diff --git a/flake.lock b/flake.lock new file mode 100644 index 00000000..64a1044d --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,105 @@ +{ + "nodes": { + "hydra": { + "info": { + "lastModified": 1587883324, + "narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus=" + }, + "inputs": { + "nix": "nix", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "owner": "ehmry", + "repo": "hydra", + "rev": "e93c36aab1bf96cf392ab0e40157b0620638b599", + "type": "github" + }, + "original": { + "owner": "ehmry", + "ref": "sotest", + "repo": "hydra", + "type": "github" + } + }, + "nix": { + "info": { + "lastModified": 1586440843, + "narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo=" + }, + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "owner": "NixOS", + "repo": "nix", + "rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef", + "type": "github" + }, + "original": { + "id": "nix", + "type": "indirect" + } + }, + "nixpkgs": { + "info": { + "lastModified": 1585405475, + "narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE=" + }, + "locked": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-20.03-small", + "type": "indirect" + } + }, + "nixpkgs_2": { + "info": { + "lastModified": 1586219474, + "narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78=" + }, + "locked": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "29eddfc36d720dcc4822581175217543b387b1e8", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-20.03", + "type": "indirect" + } + }, + "nixpkgs_3": { + "info": { + "lastModified": 1586724123, + "narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo=" + }, + "locked": { + "owner": "nixos", + "repo": "nixpkgs-channels", + "rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-20.03", + "repo": "nixpkgs-channels", + "type": "github" + } + }, + "root": { + "inputs": { + "hydra": "hydra", + "nixpkgs": "nixpkgs_3" + } + } + }, + 
"root": "root", + "version": 5 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 00000000..d0c283f0 --- /dev/null +++ b/flake.nix @@ -0,0 +1,33 @@ +{ + description = "C3D2 NixOS configurations"; + + edition = 201909; + + inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03"; + inputs.hydra.url = "github:ehmry/hydra/sotest"; + + outputs = { self, nixpkgs, hydra }: { + + nixosConfigurations = { + + server7 = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; + system = "x86_64-linux"; + }; + + hydra = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/hydra/configuration.nix ]; + system = "x86_64-linux"; + }; + + pulsebert = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/pulsebert/configuration.nix ]; + system = "x86_64-linux"; + }; + + }; + + nixosModules.c3d2 = import ./lib; + + }; +} diff --git a/host-registry.nix b/host-registry.nix index 387091e9..a12b7a23 100644 --- a/host-registry.nix +++ b/host-registry.nix @@ -13,6 +13,7 @@ rec { hydra.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig"; + hydra7 = { }; mpd-index = { }; nfs = { }; ncdc.publicKey = diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index edf0fa57..01a49504 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix 
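Review bot: `inputs.hydra.url = "github:ehmry/hydra/sotest"` takes Hydra from a personal fork's mutable branch, and that branch ref is what the next `nix flake update` will follow; the lock pins it to e93c36a today, but nothing in flake.nix records why the fork is needed or what a bump could lose. Either pin the ref in the URL (`github:ehmry/hydra/e93c36aab1bf96cf392ab0e40157b0620638b599`) or leave a comment such as `# Hydra from ehmry's "sotest" branch (flake-enabled build); update deliberately, not via a blanket nix flake update`. `edition = 201909;` looks like the early-flake field that later flake-enabled Nix releases reject; worth confirming against the pinned nix input before it blocks evaluation.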
@@ -70,6 +70,30 @@ in {
     servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors;
   };
 
+  networking.wireguard = {
+    enable = true;
+    interfaces =
+      let
+        wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
+      in
+      builtins.mapAttrs (name: conf: {
+        inherit (conf.wireguard) listenPort privateKey;
+        ips = [ "${address4}/32" "${address6}/64" ];
+        allowedIPsAsRoutes = false;
+        postSetup = ''
+          ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name}
+          ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32
+        '';
+        peers = [ ({
+          inherit (conf.wireguard) publicKey;
+          allowedIPs = [ "0.0.0.0/0" "::0/0" ];
+          persistentKeepalive = 30;
+        } // (lib.optionalAttrs (conf.wireguard ? endpoint) {
+          inherit (conf.wireguard) endpoint;
+        })) ];
+      }) wireguardNeighbors;
+  };
+
   services.bird2 = {
     enable = true;
     config =
diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix
index 19d135ad..81530821 100644
--- a/hosts/containers/dnscache/configuration.nix
+++ b/hosts/containers/dnscache/configuration.nix
@@ -19,7 +19,8 @@
   # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
   networking.useNetworkd = true;
   networking.useDHCP = false;
-  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ];
+  networking.defaultGateway = "172.20.73.1";
   services.resolved.enable = false;
 
   # Set your time zone.
@@ -39,7 +40,7 @@
   # Create a few files early before packing tarball for Proxmox
   # architecture/OS detection.
-  system.extraSystemBuilderCmds =
+  system.extraSystemBuilderCmds = ''
     mkdir -m 0755 -p $out/bin
     ln -s ${pkgs.bash}/bin/bash $out/bin/sh
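Review bot: `inherit (conf.wireguard) listenPort privateKey;` feeds each neighbour's WireGuard private key into the generated interface config, so it ends up in the world-readable Nix store (the NixOS `privateKey` option itself warns about exactly this); use `privateKeyFile` pointing at a root-only file deployed out of band, e.g. `inherit (conf.wireguard) listenPort; privateKeyFile = conf.wireguard.privateKeyFile;`, and keep the key material out of the `neighbors` attrset that is evaluated into the store. `allowedIPs = [ "0.0.0.0/0" "::0/0" ]` together with `allowedIPsAsRoutes = false` looks deliberate because bird2 below installs the routes, but a comment like `# routes come from bird; wg only filters source addresses` will stop the next reader from "fixing" it. The `postSetup` `ip addr del`/`ip addr add ... peer` dance has no explanation either; a line saying why the point-to-point peer address is needed would help.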
@@ -85,22 +86,25 @@ "1.1.1.1@853" #cloudflare-dns.com "2606:4700:4700::1111@853" #cloudflare-dns.com "1.0.0.1@853" #cloudflare-dns.com - "2606:4700:4700::1001@853" #cloudflare-dns.com + "2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com ]; extraConfig = '' server: - ssl-upstream: yes domain-insecure: "dn42" domain-insecure: "20.172.in-addr.arpa" domain-insecure: "21.172.in-addr.arpa" domain-insecure: "22.172.in-addr.arpa" domain-insecure: "23.172.in-addr.arpa" domain-insecure: "d.f.ip6.arpa" + domain-insecure: "ffdd" + domain-insecure: "200.10.in-addr.arpa" local-zone: "20.172.in-addr.arpa." nodefault local-zone: "21.172.in-addr.arpa." nodefault local-zone: "22.172.in-addr.arpa." nodefault local-zone: "23.172.in-addr.arpa." nodefault local-zone: "d.f.ip6.arpa." nodefault + local-zone: "ffdd." nodefault + local-zone: "200.10.in-addr.arpa." nodefault remote-control: control-enable: yes 
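Review bot: `"2606:4700:4700::1001@853\n forward-ssl-upstream: yes"` smuggles a forward-zone option in through the forwardAddresses list; it only works because the NixOS unbound module prints those entries verbatim, with matching indentation, inside its root `forward-zone:` block, and a module refactor or a reordering of the list would silently emit plain `forward-addr:` lines. Since the global `ssl-upstream: yes` is removed in the same hunk, that failure mode is unencrypted DNS to the Cloudflare resolvers with no error at build time. Put a comment on the entry, e.g. `# hack: appended option lands in the module's root forward-zone; a global ssl-upstream would break the plaintext dn42/ffdd forwards below`, and consider asserting on the generated unbound.conf in a build check. The `domain-insecure`/`local-zone ... nodefault` pairs for `ffdd` and `200.10.in-addr.arpa` follow the existing dn42 pattern and look right.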
@@ -109,36 +113,71 @@ control-key-file: /var/lib/unbound/unbound_control.key control-cert-file: /var/lib/unbound/unbound_control.pem + forward-zone: + name: "99.22.172.in-addr.arpa" + forward-host: "ns.c3d2.de" - forward-zone: + forward-zone: + name: "zentralwerk.dn42" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "72.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "73.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "74.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "75.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "76.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "77.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: name: "dn42" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 - forward-zone: + forward-zone: name: "20.172.in-addr.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 - forward-zone: + forward-zone: name: "21.172.in-addr.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 - forward-zone: + forward-zone: name: "22.172.in-addr.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 - forward-zone: + forward-zone: name: "23.172.in-addr.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 forward-zone: name: "d.f.ip6.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 + + forward-zone: + name: "ffdd" + forward-addr: 10.200.0.4 + forward-addr: 10.200.0.16 + + forward-zone: + name: "200.10.in-addr.arpa" + forward-addr: 10.200.0.4 + forward-addr: 10.200.0.16 ''; }; @@ -150,7 +189,7 @@ memory = ""; interface = ""; load = ""; - exec = + exec = let unboundScript = builtins.toFile "unbound.rb" '' loop do 
diff --git a/hosts/containers/freifunk/assets/index.html b/hosts/containers/freifunk/assets/index.html new file mode 100644 index 00000000..d767ce34 --- /dev/null +++ b/hosts/containers/freifunk/assets/index.html @@ -0,0 +1,18 @@ + + + + + http://c3d2.ffdd + + +

Chaos Computer Club Dresden

+

Router zu Freifunk Dresden

+ + + + diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix deleted file mode 100644 index 0ba81c2c..00000000 --- a/hosts/containers/freifunk/configuration.nix +++ /dev/null @@ -1,60 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - meshInterface = "bmx"; -in { - imports = [ - - - - - ]; - - c3d2 = { - isInHq = false; - enableHail = false; - }; - - networking.hostName = "freifunk"; - networking.useNetworkd = true; - networking.nameservers = [ "172.20.73.8" "9.9.9.9" ]; - - # Required for krops - services.openssh.enable = true; - environment.systemPackages = with pkgs; [ git tcpdump ]; - - systemd.network.networks = { - "10-bmx" = { - enable = true; - matchConfig = { Name = meshInterface; }; - networkConfig = { - Address = "10.200.0.15/16"; - }; - }; - "20-core" = { - enable = true; - matchConfig = { Name = "core"; }; - networkConfig = { - Address = "172.20.72.40/26"; - Gateway = "172.20.72.7"; - }; - }; - }; - systemd.services.bmxd = - let - bmxd = import (toString ) { inherit pkgs; }; - in { - after = [ "systemd-networkd.service" ]; - wantedBy = [ "network.target" ]; - serviceConfig = { - ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0"; - Restart = "always"; - }; - }; - - # This value determines the NixOS release with which your system is to be - # compatible, in order to avoid breaking some software such as database - # servers. You should change this only after NixOS release notes say you - # should. - system.stateVersion = "20.03"; # Did you read the comment? -} diff --git a/hosts/containers/freifunk/sysinfo-json.nix b/hosts/containers/freifunk/sysinfo-json.nix new file mode 100644 index 00000000..3aafe3c2 --- /dev/null +++ b/hosts/containers/freifunk/sysinfo-json.nix 
@@ -0,0 +1,70 @@ +{ pkgs ? import {}, + ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git", + bmxd, + ddmeshNode, + ... }: + +with pkgs; +let + nvram = { + ddmesh_node = toString ddmeshNode; + city = "Dresden"; + autoupdate = "0"; + contact_name = "C3D2"; + contact_location = "Zentralwerk"; + contact_email = "astro@spaceboyz.net"; + contact_note = "http://www.c3d2.ffdd/"; + gps_latitude = "51.0810624"; + gps_longitude = "13.7285866"; + gps_altitude = "100"; + }; +in +stdenv.mkDerivation { + name = "sysinfo-json"; + src = "${ffdd-server}/salt/freifunk/base/ddmesh/"; + buildPhase = '' + cat > bmxddump.sh < \$DB_PATH/gateways + ${bmxd}/sbin/bmxd -c --links > \$DB_PATH/links + ${bmxd}/sbin/bmxd -c --originators > \$DB_PATH/originators + ${bmxd}/sbin/bmxd -c --status > \$DB_PATH/status + #${bmxd}/sbin/bmxd -c --networks > \$DB_PATH/networks + ${bmxd}/sbin/bmxd -ci > \$DB_PATH/info + EOF + + cat > lsb_release < ]; diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index f3d1a900..bd174df0 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -45,10 +45,6 @@ script = "xerox"; host = "roxi.hq.c3d2.de"; }; - scrape-luftdaten = makeService { - script = "luftdaten"; - host = ""; - }; scrape-fhem = makeService { script = "fhem"; host = "fhem.hq.c3d2.de"; 
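Review bot: `ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"` carries no `rev`, so whatever that repository's default branch points at when the node is built becomes the source of the scripts installed from `salt/freifunk/base/ddmesh/` — the build is neither reproducible nor protected against an upstream compromise. Pin it: `ffdd-server ? builtins.fetchGit { url = "https://github.com/Freifunk-Dresden/ffdd-server.git"; rev = "<commit>"; }`, or better, route it through the flake inputs so the lock file tracks it. The heredoc bodies in `buildPhase` appear truncated in this rendering, so I cannot check what bmxddump.sh and lsb_release end up containing. `contact_email` hard-codes a personal address into data the mesh publishes; confirm that is intended rather than a generic C3D2 contact.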
@@ -59,6 +55,30 @@ host = "matemat.hq.c3d2.de"; inherit (matematLogin) user password; }; + scrape-node1139 = makeService { + script = "freifunk_node"; + host = "10.200.4.120"; + }; + scrape-node1487 = makeService { + script = "freifunk_node"; + host = "10.200.5.213"; + }; + scrape-node1884 = makeService { + script = "freifunk_node"; + host = "10.200.7.100"; + }; + scrape-node1891 = makeService { + script = "freifunk_node"; + host = "10.200.7.107"; + }; + scrape-node1768 = makeService { + script = "freifunk_node"; + host = "10.200.6.239"; + }; + scrape-node1176 = makeService { + script = "freifunk_node"; + host = "10.200.7.80"; + }; }; systemd.timers.scrape-xeri = { partOf = [ "scrape-xeri.service" ]; @@ -70,11 +90,6 @@ wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; - systemd.timers.scrape-luftdaten = { - partOf = [ "scrape-luftdaten.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; systemd.timers.scrape-fhem = { partOf = [ "scrape-fhem.service" ]; wantedBy = [ "timers.target" ]; 
@@ -85,6 +100,36 @@
     wantedBy = [ "timers.target" ];
     timerConfig.OnCalendar = "minutely";
   };
+  systemd.timers.scrape-node1139 = {
+    partOf = [ "scrape-node1139.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "minutely";
+  };
+  systemd.timers.scrape-node1487 = {
+    partOf = [ "scrape-node1487.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "minutely";
+  };
+  systemd.timers.scrape-node1884 = {
+    partOf = [ "scrape-node1884.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "minutely";
+  };
+  systemd.timers.scrape-node1891 = {
+    partOf = [ "scrape-node1894.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "minutely";
+  };
+  systemd.timers.scrape-node1768 = {
+    partOf = [ "scrape-node1768.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "minutely";
+  };
+  systemd.timers.scrape-node1176 = {
+    partOf = [ "scrape-node1176.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = "minutely";
+  };
 
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix
index 457851c6..b4b7a87d 100644
--- a/hosts/hydra/configuration.nix
+++ b/hosts/hydra/configuration.nix
@@ -2,12 +2,9 @@
 {
   imports = [
-    ./hydra.nix
     ./cache.nix
     ../../lib
-    ../../lib/hq.nix
-    ../../lib/yggdrasil.nix
   ];
 
   c3d2 = {
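Review bot: `systemd.timers.scrape-node1891` is declared `partOf = [ "scrape-node1894.service" ]`, a unit that does not exist; the timer still fires scrape-node1891.service by its own name, but stopping or restarting that service no longer takes the timer with it and systemd will log a dangling dependency. Fix: `partOf = [ "scrape-node1891.service" ];`. Six copies of the same five lines here, plus six matching makeService blocks in the previous hunk, are exactly the pattern that produced the typo; generating both from one `nodes = { node1139 = "10.200.4.120"; … }` attrset with `lib.mapAttrs'` would remove the duplication and the chance of a mismatch.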
@@ -18,26 +15,17 @@ isInHq = true; mapHqHosts = true; hq.interface = "eth0"; + hq.yggdrasil.enableGateway = true; }; networking.interfaces.eth0.preferTempAddress = false; - systemd.services.yggdrasil.preStart = '' - mkdir -p /dev/net - mknod /dev/net/tun c 10 200 || true - chmod 0666 /dev/net/tun - ''; - services.yggdrasil = { - configFile = "/var/lib/yggdrasil/keys"; - config.Peers = [ - "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha - "tcp://ygg.thingylabs.io:443" # Nürnberg - "tcp://176.223.130.120:22632" # Wrocław - "tcp://[2a05:9403::8b]:7743" # Praha - ]; - }; nixpkgs.config.allowUnfree = true; + security.acme = { + email = "mail@c3d2.de"; + acceptTerms = true; + }; security.pam.enableSSHAgentAuth = true; services.openssh = { diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 5a187b71..f00d958f 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -15,8 +15,11 @@ allowed-uris = http:// https:// ''; buildMachines = [{ - hostName = "localhost"; + hostName = "server7.hq"; + sshUser = "hydra"; + sshKey = "/var/lib/hydra/queue-runner/id_rsa"; system = "x86_64-linux"; + speedFactor = 2; supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; maxJobs = 8; }]; @@ -27,6 +30,7 @@ hydraURL = "https://hydra.hq.c3d2.de"; logo = ./c3d2.svg; notificationSender = "hydra@spam.works"; + package = pkgs.hydra-unstable; useSubstitutes = false; }; diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index 497ca89c..ff33c871 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix @@ -13,7 +13,6 @@ in { ../../lib ../../lib/admins.nix ../../lib/hq.nix - ../../lib/yggdrasil.nix ./mpdConsole.nix ]; @@ -27,6 +26,7 @@ in { hq = { interface = "eno1"; enableMpdProxy = true; + yggdrasi.enableGateway = true; }; enableHail = true; }; diff --git a/hosts/server7/borgbackup.nix b/hosts/server7/borgbackup.nix new file mode 100644 index 00000000..0801a910 --- /dev/null 
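Review bot: `yggdrasi.enableGateway = true;` in the pulsebert hunk is missing the `l` — every other host in this commit sets `hq.yggdrasil.enableGateway`; unless `c3d2.hq` is a freeform submodule (not visible here), the module system will reject the undeclared option and `nixosConfigurations.pulsebert` from the new flake will fail to evaluate. Change it to `yggdrasil.enableGateway = true;`. The removed `../../lib/yggdrasil.nix` import in the same file is presumably replaced by the gateway option, so the typo also means pulsebert silently loses Yggdrasil if the option set happens to be freeform.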
+++ b/hosts/server7/borgbackup.nix @@ -0,0 +1,10 @@ +{ config, ... }: + +{ + services.borgbackup.repos.emery = { + allowSubRepos = true; + authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys; + path = "/srv/ceph/c3d2/backups/emery"; + quota = "200G"; + }; +} diff --git a/hosts/server7/containers/adc/default.nix b/hosts/server7/containers/adc/default.nix index b0e3a04c..365f3b37 100644 --- a/hosts/server7/containers/adc/default.nix +++ b/hosts/server7/containers/adc/default.nix @@ -2,7 +2,16 @@ name: (import ../outer-defaults.nix name) // { config = { config, pkgs, lib, ... }: { - imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ]; + imports = [ ../inner-defaults.nix ]; + + c3d2.hq.yggdrasil.enableGateway = true; + + networking.firewall.allowedTCPPorts = [ config.services.uhub.port ]; + + networking.interfaces.eth0.ipv6.addresses = [{ + address = "310:5217:69c0:9afc:0:576d:1184:c3d2"; + prefixLength = 64; + }]; # Old address used by some clients services.uhub = { enable = true; @@ -18,8 +27,6 @@ name: }; }; - networking.firewall.allowedTCPPorts = [ config.services.uhub.port ]; - hq.yggdrasil.enable = true; }; } diff --git a/hosts/server7/containers/default.nix b/hosts/server7/containers/default.nix index f7b77205..e26eb748 100644 --- a/hosts/server7/containers/default.nix +++ b/hosts/server7/containers/default.nix @@ -1,8 +1,6 @@ { lib, ... }: let - yggaddr = import ../yggaddr.nix; - containerFunc = name: # Generate a container expression from the directory at `name`. { diff --git a/hosts/server7/containers/hydra7/default.nix b/hosts/server7/containers/hydra7/default.nix new file mode 100644 index 00000000..5ad2522b --- /dev/null +++ b/hosts/server7/containers/hydra7/default.nix 
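Review bot: `authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys;` grants the borg repository to the same keys that log emery in interactively, so the machine running the unattended backup holds a key that is also a login on server7 (the users.emery definition is outside this hunk; I am inferring it is a login user). A dedicated backup-only key here is cheap, and listing the client key under `authorizedKeysAppendOnly` instead stops a compromised client from pruning or overwriting the history in /srv/ceph/c3d2/backups/emery. A short comment on the repo saying which client is expected to push would also help the next reader.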
@@ -0,0 +1,35 @@
+name:
+
+(import ../outer-defaults.nix name) // {
+
+  ephemeral = true;
+
+  config = { config, pkgs, lib, ... }: {
+    imports = [ ../inner-defaults.nix ];
+    c3d2.hq.yggdrasil.enableGateway = true;
+    networking.firewall.enable = false;
+    networking.interfaces.eth0.useDHCP = true;
+    security.acme = {
+      acceptTerms = true;
+      email = "mail@c3d2.de";
+    };
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "hydra7.hq.c3d2.de" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".proxyPass = "http://172.22.99.245:3000";
+        };
+        "hydra7.y.c3d2.de" = {
+          default = true;
+          addSSL = false;
+          locations."/".proxyPass = "http://172.22.99.245:3000";
+        };
+      };
+    };
+  };
+
+}
diff --git a/hosts/server7/containers/ncdc/default.nix b/hosts/server7/containers/ncdc/default.nix
index d169ece4..4fdd3bdf 100644
--- a/hosts/server7/containers/ncdc/default.nix
+++ b/hosts/server7/containers/ncdc/default.nix
@@ -10,11 +10,12 @@ name:
   config = { config, pkgs, lib, ... }:
     let ncdcPort = 1512;
     in {
-      imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ];
+      imports = [ ../inner-defaults.nix ];
 
       c3d2 = {
         users.k-ot = true;
         hq.statistics.enable = true;
+        hq.yggdrasil.enableGateway = true;
       };
 
       services.openssh.enable = true;
@@ -23,7 +24,6 @@ name:
       environment.systemPackages = with pkgs; [ tmux ncdc ];
 
       networking.firewall.enable = false;
-      hq.yggdrasil.enable = true;
 
     };
 }
diff --git a/hosts/server7/containers/outer-defaults.nix b/hosts/server7/containers/outer-defaults.nix
index c5a4a9a5..680bec38 100644
--- a/hosts/server7/containers/outer-defaults.nix
+++ b/hosts/server7/containers/outer-defaults.nix
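Review bot: `ephemeral = true` discards the container's state on every restart, including /var/lib/acme, so with `enableACME = true` for hydra7.hq.c3d2.de a fresh certificate is requested each time the container comes up; nothing in this file bind-mounts ACME state from the host, and a few restarts will hit Let's Encrypt's duplicate-certificate rate limit and leave nginx without a usable cert. Either drop `ephemeral`, or add `bindMounts."/var/lib/acme" = { hostPath = "/var/lib/containers-acme/hydra7"; isReadOnly = false; };` next to it. The `"hydra7.y.c3d2.de"` vhost is `default = true` with `addSSL = false`, and `networking.firewall.enable = false` is set, so any plain-HTTP request reaching the container under any Host name is proxied to the Hydra HTTP listener at 172.22.99.245:3000, login sessions included; if that vhost is only meant for the Yggdrasil overlay, say so in a comment and restrict its `listen` to the container's Yggdrasil address.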
@@ -7,12 +7,4 @@ in {
   autoStart = true;
   privateNetwork = true;
   hostBridge = "br0";
-
-  localAddress6 = with builtins; let
-    hash = hashString "sha256" name;
-    hextet0 = substring 0 4 hash;
-    hextet1 = substring 4 4 hash;
-  in "${yggaddr.prefix}:${hextet0}:${hextet1}:c3d2/64";
-  # Generate a deterministic IPv6 address for the container.
-  # This address is accessible within HQ and Yggdrasil but not from ARPANET.
 }
diff --git a/hosts/server7/containers/storage/default.nix b/hosts/server7/containers/storage/default.nix
index 67a0a52b..93319fe5 100644
--- a/hosts/server7/containers/storage/default.nix
+++ b/hosts/server7/containers/storage/default.nix
@@ -13,6 +13,7 @@ name:
     c3d2 = {
       users.k-ot = true;
       hq.statistics.enable = true;
+      hq.yggdrasil.enableGateway = true;
     };
 
     services.openssh = {
@@ -20,6 +21,8 @@ name:
       allowSFTP = true;
     };
 
+    environment.systemPackages = with pkgs; [ git borgbackup ];
+
     services.nginx = {
       enable = true;
       package = pkgs.nginx.override {
@@ -45,7 +48,7 @@ name:
           fancyindex on;
           # autoindex on;
           dav_access all:r;
-        '';
+        '';
       };
     };
   };
diff --git a/hosts/server7/configuration.nix b/hosts/server7/default.nix
similarity index 67%
rename from hosts/server7/configuration.nix
rename to hosts/server7/default.nix
index dc4de885..11fc3461 100644
--- a/hosts/server7/configuration.nix
+++ b/hosts/server7/default.nix
@@ -3,16 +3,21 @@ let yggaddr = import ./yggaddr.nix;
 in {
   imports = [
-
+    # ../../lib
     ../../lib/default-gateway.nix
-    ../../lib/yggdrasil.nix
+    ./borgbackup.nix
     ./containers
     ./hardware-configuration.nix
     ./hydra.nix
     ./nix-serve.nix
   ];
 
+  security.acme = {
+    email = " mail@c3d2.de";
+    acceptTerms = true;
+  };
+
   c3d2 = {
     users = {
       emery = true;
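Review bot: `email = " mail@c3d2.de";` in the server7 hunk carries a leading space, which the ACME client sends as part of the `mailto:` contact; depending on client and CA it is either rejected at account registration or stored mangled, and either way it differs from the `mail@c3d2.de` every other host in this commit uses. Change it to `email = "mail@c3d2.de";`. `# ../../lib` replaces a removed import whose path is lost in this rendering; a word on why the shared lib module is commented out would help, because the `c3d2 = { users = …` block below appears to rely on options from it (inferred from the name, not visible here).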
@@ -40,20 +45,13 @@ in {
     ];
   };
 
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    statusPage = true;
-  };
-
   # Route IPv6
   boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
   # Obtain global IPv6 despite being a router myself
   boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2;
 
   services.yggdrasil = {
+    enable = true;
     configFile = "/var/lib/yggdrasil/keys";
     config.Peers = [
       "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha
@@ -74,28 +72,43 @@ in {
   nix = {
     package = pkgs.nixFlakes;
-    extraOptions = "experimental-features = nix-command flakes ca-references";
     gc.automatic = true;
     optimise.automatic = true;
+    extraOptions = ''
+      experimental-features = nix-command flakes ca-references
+      post-build-hook = ${
+        pkgs.writeScript "post-build-sign-paths" ''
+          #!${pkgs.runtimeShell}
+          nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
+        ''
+      }
+    '';
   };
+  nixpkgs.overlays = [
+    (self: super: {
+      nix = super.nix // { meta.platforms = lib.platforms.linux; };
+    })
+  ];
 
   virtualisation.docker.enable = true;
 
   networking = {
     firewall.enable = false;
+    firewall.trustedInterfaces = [ "br0" ];
     hostName = "server7";
+    hostId = "454fe12c";
     useDHCP = false;
     bridges.br0.interfaces = [ "enp2s0f0" ];
     interfaces = {
       br0 = {
         useDHCP = true;
-        preferTempAddress = false;
+        tempAddress = "disabled";
         ipv4.addresses = [{
           address = "172.22.99.245";
           prefixLength = 24;
         }];
         ipv6.addresses = [{
-          address = yggaddr.prefix + ":1";
+          address = yggaddr.prefix64 + "::1";
           prefixLength = 64;
         }];
       };
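Review bot: `firewall.trustedInterfaces = [ "br0" ];` is added directly under `firewall.enable = false;`, where it has no effect; server7 forwards IPv6 and bridges every container onto br0, so either the intent was to turn the firewall on with the bridge trusted (`firewall.enable = true;`) or the new line should be dropped rather than suggest a protection that is not there. The `post-build-hook` signs every path built on this host with /var/lib/nix-serve.key, and after this commit that includes Hydra jobs whose inputs come from any `allowed-uris = http:// https://` source; that is presumably the purpose of the cache, but a comment such as `# signs everything built here, including Hydra jobs from arbitrary jobset inputs` would make the trust boundary explicit. `nix = super.nix // { meta.platforms = lib.platforms.linux; }` replaces the whole `meta` attrset rather than just `platforms`; `super.nix.overrideAttrs (o: { meta = o.meta // { platforms = lib.platforms.linux; }; })` keeps the rest of meta, if this workaround has to stay.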
@@ -107,19 +120,21 @@ in {
   boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0;
   boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0;
 
-  environment.systemPackages = with pkgs; [ tmux htop vim gitMinimal nixfmt ];
+  environment.systemPackages = with pkgs; [
+    tmux
+    htop
+    vim
+    gitMinimal
+    nixfmt
+    zfsStable
+  ];
 
   services.collectd.extraConfig = ''
-    LoadPlugin sensors
     LoadPlugin memory
-    LoadPlugin irq
-    LoadPlugin thermal
     LoadPlugin processes
     LoadPlugin disk
-    LoadPlugin hddtemp
     LoadPlugin df
     LoadPlugin cpu
-    LoadPlugin cpufreq
     LoadPlugin entropy
     LoadPlugin load
     LoadPlugin swap
@@ -139,4 +154,9 @@ in {
   time.timeZone = "Europe/Berlin";
 
   system.stateVersion = "19.09"; # Did you read the comment?
+
+  users.extraUsers.hydra.openssh.authorizedKeys.keys = [
+    # allow the old hydra to build here
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra"
+  ];
 }
diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix
index b5bf6419..e198467f 100644
--- a/hosts/server7/hardware-configuration.nix
+++ b/hosts/server7/hardware-configuration.nix
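Review bot: the `users.extraUsers.hydra.openssh.authorizedKeys.keys` entry gives the old Hydra host's root key an unrestricted login on server7, while a remote builder only ever needs `nix-store --serve --write`; prefix the key with a forced command and `restrict` so a compromised Hydra cannot do more than run builds here, e.g. `"command=\"nix-store --serve --write\",restrict ssh-rsa AAAAB3Nza…IRrlb root@hydra"` with the key text kept as is. The `hydra` user must also be in `nix.trustedUsers` for the queue runner to push unsigned inputs; I cannot see whether that is set elsewhere in the file. `users.extraUsers` is the legacy alias for `users.users`, and the rest of this file goes through the `c3d2.users` abstraction, so at least use the modern name. The same hunk drops the `sensors`/`irq`/`thermal`/`hddtemp`/`cpufreq` collectd plugins without a word on why (hardware change, presumably); a short comment would save the next person from re-adding them.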
@@ -4,27 +4,173 @@ { config, lib, pkgs, ... }: { - imports = - [ - ]; + # imports = [ ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = + [ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; + boot.supportedFilesystems = [ "zfs" ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/9812-00B2"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/9812-00B2"; + fsType = "vfat"; + }; + + fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { + device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1" = { + device = "nvme0n1"; + fsType = "zfs"; + }; + + fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = { + device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220"; + fsType = "zfs"; + }; + + fileSystems."/zones/archive" = { + device = "nvme0n1/archive"; + fsType = "zfs"; + }; + + fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = { + device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; + fsType = "zfs"; + }; + + fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { + device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; + fsType = "zfs"; + }; + + fileSystems."/zones/global/cores" = { + device = "nvme0n1/cores/global"; + fsType = "zfs"; + }; + + fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = { + device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de"; + fsType = "zfs"; + }; + + fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { + device = 
"nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; + fsType = "zfs"; + }; + + fileSystems."/zones/e71d4460-8eef-6623-a875-dd5ec20b650f/cores" = { + device = "nvme0n1/cores/e71d4460-8eef-6623-a875-dd5ec20b650f"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de" = { + device = "nvme0n1/c3d2.de"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = { + device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f" = { + device = "nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { + device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { + device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/admin" = { + device = "nvme0n1/c3d2.de/admin"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/templates" = { + device = "nvme0n1/c3d2.de/templates"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = { + device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = { + device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { + device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { + device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5" = { + device = "nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { + device = 
"nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3" = { + device = "nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { + device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43" = { + device = "nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = { + device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = { + device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/iso" = { + device = "nvme0n1/c3d2.de/iso"; + fsType = "zfs"; + }; swapDevices = [ ]; - nix.maxJobs = lib.mkDefault 20; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + nix.maxJobs = lib.mkDefault 10; + nix.buildCores = lib.mkDefault 40; + powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; } diff --git a/hosts/server7/hydra.nix b/hosts/server7/hydra.nix index 5d57ed3d..52692b0e 100644 --- a/hosts/server7/hydra.nix +++ b/hosts/server7/hydra.nix 
@@ -1,173 +1,28 @@ -let - hydraFlakes = pkgs: - with pkgs; - let - perlDeps = buildEnv { - name = "hydra-perl-deps"; - paths = with perlPackages; [ - ModulePluggable - CatalystActionREST - CatalystAuthenticationStoreDBIxClass - CatalystDevel - CatalystDispatchTypeRegex - CatalystPluginAccessLog - CatalystPluginAuthorizationRoles - CatalystPluginCaptcha - CatalystPluginSessionStateCookie - CatalystPluginSessionStoreFastMmap - CatalystPluginStackTrace - CatalystPluginUnicodeEncoding - CatalystTraitForRequestProxyBase - CatalystViewDownload - CatalystViewJSON - CatalystViewTT - CatalystXScriptServerStarman - CatalystXRoleApplicator - CryptRandPasswd - DBDPg - DBDSQLite - DataDump - DateTime - DigestSHA1 - EmailMIME - EmailSender - FileSlurp - IOCompress - IPCRun - JSON - JSONAny - JSONXS - LWP - LWPProtocolHttps - NetAmazonS3 - NetPrometheus - NetStatsd - PadWalker - Readonly - SQLSplitStatement - SetScalar - Starman - SysHostnameLong - TermSizeAny - TestMore - TextDiff - TextTable - XMLSimple - pkgs.nixFlakes - pkgs.nixFlakes.perl-bindings - git - boehmgc - ]; - }; +{ config, lib, pkgs, ... 
}: - in stdenv.mkDerivation { - - name = "hydra-flake"; - - src = pkgs.fetchFromGitHub { - owner = "NixOS"; - repo = "hydra"; - rev = "47797576838974c8209536b67bb45e953a50900f"; - sha256 = "1vqib99d7wgnl3c6ccx0xx2q88qmdkpydkb6gd0pik9wg2nn3jng"; - }; - - buildInputs = [ - makeWrapper - autoconf - automake - libtool - unzip - nukeReferences - pkgconfig - sqlite - libpqxx - gitAndTools.topGit - mercurial - darcs - subversion - bazaar - openssl - bzip2 - libxslt - guile # optional, for Guile + Guix support - perlDeps - perl - pkgs.nixFlakes - postgresql95 # for running the tests - boost - (nlohmann_json.override { multipleHeaders = true; }) - ]; - - hydraPath = lib.makeBinPath ([ - sqlite - subversion - openssh - pkgs.nixFlakes - coreutils - findutils - pixz - gzip - bzip2 - lzma - gnutar - unzip - git - gitAndTools.topGit - mercurial - darcs - gnused - bazaar - ] ++ lib.optionals stdenv.isLinux [ rpm dpkg cdrkit ]); - - configureFlags = [ "--with-docbook-xsl=${docbook_xsl}/xml/xsl/docbook" ]; - - shellHook = '' - PATH=$(pwd)/src/hydra-evaluator:$(pwd)/src/script:$(pwd)/src/hydra-eval-jobs:$(pwd)/src/hydra-queue-runner:$PATH - PERL5LIB=$(pwd)/src/lib:$PERL5LIB - ''; - - preConfigure = "autoreconf -vfi"; - - NIX_LDFLAGS = [ "-lpthread" ]; - - enableParallelBuilding = true; - - preCheck = '' - patchShebangs . - export LOGNAME=''${LOGNAME:-foo} - ''; - - postInstall = '' - mkdir -p $out/nix-support - - for i in $out/bin/*; do - read -n 4 chars < $i - if [[ $chars =~ ELF ]]; then continue; fi - wrapProgram $i \ - --prefix PERL5LIB ':' $out/libexec/hydra/lib:$PERL5LIB \ - --prefix PATH ':' $out/bin:$hydraPath \ - --set HYDRA_RELEASE 0.1 \ - --set HYDRA_HOME $out/libexec/hydra \ - --set NIX_RELEASE ${pkgs.nixFlakes.name or "unknown"} - done - ''; - - dontStrip = true; - - meta.description = "Build of Hydra on ${system}"; - passthru.perlDeps = perlDeps; - }; -in { config, pkgs, ... 
}: { - - services.hydra = { +{ + services.hydra-dev = { enable = true; + debugServer = true; + extraEnv.HYDRA_DEBUG = "1"; hydraURL = "https://server7.hq.c3d2.de"; logo = ./hydra.svg; notificationSender = "hydra@spam.works"; - package = hydraFlakes pkgs; - listenHost = "127.0.0.1"; + # package = pkgs.hydra-unstable; + listenHost = "172.22.99.245"; + # listenHost = "*"; + useSubstitutes = true; + minimumDiskFree = 2; + minimumDiskFreeEvaluator = 2; + extraConfig = '' + + authfile = /var/lib/hydra/sotest.auth + + ''; }; + nix.trustedUsers = [ "hydra" ]; + nix.buildMachines = [{ hostName = "localhost"; system = "x86_64-linux"; @@ -175,18 +30,20 @@ in { config, pkgs, ... }: { maxJobs = 8; }]; + nix.binaryCachePublicKeys = + [ "nix-serve.hq.c3d2.de-2:elqZouiiQP4XNfmEekwXH/YRPL1pXlN5JgVSzT1Ctoc=" ]; + nix.binaryCaches = [ "http://nix-serve.hq.c3d2.de" ]; + services.nginx = { enable = true; virtualHosts = { "server7.hq.c3d2.de" = { - default = true; addSSL = true; enableACME = true; - locations."/".proxyPass = - "http://127.0.0.1:${toString config.services.hydra.port}"; + globalRedirect = "hydra7.hq.c3d2.de"; }; }; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + } diff --git a/hosts/server7/nix-serve.nix b/hosts/server7/nix-serve.nix index a3456808..58c6d80a 100644 --- a/hosts/server7/nix-serve.nix +++ b/hosts/server7/nix-serve.nix @@ -15,7 +15,9 @@ addSSL = true; enableACME = true; locations."/".proxyPass = - "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; + "http://${config.services.nix-serve.bindAddress}:${ + toString config.services.nix-serve.port + }"; }; }; }; diff --git a/hosts/server7/yggaddr.nix b/hosts/server7/yggaddr.nix index f5086928..22be5469 100644 --- a/hosts/server7/yggaddr.nix +++ b/hosts/server7/yggaddr.nix @@ -1,4 +1,4 @@ { address = "210:5217:69c0:9afc:1b95:b9f:8718:c3d2"; - prefix = "310:5217:69c0:9afc:"; + prefix64 = "310:5217:69c0:9afc"; } 
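Review bot: Dropping `networking.firewall.allowedTCPPorts = [ 80 443 ];` while `services.nginx` stays enabled with `enableACME = true` and a `globalRedirect` leaves the ACME HTTP-01 challenge and the redirect blocked by the NixOS firewall unless another module of this host opens those ports. In the first hunk `listenHost` moves from `127.0.0.1` to `172.22.99.245` at the same time the nginx `proxyPass` to hydra is removed, so hydra-dev (with `debugServer = true` and `extraEnv.HYDRA_DEBUG = "1"`) now answers directly on the LAN over plain HTTP while `hydraURL` still advertises `https://server7.hq.c3d2.de`; either keep a TLS-terminating proxy in front of it or update `hydraURL`, and mark the debug settings as temporary in a comment. `nix.trustedUsers = [ "hydra" ];` deserves a one-line comment on why it is required, since trusted users can override the daemon's substituter and signature settings. `nix.binaryCaches` uses `http://nix-serve.hq.c3d2.de`; the configured `binaryCachePublicKeys` covers NAR integrity, but if the nix-serve vhost in nix-serve.nix is served over TLS the URL could be `https://`.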
diff --git a/krops.nix b/krops.nix index f9ad4e28..6e31df4d 100644 --- a/krops.nix +++ b/krops.nix @@ -16,6 +16,7 @@ let url = "https://github.com/NixOS/nixpkgs.git"; }; nixos-config.file = toString (./hosts + "/${path}/configuration.nix"); + this-host.file = toString (./hosts + "/${path}"); lib.file = toString ./lib; secrets.file = toString ./secrets; "host-registry.nix".file = toString ./host-registry.nix; diff --git a/lib/default.nix b/lib/default.nix index 3843e6b0..505a6ab1 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -8,6 +8,8 @@ let hqPrefix64 = "fd23:42:c3d2:523"; # TODO: Is this stable? Is there a better place to specifiy this? + server7Ygg = import ../hosts/server7/yggaddr.nix; + # Generate a deterministic IPv6 address for a 64 bit prefix # and seed string. Prefix must not contain trailing ':'. toIpv6Address = prefix64: seed: @@ -21,14 +23,9 @@ let # for the HQ networking using a seed string. toHqPrivateAddress = toIpv6Address hqPrefix64; - /* # Generate a deterministic public IPv6 addresses - # for the HQ networking using a seed string. - toHqPublicAddress = toIpv6Address publicPrefix64; + toServer7Address = toIpv6Address server7Ygg.prefix64; - # Generate a deterministic public IPv6 addresses - # for the HQ networking using a seed string. - toserver7YggdrasilAddress = toIpv6Address server7YggrasilPrefix64; - */ + # toHqPublicAddress = toIpv6Address publicPrefix64; cfg = config.c3d2; @@ -106,6 +103,8 @@ in { description = "Whether to proxy the local MPD database"; }; + yggdrasil.enableGateway = mkEnableOption + "Whether to join the host to the Yggdrasil network via a gateway"; }; }; @@ -118,7 +117,8 @@ in { # Configuration specific to this machine assertions = [ - { assertion = cfg.isInHq -> (config.users.users.root.password == null); + { + assertion = cfg.isInHq -> (config.users.users.root.password == null); message = "Root passwords not allowed in HQ"; } { 
@@ -166,10 +166,16 @@ in { host.ip6 else toHqPrivateAddress hostName; - in [{ - name = ip6; - value = [ "${hostName}.hq" hostName ]; - }] ++ lib.optional (hasAttr "ip4" host) { + in [ + { + name = ip6; + value = [ "${hostName}.hq" hostName ]; + } + { + name = toServer7Address hostName; + value = [ "${hostName}.y.c3d2.de" "${hostName}.y" ]; + } + ] ++ lib.optional (hasAttr "ip4" host) { name = host.ip4; value = [ "${hostName}.hq" hostName ]; }; @@ -196,7 +202,16 @@ in { ipv6.addresses = [{ address = toHqPrivateAddress config.networking.hostName; prefixLength = 64; - }]; + }] ++ lib.optional (cfg.hq.yggdrasil.enableGateway) { + address = toServer7Address config.networking.hostName; + prefixLength = 64; + }; + ipv6.routes = lib.optional (cfg.hq.yggdrasil.enableGateway) { + address = "200::"; + options.pref = "low"; + prefixLength = 7; + via = server7Ygg.prefix64 + "::1"; + }; }; }); @@ -231,17 +246,31 @@ in { services.collectd = lib.mkIf cfg.hq.statistics.enable { enable = true; - autoLoadPlugin = true; extraConfig = '' - HostName "${config.networking.hostName}" FQDNLookup false Interval 10 - - LoadPlugin network - - Server "grafana.hq" "25826" - ''; + buildMinimalPackage = true; + plugins = { + logfile = '' + LogLevel info + File STDOUT + ''; + network = '' + Server "grafana.hq.c3d2.de" "25826" + ''; + memory = ""; + processes = ""; + disk = ""; + df = ""; + cpu = ""; + entropy = ""; + load = ""; + swap = ""; + cgroups = ""; + vmem = ""; + interface = ""; + }; }; services.hail = lib.mkIf cfg.enableHail { diff --git a/lib/hq.nix b/lib/hq.nix deleted file mode 100644 index 4ecc258c..00000000 --- a/lib/hq.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, lib, ... }: - -{ - # Please import only things that are configurable and OFF BY DEFAULT! - imports = [ ./yggdrasil-hq.nix ]; - -} diff --git a/lib/lxc-container.nix b/lib/lxc-container.nix index 9f0e1577..cad10c70 100644 --- a/lib/lxc-container.nix +++ b/lib/lxc-container.nix 
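Review bot: In `@@ -166` every host in the registry gets a `${hostName}.y.c3d2.de` / `${hostName}.y` entry pointing at `toServer7Address hostName`, but in `@@ -196` that address is only configured on hosts that set `cfg.hq.yggdrasil.enableGateway`, so the generated hosts entries resolve names for machines that may hold no such address. Because the address is derived only from the host name, a machine that later turns the option on takes over the name without any change here, which is worth a comment next to the new entry, e.g. `# .y names are derived from the host name and exist whether or not that host has joined Yggdrasil`. If the host registry can carry a per-host flag, gating the entry on it would be cleaner than emitting it unconditionally. The `let … in` block that builds these entries starts outside the hunk.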
@@ -4,7 +4,6 @@ imports = [ - ./hq.nix ]; networking.networkmanager.dns = "unbound"; diff --git a/lib/lxc/default.nix b/lib/lxc/default.nix index 37cf50bd..185058e6 100644 --- a/lib/lxc/default.nix +++ b/lib/lxc/default.nix @@ -3,8 +3,11 @@ with lib; let - nixcloud-webservices = builtins.fetchGit { - url = "https://github.com/nixcloud/nixcloud-webservices.git"; + nixcloud-webservices = pkgs.fetchFromGitHub { + owner = "nixcloud"; + repo = "nixcloud-webservices"; + rev = "3a0767f0536fac811065eb87e6342f27eac085aa"; + sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8="; }; nixcloud = ( import "${nixcloud-webservices}/pkgs" { inherit pkgs; } diff --git a/lib/users/emery.nix b/lib/users/emery.nix index 27834ed1..49a061ba 100644 --- a/lib/users/emery.nix +++ b/lib/users/emery.nix @@ -4,6 +4,7 @@ let keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery@nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVmyXQNE5IhcFdAWNfd4Cgg+rc+z/uClSQdPcaAVbYf emery@nixos" + "ssh-rsa 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 root@bigpad" ]; in { diff --git a/lib/yggdrasil-hq.nix b/lib/yggdrasil-hq.nix deleted file mode 100644 index 21d026b3..00000000 --- a/lib/yggdrasil-hq.nix +++ /dev/null 
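Review bot: The new key's comment `root@bigpad` suggests it was generated in another machine's root account, so this user's access now also depends on how root's key material is protected on that host; a per-user key, plus a comment recording what `bigpad` is and when the key should be retired, would keep the key list self-describing. The added key is `ssh-rsa` next to two ed25519 keys, and its material is redacted in the page, so the key length cannot be checked from the hunk.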
@@ -1,40 +0,0 @@ -{ config, lib, ... }: -with lib; - -let - cfg = config.hq.yggdrasil; - hostNameHash = builtins.hashString "sha256" config.networking.hostName; - hextets = map (i: substring (4 * i) 4 hostNameHash) [ 0 1 2 3 ]; - hostAddr = concatStringsSep ":" hextets; -in { - options = with types; { - hq.yggdrasil = { - enable = - mkEnableOption "Configure Yggdrasil access via the Yggdrasil router"; - - interface = mkOption { - type = nullOr str; - default = "eth0"; - description = "Network interface to the C3D2 HQ ethernet"; - }; - }; - }; - - config = mkIf cfg.enable { - networking.interfaces = { - "${cfg.interface}" = { - "ipv6" = { - addresses = [{ - address = "310:5217:69c0:9afc:${hostAddr}"; - prefixLength = 64; - }]; - routes = [{ - address = "200::"; - prefixLength = 7; - via = "310:5217:69c0:9afc::1"; - }]; - }; - }; - }; - }; -} diff --git a/lib/yggdrasil-service.nix b/lib/yggdrasil-service.nix deleted file mode 100644 index 33d1f093..00000000 --- a/lib/yggdrasil-service.nix +++ /dev/null 
@@ -1,185 +0,0 @@ -{ config, lib, pkgs, ... }: -with lib; -let - cfg = config.services.yggdrasil; - configProvided = (cfg.config != { }); - configAsFile = (if configProvided then - toString (pkgs.writeTextFile { - name = "yggdrasil-conf"; - text = builtins.toJSON cfg.config; - }) - else - null); - configFileProvided = (cfg.configFile != null); - generateConfig = (if configProvided && configFileProvided then - "${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}" - else if configProvided then - "cat ${configAsFile}" - else if configFileProvided then - "cat ${cfg.configFile}" - else - "${cfg.package}/bin/yggdrasil -genconf"); - -in { - options = with types; { - services.yggdrasil = { - enable = mkEnableOption "the yggdrasil system service"; - - configFile = mkOption { - type = nullOr str; - default = null; - example = "/run/keys/yggdrasil.conf"; - description = '' - A file which contains JSON configuration for yggdrasil. - - You do not have to supply a complete configuration, as - yggdrasil will use default values for anything which is - omitted. If the encryption and signing keys are omitted, - yggdrasil will generate new ones each time the service is - started, resulting in a random IPv6 address on the yggdrasil - network each time. - - If both this option and are - supplied, they will be combined, with values from - taking precedence. - - You can use the command nix-shell -p yggdrasil --run - "yggdrasil -genconf -json" to generate a default - JSON configuration. - ''; - }; - - config = mkOption { - type = attrs; - default = { }; - example = { - Peers = [ - "tcp://aa.bb.cc.dd:eeeee" - "tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff" - ]; - Listen = [ "tcp://0.0.0.0:xxxxx" ]; - }; - description = '' - Configuration for yggdrasil, as a Nix attribute set. - - Warning: this is stored in the WORLD-READABLE Nix store! - Therefore, it is not appropriate for private keys. 
If you - do not specify the keys, yggdrasil will generate a new set - each time the service is started, creating a random IPv6 - address on the yggdrasil network each time. - - If you wish to specify the keys, use - . If both - and are - supplied, they will be combined, with values from - taking precedence. - - You can use the command nix-shell -p yggdrasil --run - "yggdrasil -genconf" to generate default - configuration values with documentation. - ''; - }; - - openMulticastPort = mkOption { - type = bool; - default = false; - description = '' - Whether to open the UDP port used for multicast peer - discovery. The NixOS firewall blocks link-local - communication, so in order to make local peering work you - will also need to set LinkLocalTCPPort in your - yggdrasil configuration ( or - ) to a port number other than 0, - and then add that port to - . - ''; - }; - - denyDhcpcdInterfaces = mkOption { - type = listOf str; - default = [ ]; - example = [ "tap*" ]; - description = '' - Disable the DHCP client for any interface whose name matches - any of the shell glob patterns in this list. Use this - option to prevent the DHCP client from broadcasting requests - on the yggdrasil network. It is only necessary to do so - when yggdrasil is running in TAP mode, because TUN - interfaces do not support broadcasting. 
- ''; - }; - - package = mkOption { - type = package; - default = pkgs.yggdrasil; - defaultText = "pkgs.yggdrasil"; - description = "Yggdrasil package to use."; - }; - }; - }; - - config = mkIf cfg.enable { - assertions = [{ - assertion = config.networking.enableIPv6; - message = "networking.enableIPv6 must be true for yggdrasil to work"; - }]; - - systemd.services.yggdrasil = { - description = "Yggdrasil Network Service"; - path = [ cfg.package ] - ++ optional (configProvided && configFileProvided) pkgs.jq; - bindsTo = [ "network-online.target" ]; - after = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - ${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf - ''; - - serviceConfig = { - ExecStart = - "${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "always"; - - RuntimeDirectory = "yggdrasil"; - RuntimeDirectoryMode = "0700"; - BindReadOnlyPaths = mkIf configFileProvided [ "${cfg.configFile}" ]; - - # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails - # to set up the network adapter when DynamicUser is set. See - # github.com/yggdrasil-network/yggdrasil-go/issues/557. The - # following options are implied by DynamicUser according to - # the systemd.exec documentation, and can be removed if the - # upstream issue is fixed and DynamicUser is set to true: - PrivateTmp = true; - RemoveIPC = true; - NoNewPrivileges = true; - ProtectSystem = "strict"; - RestrictSUIDSGID = true; - # End of list of options implied by DynamicUser. 
- - AmbientCapabilities = "CAP_NET_ADMIN"; - CapabilityBoundingSet = "CAP_NET_ADMIN"; - MemoryDenyWriteExecute = true; - ProtectControlGroups = true; - ProtectHome = "tmpfs"; - ProtectKernelModules = true; - ProtectKernelTunables = true; - RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; - RestrictNamespaces = true; - RestrictRealtime = true; - SystemCallArchitectures = "native"; - SystemCallFilter = - "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources"; - }; - }; - - networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces; - networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ]; - - # Make yggdrasilctl available on the command line. - environment.systemPackages = [ cfg.package ]; - }; - meta.maintainers = with lib.maintainers; [ gazally ]; -} diff --git a/lib/yggdrasil.nix b/lib/yggdrasil.nix deleted file mode 100644 index f497dc6e..00000000 --- a/lib/yggdrasil.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: { - imports = [ ./yggdrasil-service.nix ]; - - services.yggdrasil = { - enable = true; - package = (import { }).yggdrasil; - openMulticastPort = true; - config.NodeInfo = { - name = config.networking.hostName + ".c3d2"; - location = "Dresden"; - }; - }; -} diff --git a/secrets b/secrets index 35a994c6..eb06c122 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 35a994c6ea2f2720e8ec045ea1369163ea69a35f +Subproject commit eb06c122762133b7831475615b1a3b039eaa389e