
index = "index.html";
extraConfig = ''
etag off;
add_header etag "\"${builtins.substring 11 32 (<this-host> + "/assets")}\"";
'';
};
"=/sysinfo-json.cgi" = sysinfo-json;
"=/sysinfo.json" = sysinfo-json;
}; };
in {
"/" = {
index = "index.html";
extraConfig = ''
etag off;
add_header etag "\"${
builtins.substring 11 32 (<this-host> + "/assets")
}\"";
'';
};
"=/sysinfo-json.cgi" = sysinfo-json;
"=/sysinfo.json" = sysinfo-json;
};
}; };
"storage.hq.c3d2.ffdd".locations."/".proxyPass = "http://storage.hq.c3d2.de/"; "storage.hq.c3d2.ffdd".locations."/".proxyPass =
"http://storage.hq.c3d2.de/";
"grafana.hq.c3d2.ffdd".locations."/" = { "grafana.hq.c3d2.ffdd".locations."/" = {
proxyPass = "https://grafana.hq.c3d2.de/"; proxyPass = "https://grafana.hq.c3d2.de/";
extraConfig = '' extraConfig = ''
proxy_ssl_server_name on; proxy_ssl_server_name on;
''; '';
}; };
"influxdb.hq.c3d2.ffdd".locations."/".proxyPass = "http://grafana.hq.c3d2.de:8086/"; "influxdb.hq.c3d2.ffdd".locations."/".proxyPass =
"http://grafana.hq.c3d2.de:8086/";
}; };
}; };


@ -1,8 +1,6 @@
{ pkgs ? import <nixpkgs> {}, { pkgs ? import <nixpkgs> { }, ffdd-server ?
ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git", builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git", bmxd
bmxd, , ddmeshNode, ... }:
ddmeshNode,
... }:
with pkgs; with pkgs;
let let
@ -18,8 +16,7 @@ let
gps_longitude = "13.7285866"; gps_longitude = "13.7285866";
gps_altitude = "100"; gps_altitude = "100";
}; };
in in stdenv.mkDerivation {
stdenv.mkDerivation {
name = "sysinfo-json"; name = "sysinfo-json";
src = "${ffdd-server}/salt/freifunk/base/ddmesh/"; src = "${ffdd-server}/salt/freifunk/base/ddmesh/";
buildPhase = '' buildPhase = ''
@ -50,14 +47,21 @@ stdenv.mkDerivation {
--replace '"node_type":"server"' '"node_type":"node"' \ --replace '"node_type":"server"' '"node_type":"node"' \
--replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \ --replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \
--replace lsb_release $out/bin/lsb_release \ --replace lsb_release $out/bin/lsb_release \
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"} 0 \ --replace ${
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"} 0 \ lib.strings.escapeShellArg
"$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"
} 0 \
--replace ${
lib.strings.escapeShellArg
"$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"
} 0 \
--replace 'nettype_lookup[$2]' '"lan"' \ --replace 'nettype_lookup[$2]' '"lan"' \
--replace awk ${gawk}/bin/awk --replace awk ${gawk}/bin/awk
'' + '' + lib.strings.concatStrings (lib.attrsets.mapAttrsToList (var: value: ''
lib.strings.concatStrings (lib.attrsets.mapAttrsToList ( substituteInPlace sysinfo-json.cgi --replace ${
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n" lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"
) nvram); } '${value}'
'') nvram);
installPhase = '' installPhase = ''
pwd pwd
mkdir -p $out/bin mkdir -p $out/bin
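Review bot: The `ffdd-server` default argument is `builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"` with no `rev`, so each evaluation pulls whatever the remote's default branch head is and the `sysinfo-json.cgi` patched below is effectively unreviewed third-party code that changes under you; pin it, e.g. `ffdd-server ? builtins.fetchGit { url = "https://github.com/Freifunk-Dresden/ffdd-server.git"; ref = "<branch>"; rev = "<commit>"; }`, so a rebuild reproduces the script that was actually audited. The `concatStrings (mapAttrsToList ...)` fragment also changed form, from a `"...\n"` string to an indented `''` string with the `--replace` pattern broken across lines inside `${ }`; that should emit the same one-line `substituteInPlace` command per nvram key since the line breaks sit inside the interpolation, but the build log is the place to confirm it. Minor inconsistency: the search pattern goes through `lib.strings.escapeShellArg` while the replacement is hand-quoted as `'${value}'`; using `${lib.strings.escapeShellArg value}` keeps both sides safe if a value ever contains a quote. The `buildPhase` this belongs to starts before the hunk.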


@ -15,7 +15,10 @@
networking.hostName = "grafana"; networking.hostName = "grafana";
networking.useNetworkd = true; networking.useNetworkd = true;
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ]; networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.43";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
# http https influxdb # http https influxdb


@ -9,7 +9,10 @@
]; ];
networking.hostName = "kibana"; networking.hostName = "kibana";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ]; networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.44";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -31,32 +34,30 @@
acceptTerms = true; acceptTerms = true;
email = "mail@c3d2.de"; email = "mail@c3d2.de";
}; };
services.nginx = services.nginx = let
let authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"; vhost = url: {
vhost = url: { forceSSL = true;
forceSSL = true; enableACME = true;
enableACME = true; locations."/" = {
locations."/" = { proxyPass = url;
proxyPass = url; extraConfig = ''
extraConfig = '' auth_basic "Chaos";
auth_basic "Chaos"; auth_basic_user_file ${authFile};
auth_basic_user_file ${authFile}; '';
'';
};
};
in
{
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"kibana.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
"kibana-es.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
}; };
}; };
in {
enable = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"kibana.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
"kibana-es.hq.c3d2.de" =
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
};
};
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
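Review bot: In the second hunk (`@ -31,32 +34,30 @@`) the htpasswd content is written with `pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"`, which places the credential file in `/nix/store`, a world-readable location on the host and on any machine that receives the closure. The value looks like a traditional crypt(3)-style hash rather than a plaintext password, but that scheme is weak by today's standards, and the file is also committed to the repository. Consider generating the htpasswd file out of band, deploying it with the repository's existing `secrets/` mechanism, and referencing it by an out-of-store path (the vhost's `basicAuthFile` option would take such a path) instead of `auth_basic_user_file ${authFile};`. The `kibana-es.hq.c3d2.de` vhost exposes the Elasticsearch port behind the same basic-auth entry, so that single hash gates direct data access as well as the UI.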


@ -5,33 +5,24 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ vim ];
vim
];
networking = { networking = {
hostName = "logging"; hostName = "logging";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ]; interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.13";
prefixLength = 26;
}];
defaultGateway = "172.20.73.1"; defaultGateway = "172.20.73.1";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [ 22 9000 80 443 5044 12201 514 ];
22 allowedUDPPorts = [ 514 ];
9000
80
443
5044
12201
514
];
allowedUDPPorts = [
514
];
enable = false; enable = false;
}; };
dhcpcd.denyInterfaces = [ "eth1" ]; dhcpcd.denyInterfaces = [ "eth1" ];
@ -53,28 +44,26 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
default = { default = { locations = { "/".proxyPass = "http://127.0.0.1:9000/"; }; };
locations = {
"/".proxyPass = "http://127.0.0.1:9000/";
};
};
}; };
}; };
services.graylog = { services.graylog = {
enable = true; enable = true;
passwordSecret = "SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V"; passwordSecret =
"SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V";
# mongo.serv.zentralwerk. ? # mongo.serv.zentralwerk. ?
elasticsearchHosts = [ "http://elastic1.serv.zentralwerk.org:9200" ]; elasticsearchHosts = [ "http://elastic1.serv.zentralwerk.org:9200" ];
rootPasswordSha2 = "3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd"; rootPasswordSha2 =
"3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd";
# mongo.serv.zentralwerk. ? # mongo.serv.zentralwerk. ?
mongodbUri = "mongodb://mongo.serv.zentralwerk.org/graylog"; mongodbUri = "mongodb://mongo.serv.zentralwerk.org/graylog";
extraConfig = '' extraConfig = ''
http_bind_address = 0.0.0.0:9000 http_bind_address = 0.0.0.0:9000
http_publish_uri = http://logging.serv.zentralwerk.org/ http_publish_uri = http://logging.serv.zentralwerk.org/
elasticsearch_shards = 1 elasticsearch_shards = 1
allow_highlighting = true allow_highlighting = true
allow_leading_wildcard_searches = true allow_leading_wildcard_searches = true
''; '';
user = "root"; user = "root";
}; };
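Review bot: In the second hunk (`@ -53,28 +44,26 @@`) `passwordSecret` and `rootPasswordSha2` are literal values in the module, so they end up both in git history and in the world-readable Nix store of the container; elsewhere this repository already keeps such values under `secrets/` (see the `import ../../../secrets/hosts/...` pattern in the mucbot section). Moving them there does not remove them from the store but at least keeps them out of the public tree, and since they have been committed they should be rotated regardless. The same hunk sets `user = "root";` for graylog, which runs the log-ingestion daemon (listening on 0.0.0.0:9000 and receiving syslog/GELF from the network) with full privileges; unless something outside the hunk requires it, drop the override so the service runs under its default unprivileged account. The `services.graylog` block is fully inside the hunk, but the `networking.firewall` settings it depends on are in the first hunk, where `enable = false;` means every listed port is effectively moot.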


@ -22,9 +22,7 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ wget vim ];
wget vim
];
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database


@ -5,26 +5,23 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ vim mongodb-tools ];
vim
mongodb-tools
];
networking = { networking = {
hostName = "mongo"; hostName = "mongo";
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ]; interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.21";
prefixLength = 26;
}];
defaultGateway = "172.20.73.1"; defaultGateway = "172.20.73.1";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [ 22 27017 ];
22
27017
];
enable = true; enable = true;
}; };
}; };


@ -1,34 +1,39 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz; tiggerGit = builtins.fetchTarball
in "https://github.com/astro/tigger/archive/master.tar.gz";
{ in {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
"${tiggerGit}/module.nix" "${tiggerGit}/module.nix"
]; ];
networking.hostName = "mucbot"; networking.hostName = "mucbot";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ]; networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.27";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.nameservers =
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
users.users.tigger = { users.users.tigger = {
createHome = true; createHome = true;
isNormalUser = true; isNormalUser = true;
group = "tigger"; group = "tigger";
}; };
users.groups.tigger = {}; users.groups.tigger = { };
services.tigger = { services.tigger = {
enable = true; enable = true;
user = "tigger"; user = "tigger";
group = "tigger"; group = "tigger";
jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix; jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix;
password = import ../../../secrets/hosts/mucbot/jabber-password.nix; password = import ../../../secrets/hosts/mucbot/jabber-password.nix;
mucs = [ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ]; mucs =
[ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ];
}; };
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
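Review bot: `tiggerGit = builtins.fetchTarball "https://github.com/astro/tigger/archive/master.tar.gz"` has neither a pinned revision nor a `sha256`, and the result is imported as a NixOS module (`"${tiggerGit}/module.nix"`), so whatever is on that branch at evaluation time becomes part of the system configuration with no integrity check. Pin it, e.g. `builtins.fetchTarball { url = "https://github.com/astro/tigger/archive/<commit placeholder>.tar.gz"; sha256 = "<sha256 placeholder>"; }`, and treat bumps as reviewed changes. The same unpinned pattern appears in the spaceapi section (`builtins.fetchGit "https://github.com/astro/spacemsg.git"`), the scrape section (`builtins.fetchGit { url = "https://gitea.c3d2.de/astro/scrapers.git"; }`), the ticker section and the krops deploy script; `builtins.fetchGit` accepts a `rev` attribute for the same purpose.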


@ -5,28 +5,18 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ vim ];
vim
];
networking = { networking = {
hostName = "prometheus"; hostName = "prometheus";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [ 22 80 443 9090 9091 9093 9094 ];
22
80
443
9090
9091
9093
9094
];
enable = true; enable = true;
}; };
}; };
@ -51,23 +41,21 @@
"repeat_interval" = "4h"; "repeat_interval" = "4h";
"receiver" = "team-admins"; "receiver" = "team-admins";
}; };
"receivers" = [ "receivers" = [{
{ "name" = "team-admins";
"name" = "team-admins"; # "email_configs" = [
# "email_configs" = [ # {
# { # "to" = "devnull@example.com";
# "to" = "devnull@example.com"; # "send_resolved" = true;
# "send_resolved" = true; # }
# } # ];
# ]; # "webhook_configs" = [
# "webhook_configs" = [ # {
# { # "url" = "https://example.com/prometheus-alerts";
# "url" = "https://example.com/prometheus-alerts"; # "send_resolved" = true;
# "send_resolved" = true; # }
# } # ];
# ]; }];
}
];
}; };
}; };
@ -75,12 +63,12 @@
pushgateway = { pushgateway = {
enable = true; enable = true;
web.external-url = "http://prometheus.serv.zentralwerk.org/push/"; web.external-url = "http://prometheus.serv.zentralwerk.org/push/";
}; };
exporters.collectd.enable = true; exporters.collectd.enable = true;
exporters.collectd.openFirewall = true; exporters.collectd.openFirewall = true;
exporters.nginx.enable = true; exporters.nginx.enable = true;
exporters.nginx.openFirewall = true; exporters.nginx.openFirewall = true;


@ -5,17 +5,20 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
./proxy.nix ./proxy.nix
]; ];
networking.hostName = "public-access-proxy"; networking.hostName = "public-access-proxy";
networking.useNetworkd = true; networking.useNetworkd = true;
networking.interfaces.eth0 = { networking.interfaces.eth0 = {
ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ]; ipv4.addresses = [{
address = "172.20.73.45";
prefixLength = 26;
}];
}; };
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
@ -24,35 +27,55 @@
proxyHosts = [ proxyHosts = [
{ {
hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ]; hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ];
proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; }; proxyTo = {
host = "172.22.99.192";
httpPort = 80;
httpsPort = 443;
};
} }
{ {
hostNames = [ "grafana.hq.c3d2.de" ]; hostNames = [ "grafana.hq.c3d2.de" ];
proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; proxyTo = {
host = "grafana.serv.zentralwerk.dn42";
httpPort = 80;
httpsPort = 443;
};
} }
{ {
hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ]; hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];
proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; }; proxyTo = {
host = "kibana.serv.zentralwerk.dn42";
httpPort = 80;
httpsPort = 443;
};
} }
{ {
hostNames = [ "robo1.hq.c3d2.de" ]; hostNames = [ "robo1.hq.c3d2.de" ];
proxyTo = { host = "172.20.79.62"; httpPort = 80; }; proxyTo = {
host = "172.20.79.62";
httpPort = 80;
};
} }
{ {
hostNames = [ "robots.datenspuren.de" ]; hostNames = [ "robots.datenspuren.de" ];
proxyTo = { host = "172.22.99.170"; httpPort = 80; httpsPort = 443; }; proxyTo = {
host = "172.22.99.170";
httpPort = 80;
httpsPort = 443;
};
} }
{ {
hostNames = [ "error.hq.c3d2.de" ]; hostNames = [ "error.hq.c3d2.de" ];
proxyTo = { host = "172.20.73.47"; httpPort = 80; httpsPort = 443; }; proxyTo = {
host = "172.20.73.47";
httpPort = 80;
httpsPort = 443;
};
} }
]; ];
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [ 80 443 ];
80
443
];
system.stateVersion = "18.09"; # Did you read the comment? system.stateVersion = "18.09"; # Did you read the comment?


@ -1,8 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let cfg = config.my.services.proxy;
cfg = config.my.services.proxy;
in { in {
@ -15,58 +14,59 @@ in {
}; };
proxyHosts = mkOption { proxyHosts = mkOption {
type = types.listOf (types.submodule ( type = types.listOf (types.submodule ({
{ options = {
options = { hostNames = mkOption {
hostNames = mkOption { type = types.listOf types.str;
type = types.listOf types.str; default = [ ];
default = []; description = ''
description = '' Proxy these hostNames.
Proxy these hostNames. '';
'';
};
proxyTo = mkOption {
type = types.submodule (
{
options = {
host = mkOption {
type = types.nullOr types.string;
default = null;
description = ''
Host to forward traffic to.
Any hostname may only be used once
'';
};
httpPort = mkOption {
type = types.int;
default = 80;
description = ''
Port to forward http to.
'';
};
httpsPort = mkOption {
type = types.int;
default = 443;
description = ''
Port to forward http to.
'';
};
};
});
description = ''
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
'';
default = {};
};
}; };
proxyTo = mkOption {
type = types.submodule ({
options = {
host = mkOption {
type = types.nullOr types.string;
default = null;
description = ''
Host to forward traffic to.
Any hostname may only be used once
'';
};
httpPort = mkOption {
type = types.int;
default = 80;
description = ''
Port to forward http to.
'';
};
httpsPort = mkOption {
type = types.int;
default = 443;
description = ''
Port to forward http to.
'';
};
};
});
description = ''
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
'';
default = { };
};
};
})); }));
default = []; default = [ ];
example = [ example = [{
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ]; hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; }; proxyTo = {
} host = "172.22.99.99";
]; httpPort = 80;
httpsPort = 443;
};
}];
}; };
}; };
@ -81,7 +81,7 @@ in {
timeout client 30000 timeout client 30000
option http-keep-alive option http-keep-alive
default_backend proxy-backend-http default_backend proxy-backend-http
backend proxy-backend-http backend proxy-backend-http
timeout connect 5000 timeout connect 5000
timeout check 5000 timeout check 5000
@ -91,15 +91,16 @@ in {
option forwardfor option forwardfor
http-request set-header X-Forwarded-Proto http http-request set-header X-Forwarded-Proto http
http-request set-header X-Forwarded-Port 80 http-request set-header X-Forwarded-Port 80
${concatMapStringsSep "\n" (proxyHost: ${
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( concatMapStringsSep "\n" (proxyHost:
concatMapStringsSep "\n" (hostname: '' optionalString
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
(concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} } use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort} server ${hostname}-http ${proxyHost.proxyTo.host}:${
'' toString proxyHost.proxyTo.httpPort
) (proxyHost.hostNames) }
) '') (proxyHost.hostNames))) (cfg.proxyHosts)
) (cfg.proxyHosts)
} }
frontend https-in frontend https-in
@ -114,15 +115,16 @@ in {
option http-server-close option http-server-close
http-request set-header X-Forwarded-Proto https http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Port 443 http-request set-header X-Forwarded-Port 443
${concatMapStringsSep "\n" (proxyHost: ${
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) ( concatMapStringsSep "\n" (proxyHost:
concatMapStringsSep "\n" (hostname: '' optionalString
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
(concatMapStringsSep "\n" (hostname: ''
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} } use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort} server ${hostname}-https ${proxyHost.proxyTo.host}:${
'' toString proxyHost.proxyTo.httpsPort
) (proxyHost.hostNames) }
) '') (proxyHost.hostNames))) (cfg.proxyHosts)
) (cfg.proxyHosts)
} }
''; '';
}; };
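Review bot: In the second hunk (`@ -15,58 +14,59 @@`) the `host` option is declared as `type = types.nullOr types.string;` while `hostNames` in the same submodule uses `types.listOf types.str`; `types.string` is the deprecated spelling and nixpkgs warns on it, so change it to `type = types.nullOr types.str;` for consistency. The `httpsPort` option's description reads `Port to forward http to.`, a copy of the `httpPort` text; it should say `Port to forward https to.`. In the two HAProxy hunks the `hostname` values are interpolated straight into `use-server`/`server` lines and into the ACL expression, so a hostname containing whitespace or braces would silently break the generated config; a `types.strMatching` constraint on `hostNames` (or an assertion) would catch that at evaluation time rather than at HAProxy start.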


@ -5,8 +5,8 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports = [
[ ../../../lib/lxc-container.nix ../../../lib/lxc-container.nix
../../../lib/shared.nix ../../../lib/shared.nix
../../../lib/admins.nix ../../../lib/admins.nix
]; ];
@ -15,43 +15,34 @@
hostName = "registry"; hostName = "registry";
# usePredictableInterfacenames = false; # usePredictableInterfacenames = false;
interfaces.eth0.ipv4.addresses = [{ interfaces.eth0.ipv4.addresses = [{
address = "172.22.99.34"; address = "172.22.99.34";
prefixLength = 24; prefixLength = 24;
}]; }];
interfaces.eth0.ipv6.addresses = [{ interfaces.eth0.ipv6.addresses = [{
address= "2a02:8106:208:5201::34"; address = "2a02:8106:208:5201::34";
prefixLength = 64; prefixLength = 64;
}]; }];
dhcpcd.denyInterfaces = [ "eth0" ]; dhcpcd.denyInterfaces = [ "eth0" ];
defaultGateway = { defaultGateway = {
address = "172.22.99.1"; address = "172.22.99.1";
interface = "eth0"; interface = "eth0";
metric = 10; metric = 10;
}; };
#defaultGateway6 = { #defaultGateway6 = {
# address = "fe80::a800:42ff:fe7a:3246"; # address = "fe80::a800:42ff:fe7a:3246";
# interface = "ens18"; # interface = "ens18";
#}; #};
}; };
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [
22
80
443
5000
];
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 80 443 5000 ];
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ wget vim ];
wget
vim
];
services.dockerRegistry = { services.dockerRegistry = {
enable = true; enable = true;
storagePath = "/srv/docker-registry"; storagePath = "/srv/docker-registry";
@ -81,4 +72,3 @@
system.stateVersion = "19.03"; # Did you read the comment? system.stateVersion = "19.03"; # Did you read the comment?
} }


@ -24,77 +24,77 @@ in {
enableHail = false; enableHail = false;
}; };
networking.hostName = "scrape"; networking.hostName = "scrape";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ]; networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.32";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
# Required for krops # Required for krops
services.openssh.enable = true; services.openssh.enable = true;
environment.systemPackages = [ pkgs.git ]; environment.systemPackages = [ pkgs.git ];
systemd.services = systemd.services = let
let scrapers = import (builtins.fetchGit {
scrapers = import ( url = "https://gitea.c3d2.de/astro/scrapers.git";
builtins.fetchGit { url = "https://gitea.c3d2.de/astro/scrapers.git"; } }) { inherit pkgs; };
) { makeService = { script, host, user ? "", password ? "" }: {
inherit pkgs; script =
"${scrapers.${script}}/bin/${script} ${host} ${user} ${password}";
};
xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
matematLogin = import <secrets/hosts/scrape/matemat.nix>;
makeNodeScraper = nodeId: {
name = "scrape-node${nodeId}";
value = makeService {
script = "freifunk_node";
host = freifunkNodes.${nodeId};
}; };
makeService = { script, host, user ? "", password ? "" }: { };
script = "${scrapers.${script}}/bin/${script} ${host} ${user} ${password}"; in {
}; scrape-xeri = makeService {
xeriLogin = import <secrets/hosts/scrape/xeri.nix>; script = "xerox";
fhemLogin = import <secrets/hosts/scrape/fhem.nix>; host = "xeri.hq.c3d2.de";
matematLogin = import <secrets/hosts/scrape/matemat.nix>; inherit (xeriLogin) user password;
makeNodeScraper = nodeId: { };
name = "scrape-node${nodeId}"; scrape-roxi = makeService {
value = makeService { script = "xerox";
script = "freifunk_node"; host = "roxi.hq.c3d2.de";
host = freifunkNodes.${nodeId}; };
}; scrape-fhem = makeService {
}; script = "fhem";
in { host = "fhem.hq.c3d2.de";
scrape-xeri = makeService { inherit (fhemLogin) user password;
script = "xerox"; };
host = "xeri.hq.c3d2.de"; scrape-matemat = makeService {
inherit (xeriLogin) user password; script = "matemat";
}; host = "matemat.hq.c3d2.de";
scrape-roxi = makeService { inherit (matematLogin) user password;
script = "xerox"; };
host = "roxi.hq.c3d2.de"; } // builtins.listToAttrs
}; (map makeNodeScraper (builtins.attrNames freifunkNodes));
scrape-fhem = makeService {
script = "fhem";
host = "fhem.hq.c3d2.de";
inherit (fhemLogin) user password;
};
scrape-matemat = makeService {
script = "matemat";
host = "matemat.hq.c3d2.de";
inherit (matematLogin) user password;
};
} // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes));
systemd.timers = systemd.timers = let
let makeTimer = service: interval: {
makeTimer = service: interval: { partOf = [ "${service}.service" ];
partOf = [ "${service}.service" ]; wantedBy = [ "timers.target" ];
wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = interval;
timerConfig.OnCalendar = interval; };
makeNodeScraperTimer = nodeId:
let name = "scrape-node${nodeId}";
in {
inherit name;
value = makeTimer name "minutely";
}; };
makeNodeScraperTimer = nodeId: in {
let scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
name = "scrape-node${nodeId}"; scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
in { scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
inherit name; scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
value = makeTimer name "minutely"; } // builtins.listToAttrs
}; (map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
in {
scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
} // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
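Review bot: `makeService` builds the unit's `script` as `"${scrapers.${script}}/bin/${script} ${host} ${user} ${password}"`, so the credentials imported from `<secrets/hosts/scrape/*.nix>` are passed as command-line arguments; if the scraper binaries really read them from argv (the scripts themselves are not visible here), they are exposed in `/proc/<pid>/cmdline` to every local user and are embedded verbatim in the generated unit file in the Nix store. Prefer handing them to the program through the environment or a file, e.g. `serviceConfig.EnvironmentFile` or systemd's `LoadCredential=`, with a small wrapper if the scrapers only accept positional arguments. The `systemd.services` and `systemd.timers` attribute sets are both fully inside this hunk.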


@ -1,24 +1,23 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let spacemsgGit = builtins.fetchGit "https://github.com/astro/spacemsg.git";
spacemsgGit = builtins.fetchGit https://github.com/astro/spacemsg.git; in {
in imports = [
{ ../../../lib/lxc-container.nix
imports = ../../../lib/shared.nix
[ ../../../lib/lxc-container.nix ../../../lib/admins.nix
../../../lib/shared.nix "${spacemsgGit}/spaceapi/module.nix"
../../../lib/admins.nix ];
"${spacemsgGit}/spaceapi/module.nix"
];
networking.hostName = "spaceapi"; networking.hostName = "spaceapi";
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ]; networking.interfaces.eth0.ipv4.addresses = [{
address = "172.20.73.25";
prefixLength = 26;
}];
networking.defaultGateway = "172.20.73.1"; networking.defaultGateway = "172.20.73.1";
networking.firewall.enable = false; networking.firewall.enable = false;
services.spaceapi = { services.spaceapi = { enable = true; };
enable = true;
};
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database


@ -44,9 +44,15 @@
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget vim git tmux screen wget
chromium firefox vim
mpv kodi git
tmux
screen
chromium
firefox
mpv
kodi
]; ];
systemd.user.services.x11vnc = { systemd.user.services.x11vnc = {
@ -108,9 +114,7 @@
services.xserver.xkbOptions = "eurosign:e"; services.xserver.xkbOptions = "eurosign:e";
services.xserver.displayManager = { services.xserver.displayManager = {
lightdm = { lightdm = { enable = true; };
enable = true;
};
autoLogin = { autoLogin = {
enable = true; enable = true;
user = "k-ot"; user = "k-ot";


@ -6,19 +6,20 @@
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4"; device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/6490-45A0"; device = "/dev/disk/by-uuid/6490-45A0";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ]; swapDevices = [ ];


@ -1,11 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = [ imports = [ ./hydra.nix ./cache.nix ../../lib ];
./hydra.nix
./cache.nix
../../lib
];
c3d2 = { c3d2 = {
users = { users = {


@ -2,10 +2,8 @@
{ {
nix = { nix = {
binaryCaches = [ binaryCaches =
"https://cache.nixos.org" [ "https://cache.nixos.org" "https://genodepkgs.cachix.org" ];
"https://genodepkgs.cachix.org"
];
binaryCachePublicKeys = [ binaryCachePublicKeys = [
"genodepkgs.cachix.org-1:j6xcYrUP9Q9c+WbS+MbkJR26cqeytOVdC4SmhOYj2Sw=" "genodepkgs.cachix.org-1:j6xcYrUP9Q9c+WbS+MbkJR26cqeytOVdC4SmhOYj2Sw="
]; ];


@ -3,11 +3,10 @@
with lib; with lib;
let let
tickerSrc = builtins.fetchGit { tickerSrc =
url = "https://gitea.c3d2.de/astro/ticker.git"; builtins.fetchGit { url = "https://gitea.c3d2.de/astro/ticker.git"; };
}; in {
in boot.isContainer = true;
{ boot.isContainer = true;
#boot.loader.initScript.enable = true; #boot.loader.initScript.enable = true;
networking.hostName = mkDefault "ticker"; networking.hostName = mkDefault "ticker";
networking.useDHCP = false; networking.useDHCP = false;
@ -38,7 +37,8 @@ in
color = "#FF3F3F"; color = "#FF3F3F";
}; };
hicknhack = { hicknhack = {
url = "https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics"; url =
"https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics";
color = "#A700A7"; color = "#A700A7";
}; };
palaissommer = { palaissommer = {
@ -58,15 +58,18 @@ in
color = "#FF7F00"; color = "#FF7F00";
}; };
rosenwerk-home = { rosenwerk-home = {
url = "https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics"; url =
"https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics";
color = "#BF003F"; color = "#BF003F";
}; };
rosenwerk-extern = { rosenwerk-extern = {
url = "https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics"; url =
"https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics";
color = "#BF002F"; color = "#BF002F";
}; };
rosenwerk-kultur = { rosenwerk-kultur = {
url = "https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics"; url =
"https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics";
color = "#BF001F"; color = "#BF001F";
}; };
haengemathe = { haengemathe = {


@ -7,15 +7,18 @@
let let
octoprintPort = 8080; octoprintPort = 8080;
espCam = "http://172.20.78.164:81"; espCam = "http://172.20.78.164:81";
in in {
{
imports = [ # Include the results of the hardware scan. imports = [ # Include the results of the hardware scan.
<this-host/hardware-configuration.nix> <this-host/hardware-configuration.nix>
]; ];
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = false; boot.loader.generic-extlinux-compatible.enable = false;
boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; }; boot.loader.raspberryPi = {
enable = true;
version = 4;
uboot.enable = false;
};
#boot.kernelPackages = pkgs.linuxPackages_rpi4; #boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
@ -49,10 +52,7 @@ in
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ wget vim git raspberrypi-tools ];
wget vim git
raspberrypi-tools
];
# Some programs need SUID wrappers, can be configured further or are # Some programs need SUID wrappers, can be configured further or are
# started in user sessions. # started in user sessions.
@ -83,7 +83,6 @@ in
extraGroups = [ "wheel" "audio" ]; extraGroups = [ "wheel" "audio" ];
}; };
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
@ -111,10 +110,13 @@ in
systemWide = true; systemWide = true;
tcp.enable = true; tcp.enable = true;
tcp.anonymousClients.allowedIpRanges = [ tcp.anonymousClients.allowedIpRanges = [
"127.0.0.0/8" "::1/128" "127.0.0.0/8"
"::1/128"
"fd23:42:c3d2:500::/56" "fd23:42:c3d2:500::/56"
"172.22.99.0/24" "2a02:8106:208:5200::/56" "172.22.99.0/24"
"172.20.72.0/21" "2a02:8106:211:e900::/56" "2a02:8106:208:5200::/56"
"172.20.72.0/21"
"2a02:8106:211:e900::/56"
]; ];
zeroconf.publish.enable = true; zeroconf.publish.enable = true;
package = pkgs.pulseaudioFull; package = pkgs.pulseaudioFull;
@ -190,11 +192,11 @@ in
}; };
# Allow access to printer serial port and GPIO # Allow access to printer serial port and GPIO
users.users.${config.services.octoprint.user}.extraGroups = [ "dialout" "gpio" ]; users.users.${config.services.octoprint.user}.extraGroups =
[ "dialout" "gpio" ];
systemd.services.mjpeg-stream = systemd.services.mjpeg-stream =
let let mjpeg-proxy = pkgs.callPackage <lib/pkgs/mjpeg-proxy.nix> { };
mjpeg-proxy = pkgs.callPackage <lib/pkgs/mjpeg-proxy.nix> {};
in { in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];


@ -12,19 +12,17 @@
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.kernelParams = [ boot.kernelParams = [ "snd_bcm2835.enable_headphones=1" ];
"snd_bcm2835.enable_headphones=1"
];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-label/NIXOS_SD"; device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-label/FIRMWARE"; device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ]; swapDevices = [ ];


@ -100,8 +100,8 @@ in {
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh = { services.openssh = {
enable = true; enable = true;
allowSFTP = true; allowSFTP = true;
}; };
services.atftpd = { services.atftpd = {


@ -4,27 +4,24 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
[ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/vda1"; device = "/dev/vda1";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/vda3"; device = "/dev/vda3";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [{ device = "/dev/vda2"; }];
[ { device = "/dev/vda2"; }
];
nix.maxJobs = lib.mkDefault 4; nix.maxJobs = lib.mkDefault 4;
} }


@ -1,12 +1,10 @@
let let
krops = builtins.fetchGit { krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };
url = "https://cgit.krebsco.de/krops/";
};
lib = import "${krops}/lib"; lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" {}; pkgs = import "${krops}/pkgs" { };
hostSource = path: nixos-branch: hostSource = path: nixos-branch:
lib.evalSource [ { lib.evalSource [{
nixpkgs.git = { nixpkgs.git = {
ref = "origin/${nixos-branch}"; ref = "origin/${nixos-branch}";
url = "https://github.com/NixOS/nixpkgs.git"; url = "https://github.com/NixOS/nixpkgs.git";
@ -16,7 +14,7 @@ let
lib.file = toString ./lib; lib.file = toString ./lib;
secrets.file = toString ./secrets; secrets.file = toString ./secrets;
"host-registry.nix".file = toString ./host-registry.nix; "host-registry.nix".file = toString ./host-registry.nix;
} ]; }];
deployContainer = containerName: host: deployContainer = containerName: host:
pkgs.krops.writeDeploy containerName { pkgs.krops.writeDeploy containerName {
@ -31,14 +29,10 @@ in {
glotzbert = pkgs.krops.writeDeploy "glotzbert" { glotzbert = pkgs.krops.writeDeploy "glotzbert" {
source = hostSource "glotzbert" "nixos-20.09"; source = hostSource "glotzbert" "nixos-20.09";
target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { sudo = true; };
sudo = true;
};
}; };
pulsebert = pkgs.krops.writeDeploy "pulsebert" { pulsebert = pkgs.krops.writeDeploy "pulsebert" {
source = hostSource "pulsebert" "nixos-20.09"; source = hostSource "pulsebert" "nixos-20.09";
target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { sudo = true; };
sudo = true;
};
}; };
} }


@ -1,6 +1 @@
{ config, ... }: { config, ... }: { imports = [ ../secrets/lib/authorized_keys ]; }
{
imports = [
../secrets/lib/authorized_keys
];
}


@ -162,12 +162,10 @@ in {
host.ip6 host.ip6
else else
toHqPrivateAddress hostName; toHqPrivateAddress hostName;
in [ in [{
{ name = ip6;
name = ip6; value = [ "${hostName}.hq" hostName ];
value = [ "${hostName}.hq" hostName ]; }] ++ lib.optional (hasAttr "ip4" host) {
}
] ++ lib.optional (hasAttr "ip4" host) {
name = host.ip4; name = host.ip4;
value = [ "${hostName}.hq" hostName ]; value = [ "${hostName}.hq" hostName ];
}; };


@ -20,10 +20,9 @@ let
# replace the hostnames with the IP or hostname of your Graylog2 server # replace the hostnames with the IP or hostname of your Graylog2 server
access_log syslog:server=graylog.server.org:12301 graylog2_json; access_log syslog:server=graylog.server.org:12301 graylog2_json;
error_log syslog:server=graylog.server.org:12302; error_log syslog:server=graylog.server.org:12302;
''; '';
in in {
{
# add central logging # add central logging
services.journalbeat = { services.journalbeat = {


@ -15,7 +15,8 @@
networking.useNetworkd = true; networking.useNetworkd = true;
networking.useDHCP = false; networking.useDHCP = false;
services.resolved.enable = false; services.resolved.enable = false;
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ]; networking.nameservers =
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
networking.interfaces.eth0 = { networking.interfaces.eth0 = {
useDHCP = false; useDHCP = false;
@ -36,15 +37,17 @@
# Create a few files early before packing tarball for Proxmox # Create a few files early before packing tarball for Proxmox
# architecture/OS detection. # architecture/OS detection.
system.extraSystemBuilderCmds = system.extraSystemBuilderCmds = ''
'' mkdir -m 0755 -p $out/bin
mkdir -m 0755 -p $out/bin ln -s ${pkgs.bash}/bin/bash $out/bin/sh
ln -s ${pkgs.bash}/bin/bash $out/bin/sh mkdir -m 0755 -p $out/sbin
mkdir -m 0755 -p $out/sbin ln -s ../init $out/sbin/init
ln -s ../init $out/sbin/init '';
'';
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; }; fileSystems."/" = {
fsType = "rootfs";
device = "rootfs";
};
# add central logging # add central logging
services.journalbeat = { services.journalbeat = {


@ -1,5 +1,4 @@
{ config, lib, pkgs, { config, lib, pkgs, ... }:
... }:
with lib; with lib;
let let
@ -9,45 +8,39 @@ let
rev = "3a0767f0536fac811065eb87e6342f27eac085aa"; rev = "3a0767f0536fac811065eb87e6342f27eac085aa";
sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8="; sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8=";
}; };
nixcloud = ( nixcloud = (import "${nixcloud-webservices}/pkgs" { inherit pkgs; }).nixcloud;
import "${nixcloud-webservices}/pkgs" { inherit pkgs; }
).nixcloud;
profilesDir = "/nix/var/nix/profiles/lxc"; profilesDir = "/nix/var/nix/profiles/lxc";
containers = config.lxc.containers; containers = config.lxc.containers;
nixPath = config.nix.nixPath; nixPath = config.nix.nixPath;
toLxcConfig' = path: a: toLxcConfig' = path: a:
if builtins.isString a if builtins.isString a then ''
then "${path} = ${a}\n" ${path} = ${a}
else if builtins.isInt a '' else if builtins.isInt a then ''
then "${path} = ${toString a}\n" ${path} = ${toString a}
else if builtins.isAttrs a '' else if builtins.isAttrs a then
then lib.concatMapStrings (name: lib.concatMapStrings (name:
let let path' = if path == "" then name else "${path}.${name}";
path' = if path == "" in toLxcConfig' path' (builtins.getAttr name a)) (builtins.attrNames a)
then name else if builtins.isList a then
else "${path}.${name}"; lib.concatMapStrings (toLxcConfig' path) a
in else
toLxcConfig' path' (builtins.getAttr name a) throw "Invalid LXC config value";
) (builtins.attrNames a)
else if builtins.isList a
then lib.concatMapStrings (toLxcConfig' path) a
else throw "Invalid LXC config value";
toLxcConfig = toLxcConfig' ""; toLxcConfig = toLxcConfig' "";
lxc-rootfs = pkgs.runCommand "lxc-rootfs" {} '' lxc-rootfs = pkgs.runCommand "lxc-rootfs" { } ''
mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp} mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp}
''; '';
in { in {
options = with types; { options = with types; {
lxc.containers = mkOption { lxc.containers = mkOption {
type = attrs; type = attrs;
default = {}; default = { };
}; };
}; };
config = mkIf (containers != {}) { config = mkIf (containers != { }) {
virtualisation.lxc.enable = true; virtualisation.lxc.enable = true;
environment.systemPackages = [ nixcloud.container ]; environment.systemPackages = [ nixcloud.container ];
@ -55,14 +48,18 @@ in {
lxc.id_map = u 0 100000 65536 lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536 lxc.id_map = g 0 100000 65536
''; '';
users.users.root.subGidRanges = [ users.users.root.subGidRanges = [{
{ count = 65536; startGid = 100000; } count = 65536;
]; startGid = 100000;
users.users.root.subUidRanges = [ }];
{ count = 65536; startUid = 100000; } users.users.root.subUidRanges = [{
]; count = 65536;
startUid = 100000;
}];
systemd.services = if true then {} else systemd.services = if true then
{ }
else
builtins.foldl' (services: name: builtins.foldl' (services: name:
let let
systemDir = "/${profilesDir}/${name}/system"; systemDir = "/${profilesDir}/${name}/system";
@ -94,9 +91,8 @@ in {
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true; serviceConfig.RemainAfterExit = true;
serviceConfig.Environment = [ serviceConfig.Environment =
''NIX_PATH=${builtins.concatStringsSep ":" nixPath}'' [ "NIX_PATH=${builtins.concatStringsSep ":" nixPath}" ];
];
script = '' script = ''
mkdir -p ${profilesDir}/${name} mkdir -p ${profilesDir}/${name}
@ -123,7 +119,6 @@ in {
in services // { in services // {
"lxc-container-${name}-builder" = builder; "lxc-container-${name}-builder" = builder;
"lxc-container-${name}" = starter; "lxc-container-${name}" = starter;
} }) { } (builtins.attrNames containers);
) {} (builtins.attrNames containers);
}; };
} }
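Review bot: In `toLxcConfig'` the string and int branches now build their `key = value` line from an indented `''` string instead of `"${path} = ${a}\n"`, so the emitted LXC config text depends on indented-string whitespace stripping reproducing the old value exactly — no leading spaces and a single trailing newline. The rendered view does not show column positions, so this is worth confirming by comparing the evaluated container config before and after the reformat. The same `"\n"`-to-`''` conversion appears in the `builtins.match` regex of the bmxd package hunk (`''` / `.*?${name}:=([^` / `]+).*?''`), where any retained indentation or a changed newline would make the match return null and `builtins.elemAt` fail at evaluation time. The module's `let` block begins before the first hunk shown here.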


@ -1,18 +1,20 @@
{ pkgs ? import <nixpkgs> {}, { pkgs ? import <nixpkgs> { }, src ? builtins.fetchGit
src ? builtins.fetchGit "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git", "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git", }:
}:
with pkgs; with pkgs;
let let
path = "feeds/19.07/feeds-own/bmxd"; path = "feeds/19.07/feeds-own/bmxd";
makefile = builtins.readFile "${src}/${path}/Makefile"; makefile = builtins.readFile "${src}/${path}/Makefile";
makeDef = name: makeDef = name:
builtins.elemAt (builtins.match ".*?${name}:=([^\n]+).*?" makefile) 0; builtins.elemAt (builtins.match ''
.*?${name}:=([^
]+).*?'' makefile) 0;
name = makeDef "PKG_NAME"; name = makeDef "PKG_NAME";
version = makeDef "PKG_VERSION"; version = makeDef "PKG_VERSION";
release = makeDef "PKG_RELEASE"; release = makeDef "PKG_RELEASE";
patch = fetchurl { patch = fetchurl {
url = "https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch"; url =
"https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch";
sha256 = "10gm1fqg2s8c261i0j1py3sfyyzr0h5b6wwdsgg3icn7lfjd6k75"; sha256 = "10gm1fqg2s8c261i0j1py3sfyyzr0h5b6wwdsgg3icn7lfjd6k75";
}; };
in stdenv.mkDerivation { in stdenv.mkDerivation {


@ -1,8 +1,7 @@
{ pkgs ? import <nixpkgs> {} }: { pkgs ? import <nixpkgs> { } }:
with pkgs; with pkgs;
let let pile = builtins.fetchGit "https://github.com/astro/pile.git";
pile = builtins.fetchGit "https://github.com/astro/pile.git";
in { in {
ledball = rustPlatform.buildRustPackage { ledball = rustPlatform.buildRustPackage {
name = "ledball"; name = "ledball";


@ -1,7 +1,7 @@
{ lib, ... }: { lib, ... }:
{ {
imports = [./logging.nix]; imports = [ ./logging.nix ];
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
# Select internationalisation properties. # Select internationalisation properties.


@ -2,7 +2,7 @@
let let
keys = [ keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org" "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org"
]; ];
in { in {