Nixfmt everything
This commit is contained in:
parent
211106cf53
commit
6170a9c4e0
|
@ -5,8 +5,8 @@ rec {
|
||||||
adc = { };
|
adc = { };
|
||||||
grafana.publicKey =
|
grafana.publicKey =
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFB9fo01jzr2upEBEXiR7sSmeQoq9ll5Cf5/hjq5e4Y";
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPFB9fo01jzr2upEBEXiR7sSmeQoq9ll5Cf5/hjq5e4Y";
|
||||||
scrape = {};
|
scrape = { };
|
||||||
ledstripes = {};
|
ledstripes = { };
|
||||||
|
|
||||||
glotzbert.publicKey =
|
glotzbert.publicKey =
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnEWn/8CKIiCtehh6Ha3XUQqjODj0ygyo3aGAsFWgfG";
|
||||||
|
@ -59,7 +59,8 @@ rec {
|
||||||
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQCZ7f7bqRC6B72oMu7BCItZxZnWsqx9Th/2iBRvtIFggr4YNi7Pbw3cc68NVbm0u7feUUgH5LDiXVpig3b7Gw=
|
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQCZ7f7bqRC6B72oMu7BCItZxZnWsqx9Th/2iBRvtIFggr4YNi7Pbw3cc68NVbm0u7feUUgH5LDiXVpig3b7Gw=
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
storage.publicKey = "storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX";
|
storage.publicKey =
|
||||||
|
"storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX";
|
||||||
|
|
||||||
};
|
};
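Review bot: The reformatted `storage.publicKey =` assignment still carries the value `"storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX"`, so the key-type field is `storage.ssh-ed25519` rather than `ssh-ed25519`; this looks like a copy-paste slip that any known_hosts or authorized_keys consumer would reject, though the consumer is not visible from this hunk. Unless the prefix is intentional, the line should read `storage.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX";` so it matches the other `publicKey` entries in the same set. The enclosing `rec { … }` attribute set starts outside the hunk.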
|
||||||
|
|
||||||
|
|
|
@ -5,14 +5,14 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
nixops
|
nixops
|
||||||
pass
|
pass
|
||||||
gnupg
|
gnupg
|
||||||
ansible
|
ansible
|
||||||
|
@ -25,7 +25,10 @@
|
||||||
htop
|
htop
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.16"; prefixLength = 26; } ];
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.16";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
@ -50,9 +53,7 @@
|
||||||
# address = "fe80::a800:42ff:fe7a:3246";
|
# address = "fe80::a800:42ff:fe7a:3246";
|
||||||
# interface = "ens18";
|
# interface = "ens18";
|
||||||
#};
|
#};
|
||||||
firewall.allowedTCPPorts = [
|
firewall.allowedTCPPorts = [ 22 ];
|
||||||
22
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
|
@ -67,8 +68,8 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
users.extraUsers.k-ot = {
|
users.extraUsers.k-ot = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
uid = 1000;
|
uid = 1000;
|
||||||
extraGroups = [ "wheel" ];
|
extraGroups = [ "wheel" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,29 +1,28 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "dhcp";
|
networking.hostName = "dhcp";
|
||||||
networking.defaultGateway = "172.22.99.1";
|
networking.defaultGateway = "172.22.99.1";
|
||||||
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
|
networking.nameservers =
|
||||||
|
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
networking.interfaces.eth0 = {
|
networking.interfaces.eth0 = {
|
||||||
ipv4.addresses = [ {
|
ipv4.addresses = [{
|
||||||
address = "172.22.99.254";
|
address = "172.22.99.254";
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
} ];
|
}];
|
||||||
useDHCP = lib.mkForce false;
|
useDHCP = lib.mkForce false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ vim ];
|
||||||
vim
|
|
||||||
];
|
|
||||||
|
|
||||||
# dhcp
|
# dhcp
|
||||||
networking.firewall.allowedUDPPorts = [ 67 68 ];
|
networking.firewall.allowedUDPPorts = [ 67 68 ];
|
||||||
|
|
|
@ -5,12 +5,12 @@ let
|
||||||
address6 = "fe80::deca:fbad";
|
address6 = "fe80::deca:fbad";
|
||||||
neighbors = import ../../../secrets/hosts/dn42/neighbors.nix;
|
neighbors = import ../../../secrets/hosts/dn42/neighbors.nix;
|
||||||
in {
|
in {
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
../../../lib/default-gateway.nix
|
../../../lib/default-gateway.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "dn42";
|
networking.hostName = "dn42";
|
||||||
# networking.defaultGateway6 = {
|
# networking.defaultGateway6 = {
|
||||||
|
@ -19,18 +19,16 @@ in {
|
||||||
# };
|
# };
|
||||||
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
|
networking.nameservers = [ "172.20.72.6" "172.20.72.10" ];
|
||||||
networking.interfaces.eth0 = {
|
networking.interfaces.eth0 = {
|
||||||
ipv4.addresses = [ {
|
ipv4.addresses = [{
|
||||||
address = address4;
|
address = address4;
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
} ];
|
}];
|
||||||
};
|
};
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
services.resolved.enable = false;
|
services.resolved.enable = false;
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ vim ];
|
||||||
vim
|
|
||||||
];
|
|
||||||
|
|
||||||
# SSH for nixops
|
# SSH for nixops
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
@ -45,161 +43,154 @@ in {
|
||||||
mknod -m 666 /dev/net/tun c 10 200
|
mknod -m 666 /dev/net/tun c 10 200
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
services.openvpn =
|
services.openvpn = let
|
||||||
let
|
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
|
||||||
openvpnNeighbors = lib.filterAttrs (_: conf: conf ? openvpn) neighbors;
|
keyfile = name:
|
||||||
keyfile = name:
|
builtins.toFile "${name}.key" (builtins.readFile
|
||||||
builtins.toFile "${name}.key"
|
(../../../secrets/hosts/dn42/openvpn + "/${name}.key"));
|
||||||
(builtins.readFile (../../../secrets/hosts/dn42/openvpn + "/${name}.key"));
|
mkServer = name: conf: {
|
||||||
mkServer = name: conf: {
|
config = ''
|
||||||
config = ''
|
dev ${name}
|
||||||
dev ${name}
|
dev-type tun
|
||||||
dev-type tun
|
ifconfig ${address4} ${conf.address4}
|
||||||
ifconfig ${address4} ${conf.address4}
|
user nobody
|
||||||
user nobody
|
group nogroup
|
||||||
group nogroup
|
persist-tun
|
||||||
persist-tun
|
persist-key
|
||||||
persist-key
|
ping 30
|
||||||
ping 30
|
ping-restart 45
|
||||||
ping-restart 45
|
verb 1
|
||||||
verb 1
|
${conf.openvpn}
|
||||||
${conf.openvpn}
|
secret ${keyfile name}
|
||||||
secret ${keyfile name}
|
'';
|
||||||
'';
|
up = ''
|
||||||
up = ''
|
${pkgs.iproute}/bin/ip addr flush dev $1
|
||||||
${pkgs.iproute}/bin/ip addr flush dev $1
|
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
|
||||||
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
|
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
|
||||||
${pkgs.iproute}/bin/ip addr add ${address6}/64 dev $1
|
'';
|
||||||
'';
|
|
||||||
};
|
|
||||||
in {
|
|
||||||
servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
|
|
||||||
};
|
};
|
||||||
|
in {
|
||||||
|
servers =
|
||||||
|
builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
|
||||||
|
};
|
||||||
|
|
||||||
networking.wireguard = {
|
networking.wireguard = {
|
||||||
enable = true;
|
enable = true;
|
||||||
interfaces =
|
interfaces = let
|
||||||
let
|
wireguardNeighbors =
|
||||||
wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
|
lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
|
||||||
in
|
in builtins.mapAttrs (name: conf: {
|
||||||
builtins.mapAttrs (name: conf: {
|
inherit (conf.wireguard) listenPort privateKey;
|
||||||
inherit (conf.wireguard) listenPort privateKey;
|
ips = [ "${address4}/32" "${address6}/64" ];
|
||||||
ips = [ "${address4}/32" "${address6}/64" ];
|
allowedIPsAsRoutes = false;
|
||||||
allowedIPsAsRoutes = false;
|
postSetup = ''
|
||||||
postSetup = ''
|
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
|
||||||
${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
|
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
|
||||||
${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
|
'';
|
||||||
'';
|
peers = [
|
||||||
peers = [ ({
|
({
|
||||||
inherit (conf.wireguard) publicKey;
|
inherit (conf.wireguard) publicKey;
|
||||||
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
allowedIPs = [ "0.0.0.0/0" "::0/0" ];
|
||||||
persistentKeepalive = 30;
|
persistentKeepalive = 30;
|
||||||
} // (lib.optionalAttrs (conf.wireguard ? endpoint) {
|
} // (lib.optionalAttrs (conf.wireguard ? endpoint) {
|
||||||
inherit (conf.wireguard) endpoint;
|
inherit (conf.wireguard) endpoint;
|
||||||
})) ];
|
}))
|
||||||
}) wireguardNeighbors;
|
];
|
||||||
|
}) wireguardNeighbors;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.bird2 = {
|
services.bird2 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config =
|
config = let
|
||||||
let
|
bgpNeighbors = builtins.concatStringsSep "\n" (builtins.attrValues
|
||||||
bgpNeighbors =
|
(builtins.mapAttrs (name: conf:
|
||||||
builtins.concatStringsSep "\n"
|
let
|
||||||
(builtins.attrValues (builtins.mapAttrs (name: conf:
|
neighbor4 = if conf ? address4 then ''
|
||||||
let
|
protocol bgp ${name}_4 from dnpeers {
|
||||||
neighbor4 =
|
neighbor ${conf.address4} as ${builtins.toString conf.asn};
|
||||||
if conf ? address4
|
|
||||||
then ''
|
|
||||||
protocol bgp ${name}_4 from dnpeers {
|
|
||||||
neighbor ${conf.address4} as ${builtins.toString conf.asn};
|
|
||||||
}
|
|
||||||
''
|
|
||||||
else "";
|
|
||||||
neighbor6 =
|
|
||||||
if conf ? address6
|
|
||||||
then ''
|
|
||||||
protocol bgp ${name}_6 from dnpeers {
|
|
||||||
neighbor ${conf.address6}%${interface} as ${builtins.toString conf.asn};
|
|
||||||
}
|
|
||||||
''
|
|
||||||
else "";
|
|
||||||
interface =
|
|
||||||
if conf ? interface
|
|
||||||
then conf.interface
|
|
||||||
else name;
|
|
||||||
in "${neighbor4}${neighbor6}"
|
|
||||||
) neighbors));
|
|
||||||
in ''
|
|
||||||
protocol kernel {
|
|
||||||
ipv4 {
|
|
||||||
export all;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
protocol kernel {
|
|
||||||
ipv6 {
|
|
||||||
export all;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
protocol device {
|
|
||||||
scan time 10;
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol static {
|
|
||||||
ipv4;
|
|
||||||
route 10.0.0.0/8 unreachable;
|
|
||||||
route 172.16.0.0/12 unreachable;
|
|
||||||
route 192.168.0.0/16 unreachable;
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol static {
|
|
||||||
ipv6;
|
|
||||||
route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
|
|
||||||
route fd00::/8 unreachable;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
protocol static hq4 {
|
|
||||||
ipv4;
|
|
||||||
route 172.22.99.0/24 via "eth0";
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol static hq6 {
|
|
||||||
ipv6;
|
|
||||||
route fd23:42:c3d2:500::/56 unreachable;
|
|
||||||
}
|
|
||||||
|
|
||||||
template bgp dnpeers {
|
|
||||||
local as 64699;
|
|
||||||
ipv4 {
|
|
||||||
import all;
|
|
||||||
export filter {
|
|
||||||
if source = RTS_BGP then {
|
|
||||||
accept;
|
|
||||||
}
|
}
|
||||||
if proto = "hq4" then {
|
'' else
|
||||||
accept;
|
"";
|
||||||
|
neighbor6 = if conf ? address6 then ''
|
||||||
|
protocol bgp ${name}_6 from dnpeers {
|
||||||
|
neighbor ${conf.address6}%${interface} as ${
|
||||||
|
builtins.toString conf.asn
|
||||||
|
};
|
||||||
}
|
}
|
||||||
reject;
|
'' else
|
||||||
};
|
"";
|
||||||
};
|
interface = if conf ? interface then conf.interface else name;
|
||||||
ipv6 {
|
in "${neighbor4}${neighbor6}") neighbors));
|
||||||
import all;
|
in ''
|
||||||
export filter {
|
protocol kernel {
|
||||||
if source = RTS_BGP then {
|
ipv4 {
|
||||||
accept;
|
export all;
|
||||||
}
|
};
|
||||||
if proto = "hq6" then {
|
}
|
||||||
accept;
|
protocol kernel {
|
||||||
}
|
ipv6 {
|
||||||
reject;
|
export all;
|
||||||
};
|
};
|
||||||
};
|
}
|
||||||
}
|
protocol device {
|
||||||
${bgpNeighbors}
|
scan time 10;
|
||||||
|
}
|
||||||
|
|
||||||
router id ${address4};
|
protocol static {
|
||||||
'';
|
ipv4;
|
||||||
|
route 10.0.0.0/8 unreachable;
|
||||||
|
route 172.16.0.0/12 unreachable;
|
||||||
|
route 192.168.0.0/16 unreachable;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol static {
|
||||||
|
ipv6;
|
||||||
|
route 2000::/3 via 2a02:8106:208:5201::c3d2:4;
|
||||||
|
route fd00::/8 unreachable;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
protocol static hq4 {
|
||||||
|
ipv4;
|
||||||
|
route 172.22.99.0/24 via "eth0";
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol static hq6 {
|
||||||
|
ipv6;
|
||||||
|
route fd23:42:c3d2:500::/56 unreachable;
|
||||||
|
}
|
||||||
|
|
||||||
|
template bgp dnpeers {
|
||||||
|
local as 64699;
|
||||||
|
ipv4 {
|
||||||
|
import all;
|
||||||
|
export filter {
|
||||||
|
if source = RTS_BGP then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
if proto = "hq4" then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ipv6 {
|
||||||
|
import all;
|
||||||
|
export filter {
|
||||||
|
if source = RTS_BGP then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
if proto = "hq6" then {
|
||||||
|
accept;
|
||||||
|
}
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
${bgpNeighbors}
|
||||||
|
|
||||||
|
router id ${address4};
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
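Review bot: Both the `keyfile` helper (`builtins.toFile "${name}.key" (builtins.readFile …)`) and the WireGuard line `inherit (conf.wireguard) listenPort privateKey;` place private key material in the Nix store, which is world-readable on the host, and the reformat keeps that arrangement. The OpenVPN `secret` directive could reference a file deployed outside the store instead of a `toFile` path, and the WireGuard interface can use `privateKeyFile` in place of `privateKey` so the key never enters a derivation. Separately, the bird template `dnpeers` uses `import all;` for both address families; a prefix or ROA filter limited to the dn42 ranges would bound what a misbehaving peer can inject into the kernel table. The `services.bird2.config` let-block and the surrounding module extend beyond this hunk.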
|
||||||
|
|
|
@ -1,9 +1,7 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [ <nixpkgs/nixos/modules/profiles/minimal.nix> ];
|
||||||
[ <nixpkgs/nixos/modules/profiles/minimal.nix>
|
|
||||||
];
|
|
||||||
nix.useSandbox = false;
|
nix.useSandbox = false;
|
||||||
nix.maxJobs = lib.mkDefault 4;
|
nix.maxJobs = lib.mkDefault 4;
|
||||||
|
|
||||||
|
@ -13,16 +11,23 @@
|
||||||
boot.loader.grub.enable = false;
|
boot.loader.grub.enable = false;
|
||||||
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
|
#boot.supportedFilesystems = ["zfs" "ext2" "ext3" "vfat" "fat32" "bcache" "bcachefs"];
|
||||||
|
|
||||||
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
|
fileSystems."/" = {
|
||||||
|
fsType = "rootfs";
|
||||||
|
device = "rootfs";
|
||||||
|
};
|
||||||
|
|
||||||
networking.hostName = "dnscache"; # Define your hostname.
|
networking.hostName = "dnscache"; # Define your hostname.
|
||||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.8";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
services.resolved.enable = false;
|
services.resolved.enable = false;
|
||||||
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
|
networking.nameservers =
|
||||||
|
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
|
||||||
|
|
||||||
# Set your time zone.
|
# Set your time zone.
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
@ -34,20 +39,16 @@
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ wget vim traceroute tcpdump bind ];
|
||||||
wget vim
|
|
||||||
traceroute tcpdump bind
|
|
||||||
];
|
|
||||||
|
|
||||||
# Create a few files early before packing tarball for Proxmox
|
# Create a few files early before packing tarball for Proxmox
|
||||||
# architecture/OS detection.
|
# architecture/OS detection.
|
||||||
system.extraSystemBuilderCmds =
|
system.extraSystemBuilderCmds = ''
|
||||||
''
|
mkdir -m 0755 -p $out/bin
|
||||||
mkdir -m 0755 -p $out/bin
|
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
||||||
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
mkdir -m 0755 -p $out/sbin
|
||||||
mkdir -m 0755 -p $out/sbin
|
ln -s ../init $out/sbin/init
|
||||||
ln -s ../init $out/sbin/init
|
'';
|
||||||
'';
|
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
|
@ -79,107 +80,109 @@
|
||||||
"127.0.0.0/8"
|
"127.0.0.0/8"
|
||||||
];
|
];
|
||||||
forwardAddresses = [
|
forwardAddresses = [
|
||||||
# Quad9
|
# Quad9
|
||||||
"9.9.9.9@853" #dns.quad9.net
|
"9.9.9.9@853" # dns.quad9.net
|
||||||
"2620:fe::fe@853" #dns.quad9.net
|
"2620:fe::fe@853" # dns.quad9.net
|
||||||
"149.112.112.112@853" #dns.quad9.net
|
"149.112.112.112@853" # dns.quad9.net
|
||||||
"2620:fe::9@853" #dns.quad9.net
|
"2620:fe::9@853" # dns.quad9.net
|
||||||
# Cloudflare DNS
|
# Cloudflare DNS
|
||||||
"1.1.1.1@853" #cloudflare-dns.com
|
"1.1.1.1@853" # cloudflare-dns.com
|
||||||
"2606:4700:4700::1111@853" #cloudflare-dns.com
|
"2606:4700:4700::1111@853" # cloudflare-dns.com
|
||||||
"1.0.0.1@853" #cloudflare-dns.com
|
"1.0.0.1@853" # cloudflare-dns.com
|
||||||
"2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com
|
''
|
||||||
|
2606:4700:4700::1001@853
|
||||||
|
forward-ssl-upstream: yes'' # cloudflare-dns.com
|
||||||
];
|
];
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
server:
|
server:
|
||||||
domain-insecure: "dn42"
|
domain-insecure: "dn42"
|
||||||
domain-insecure: "20.172.in-addr.arpa"
|
domain-insecure: "20.172.in-addr.arpa"
|
||||||
domain-insecure: "21.172.in-addr.arpa"
|
domain-insecure: "21.172.in-addr.arpa"
|
||||||
domain-insecure: "22.172.in-addr.arpa"
|
domain-insecure: "22.172.in-addr.arpa"
|
||||||
domain-insecure: "23.172.in-addr.arpa"
|
domain-insecure: "23.172.in-addr.arpa"
|
||||||
domain-insecure: "d.f.ip6.arpa"
|
domain-insecure: "d.f.ip6.arpa"
|
||||||
domain-insecure: "ffdd"
|
domain-insecure: "ffdd"
|
||||||
domain-insecure: "200.10.in-addr.arpa"
|
domain-insecure: "200.10.in-addr.arpa"
|
||||||
local-zone: "20.172.in-addr.arpa." nodefault
|
local-zone: "20.172.in-addr.arpa." nodefault
|
||||||
local-zone: "21.172.in-addr.arpa." nodefault
|
local-zone: "21.172.in-addr.arpa." nodefault
|
||||||
local-zone: "22.172.in-addr.arpa." nodefault
|
local-zone: "22.172.in-addr.arpa." nodefault
|
||||||
local-zone: "23.172.in-addr.arpa." nodefault
|
local-zone: "23.172.in-addr.arpa." nodefault
|
||||||
local-zone: "d.f.ip6.arpa." nodefault
|
local-zone: "d.f.ip6.arpa." nodefault
|
||||||
local-zone: "ffdd." nodefault
|
local-zone: "ffdd." nodefault
|
||||||
local-zone: "200.10.in-addr.arpa." nodefault
|
local-zone: "200.10.in-addr.arpa." nodefault
|
||||||
|
|
||||||
remote-control:
|
remote-control:
|
||||||
control-enable: yes
|
control-enable: yes
|
||||||
server-key-file: /var/lib/unbound/unbound_server.key
|
server-key-file: /var/lib/unbound/unbound_server.key
|
||||||
server-cert-file: /var/lib/unbound/unbound_server.pem
|
server-cert-file: /var/lib/unbound/unbound_server.pem
|
||||||
control-key-file: /var/lib/unbound/unbound_control.key
|
control-key-file: /var/lib/unbound/unbound_control.key
|
||||||
control-cert-file: /var/lib/unbound/unbound_control.pem
|
control-cert-file: /var/lib/unbound/unbound_control.pem
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "99.22.172.in-addr.arpa"
|
name: "99.22.172.in-addr.arpa"
|
||||||
forward-host: "ns.c3d2.de"
|
forward-host: "ns.c3d2.de"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "zentralwerk.dn42"
|
name: "zentralwerk.dn42"
|
||||||
forward-host: "dns.serv.zentralwerk.org"
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "72.20.172.in-addr.arpa"
|
name: "72.20.172.in-addr.arpa"
|
||||||
forward-host: "dns.serv.zentralwerk.org"
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "73.20.172.in-addr.arpa"
|
name: "73.20.172.in-addr.arpa"
|
||||||
forward-host: "dns.serv.zentralwerk.org"
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "74.20.172.in-addr.arpa"
|
name: "74.20.172.in-addr.arpa"
|
||||||
forward-host: "dns.serv.zentralwerk.org"
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "75.20.172.in-addr.arpa"
|
name: "75.20.172.in-addr.arpa"
|
||||||
forward-host: "dns.serv.zentralwerk.org"
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "76.20.172.in-addr.arpa"
|
name: "76.20.172.in-addr.arpa"
|
||||||
forward-host: "dns.serv.zentralwerk.org"
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "77.20.172.in-addr.arpa"
|
name: "77.20.172.in-addr.arpa"
|
||||||
forward-host: "dns.serv.zentralwerk.org"
|
forward-host: "dns.serv.zentralwerk.org"
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "dn42"
|
name: "dn42"
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "20.172.in-addr.arpa"
|
name: "20.172.in-addr.arpa"
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "21.172.in-addr.arpa"
|
name: "21.172.in-addr.arpa"
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "22.172.in-addr.arpa"
|
name: "22.172.in-addr.arpa"
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "23.172.in-addr.arpa"
|
name: "23.172.in-addr.arpa"
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "d.f.ip6.arpa"
|
name: "d.f.ip6.arpa"
|
||||||
forward-addr: 172.23.0.53
|
forward-addr: 172.23.0.53
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "ffdd"
|
name: "ffdd"
|
||||||
forward-addr: 10.200.0.4
|
forward-addr: 10.200.0.4
|
||||||
forward-addr: 10.200.0.16
|
forward-addr: 10.200.0.16
|
||||||
|
|
||||||
forward-zone:
|
forward-zone:
|
||||||
name: "200.10.in-addr.arpa"
|
name: "200.10.in-addr.arpa"
|
||||||
forward-addr: 10.200.0.4
|
forward-addr: 10.200.0.4
|
||||||
forward-addr: 10.200.0.16
|
forward-addr: 10.200.0.16
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -191,33 +194,32 @@
|
||||||
memory = "";
|
memory = "";
|
||||||
interface = "";
|
interface = "";
|
||||||
load = "";
|
load = "";
|
||||||
exec =
|
exec = let
|
||||||
let
|
unboundScript = builtins.toFile "unbound.rb" ''
|
||||||
unboundScript = builtins.toFile "unbound.rb" ''
|
loop do
|
||||||
loop do
|
`/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
|
||||||
`/run/current-system/sw/bin/unbound-control -c /var/lib/unbound/unbound.conf stats_noreset`
|
.lines
|
||||||
.lines
|
.filter { |l| l =~ /^total\./ }
|
||||||
.filter { |l| l =~ /^total\./ }
|
.each { |l|
|
||||||
.each { |l|
|
if l =~ /total\.(.+?)=([\d\.]+)/
|
||||||
if l =~ /total\.(.+?)=([\d\.]+)/
|
name = $1
|
||||||
name = $1
|
value = $2.to_f
|
||||||
value = $2.to_f
|
if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/
|
||||||
if name =~ /\.avg$/ || name =~ /\.median$/ || name =~ /\.max$/ || name =~ /\.min$/
|
ty = "gauge"
|
||||||
ty = "gauge"
|
else
|
||||||
else
|
ty = "derive"
|
||||||
ty = "derive"
|
value = value.to_i
|
||||||
value = value.to_i
|
|
||||||
end
|
|
||||||
puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
|
|
||||||
end
|
end
|
||||||
}
|
puts "PUTVAL dnscache/unbound/#{ty}-#{name} N:#{value}"
|
||||||
|
end
|
||||||
|
}
|
||||||
|
|
||||||
sleep 10
|
sleep 10
|
||||||
end
|
end
|
||||||
'';
|
|
||||||
in ''
|
|
||||||
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
|
|
||||||
'';
|
'';
|
||||||
|
in ''
|
||||||
|
Exec "collectd" "${pkgs.ruby}/bin/ruby" "${unboundScript}"
|
||||||
|
'';
|
||||||
network = ''
|
network = ''
|
||||||
Server "grafana.serv.zentralwerk.dn42" "25826"
|
Server "grafana.serv.zentralwerk.dn42" "25826"
|
||||||
'';
|
'';
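Review bot: The last `forwardAddresses` entry is now a multi-line `''…''` literal whose second line, `forward-ssl-upstream: yes`, is not an address but a directive smuggled into the generated forward-zone through the embedded newline; nixfmt preserves the semantics, but the intent is even less obvious to a reader than the old `\n` form was. A comment above the entry, `# the embedded newline appends forward-ssl-upstream: yes to the generated forward-zone; keep it on the last entry`, would document why the string is shaped that way and why its position matters. It is also worth stating there that the directive applies to every upstream in that zone, so each entry is expected to speak TLS on the port given after `@`. The `services.unbound` attribute set begins before this hunk.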
|
||||||
|
|
|
@ -5,31 +5,28 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ vim ];
|
||||||
vim
|
|
||||||
];
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "elastic1";
|
hostName = "elastic1";
|
||||||
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.15"; prefixLength = 26; } ];
|
interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.15";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
defaultGateway = "172.20.73.1";
|
defaultGateway = "172.20.73.1";
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [ 22 9200 9300 ];
|
||||||
22
|
|
||||||
9200
|
|
||||||
9300
|
|
||||||
];
|
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -46,35 +43,33 @@
|
||||||
systemd.services.elasticsearch.serviceConfig.Restart = "always";
|
systemd.services.elasticsearch.serviceConfig.Restart = "always";
|
||||||
|
|
||||||
# does not work, needs to be set on hv (done through ansible)
|
# does not work, needs to be set on hv (done through ansible)
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = { "vm.max_map_count" = "262144"; };
|
||||||
"vm.max_map_count"="262144";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.elasticsearch-curator = {
|
services.elasticsearch-curator = {
|
||||||
enable = true;
|
enable = true;
|
||||||
actionYAML = ''
|
actionYAML = ''
|
||||||
---
|
---
|
||||||
actions:
|
actions:
|
||||||
1:
|
1:
|
||||||
action: delete_indices
|
action: delete_indices
|
||||||
description: >-
|
description: >-
|
||||||
Delete indices older than 45 days (based on index name), for logstash-
|
Delete indices older than 45 days (based on index name), for logstash-
|
||||||
prefixed indices. Ignore the error if the filter does not result in an
|
prefixed indices. Ignore the error if the filter does not result in an
|
||||||
actionable list of indices (ignore_empty_list) and exit cleanly.
|
actionable list of indices (ignore_empty_list) and exit cleanly.
|
||||||
options:
|
options:
|
||||||
ignore_empty_list: True
|
ignore_empty_list: True
|
||||||
disable_action: False
|
disable_action: False
|
||||||
filters:
|
filters:
|
||||||
- filtertype: pattern
|
- filtertype: pattern
|
||||||
kind: prefix
|
kind: prefix
|
||||||
value: logstash-
|
value: logstash-
|
||||||
- filtertype: age
|
- filtertype: age
|
||||||
source: name
|
source: name
|
||||||
direction: older
|
direction: older
|
||||||
timestring: '%Y.%m.%d'
|
timestring: '%Y.%m.%d'
|
||||||
unit: days
|
unit: days
|
||||||
unit_count: 45
|
unit_count: 45
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
system.stateVersion = "20.09"; # Did you read the comment?
|
system.stateVersion = "20.09"; # Did you read the comment?
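Review bot: `allowedTCPPorts = [ 22 9200 9300 ];` opens the Elasticsearch HTTP (9200) and transport (9300) ports to every peer reachable over eth0, and nothing visible in these hunks restricts who may reach them or requires authentication on the HTTP API. If no security layer is configured for the cluster elsewhere, consider scoping the rule with `networking.firewall.interfaces` or `extraCommands` to the hosts that actually consume the API, or binding Elasticsearch to the address those consumers use. The `services.elasticsearch` settings themselves lie outside this hunk, so this is inferred from the firewall rule alone.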
|
||||||
|
|
|
@ -12,9 +12,8 @@ let
|
||||||
ddmeshAddrPart = "200.74";
|
ddmeshAddrPart = "200.74";
|
||||||
rt_table = 7;
|
rt_table = 7;
|
||||||
bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; };
|
bmxd = import (toString <lib/pkgs/bmxd.nix>) { inherit pkgs; };
|
||||||
sysinfo-json = import <this-host/sysinfo-json.nix> {
|
sysinfo-json =
|
||||||
inherit pkgs bmxd ddmeshNode;
|
import <this-host/sysinfo-json.nix> { inherit pkgs bmxd ddmeshNode; };
|
||||||
};
|
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
<nixpkgs/nixos/modules/profiles/minimal.nix>
|
||||||
|
@ -78,23 +77,23 @@ in {
|
||||||
"10-bmx" = {
|
"10-bmx" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
matchConfig = { Name = meshInterface; };
|
matchConfig = { Name = meshInterface; };
|
||||||
addresses = [ {
|
addresses = [{
|
||||||
addressConfig = {
|
addressConfig = {
|
||||||
Address = "10.201.${ddmeshAddrPart}/16";
|
Address = "10.201.${ddmeshAddrPart}/16";
|
||||||
Broadcast = "10.255.255.255";
|
Broadcast = "10.255.255.255";
|
||||||
};
|
};
|
||||||
} ];
|
}];
|
||||||
};
|
};
|
||||||
# Dummy interface for primary (10.200) address
|
# Dummy interface for primary (10.200) address
|
||||||
"11-bmx-loopback" = {
|
"11-bmx-loopback" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
matchConfig = { Name = meshLoopback; };
|
matchConfig = { Name = meshLoopback; };
|
||||||
addresses = [ {
|
addresses = [{
|
||||||
addressConfig = {
|
addressConfig = {
|
||||||
Address = "10.200.${ddmeshAddrPart}/32";
|
Address = "10.200.${ddmeshAddrPart}/32";
|
||||||
Broadcast = "10.255.255.255";
|
Broadcast = "10.255.255.255";
|
||||||
};
|
};
|
||||||
} ];
|
}];
|
||||||
};
|
};
|
||||||
# ZW
|
# ZW
|
||||||
"20-core" = {
|
"20-core" = {
|
||||||
|
@ -131,7 +130,7 @@ in {
|
||||||
-g 500000/50000 \
|
-g 500000/50000 \
|
||||||
dev=bmx_prime /linklayer 0 \
|
dev=bmx_prime /linklayer 0 \
|
||||||
dev=${meshInterface} /linklayer 1
|
dev=${meshInterface} /linklayer 1
|
||||||
'';
|
'';
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -141,7 +140,9 @@ in {
|
||||||
script = ''
|
script = ''
|
||||||
${pkgs.curl}/bin/curl \
|
${pkgs.curl}/bin/curl \
|
||||||
-o /tmp/ddmesh-registration.json \
|
-o /tmp/ddmesh-registration.json \
|
||||||
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}'
|
'${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${
|
||||||
|
toString ddmeshNode
|
||||||
|
}'
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "nobody";
|
User = "nobody";
|
||||||
|
@ -149,8 +150,8 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.timers.ddmesh-register-node = {
|
systemd.timers.ddmesh-register-node = {
|
||||||
partOf = [ "ddmesh-register-node.service" ];
|
partOf = [ "ddmesh-register-node.service" ];
|
||||||
wantedBy = [ "timers.target" ];
|
wantedBy = [ "timers.target" ];
|
||||||
timerConfig.OnCalendar = "daily";
|
timerConfig.OnCalendar = "daily";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -162,8 +163,8 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
systemd.timers.sysinfo-json = {
|
systemd.timers.sysinfo-json = {
|
||||||
partOf = [ "sysinfo-json.service" ];
|
partOf = [ "sysinfo-json.service" ];
|
||||||
wantedBy = [ "timers.target" ];
|
wantedBy = [ "timers.target" ];
|
||||||
timerConfig.OnCalendar = "minutely";
|
timerConfig.OnCalendar = "minutely";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -171,49 +172,49 @@ in {
|
||||||
services.bird2 = {
|
services.bird2 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = ''
|
||||||
protocol kernel K4 {
|
protocol kernel K4 {
|
||||||
ipv4 {
|
ipv4 {
|
||||||
export all;
|
export all;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
protocol kernel K6 {
|
protocol kernel K6 {
|
||||||
ipv6 {
|
ipv6 {
|
||||||
export all;
|
export all;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
protocol device {
|
protocol device {
|
||||||
scan time 10;
|
scan time 10;
|
||||||
}
|
}
|
||||||
|
|
||||||
protocol ospf v2 ZW4 {
|
protocol ospf v2 ZW4 {
|
||||||
area 0 {
|
area 0 {
|
||||||
networks {
|
networks {
|
||||||
172.20.72.0/21;
|
172.20.72.0/21;
|
||||||
};
|
|
||||||
stubnet 10.200.0.0/15;
|
|
||||||
interface "core" {
|
|
||||||
authentication cryptographic;
|
|
||||||
password "${import <secrets/shared/ospf/message-digest-key.nix>}";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
stubnet 10.200.0.0/15;
|
||||||
|
interface "core" {
|
||||||
protocol ospf v3 ZW6 {
|
authentication cryptographic;
|
||||||
area 0 {
|
password "${import <secrets/shared/ospf/message-digest-key.nix>}";
|
||||||
networks {
|
|
||||||
fd23:42:c3d2:500::/56;
|
|
||||||
2a02:8106:208:5200::/56;
|
|
||||||
2a02:8106:211:e900::/56;
|
|
||||||
};
|
|
||||||
interface "core" {
|
|
||||||
#authentication cryptographic;
|
|
||||||
#password "${import <secrets/shared/ospf/message-digest-key.nix>}";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
};
|
||||||
|
}
|
||||||
|
|
||||||
router id ${coreAddress};
|
protocol ospf v3 ZW6 {
|
||||||
'';
|
area 0 {
|
||||||
|
networks {
|
||||||
|
fd23:42:c3d2:500::/56;
|
||||||
|
2a02:8106:208:5200::/56;
|
||||||
|
2a02:8106:211:e900::/56;
|
||||||
|
};
|
||||||
|
interface "core" {
|
||||||
|
#authentication cryptographic;
|
||||||
|
#password "${import <secrets/shared/ospf/message-digest-key.nix>}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
router id ${coreAddress};
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# HTTP Reverse Proxy to provide services into Freifunk
|
# HTTP Reverse Proxy to provide services into Freifunk
|
||||||
|
@ -229,34 +230,37 @@ in {
|
||||||
"c3d2.ffdd" = {
|
"c3d2.ffdd" = {
|
||||||
default = true;
|
default = true;
|
||||||
root = <this-host/assets>;
|
root = <this-host/assets>;
|
||||||
locations =
|
locations = let
|
||||||
let
|
sysinfo-json = {
|
||||||
sysinfo-json = {
|
alias = "/run/nginx/sysinfo.json";
|
||||||
alias = "/run/nginx/sysinfo.json";
|
extraConfig = ''
|
||||||
extraConfig = ''
|
add_header Content-Type "application/json;charset=UTF-8";
|
||||||
add_header Content-Type "application/json;charset=UTF-8";
|
'';
|
||||||
'';
|
|
||||||
};
|
|
||||||
in {
|
|
||||||
"/" = {
|
|
||||||
index = "index.html";
|
|
||||||
extraConfig = ''
|
|
||||||
etag off;
|
|
||||||
add_header etag "\"${builtins.substring 11 32 (<this-host> + "/assets")}\"";
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
"=/sysinfo-json.cgi" = sysinfo-json;
|
|
||||||
"=/sysinfo.json" = sysinfo-json;
|
|
||||||
};
|
};
|
||||||
|
in {
|
||||||
|
"/" = {
|
||||||
|
index = "index.html";
|
||||||
|
extraConfig = ''
|
||||||
|
etag off;
|
||||||
|
add_header etag "\"${
|
||||||
|
builtins.substring 11 32 (<this-host> + "/assets")
|
||||||
|
}\"";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"=/sysinfo-json.cgi" = sysinfo-json;
|
||||||
|
"=/sysinfo.json" = sysinfo-json;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
"storage.hq.c3d2.ffdd".locations."/".proxyPass = "http://storage.hq.c3d2.de/";
|
"storage.hq.c3d2.ffdd".locations."/".proxyPass =
|
||||||
|
"http://storage.hq.c3d2.de/";
|
||||||
"grafana.hq.c3d2.ffdd".locations."/" = {
|
"grafana.hq.c3d2.ffdd".locations."/" = {
|
||||||
proxyPass = "https://grafana.hq.c3d2.de/";
|
proxyPass = "https://grafana.hq.c3d2.de/";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_ssl_server_name on;
|
proxy_ssl_server_name on;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
"influxdb.hq.c3d2.ffdd".locations."/".proxyPass = "http://grafana.hq.c3d2.de:8086/";
|
"influxdb.hq.c3d2.ffdd".locations."/".proxyPass =
|
||||||
|
"http://grafana.hq.c3d2.de:8086/";
|
||||||
};
|
};
|
||||||
};
|
};
|
@ -1,8 +1,6 @@
|
||||||
{ pkgs ? import <nixpkgs> {},
|
{ pkgs ? import <nixpkgs> { }, ffdd-server ?
|
||||||
ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git",
|
builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git", bmxd
|
||||||
bmxd,
|
, ddmeshNode, ... }:
|
||||||
ddmeshNode,
|
|
||||||
... }:
|
|
||||||
|
|
||||||
with pkgs;
|
with pkgs;
|
||||||
let
|
let
|
||||||
|
@ -18,8 +16,7 @@ let
|
||||||
gps_longitude = "13.7285866";
|
gps_longitude = "13.7285866";
|
||||||
gps_altitude = "100";
|
gps_altitude = "100";
|
||||||
};
|
};
|
||||||
in
|
in stdenv.mkDerivation {
|
||||||
stdenv.mkDerivation {
|
|
||||||
name = "sysinfo-json";
|
name = "sysinfo-json";
|
||||||
src = "${ffdd-server}/salt/freifunk/base/ddmesh/";
|
src = "${ffdd-server}/salt/freifunk/base/ddmesh/";
|
||||||
buildPhase = ''
|
buildPhase = ''
|
||||||
|
@ -50,14 +47,21 @@ stdenv.mkDerivation {
|
||||||
--replace '"node_type":"server"' '"node_type":"node"' \
|
--replace '"node_type":"server"' '"node_type":"node"' \
|
||||||
--replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \
|
--replace ddmesh-ipcalc.sh $out/bin/ddmesh-ipcalc.sh \
|
||||||
--replace lsb_release $out/bin/lsb_release \
|
--replace lsb_release $out/bin/lsb_release \
|
||||||
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"} 0 \
|
--replace ${
|
||||||
--replace ${lib.strings.escapeShellArg "$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"} 0 \
|
lib.strings.escapeShellArg
|
||||||
|
"$(sudo /sbin/iptables -w -xvn -L stat_from_ovpn | awk '/RETURN/{print $2}')"
|
||||||
|
} 0 \
|
||||||
|
--replace ${
|
||||||
|
lib.strings.escapeShellArg
|
||||||
|
"$(sudo /sbin/iptables -w -xvn -L stat_to_ovpn | awk '/RETURN/{print $2}')"
|
||||||
|
} 0 \
|
||||||
--replace 'nettype_lookup[$2]' '"lan"' \
|
--replace 'nettype_lookup[$2]' '"lan"' \
|
||||||
--replace awk ${gawk}/bin/awk
|
--replace awk ${gawk}/bin/awk
|
||||||
'' +
|
'' + lib.strings.concatStrings (lib.attrsets.mapAttrsToList (var: value: ''
|
||||||
lib.strings.concatStrings (lib.attrsets.mapAttrsToList (
|
substituteInPlace sysinfo-json.cgi --replace ${
|
||||||
var: value: "substituteInPlace sysinfo-json.cgi --replace ${lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"} '${value}'\n"
|
lib.strings.escapeShellArg "$(uci -qX get ffdd.sys.${var})"
|
||||||
) nvram);
|
} '${value}'
|
||||||
|
'') nvram);
|
||||||
installPhase = ''
|
installPhase = ''
|
||||||
pwd
|
pwd
|
||||||
mkdir -p $out/bin
|
mkdir -p $out/bin
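Review bot: The `ffdd-server` default argument calls `builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"` with no `rev` or `ref`, so every evaluation pulls whatever the upstream default branch points at and then rewrites its shell scripts with `substituteInPlace`; a force-push or compromised upstream silently changes what ends up in `sysinfo-json.cgi` on the Freifunk host. Pin it to a reviewed commit: `ffdd-server ? builtins.fetchGit { url = "https://github.com/Freifunk-Dresden/ffdd-server.git"; ref = "master"; rev = "<reviewed commit>"; }` and bump the rev deliberately. The `stdenv.mkDerivation` this argument feeds starts in an earlier hunk and ends outside this section.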
@ -15,7 +15,10 @@
|
||||||
|
|
||||||
networking.hostName = "grafana";
|
networking.hostName = "grafana";
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.43"; prefixLength = 26; } ];
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.43";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
|
|
||||||
# http https influxdb
|
# http https influxdb
|
@ -9,7 +9,10 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "kibana";
|
networking.hostName = "kibana";
|
||||||
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.44"; prefixLength = 26; } ];
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.44";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
@ -31,32 +34,30 @@
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
email = "mail@c3d2.de";
|
email = "mail@c3d2.de";
|
||||||
};
|
};
|
||||||
services.nginx =
|
services.nginx = let
|
||||||
let
|
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
|
||||||
authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY";
|
vhost = url: {
|
||||||
vhost = url: {
|
forceSSL = true;
|
||||||
forceSSL = true;
|
enableACME = true;
|
||||||
enableACME = true;
|
locations."/" = {
|
||||||
locations."/" = {
|
proxyPass = url;
|
||||||
proxyPass = url;
|
extraConfig = ''
|
||||||
extraConfig = ''
|
auth_basic "Chaos";
|
||||||
auth_basic "Chaos";
|
auth_basic_user_file ${authFile};
|
||||||
auth_basic_user_file ${authFile};
|
'';
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
enable = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
virtualHosts = {
|
|
||||||
"kibana.hq.c3d2.de" =
|
|
||||||
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
|
|
||||||
"kibana-es.hq.c3d2.de" =
|
|
||||||
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
in {
|
||||||
|
enable = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
virtualHosts = {
|
||||||
|
"kibana.hq.c3d2.de" =
|
||||||
|
vhost "http://127.0.0.1:${toString config.services.kibana.port}";
|
||||||
|
"kibana-es.hq.c3d2.de" =
|
||||||
|
vhost "http://127.0.0.1:${toString config.services.elasticsearch.port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
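Review bot: `authFile = pkgs.writeText "htpasswd" "k-ot:sawCOTsl/fIUY"` commits a login credential to the repository and writes it into the world-readable Nix store on every machine that evaluates this config, and the 13-character `$`-less hash is traditional DES crypt(3), which truncates the password to 8 characters and is cheap to brute-force. Regenerate the entry with a modern crypt scheme (e.g. `openssl passwd -6`, which nginx's `auth_basic` accepts), keep the file outside the store and reference it by path in `auth_basic_user_file`, and rotate the current password since it is already in git history. Note also that `kibana-es.hq.c3d2.de` places the entire Elasticsearch REST API behind that single shared credential, and the public-access proxy in this same commit publishes that name, so this is worth a second look.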
@ -5,33 +5,24 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ vim ];
|
||||||
vim
|
|
||||||
];
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "logging";
|
hostName = "logging";
|
||||||
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.13"; prefixLength = 26; } ];
|
interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.13";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
defaultGateway = "172.20.73.1";
|
defaultGateway = "172.20.73.1";
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [ 22 9000 80 443 5044 12201 514 ];
|
||||||
22
|
allowedUDPPorts = [ 514 ];
|
||||||
9000
|
|
||||||
80
|
|
||||||
443
|
|
||||||
5044
|
|
||||||
12201
|
|
||||||
514
|
|
||||||
];
|
|
||||||
allowedUDPPorts = [
|
|
||||||
514
|
|
||||||
];
|
|
||||||
enable = false;
|
enable = false;
|
||||||
};
|
};
|
||||||
dhcpcd.denyInterfaces = [ "eth1" ];
|
dhcpcd.denyInterfaces = [ "eth1" ];
|
||||||
|
@ -53,28 +44,26 @@
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
default = {
|
default = { locations = { "/".proxyPass = "http://127.0.0.1:9000/"; }; };
|
||||||
locations = {
|
|
||||||
"/".proxyPass = "http://127.0.0.1:9000/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.graylog = {
|
services.graylog = {
|
||||||
enable = true;
|
enable = true;
|
||||||
passwordSecret = "SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V";
|
passwordSecret =
|
||||||
|
"SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V";
|
||||||
# mongo.serv.zentralwerk. ?
|
# mongo.serv.zentralwerk. ?
|
||||||
elasticsearchHosts = [ "http://elastic1.serv.zentralwerk.org:9200" ];
|
elasticsearchHosts = [ "http://elastic1.serv.zentralwerk.org:9200" ];
|
||||||
rootPasswordSha2 = "3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd";
|
rootPasswordSha2 =
|
||||||
|
"3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd";
|
||||||
# mongo.serv.zentralwerk. ?
|
# mongo.serv.zentralwerk. ?
|
||||||
mongodbUri = "mongodb://mongo.serv.zentralwerk.org/graylog";
|
mongodbUri = "mongodb://mongo.serv.zentralwerk.org/graylog";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
http_bind_address = 0.0.0.0:9000
|
http_bind_address = 0.0.0.0:9000
|
||||||
http_publish_uri = http://logging.serv.zentralwerk.org/
|
http_publish_uri = http://logging.serv.zentralwerk.org/
|
||||||
elasticsearch_shards = 1
|
elasticsearch_shards = 1
|
||||||
allow_highlighting = true
|
allow_highlighting = true
|
||||||
allow_leading_wildcard_searches = true
|
allow_leading_wildcard_searches = true
|
||||||
'';
|
'';
|
||||||
user = "root";
|
user = "root";
|
||||||
};
|
};
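Review bot: `passwordSecret` and `rootPasswordSha2` are literal values in the configuration, so they live in git history and in the world-readable Nix store of every host that evaluates this file; the other hosts in this commit use `import <secrets/...>` for exactly this, and both values should move there and be rotated. Two smaller points in the same file: `firewall.enable = false` makes the `allowedTCPPorts`/`allowedUDPPorts` lists above it inert, so either set `enable = true` or delete the lists so nobody assumes they are enforced, and `user = "root"` runs Graylog (which binds `0.0.0.0:9000` per `extraConfig`) as root, which presumably is not required by the module and should be dropped in favour of its default service user — confirm against the module.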
@ -22,9 +22,7 @@
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ wget vim ];
|
||||||
wget vim
|
|
||||||
];
|
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
|
||||||
|
|
|
@ -5,26 +5,23 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ vim mongodb-tools ];
|
||||||
vim
|
|
||||||
mongodb-tools
|
|
||||||
];
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "mongo";
|
hostName = "mongo";
|
||||||
interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.21"; prefixLength = 26; } ];
|
interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.21";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
defaultGateway = "172.20.73.1";
|
defaultGateway = "172.20.73.1";
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [ 22 27017 ];
|
||||||
22
|
|
||||||
27017
|
|
||||||
];
|
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
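Review bot: Opening `27017` in `allowedTCPPorts` exposes MongoDB to every host on the eth0 subnet, and the Graylog host in this same commit connects with `mongodb://mongo.serv.zentralwerk.org/graylog`, a URI with no credentials, which suggests mongod runs without authentication. If that is the case, any machine on 172.20.73.0/26 can read or rewrite Graylog's state. Limit the rule to the consumer — drop `27017` from `allowedTCPPorts` and add `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp -s 172.20.73.13 --dport 27017 -j nixos-fw-accept";` — and enable authentication on the MongoDB service if it is not already (its configuration is outside this section).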
@ -1,34 +1,39 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
tiggerGit = builtins.fetchTarball https://github.com/astro/tigger/archive/master.tar.gz;
|
tiggerGit = builtins.fetchTarball
|
||||||
in
|
"https://github.com/astro/tigger/archive/master.tar.gz";
|
||||||
{
|
in {
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
"${tiggerGit}/module.nix"
|
"${tiggerGit}/module.nix"
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "mucbot";
|
networking.hostName = "mucbot";
|
||||||
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.27"; prefixLength = 26; } ];
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.27";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
|
networking.nameservers =
|
||||||
|
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
|
||||||
|
|
||||||
users.users.tigger = {
|
users.users.tigger = {
|
||||||
createHome = true;
|
createHome = true;
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
group = "tigger";
|
group = "tigger";
|
||||||
};
|
};
|
||||||
users.groups.tigger = {};
|
users.groups.tigger = { };
|
||||||
services.tigger = {
|
services.tigger = {
|
||||||
enable = true;
|
enable = true;
|
||||||
user = "tigger";
|
user = "tigger";
|
||||||
group = "tigger";
|
group = "tigger";
|
||||||
jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix;
|
jid = import ../../../secrets/hosts/mucbot/jabber-jid.nix;
|
||||||
password = import ../../../secrets/hosts/mucbot/jabber-password.nix;
|
password = import ../../../secrets/hosts/mucbot/jabber-password.nix;
|
||||||
mucs = [ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ];
|
mucs =
|
||||||
|
[ "c3d2@chat.c3d2.de/Astrobot" "international@chat.c3d2.de/Astrobot" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
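Review bot: `tiggerGit = builtins.fetchTarball "https://github.com/astro/tigger/archive/master.tar.gz"` has no `sha256` and tracks a moving `master`, and the result is imported as a NixOS module via `"${tiggerGit}/module.nix"`, so whoever can change that repository (or tamper with the download) can evaluate arbitrary configuration on this host, which also imports the jabber JID and password secrets. Pin it to an immutable ref with a hash: `tiggerGit = builtins.fetchTarball { url = "https://github.com/astro/tigger/archive/<commit>.tar.gz"; sha256 = "<hash>"; };` and bump it deliberately. The unpinned `builtins.fetchGit` on the `scrape` host further down has the same problem, though its hunk is cut off at the end of the page.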
@ -5,28 +5,18 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ vim ];
|
||||||
vim
|
|
||||||
];
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "prometheus";
|
hostName = "prometheus";
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [ 22 80 443 9090 9091 9093 9094 ];
|
||||||
22
|
|
||||||
80
|
|
||||||
443
|
|
||||||
9090
|
|
||||||
9091
|
|
||||||
9093
|
|
||||||
9094
|
|
||||||
];
|
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -51,23 +41,21 @@
|
||||||
"repeat_interval" = "4h";
|
"repeat_interval" = "4h";
|
||||||
"receiver" = "team-admins";
|
"receiver" = "team-admins";
|
||||||
};
|
};
|
||||||
"receivers" = [
|
"receivers" = [{
|
||||||
{
|
"name" = "team-admins";
|
||||||
"name" = "team-admins";
|
# "email_configs" = [
|
||||||
# "email_configs" = [
|
# {
|
||||||
# {
|
# "to" = "devnull@example.com";
|
||||||
# "to" = "devnull@example.com";
|
# "send_resolved" = true;
|
||||||
# "send_resolved" = true;
|
# }
|
||||||
# }
|
# ];
|
||||||
# ];
|
# "webhook_configs" = [
|
||||||
# "webhook_configs" = [
|
# {
|
||||||
# {
|
# "url" = "https://example.com/prometheus-alerts";
|
||||||
# "url" = "https://example.com/prometheus-alerts";
|
# "send_resolved" = true;
|
||||||
# "send_resolved" = true;
|
# }
|
||||||
# }
|
# ];
|
||||||
# ];
|
}];
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -75,12 +63,12 @@
|
||||||
|
|
||||||
pushgateway = {
|
pushgateway = {
|
||||||
enable = true;
|
enable = true;
|
||||||
web.external-url = "http://prometheus.serv.zentralwerk.org/push/";
|
web.external-url = "http://prometheus.serv.zentralwerk.org/push/";
|
||||||
};
|
};
|
||||||
|
|
||||||
exporters.collectd.enable = true;
|
exporters.collectd.enable = true;
|
||||||
exporters.collectd.openFirewall = true;
|
exporters.collectd.openFirewall = true;
|
||||||
|
|
||||||
exporters.nginx.enable = true;
|
exporters.nginx.enable = true;
|
||||||
exporters.nginx.openFirewall = true;
|
exporters.nginx.openFirewall = true;
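Review bot: `allowedTCPPorts = [ 22 80 443 9090 9091 9093 9094 ]` opens Prometheus, the pushgateway and alertmanager directly alongside the 80/443 front door, and none of those daemons authenticate their HTTP APIs; the pushgateway on 9091 in particular accepts unauthenticated pushes and deletions of metric groups, and `exporters.collectd.openFirewall`/`exporters.nginx.openFirewall` add two more listeners. `web.external-url = "http://prometheus.serv.zentralwerk.org/push/"` suggests the proxy on 80/443 is the intended entry point, so the raw ports should presumably be dropped (`allowedTCPPorts = [ 22 80 443 ];`) or restricted to the specific scrape and alerting peers with `networking.firewall.extraCommands` — confirm which peers need direct access before removing them.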
@ -5,17 +5,20 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
./proxy.nix
|
./proxy.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "public-access-proxy";
|
networking.hostName = "public-access-proxy";
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
networking.interfaces.eth0 = {
|
networking.interfaces.eth0 = {
|
||||||
ipv4.addresses = [ { address = "172.20.73.45"; prefixLength = 26; } ];
|
ipv4.addresses = [{
|
||||||
|
address = "172.20.73.45";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
};
|
};
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
|
|
||||||
|
@ -24,35 +27,55 @@
|
||||||
proxyHosts = [
|
proxyHosts = [
|
||||||
{
|
{
|
||||||
hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ];
|
hostNames = [ "cloud.bombenverleih.de" "unifi.arkom.men" ];
|
||||||
proxyTo = { host = "172.22.99.192"; httpPort = 80; httpsPort = 443; };
|
proxyTo = {
|
||||||
|
host = "172.22.99.192";
|
||||||
|
httpPort = 80;
|
||||||
|
httpsPort = 443;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostNames = [ "grafana.hq.c3d2.de" ];
|
hostNames = [ "grafana.hq.c3d2.de" ];
|
||||||
proxyTo = { host = "grafana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
|
proxyTo = {
|
||||||
|
host = "grafana.serv.zentralwerk.dn42";
|
||||||
|
httpPort = 80;
|
||||||
|
httpsPort = 443;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];
|
hostNames = [ "kibana.hq.c3d2.de" "kibana-es.hq.c3d2.de" ];
|
||||||
proxyTo = { host = "kibana.serv.zentralwerk.dn42"; httpPort = 80; httpsPort = 443; };
|
proxyTo = {
|
||||||
|
host = "kibana.serv.zentralwerk.dn42";
|
||||||
|
httpPort = 80;
|
||||||
|
httpsPort = 443;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostNames = [ "robo1.hq.c3d2.de" ];
|
hostNames = [ "robo1.hq.c3d2.de" ];
|
||||||
proxyTo = { host = "172.20.79.62"; httpPort = 80; };
|
proxyTo = {
|
||||||
|
host = "172.20.79.62";
|
||||||
|
httpPort = 80;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostNames = [ "robots.datenspuren.de" ];
|
hostNames = [ "robots.datenspuren.de" ];
|
||||||
proxyTo = { host = "172.22.99.170"; httpPort = 80; httpsPort = 443; };
|
proxyTo = {
|
||||||
|
host = "172.22.99.170";
|
||||||
|
httpPort = 80;
|
||||||
|
httpsPort = 443;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
hostNames = [ "error.hq.c3d2.de" ];
|
hostNames = [ "error.hq.c3d2.de" ];
|
||||||
proxyTo = { host = "172.20.73.47"; httpPort = 80; httpsPort = 443; };
|
proxyTo = {
|
||||||
|
host = "172.20.73.47";
|
||||||
|
httpPort = 80;
|
||||||
|
httpsPort = 443;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
80
|
|
||||||
443
|
|
||||||
];
|
|
||||||
|
|
||||||
system.stateVersion = "18.09"; # Did you read the comment?
|
system.stateVersion = "18.09"; # Did you read the comment?
@ -1,8 +1,7 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let cfg = config.my.services.proxy;
|
||||||
cfg = config.my.services.proxy;
|
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
@ -15,58 +14,59 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
proxyHosts = mkOption {
|
proxyHosts = mkOption {
|
||||||
type = types.listOf (types.submodule (
|
type = types.listOf (types.submodule ({
|
||||||
{
|
options = {
|
||||||
options = {
|
hostNames = mkOption {
|
||||||
hostNames = mkOption {
|
type = types.listOf types.str;
|
||||||
type = types.listOf types.str;
|
default = [ ];
|
||||||
default = [];
|
description = ''
|
||||||
description = ''
|
Proxy these hostNames.
|
||||||
Proxy these hostNames.
|
'';
|
||||||
'';
|
|
||||||
};
|
|
||||||
proxyTo = mkOption {
|
|
||||||
type = types.submodule (
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
host = mkOption {
|
|
||||||
type = types.nullOr types.string;
|
|
||||||
default = null;
|
|
||||||
description = ''
|
|
||||||
Host to forward traffic to.
|
|
||||||
Any hostname may only be used once
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
httpPort = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
default = 80;
|
|
||||||
description = ''
|
|
||||||
Port to forward http to.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
httpsPort = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
default = 443;
|
|
||||||
description = ''
|
|
||||||
Port to forward http to.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
description = ''
|
|
||||||
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
|
|
||||||
'';
|
|
||||||
default = {};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
proxyTo = mkOption {
|
||||||
|
type = types.submodule ({
|
||||||
|
options = {
|
||||||
|
host = mkOption {
|
||||||
|
type = types.nullOr types.string;
|
||||||
|
default = null;
|
||||||
|
description = ''
|
||||||
|
Host to forward traffic to.
|
||||||
|
Any hostname may only be used once
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
httpPort = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
default = 80;
|
||||||
|
description = ''
|
||||||
|
Port to forward http to.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
httpsPort = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
default = 443;
|
||||||
|
description = ''
|
||||||
|
Port to forward http to.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
description = ''
|
||||||
|
{ host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
|
||||||
|
'';
|
||||||
|
default = { };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
}));
|
}));
|
||||||
default = [];
|
default = [ ];
|
||||||
example = [
|
example = [{
|
||||||
{ hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
|
hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
|
||||||
proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
|
proxyTo = {
|
||||||
}
|
host = "172.22.99.99";
|
||||||
];
|
httpPort = 80;
|
||||||
|
httpsPort = 443;
|
||||||
|
};
|
||||||
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
@ -81,7 +81,7 @@ in {
|
||||||
timeout client 30000
|
timeout client 30000
|
||||||
option http-keep-alive
|
option http-keep-alive
|
||||||
default_backend proxy-backend-http
|
default_backend proxy-backend-http
|
||||||
|
|
||||||
backend proxy-backend-http
|
backend proxy-backend-http
|
||||||
timeout connect 5000
|
timeout connect 5000
|
||||||
timeout check 5000
|
timeout check 5000
|
||||||
|
@ -91,15 +91,16 @@ in {
|
||||||
option forwardfor
|
option forwardfor
|
||||||
http-request set-header X-Forwarded-Proto http
|
http-request set-header X-Forwarded-Proto http
|
||||||
http-request set-header X-Forwarded-Port 80
|
http-request set-header X-Forwarded-Port 80
|
||||||
${concatMapStringsSep "\n" (proxyHost:
|
${
|
||||||
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
|
concatMapStringsSep "\n" (proxyHost:
|
||||||
concatMapStringsSep "\n" (hostname: ''
|
optionalString
|
||||||
|
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
|
||||||
|
(concatMapStringsSep "\n" (hostname: ''
|
||||||
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
|
use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
|
||||||
server ${hostname}-http ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpPort}
|
server ${hostname}-http ${proxyHost.proxyTo.host}:${
|
||||||
''
|
toString proxyHost.proxyTo.httpPort
|
||||||
) (proxyHost.hostNames)
|
}
|
||||||
)
|
'') (proxyHost.hostNames))) (cfg.proxyHosts)
|
||||||
) (cfg.proxyHosts)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
frontend https-in
|
frontend https-in
|
||||||
|
@ -114,15 +115,16 @@ in {
|
||||||
option http-server-close
|
option http-server-close
|
||||||
http-request set-header X-Forwarded-Proto https
|
http-request set-header X-Forwarded-Proto https
|
||||||
http-request set-header X-Forwarded-Port 443
|
http-request set-header X-Forwarded-Port 443
|
||||||
${concatMapStringsSep "\n" (proxyHost:
|
${
|
||||||
optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
|
concatMapStringsSep "\n" (proxyHost:
|
||||||
concatMapStringsSep "\n" (hostname: ''
|
optionalString
|
||||||
|
(proxyHost.hostNames != [ ] && proxyHost.proxyTo.host != null)
|
||||||
|
(concatMapStringsSep "\n" (hostname: ''
|
||||||
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
|
use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
|
||||||
server ${hostname}-https ${proxyHost.proxyTo.host}:${toString proxyHost.proxyTo.httpsPort}
|
server ${hostname}-https ${proxyHost.proxyTo.host}:${
|
||||||
''
|
toString proxyHost.proxyTo.httpsPort
|
||||||
) (proxyHost.hostNames)
|
}
|
||||||
)
|
'') (proxyHost.hostNames))) (cfg.proxyHosts)
|
||||||
) (cfg.proxyHosts)
|
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
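Review bot: The option types are looser than the generated haproxy config can tolerate: `host` is `types.nullOr types.string` (the deprecated alias, which merges duplicate definitions by concatenation instead of erroring — use `types.str`), and `httpPort`/`httpsPort` are `types.int`, which accepts `-1` or `70000`; `types.port` rejects those before they are spliced into `server ${hostname}-http ${host}:${port}`. Since `hostNames` entries go unescaped into `use-server ... if { req.hdr(host) -i ${hostname} }` and into server names, `types.listOf (types.strMatching "[A-Za-z0-9.-]+")` on `hostNames` would stop a stray space or brace from breaking, or silently widening, the ACL. The `httpsPort` description also says `Port to forward http to.`; it should read `Port to forward https to.`.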
@ -5,8 +5,8 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/lxc-container.nix
|
||||||
../../../lib/shared.nix
|
../../../lib/shared.nix
|
||||||
../../../lib/admins.nix
|
../../../lib/admins.nix
|
||||||
];
|
];
|
||||||
|
@ -15,43 +15,34 @@
|
||||||
hostName = "registry";
|
hostName = "registry";
|
||||||
# usePredictableInterfacenames = false;
|
# usePredictableInterfacenames = false;
|
||||||
interfaces.eth0.ipv4.addresses = [{
|
interfaces.eth0.ipv4.addresses = [{
|
||||||
address = "172.22.99.34";
|
address = "172.22.99.34";
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
}];
|
}];
|
||||||
interfaces.eth0.ipv6.addresses = [{
|
interfaces.eth0.ipv6.addresses = [{
|
||||||
address= "2a02:8106:208:5201::34";
|
address = "2a02:8106:208:5201::34";
|
||||||
prefixLength = 64;
|
prefixLength = 64;
|
||||||
}];
|
}];
|
||||||
|
|
||||||
dhcpcd.denyInterfaces = [ "eth0" ];
|
dhcpcd.denyInterfaces = [ "eth0" ];
|
||||||
|
|
||||||
defaultGateway = {
|
defaultGateway = {
|
||||||
address = "172.22.99.1";
|
address = "172.22.99.1";
|
||||||
interface = "eth0";
|
interface = "eth0";
|
||||||
metric = 10;
|
metric = 10;
|
||||||
};
|
};
|
||||||
#defaultGateway6 = {
|
#defaultGateway6 = {
|
||||||
# address = "fe80::a800:42ff:fe7a:3246";
|
# address = "fe80::a800:42ff:fe7a:3246";
|
||||||
# interface = "ens18";
|
# interface = "ens18";
|
||||||
#};
|
#};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Open ports in the firewall.
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
|
||||||
22
|
|
||||||
80
|
|
||||||
443
|
|
||||||
5000
|
|
||||||
];
|
|
||||||
|
|
||||||
|
# Open ports in the firewall.
|
||||||
|
networking.firewall.allowedTCPPorts = [ 22 80 443 5000 ];
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ wget vim ];
|
||||||
wget
|
|
||||||
vim
|
|
||||||
];
|
|
||||||
|
|
||||||
services.dockerRegistry = {
|
services.dockerRegistry = {
|
||||||
enable = true;
|
enable = true;
|
||||||
storagePath = "/srv/docker-registry";
|
storagePath = "/srv/docker-registry";
|
||||||
|
@ -81,4 +72,3 @@
|
||||||
system.stateVersion = "19.03"; # Did you read the comment?
|
system.stateVersion = "19.03"; # Did you read the comment?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -24,77 +24,77 @@ in {
|
||||||
enableHail = false;
|
enableHail = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
networking.hostName = "scrape";
|
networking.hostName = "scrape";
|
||||||
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.32"; prefixLength = 26; } ];
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.32";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
|
|
||||||
# Required for krops
|
# Required for krops
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
environment.systemPackages = [ pkgs.git ];
|
environment.systemPackages = [ pkgs.git ];
|
||||||
|
|
||||||
systemd.services =
|
systemd.services = let
|
||||||
let
|
scrapers = import (builtins.fetchGit {
|
||||||
scrapers = import (
|
url = "https://gitea.c3d2.de/astro/scrapers.git";
|
||||||
builtins.fetchGit { url = "https://gitea.c3d2.de/astro/scrapers.git"; }
|
}) { inherit pkgs; };
|
||||||
) {
|
makeService = { script, host, user ? "", password ? "" }: {
|
||||||
inherit pkgs;
|
script =
|
||||||
|
"${scrapers.${script}}/bin/${script} ${host} ${user} ${password}";
|
||||||
|
};
|
||||||
|
xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
|
||||||
|
fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
|
||||||
|
matematLogin = import <secrets/hosts/scrape/matemat.nix>;
|
||||||
|
makeNodeScraper = nodeId: {
|
||||||
|
name = "scrape-node${nodeId}";
|
||||||
|
value = makeService {
|
||||||
|
script = "freifunk_node";
|
||||||
|
host = freifunkNodes.${nodeId};
|
||||||
};
|
};
|
||||||
makeService = { script, host, user ? "", password ? "" }: {
|
};
|
||||||
script = "${scrapers.${script}}/bin/${script} ${host} ${user} ${password}";
|
in {
|
||||||
};
|
scrape-xeri = makeService {
|
||||||
xeriLogin = import <secrets/hosts/scrape/xeri.nix>;
|
script = "xerox";
|
||||||
fhemLogin = import <secrets/hosts/scrape/fhem.nix>;
|
host = "xeri.hq.c3d2.de";
|
||||||
matematLogin = import <secrets/hosts/scrape/matemat.nix>;
|
inherit (xeriLogin) user password;
|
||||||
makeNodeScraper = nodeId: {
|
};
|
||||||
name = "scrape-node${nodeId}";
|
scrape-roxi = makeService {
|
||||||
value = makeService {
|
script = "xerox";
|
||||||
script = "freifunk_node";
|
host = "roxi.hq.c3d2.de";
|
||||||
host = freifunkNodes.${nodeId};
|
};
|
||||||
};
|
scrape-fhem = makeService {
|
||||||
};
|
script = "fhem";
|
||||||
in {
|
host = "fhem.hq.c3d2.de";
|
||||||
scrape-xeri = makeService {
|
inherit (fhemLogin) user password;
|
||||||
script = "xerox";
|
};
|
||||||
host = "xeri.hq.c3d2.de";
|
scrape-matemat = makeService {
|
||||||
inherit (xeriLogin) user password;
|
script = "matemat";
|
||||||
};
|
host = "matemat.hq.c3d2.de";
|
||||||
scrape-roxi = makeService {
|
inherit (matematLogin) user password;
|
||||||
script = "xerox";
|
};
|
||||||
host = "roxi.hq.c3d2.de";
|
} // builtins.listToAttrs
|
||||||
};
|
(map makeNodeScraper (builtins.attrNames freifunkNodes));
|
||||||
scrape-fhem = makeService {
|
|
||||||
script = "fhem";
|
|
||||||
host = "fhem.hq.c3d2.de";
|
|
||||||
inherit (fhemLogin) user password;
|
|
||||||
};
|
|
||||||
scrape-matemat = makeService {
|
|
||||||
script = "matemat";
|
|
||||||
host = "matemat.hq.c3d2.de";
|
|
||||||
inherit (matematLogin) user password;
|
|
||||||
};
|
|
||||||
} // builtins.listToAttrs (map makeNodeScraper (builtins.attrNames freifunkNodes));
|
|
||||||
|
|
||||||
systemd.timers =
|
systemd.timers = let
|
||||||
let
|
makeTimer = service: interval: {
|
||||||
makeTimer = service: interval: {
|
partOf = [ "${service}.service" ];
|
||||||
partOf = [ "${service}.service" ];
|
wantedBy = [ "timers.target" ];
|
||||||
wantedBy = [ "timers.target" ];
|
timerConfig.OnCalendar = interval;
|
||||||
timerConfig.OnCalendar = interval;
|
};
|
||||||
|
makeNodeScraperTimer = nodeId:
|
||||||
|
let name = "scrape-node${nodeId}";
|
||||||
|
in {
|
||||||
|
inherit name;
|
||||||
|
value = makeTimer name "minutely";
|
||||||
};
|
};
|
||||||
makeNodeScraperTimer = nodeId:
|
in {
|
||||||
let
|
scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
|
||||||
name = "scrape-node${nodeId}";
|
scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
|
||||||
in {
|
scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
|
||||||
inherit name;
|
scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
|
||||||
value = makeTimer name "minutely";
|
} // builtins.listToAttrs
|
||||||
};
|
(map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
|
||||||
in {
|
|
||||||
scrape-xeri = makeTimer "scrape-xeri.service" "minutely";
|
|
||||||
scrape-roxi = makeTimer "scrape-roxi.service" "minutely";
|
|
||||||
scrape-fhem = makeTimer "scrape-fhem.service" "minutely";
|
|
||||||
scrape-matemat = makeTimer "scrape-matemat.service" "minutely";
|
|
||||||
} // builtins.listToAttrs (map makeNodeScraperTimer (builtins.attrNames freifunkNodes));
|
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
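Review bot: `makeService` still hands the secret to the scraper as positional argv — the reflowed `script = "${scrapers.${script}}/bin/${script} ${host} ${user} ${password}";` — so every login imported from `<secrets/hosts/scrape/*.nix>` is readable by any local user through `ps` or `/proc/<pid>/cmdline`, and a password containing shell metacharacters is interpolated unescaped into the unit's shell script. Pass the credential through `serviceConfig.EnvironmentFile` or `LoadCredential=` instead, and at minimum wrap each argument with `lib.escapeShellArg` (the file header with the module arguments is outside this hunk, so confirm `lib` is in scope). The four hand-written timers also call `makeTimer "scrape-xeri.service" "minutely"` while `makeTimer` appends `.service` itself, so their `partOf` points at the nonexistent `scrape-xeri.service.service`; drop the suffix in those four calls as `makeNodeScraperTimer` already does. Separately, `scrapers` is fetched with `builtins.fetchGit { url = ...; }` and no `rev`, so the deployed scripts track whatever HEAD is at evaluation time; pinning a `rev`, as the `nixcloud-webservices` fetch elsewhere in this commit does, keeps the deployment reproducible and auditable.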
|
||||||
|
|
|
@ -1,24 +1,23 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let spacemsgGit = builtins.fetchGit "https://github.com/astro/spacemsg.git";
|
||||||
spacemsgGit = builtins.fetchGit https://github.com/astro/spacemsg.git;
|
in {
|
||||||
in
|
imports = [
|
||||||
{
|
../../../lib/lxc-container.nix
|
||||||
imports =
|
../../../lib/shared.nix
|
||||||
[ ../../../lib/lxc-container.nix
|
../../../lib/admins.nix
|
||||||
../../../lib/shared.nix
|
"${spacemsgGit}/spaceapi/module.nix"
|
||||||
../../../lib/admins.nix
|
];
|
||||||
"${spacemsgGit}/spaceapi/module.nix"
|
|
||||||
];
|
|
||||||
|
|
||||||
networking.hostName = "spaceapi";
|
networking.hostName = "spaceapi";
|
||||||
networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.25"; prefixLength = 26; } ];
|
networking.interfaces.eth0.ipv4.addresses = [{
|
||||||
|
address = "172.20.73.25";
|
||||||
|
prefixLength = 26;
|
||||||
|
}];
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
|
|
||||||
services.spaceapi = {
|
services.spaceapi = { enable = true; };
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
# This value determines the NixOS release with which your system is to be
|
# This value determines the NixOS release with which your system is to be
|
||||||
# compatible, in order to avoid breaking some software such as database
|
# compatible, in order to avoid breaking some software such as database
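Review bot: The reflowed `let spacemsgGit = builtins.fetchGit "https://github.com/astro/spacemsg.git";` imports a NixOS module (`"${spacemsgGit}/spaceapi/module.nix"`) from an unpinned default branch, so anyone who can push to that repository — or take over the account — gets their module evaluated and activated on this host at the next deploy, and two evaluations are not guaranteed to produce the same system. Pin it with the attribute form, `spacemsgGit = builtins.fetchGit { url = "https://github.com/astro/spacemsg.git"; rev = "<pinned commit>"; };`, as the `nixcloud-webservices` fetch elsewhere in this commit already does. `networking.firewall.enable = false;` on the same host additionally exposes every listening socket; unless the surrounding network is already filtered, keeping the firewall on and opening only the spaceapi port through `networking.firewall.allowedTCPPorts` is the least-privilege choice.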
|
||||||
|
|
|
@ -44,9 +44,15 @@
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
wget vim git tmux screen
|
wget
|
||||||
chromium firefox
|
vim
|
||||||
mpv kodi
|
git
|
||||||
|
tmux
|
||||||
|
screen
|
||||||
|
chromium
|
||||||
|
firefox
|
||||||
|
mpv
|
||||||
|
kodi
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.user.services.x11vnc = {
|
systemd.user.services.x11vnc = {
|
||||||
|
@ -108,9 +114,7 @@
|
||||||
services.xserver.xkbOptions = "eurosign:e";
|
services.xserver.xkbOptions = "eurosign:e";
|
||||||
|
|
||||||
services.xserver.displayManager = {
|
services.xserver.displayManager = {
|
||||||
lightdm = {
|
lightdm = { enable = true; };
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
autoLogin = {
|
autoLogin = {
|
||||||
enable = true;
|
enable = true;
|
||||||
user = "k-ot";
|
user = "k-ot";
|
||||||
|
|
|
@ -6,19 +6,20 @@
|
||||||
{
|
{
|
||||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
boot.initrd.availableKernelModules =
|
||||||
|
[ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
|
device = "/dev/disk/by-uuid/3a8ddd25-0c5d-4fec-b957-bdcea1c52db4";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" = {
|
||||||
{ device = "/dev/disk/by-uuid/6490-45A0";
|
device = "/dev/disk/by-uuid/6490-45A0";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
|
|
@ -1,11 +1,7 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [ ./hydra.nix ./cache.nix ../../lib ];
|
||||||
./hydra.nix
|
|
||||||
./cache.nix
|
|
||||||
../../lib
|
|
||||||
];
|
|
||||||
|
|
||||||
c3d2 = {
|
c3d2 = {
|
||||||
users = {
|
users = {
|
||||||
|
|
|
@ -2,10 +2,8 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
nix = {
|
nix = {
|
||||||
binaryCaches = [
|
binaryCaches =
|
||||||
"https://cache.nixos.org"
|
[ "https://cache.nixos.org" "https://genodepkgs.cachix.org" ];
|
||||||
"https://genodepkgs.cachix.org"
|
|
||||||
];
|
|
||||||
binaryCachePublicKeys = [
|
binaryCachePublicKeys = [
|
||||||
"genodepkgs.cachix.org-1:j6xcYrUP9Q9c+WbS+MbkJR26cqeytOVdC4SmhOYj2Sw="
|
"genodepkgs.cachix.org-1:j6xcYrUP9Q9c+WbS+MbkJR26cqeytOVdC4SmhOYj2Sw="
|
||||||
];
|
];
|
||||||
|
|
|
@ -3,11 +3,10 @@
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
tickerSrc = builtins.fetchGit {
|
tickerSrc =
|
||||||
url = "https://gitea.c3d2.de/astro/ticker.git";
|
builtins.fetchGit { url = "https://gitea.c3d2.de/astro/ticker.git"; };
|
||||||
};
|
in {
|
||||||
in
|
boot.isContainer = true;
|
||||||
{ boot.isContainer = true;
|
|
||||||
#boot.loader.initScript.enable = true;
|
#boot.loader.initScript.enable = true;
|
||||||
networking.hostName = mkDefault "ticker";
|
networking.hostName = mkDefault "ticker";
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
|
@ -38,7 +37,8 @@ in
|
||||||
color = "#FF3F3F";
|
color = "#FF3F3F";
|
||||||
};
|
};
|
||||||
hicknhack = {
|
hicknhack = {
|
||||||
url = "https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics";
|
url =
|
||||||
|
"https://www.google.com/calendar/ical/grhnk1uaotql6gv2dkf9ldmqjc%40group.calendar.google.com/public/basic.ics";
|
||||||
color = "#A700A7";
|
color = "#A700A7";
|
||||||
};
|
};
|
||||||
palaissommer = {
|
palaissommer = {
|
||||||
|
@ -58,15 +58,18 @@ in
|
||||||
color = "#FF7F00";
|
color = "#FF7F00";
|
||||||
};
|
};
|
||||||
rosenwerk-home = {
|
rosenwerk-home = {
|
||||||
url = "https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics";
|
url =
|
||||||
|
"https://www.google.com/calendar/ical/bj85d742g31mgkblbaiusmk3s8%40group.calendar.google.com/public/basic.ics";
|
||||||
color = "#BF003F";
|
color = "#BF003F";
|
||||||
};
|
};
|
||||||
rosenwerk-extern = {
|
rosenwerk-extern = {
|
||||||
url = "https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics";
|
url =
|
||||||
|
"https://www.google.com/calendar/ical/ogo94kraeq5ckmu3jsr0uus2mo%40group.calendar.google.com/private-8d048bfa99cca84705ffa675aacfe22a/basic.ics";
|
||||||
color = "#BF002F";
|
color = "#BF002F";
|
||||||
};
|
};
|
||||||
rosenwerk-kultur = {
|
rosenwerk-kultur = {
|
||||||
url = "https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics";
|
url =
|
||||||
|
"https://www.google.com/calendar/ical/93enn926ddhgr79hnqp83ipj3g%40group.calendar.google.com/public/basic.ics";
|
||||||
color = "#BF001F";
|
color = "#BF001F";
|
||||||
};
|
};
|
||||||
haengemathe = {
|
haengemathe = {
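Review bot: The `rosenwerk-extern` entry embeds a Google Calendar private address (`.../private-8d048bfa99cca84705ffa675aacfe22a/basic.ics`); that token is the only thing protecting the calendar, and it sits in clear text in this file (and in the history before the reformat), so anyone with read access to the repository can read the calendar feed. Move the URL into the `<secrets/...>` tree that other hosts in this commit already import, e.g. `url = (import <secrets/hosts/ticker/calendars.nix>).rosenwerk-extern;`, and reset the private address in Google Calendar so the leaked token stops working — removing it from the file alone does not revoke it.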
|
||||||
|
|
|
@ -7,15 +7,18 @@
|
||||||
let
|
let
|
||||||
octoprintPort = 8080;
|
octoprintPort = 8080;
|
||||||
espCam = "http://172.20.78.164:81";
|
espCam = "http://172.20.78.164:81";
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
imports = [ # Include the results of the hardware scan.
|
imports = [ # Include the results of the hardware scan.
|
||||||
<this-host/hardware-configuration.nix>
|
<this-host/hardware-configuration.nix>
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.grub.enable = false;
|
boot.loader.grub.enable = false;
|
||||||
boot.loader.generic-extlinux-compatible.enable = false;
|
boot.loader.generic-extlinux-compatible.enable = false;
|
||||||
boot.loader.raspberryPi = { enable = true; version = 4; uboot.enable = false; };
|
boot.loader.raspberryPi = {
|
||||||
|
enable = true;
|
||||||
|
version = 4;
|
||||||
|
uboot.enable = false;
|
||||||
|
};
|
||||||
#boot.kernelPackages = pkgs.linuxPackages_rpi4;
|
#boot.kernelPackages = pkgs.linuxPackages_rpi4;
|
||||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
|
||||||
|
@ -49,10 +52,7 @@ in
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [ wget vim git raspberrypi-tools ];
|
||||||
wget vim git
|
|
||||||
raspberrypi-tools
|
|
||||||
];
|
|
||||||
|
|
||||||
# Some programs need SUID wrappers, can be configured further or are
|
# Some programs need SUID wrappers, can be configured further or are
|
||||||
# started in user sessions.
|
# started in user sessions.
|
||||||
|
@ -83,7 +83,6 @@ in
|
||||||
extraGroups = [ "wheel" "audio" ];
|
extraGroups = [ "wheel" "audio" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
# Open ports in the firewall.
|
# Open ports in the firewall.
|
||||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||||
|
@ -111,10 +110,13 @@ in
|
||||||
systemWide = true;
|
systemWide = true;
|
||||||
tcp.enable = true;
|
tcp.enable = true;
|
||||||
tcp.anonymousClients.allowedIpRanges = [
|
tcp.anonymousClients.allowedIpRanges = [
|
||||||
"127.0.0.0/8" "::1/128"
|
"127.0.0.0/8"
|
||||||
|
"::1/128"
|
||||||
"fd23:42:c3d2:500::/56"
|
"fd23:42:c3d2:500::/56"
|
||||||
"172.22.99.0/24" "2a02:8106:208:5200::/56"
|
"172.22.99.0/24"
|
||||||
"172.20.72.0/21" "2a02:8106:211:e900::/56"
|
"2a02:8106:208:5200::/56"
|
||||||
|
"172.20.72.0/21"
|
||||||
|
"2a02:8106:211:e900::/56"
|
||||||
];
|
];
|
||||||
zeroconf.publish.enable = true;
|
zeroconf.publish.enable = true;
|
||||||
package = pkgs.pulseaudioFull;
|
package = pkgs.pulseaudioFull;
|
||||||
|
@ -190,11 +192,11 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# Allow access to printer serial port and GPIO
|
# Allow access to printer serial port and GPIO
|
||||||
users.users.${config.services.octoprint.user}.extraGroups = [ "dialout" "gpio" ];
|
users.users.${config.services.octoprint.user}.extraGroups =
|
||||||
|
[ "dialout" "gpio" ];
|
||||||
|
|
||||||
systemd.services.mjpeg-stream =
|
systemd.services.mjpeg-stream =
|
||||||
let
|
let mjpeg-proxy = pkgs.callPackage <lib/pkgs/mjpeg-proxy.nix> { };
|
||||||
mjpeg-proxy = pkgs.callPackage <lib/pkgs/mjpeg-proxy.nix> {};
|
|
||||||
in {
|
in {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
|
|
|
@ -12,19 +12,17 @@
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [ ];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [ ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
boot.kernelParams = [
|
boot.kernelParams = [ "snd_bcm2835.enable_headphones=1" ];
|
||||||
"snd_bcm2835.enable_headphones=1"
|
|
||||||
];
|
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/disk/by-label/NIXOS_SD";
|
device = "/dev/disk/by-label/NIXOS_SD";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" = {
|
||||||
{ device = "/dev/disk/by-label/FIRMWARE";
|
device = "/dev/disk/by-label/FIRMWARE";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
|
|
@ -100,8 +100,8 @@ in {
|
||||||
|
|
||||||
# Enable the OpenSSH daemon.
|
# Enable the OpenSSH daemon.
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowSFTP = true;
|
allowSFTP = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.atftpd = {
|
services.atftpd = {
|
||||||
|
|
|
@ -4,27 +4,24 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
|
||||||
[ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
|
boot.initrd.availableKernelModules =
|
||||||
|
[ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [ ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{ device = "/dev/vda1";
|
device = "/dev/vda1";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" = {
|
||||||
{ device = "/dev/vda3";
|
device = "/dev/vda3";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices =
|
swapDevices = [{ device = "/dev/vda2"; }];
|
||||||
[ { device = "/dev/vda2"; }
|
|
||||||
];
|
|
||||||
|
|
||||||
nix.maxJobs = lib.mkDefault 4;
|
nix.maxJobs = lib.mkDefault 4;
|
||||||
}
|
}
|
||||||
|
|
18
krops.nix
18
krops.nix
|
@ -1,12 +1,10 @@
|
||||||
let
|
let
|
||||||
krops = builtins.fetchGit {
|
krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };
|
||||||
url = "https://cgit.krebsco.de/krops/";
|
|
||||||
};
|
|
||||||
lib = import "${krops}/lib";
|
lib = import "${krops}/lib";
|
||||||
pkgs = import "${krops}/pkgs" {};
|
pkgs = import "${krops}/pkgs" { };
|
||||||
|
|
||||||
hostSource = path: nixos-branch:
|
hostSource = path: nixos-branch:
|
||||||
lib.evalSource [ {
|
lib.evalSource [{
|
||||||
nixpkgs.git = {
|
nixpkgs.git = {
|
||||||
ref = "origin/${nixos-branch}";
|
ref = "origin/${nixos-branch}";
|
||||||
url = "https://github.com/NixOS/nixpkgs.git";
|
url = "https://github.com/NixOS/nixpkgs.git";
|
||||||
|
@ -16,7 +14,7 @@ let
|
||||||
lib.file = toString ./lib;
|
lib.file = toString ./lib;
|
||||||
secrets.file = toString ./secrets;
|
secrets.file = toString ./secrets;
|
||||||
"host-registry.nix".file = toString ./host-registry.nix;
|
"host-registry.nix".file = toString ./host-registry.nix;
|
||||||
} ];
|
}];
|
||||||
|
|
||||||
deployContainer = containerName: host:
|
deployContainer = containerName: host:
|
||||||
pkgs.krops.writeDeploy containerName {
|
pkgs.krops.writeDeploy containerName {
|
||||||
|
@ -31,14 +29,10 @@ in {
|
||||||
|
|
||||||
glotzbert = pkgs.krops.writeDeploy "glotzbert" {
|
glotzbert = pkgs.krops.writeDeploy "glotzbert" {
|
||||||
source = hostSource "glotzbert" "nixos-20.09";
|
source = hostSource "glotzbert" "nixos-20.09";
|
||||||
target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // {
|
target = lib.mkTarget "k-ot@glotzbert.hq.c3d2.de" // { sudo = true; };
|
||||||
sudo = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
pulsebert = pkgs.krops.writeDeploy "pulsebert" {
|
pulsebert = pkgs.krops.writeDeploy "pulsebert" {
|
||||||
source = hostSource "pulsebert" "nixos-20.09";
|
source = hostSource "pulsebert" "nixos-20.09";
|
||||||
target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // {
|
target = lib.mkTarget "k-ot@pulsebert.hq.c3d2.de" // { sudo = true; };
|
||||||
sudo = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
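Review bot: `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };` fetches the deployment tool itself from an unpinned default branch, and both `lib` and `pkgs` used by every `writeDeploy` come from that checkout, so a tampered upstream is executed with the deployer's privileges and, through `sudo = true`, as root on `glotzbert` and `pulsebert` at the next run. Pin it, e.g. `krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; rev = "<pinned commit>"; };`, and bump the `rev` deliberately when updating. Tracking `origin/${nixos-branch}` for `nixpkgs.git` is a reasonable choice for following a release branch, but the same reasoning applies if reproducible deployments are wanted.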
|
||||||
|
|
|
@ -1,6 +1 @@
|
||||||
{ config, ... }:
|
{ config, ... }: { imports = [ ../secrets/lib/authorized_keys ]; }
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
../secrets/lib/authorized_keys
|
|
||||||
];
|
|
||||||
}
|
|
||||||
|
|
|
@ -162,12 +162,10 @@ in {
|
||||||
host.ip6
|
host.ip6
|
||||||
else
|
else
|
||||||
toHqPrivateAddress hostName;
|
toHqPrivateAddress hostName;
|
||||||
in [
|
in [{
|
||||||
{
|
name = ip6;
|
||||||
name = ip6;
|
value = [ "${hostName}.hq" hostName ];
|
||||||
value = [ "${hostName}.hq" hostName ];
|
}] ++ lib.optional (hasAttr "ip4" host) {
|
||||||
}
|
|
||||||
] ++ lib.optional (hasAttr "ip4" host) {
|
|
||||||
name = host.ip4;
|
name = host.ip4;
|
||||||
value = [ "${hostName}.hq" hostName ];
|
value = [ "${hostName}.hq" hostName ];
|
||||||
};
|
};
|
||||||
|
|
|
@ -20,10 +20,9 @@ let
|
||||||
# replace the hostnames with the IP or hostname of your Graylog2 server
|
# replace the hostnames with the IP or hostname of your Graylog2 server
|
||||||
access_log syslog:server=graylog.server.org:12301 graylog2_json;
|
access_log syslog:server=graylog.server.org:12301 graylog2_json;
|
||||||
error_log syslog:server=graylog.server.org:12302;
|
error_log syslog:server=graylog.server.org:12302;
|
||||||
'';
|
'';
|
||||||
|
|
||||||
in
|
in {
|
||||||
{
|
|
||||||
|
|
||||||
# add central logging
|
# add central logging
|
||||||
services.journalbeat = {
|
services.journalbeat = {
|
||||||
|
|
|
@ -15,7 +15,8 @@
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
networking.useDHCP = false;
|
networking.useDHCP = false;
|
||||||
services.resolved.enable = false;
|
services.resolved.enable = false;
|
||||||
networking.nameservers = [ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
|
networking.nameservers =
|
||||||
|
[ "172.20.73.8" "172.20.72.6" "172.20.72.10" "9.9.9.9" ];
|
||||||
|
|
||||||
networking.interfaces.eth0 = {
|
networking.interfaces.eth0 = {
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
|
@ -36,15 +37,17 @@
|
||||||
|
|
||||||
# Create a few files early before packing tarball for Proxmox
|
# Create a few files early before packing tarball for Proxmox
|
||||||
# architecture/OS detection.
|
# architecture/OS detection.
|
||||||
system.extraSystemBuilderCmds =
|
system.extraSystemBuilderCmds = ''
|
||||||
''
|
mkdir -m 0755 -p $out/bin
|
||||||
mkdir -m 0755 -p $out/bin
|
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
||||||
ln -s ${pkgs.bash}/bin/bash $out/bin/sh
|
mkdir -m 0755 -p $out/sbin
|
||||||
mkdir -m 0755 -p $out/sbin
|
ln -s ../init $out/sbin/init
|
||||||
ln -s ../init $out/sbin/init
|
'';
|
||||||
'';
|
|
||||||
|
|
||||||
fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
|
fileSystems."/" = {
|
||||||
|
fsType = "rootfs";
|
||||||
|
device = "rootfs";
|
||||||
|
};
|
||||||
|
|
||||||
# add central logging
|
# add central logging
|
||||||
services.journalbeat = {
|
services.journalbeat = {
|
||||||
|
|
|
@ -1,5 +1,4 @@
|
||||||
{ config, lib, pkgs,
|
{ config, lib, pkgs, ... }:
|
||||||
... }:
|
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
@ -9,45 +8,39 @@ let
|
||||||
rev = "3a0767f0536fac811065eb87e6342f27eac085aa";
|
rev = "3a0767f0536fac811065eb87e6342f27eac085aa";
|
||||||
sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8=";
|
sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8=";
|
||||||
};
|
};
|
||||||
nixcloud = (
|
nixcloud = (import "${nixcloud-webservices}/pkgs" { inherit pkgs; }).nixcloud;
|
||||||
import "${nixcloud-webservices}/pkgs" { inherit pkgs; }
|
|
||||||
).nixcloud;
|
|
||||||
|
|
||||||
profilesDir = "/nix/var/nix/profiles/lxc";
|
profilesDir = "/nix/var/nix/profiles/lxc";
|
||||||
containers = config.lxc.containers;
|
containers = config.lxc.containers;
|
||||||
nixPath = config.nix.nixPath;
|
nixPath = config.nix.nixPath;
|
||||||
|
|
||||||
toLxcConfig' = path: a:
|
toLxcConfig' = path: a:
|
||||||
if builtins.isString a
|
if builtins.isString a then ''
|
||||||
then "${path} = ${a}\n"
|
${path} = ${a}
|
||||||
else if builtins.isInt a
|
'' else if builtins.isInt a then ''
|
||||||
then "${path} = ${toString a}\n"
|
${path} = ${toString a}
|
||||||
else if builtins.isAttrs a
|
'' else if builtins.isAttrs a then
|
||||||
then lib.concatMapStrings (name:
|
lib.concatMapStrings (name:
|
||||||
let
|
let path' = if path == "" then name else "${path}.${name}";
|
||||||
path' = if path == ""
|
in toLxcConfig' path' (builtins.getAttr name a)) (builtins.attrNames a)
|
||||||
then name
|
else if builtins.isList a then
|
||||||
else "${path}.${name}";
|
lib.concatMapStrings (toLxcConfig' path) a
|
||||||
in
|
else
|
||||||
toLxcConfig' path' (builtins.getAttr name a)
|
throw "Invalid LXC config value";
|
||||||
) (builtins.attrNames a)
|
|
||||||
else if builtins.isList a
|
|
||||||
then lib.concatMapStrings (toLxcConfig' path) a
|
|
||||||
else throw "Invalid LXC config value";
|
|
||||||
toLxcConfig = toLxcConfig' "";
|
toLxcConfig = toLxcConfig' "";
|
||||||
|
|
||||||
lxc-rootfs = pkgs.runCommand "lxc-rootfs" {} ''
|
lxc-rootfs = pkgs.runCommand "lxc-rootfs" { } ''
|
||||||
mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp}
|
mkdir -p $out/share/lxc/rootfs/{dev,nix/store,proc,run,sys,tmp}
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
options = with types; {
|
options = with types; {
|
||||||
lxc.containers = mkOption {
|
lxc.containers = mkOption {
|
||||||
type = attrs;
|
type = attrs;
|
||||||
default = {};
|
default = { };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (containers != {}) {
|
config = mkIf (containers != { }) {
|
||||||
virtualisation.lxc.enable = true;
|
virtualisation.lxc.enable = true;
|
||||||
environment.systemPackages = [ nixcloud.container ];
|
environment.systemPackages = [ nixcloud.container ];
|
||||||
|
|
||||||
|
@ -55,14 +48,18 @@ in {
|
||||||
lxc.id_map = u 0 100000 65536
|
lxc.id_map = u 0 100000 65536
|
||||||
lxc.id_map = g 0 100000 65536
|
lxc.id_map = g 0 100000 65536
|
||||||
'';
|
'';
|
||||||
users.users.root.subGidRanges = [
|
users.users.root.subGidRanges = [{
|
||||||
{ count = 65536; startGid = 100000; }
|
count = 65536;
|
||||||
];
|
startGid = 100000;
|
||||||
users.users.root.subUidRanges = [
|
}];
|
||||||
{ count = 65536; startUid = 100000; }
|
users.users.root.subUidRanges = [{
|
||||||
];
|
count = 65536;
|
||||||
|
startUid = 100000;
|
||||||
|
}];
|
||||||
|
|
||||||
systemd.services = if true then {} else
|
systemd.services = if true then
|
||||||
|
{ }
|
||||||
|
else
|
||||||
builtins.foldl' (services: name:
|
builtins.foldl' (services: name:
|
||||||
let
|
let
|
||||||
systemDir = "/${profilesDir}/${name}/system";
|
systemDir = "/${profilesDir}/${name}/system";
|
||||||
|
@ -94,9 +91,8 @@ in {
|
||||||
|
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
serviceConfig.RemainAfterExit = true;
|
serviceConfig.RemainAfterExit = true;
|
||||||
serviceConfig.Environment = [
|
serviceConfig.Environment =
|
||||||
''NIX_PATH=${builtins.concatStringsSep ":" nixPath}''
|
[ "NIX_PATH=${builtins.concatStringsSep ":" nixPath}" ];
|
||||||
];
|
|
||||||
|
|
||||||
script = ''
|
script = ''
|
||||||
mkdir -p ${profilesDir}/${name}
|
mkdir -p ${profilesDir}/${name}
|
||||||
|
@ -123,7 +119,6 @@ in {
|
||||||
in services // {
|
in services // {
|
||||||
"lxc-container-${name}-builder" = builder;
|
"lxc-container-${name}-builder" = builder;
|
||||||
"lxc-container-${name}" = starter;
|
"lxc-container-${name}" = starter;
|
||||||
}
|
}) { } (builtins.attrNames containers);
|
||||||
) {} (builtins.attrNames containers);
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
{ pkgs ? import <nixpkgs> {},
|
{ pkgs ? import <nixpkgs> { }, src ? builtins.fetchGit
|
||||||
src ? builtins.fetchGit "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git",
|
"https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git", }:
|
||||||
}:
|
|
||||||
|
|
||||||
with pkgs;
|
with pkgs;
|
||||||
let
|
let
|
||||||
path = "feeds/19.07/feeds-own/bmxd";
|
path = "feeds/19.07/feeds-own/bmxd";
|
||||||
makefile = builtins.readFile "${src}/${path}/Makefile";
|
makefile = builtins.readFile "${src}/${path}/Makefile";
|
||||||
makeDef = name:
|
makeDef = name:
|
||||||
builtins.elemAt (builtins.match ".*?${name}:=([^\n]+).*?" makefile) 0;
|
builtins.elemAt (builtins.match ''
|
||||||
|
.*?${name}:=([^
|
||||||
|
]+).*?'' makefile) 0;
|
||||||
name = makeDef "PKG_NAME";
|
name = makeDef "PKG_NAME";
|
||||||
version = makeDef "PKG_VERSION";
|
version = makeDef "PKG_VERSION";
|
||||||
release = makeDef "PKG_RELEASE";
|
release = makeDef "PKG_RELEASE";
|
||||||
patch = fetchurl {
|
patch = fetchurl {
|
||||||
url = "https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch";
|
url =
|
||||||
|
"https://gitlab.freifunk-dresden.de/firmware-developer/firmware/merge_requests/36.patch";
|
||||||
sha256 = "10gm1fqg2s8c261i0j1py3sfyyzr0h5b6wwdsgg3icn7lfjd6k75";
|
sha256 = "10gm1fqg2s8c261i0j1py3sfyyzr0h5b6wwdsgg3icn7lfjd6k75";
|
||||||
};
|
};
|
||||||
in stdenv.mkDerivation {
|
in stdenv.mkDerivation {
|
||||||
|
|
|
@ -1,8 +1,7 @@
|
||||||
{ pkgs ? import <nixpkgs> {} }:
|
{ pkgs ? import <nixpkgs> { } }:
|
||||||
|
|
||||||
with pkgs;
|
with pkgs;
|
||||||
let
|
let pile = builtins.fetchGit "https://github.com/astro/pile.git";
|
||||||
pile = builtins.fetchGit "https://github.com/astro/pile.git";
|
|
||||||
in {
|
in {
|
||||||
ledball = rustPlatform.buildRustPackage {
|
ledball = rustPlatform.buildRustPackage {
|
||||||
name = "ledball";
|
name = "ledball";
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [./logging.nix];
|
imports = [ ./logging.nix ];
|
||||||
# Set your time zone.
|
# Set your time zone.
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
# Select internationalisation properties.
|
# Select internationalisation properties.
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
keys = [
|
keys = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQbziwBjiSZqzE2b4iOqz1HxjinqHbGjAv1XHLOq+AFfNwMc4wiyQ/u2LpuRG2HlwK9pBeIY/gZSUP3YJZ1RumnrEOxY2Tgmzko0W9ME+hvK1OHZcXI69QA/ctxEVgOUMvTtS8XssFLAbQfkXJYeTL/5yr/Qrs3MDDfa+1UGY7LQlyzh6c4pQ+pBgWJALyzztc0orqgSVUJ2u8naQ210Jv3dQnpE+bwfeG9IuWjQqBXWHwlqxwRDxnnDBVcUj4z24XsMmHHWd/zizD+4C0Qx/rBiFhYBDXP+320U5gpgFzRl3t1HQXiPCb/LAgp2CLpZ8Eh4u9tgIhp6Z6l9r0B+vQ== poelzi@poelzi.org"
|
||||||
];
|
];
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
|