From 953395752591918e3f9a541a905e56843cc7e65c Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 5 Apr 2020 02:31:57 +0200 Subject: [PATCH 01/63] add containers/freifunk --- hosts/containers/freifunk/configuration.nix | 60 +++++++++++++++++++++ krops.nix | 1 + lib/pkgs/bmxd.nix | 20 +++++++ 3 files changed, 81 insertions(+) create mode 100644 hosts/containers/freifunk/configuration.nix create mode 100644 lib/pkgs/bmxd.nix diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix new file mode 100644 index 00000000..0ba81c2c --- /dev/null +++ b/hosts/containers/freifunk/configuration.nix 
@@ -0,0 +1,60 @@ +{ config, pkgs, lib, ... }: + +let + meshInterface = "bmx"; +in { + imports = [ + + + + + ]; + + c3d2 = { + isInHq = false; + enableHail = false; + }; + + networking.hostName = "freifunk"; + networking.useNetworkd = true; + networking.nameservers = [ "172.20.73.8" "9.9.9.9" ]; + + # Required for krops + services.openssh.enable = true; + environment.systemPackages = with pkgs; [ git tcpdump ]; + + systemd.network.networks = { + "10-bmx" = { + enable = true; + matchConfig = { Name = meshInterface; }; + networkConfig = { + Address = "10.200.0.15/16"; + }; + }; + "20-core" = { + enable = true; + matchConfig = { Name = "core"; }; + networkConfig = { + Address = "172.20.72.40/26"; + Gateway = "172.20.72.7"; + }; + }; + }; + systemd.services.bmxd = + let + bmxd = import (toString ) { inherit pkgs; }; + in { + after = [ "systemd-networkd.service" ]; + wantedBy = [ "network.target" ]; + serviceConfig = { + ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0"; + Restart = "always"; + }; + }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "20.03"; # Did you read the comment? +} diff --git a/krops.nix b/krops.nix index f8e4d1c9..f9ad4e28 100644 --- a/krops.nix +++ b/krops.nix @@ -29,4 +29,5 @@ let in { scrape = deployContainer "scrape" "172.20.73.32"; ledstripes = deployContainer "ledstripes" "172.22.99.168"; + freifunk = deployContainer "freifunk" "172.20.72.40"; } diff --git a/lib/pkgs/bmxd.nix b/lib/pkgs/bmxd.nix new file mode 100644 index 00000000..5b7b7391 --- /dev/null +++ b/lib/pkgs/bmxd.nix 
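Review bot: The `systemd.services.bmxd` unit at the end of the new configuration runs the mesh routing daemon as root with no sandboxing, although the `bmx` interface it is told to use (`dev=${meshInterface}`) is a Freifunk mesh shared with untrusted peers. The `--throw-rules`/`--prio-rules` options suggest bmxd manipulates routing, so it presumably cannot run as an unprivileged user outright, but the unit can still set `ProtectSystem = "strict"; ProtectHome = true; NoNewPrivileges = true; PrivateTmp = true;` and bound its privileges with `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" ];` — confirm against what bmxd actually needs. `wantedBy = [ "network.target" ]` also looks wrong for a long-running daemon; `multi-user.target` is the usual target, and `network.target` is reached before the mesh interface is necessarily configured.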
@@ -0,0 +1,20 @@ +{ pkgs ? import {}, + src ? builtins.fetchGit "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git", +}: + +with pkgs; +let + path = "${src}/feeds/19.07/feeds-own/bmxd"; + makefile = builtins.readFile "${path}/Makefile"; + makeDef = name: + builtins.elemAt (builtins.match ".*?${name}:=([^\n]+).*?" makefile) 0; + name = makeDef "PKG_NAME"; + version = makeDef "PKG_VERSION"; + release = makeDef "PKG_RELEASE"; +in stdenv.mkDerivation { + name = "${name}-${version}-${release}"; + src = "${path}/sources"; + installPhase = '' + make install SBINDIR=$out/sbin + ''; +} From d589cba320ba6c793ffbb7eb999581e3dd667945 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 03:05:55 +0200 Subject: [PATCH 02/63] dnscache: add freifunk forward-zones --- hosts/containers/dnscache/configuration.nix | 10 ++++++++ lib/default.nix | 27 +++++++++++++++------ 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 19d135ad..8e44b13f 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix @@ -139,6 +139,16 @@ name: "d.f.ip6.arpa" forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 + + forward-zone: + name: "ffdd" + forward-addr: 10.200.0.4 + forward-addr: 10.200.0.16 + + forward-zone: + name: "200.10.in-addr.arpa" + forward-addr: 10.200.0.4 + forward-addr: 10.200.0.16 ''; }; diff --git a/lib/default.nix b/lib/default.nix index 3843e6b0..f5093ca5 100644 --- a/lib/default.nix +++ b/lib/default.nix 
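Review bot: The default `src` in lib/pkgs/bmxd.nix is `builtins.fetchGit` with only a URL, so every evaluation builds whatever the remote's default branch points to at that moment, with no revision pin and no content hash — and the resulting binary is then started as root by the freifunk container. Pin it, e.g. `src ? builtins.fetchGit { url = "https://gitlab.freifunk-dresden.de/firmware-developer/firmware.git"; ref = "<branch>"; rev = "<commit>"; }`, or better use `pkgs.fetchFromGitLab` with a `sha256` so the fetched content is verified, the way this series later pins nixcloud-webservices in lib/lxc/default.nix. Without a pin the derivation name computed from `PKG_VERSION`/`PKG_RELEASE` in the upstream Makefile is also unstable, so two deploys can silently run different bmxd versions.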
@@ -231,17 +231,30 @@ in { services.collectd = lib.mkIf cfg.hq.statistics.enable { enable = true; - autoLoadPlugin = true; extraConfig = '' - HostName "${config.networking.hostName}" FQDNLookup false Interval 10 - - LoadPlugin network - - Server "grafana.hq" "25826" - ''; + plugins = { + file = '' + LogLevel info + File STDOUT + ''; + network = '' + Server "grafana.hq.c3d2.de" "25826" + ''; + memory = ""; + processes = ""; + disk = ""; + df = ""; + cpu = ""; + entropy = ""; + load = ""; + swap = ""; + cgroups = ""; + vmem = ""; + interface = ""; + }; }; services.hail = lib.mkIf cfg.enableHail { From c3792f16cec90b0aa36c7d83cbdb7efe83699772 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 03:34:10 +0200 Subject: [PATCH 03/63] freifunk: setup all the correct details --- hosts/containers/freifunk/configuration.nix | 131 ++++++++++++++++++-- secrets | 2 +- 2 files changed, 119 insertions(+), 14 deletions(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index 0ba81c2c..a2a5fa8f 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -1,7 +1,16 @@ { config, pkgs, lib, ... }: let + coreAddress = "172.20.72.40"; + corePrefixlen = 26; meshInterface = "bmx"; + meshLoopback = "bmx_prime"; + ddmeshRegisterUrl = "https://register.freifunk-dresden.de/bot.php"; + secrets = import ; + ddmeshRegisterKey = secrets.ddmeshRegisterKey; + ddmeshNode = 51073; + ddmeshAddrPart = "200.74"; + rt_table = 7; in { imports = [ 
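Review bot: The new `network` plugin block sends every host's metrics to `Server "grafana.hq.c3d2.de" "25826"` with no `SecurityLevel`, so the collectd stream is plaintext and unauthenticated, and the same series turns `hq.statistics.enable` on for the freifunk container, which declares `isInHq = false` — these metrics now cross a network HQ does not control and can be spoofed toward the receiver. collectd's network plugin supports signing and encryption: replace the bare `Server` line with a `<Server "grafana.hq.c3d2.de" "25826">` block carrying `SecurityLevel Encrypt`, `Username` and `Password`, with the matching `AuthFile` on the receiving side. If the receiver cannot be changed right now, at least record in a comment that the stream is trusted by network position only.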
@@ -13,30 +22,72 @@ in { c3d2 = { isInHq = false; enableHail = false; + hq.statistics.enable = true; }; networking.hostName = "freifunk"; networking.useNetworkd = true; networking.nameservers = [ "172.20.73.8" "9.9.9.9" ]; + networking.firewall.enable = false; + networking.nat = { + enable = true; + externalInterface = meshInterface; + #internalInterfaces = [ "core" ]; + extraCommands = '' + set +e + ${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300 + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \ + \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart} + set -e + ''; + }; + networking.iproute2 = { + enable = true; + rttablesExtraConfig = "${toString rt_table} bmx"; + }; # Required for krops services.openssh.enable = true; environment.systemPackages = with pkgs; [ git tcpdump ]; - systemd.network.networks = { - "10-bmx" = { - enable = true; - matchConfig = { Name = meshInterface; }; - networkConfig = { - Address = "10.200.0.15/16"; + systemd.network = { + netdevs = { + bmx_prime = { + enable = true; + netdevConfig = { + Kind = "bridge"; + Name = meshLoopback; + }; }; }; - "20-core" = { - enable = true; - matchConfig = { Name = "core"; }; - networkConfig = { - Address = "172.20.72.40/26"; - Gateway = "172.20.72.7"; + networks = { + "10-bmx" = { + enable = true; + matchConfig = { Name = meshInterface; }; + addresses = [ { + addressConfig = { + Address = "10.201.${ddmeshAddrPart}/16"; + Broadcast = "10.255.255.255"; + }; + } ]; + }; + "11-bmx-loopback" = { + enable = true; + matchConfig = { Name = meshLoopback; }; + addresses = [ { + addressConfig = { + Address = "10.200.${ddmeshAddrPart}/16"; + Broadcast = "10.255.255.255"; + }; + } ]; + }; + "20-core" = { + enable = true; + matchConfig = { Name = "core"; }; + networkConfig = { + Address = "${coreAddress}/${toString corePrefixlen}"; + Gateway = "172.20.72.7"; + }; }; }; }; 
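Review bot: `networking.firewall.enable = false;` combined with `networking.nat.enable = true` (which enables IPv4 forwarding) leaves the container forwarding freely between the open Freifunk mesh on `bmx` and the `core` network on 172.20.72.0/26; the SNAT rule in `extraCommands` only rewrites sources on the way out to the mesh and does nothing to stop mesh hosts from reaching `core`, unless the `bmx` routing table already prevents that, which I cannot see here. Add an explicit forward policy such as `${pkgs.iptables}/bin/iptables -A FORWARD -i ${meshInterface} -o core -j DROP` (or keep the firewall enabled and trust only `core`). Separately, the `set +e` … `set -e` wrapper hides failures of `ip rule add` and of the `-A POSTROUTING` SNAT rule, and both are appended on every NAT restart with no `extraStopCommands` to remove them, so duplicates accumulate; checking with `iptables -C` before `-A` and deleting the rule in `extraStopCommands` keeps the setup idempotent without hiding errors.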
@@ -47,10 +98,64 @@ in { after = [ "systemd-networkd.service" ]; wantedBy = [ "network.target" ]; serviceConfig = { - ExecStart = "${bmxd}/sbin/bmxd --no_fork 1 --throw-rules 0 --prio-rules 0 dev=${meshInterface} /linklayer 0"; + ExecStart = '' + ${bmxd}/sbin/bmxd \ + --rt_table_offset=${toString rt_table} \ + --no_fork 1 \ + --throw-rules 0 \ + --prio-rules 0 \ + dev=bmx_prime /linklayer 0 \ + dev=${meshInterface} /linklayer 1 + ''; Restart = "always"; }; }; + systemd.services.ddmesh-register-node = { + script = '' + ${pkgs.curl}/bin/curl \ + -o /tmp/ddmesh-registration.json \ + '${ddmeshRegisterUrl}?registerkey=${ddmeshRegisterKey}&node=${toString ddmeshNode}' + ''; + serviceConfig = { + User = "nobody"; + Group = "nogroup"; + }; + }; + systemd.timers.ddmesh-register-node = { + partOf = [ "ddmesh-register-node.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "daily"; + }; + + services.bird2 = { + enable = true; + config = '' + protocol kernel { + ipv4 { + export all; + }; + } + protocol device { + scan time 10; + } + + protocol ospf ZW4 { + ipv4; + area 0 { + networks { + 172.20.72.0/21; + }; + stubnet 10.200.0.0/16; + interface "core" { + authentication cryptographic; + password "${import }"; + }; + }; + } + + router id ${coreAddress}; + ''; + }; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database diff --git a/secrets b/secrets index 35a994c6..8f732b65 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 35a994c6ea2f2720e8ec045ea1369163ea69a35f +Subproject commit 8f732b652a03432da81ed67aa9d968d6842ed0b4 From 9ec20ffd66507ca736d8ce8d451e3d1cf38b5468 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 03:46:03 +0200 Subject: [PATCH 04/63] lib: collectd buildMinimalPackage --- lib/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/default.nix b/lib/default.nix index f5093ca5..ab2e6254 100644 
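Review bot: Both secrets introduced in this hunk end up in the world-readable Nix store: `registerkey=${ddmeshRegisterKey}` is interpolated into the `ddmesh-register-node` script, and the OSPF key is spliced into `services.bird2.config` through `password "${import …}"`, so any local user can read them, and the register key is additionally visible in the process list for the duration of the curl call. Read them at runtime instead: keep the key in a root-only file and pass it with `curl -G --data-urlencode "registerkey@/var/lib/ddmesh/registerkey"`, and have bird load `include "/var/lib/bird/ospf-secret.conf";` rather than embedding the password. Also consider `curl -fsS` so an HTTP error response is not written to `/tmp/ddmesh-registration.json` as if registration had succeeded, and `PrivateTmp = true` since that output path is fixed and shared.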
--- a/lib/default.nix +++ b/lib/default.nix @@ -235,8 +235,9 @@ in { FQDNLookup false Interval 10 ''; + buildMinimalPackage = true; plugins = { - file = '' + logfile = '' LogLevel info File STDOUT ''; From 4e349e469aca0713ea8a7c2b6bde9a89b97396ab Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 22:18:07 +0200 Subject: [PATCH 05/63] dnscache: try fixing unbound --- hosts/containers/dnscache/configuration.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 8e44b13f..3002b3de 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix @@ -87,6 +87,7 @@ "1.0.0.1@853" #cloudflare-dns.com "2606:4700:4700::1001@853" #cloudflare-dns.com ]; + forwardTlsUpstream = true; extraConfig = '' server: ssl-upstream: yes @@ -96,11 +97,15 @@ domain-insecure: "22.172.in-addr.arpa" domain-insecure: "23.172.in-addr.arpa" domain-insecure: "d.f.ip6.arpa" + domain-insecure: "ffdd" + domain-insecure: "10.200.in-addr.arpa" local-zone: "20.172.in-addr.arpa." nodefault local-zone: "21.172.in-addr.arpa." nodefault local-zone: "22.172.in-addr.arpa." nodefault local-zone: "23.172.in-addr.arpa." nodefault local-zone: "d.f.ip6.arpa." nodefault + local-zone: "ffdd" + local-zone: "10.200.in-addr.arpa" remote-control: control-enable: yes From bd86de8c394efbb7d3c58dbf6067ccda930cd837 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 22:43:58 +0200 Subject: [PATCH 06/63] dnscache: try fixing unbound --- hosts/containers/dnscache/configuration.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 3002b3de..86a37305 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix 
@@ -87,7 +87,6 @@ "1.0.0.1@853" #cloudflare-dns.com "2606:4700:4700::1001@853" #cloudflare-dns.com ]; - forwardTlsUpstream = true; extraConfig = '' server: ssl-upstream: yes From f1662e06ef9c350d1c59c55a223144eee745ba71 Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 23:29:13 +0200 Subject: [PATCH 07/63] dnscache: use static address it moved o_0 TODO: exlude this address from dhcp! --- hosts/containers/dnscache/configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 86a37305..c09c939a 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix @@ -19,7 +19,8 @@ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.useNetworkd = true; networking.useDHCP = false; - networking.interfaces.eth0.useDHCP = true; + networking.interfaces.eth0.ipv4.addresses = [ { address = "172.20.73.8"; prefixLength = 26; } ]; + networking.defaultGateway = "172.20.73.1"; services.resolved.enable = false; # Set your time zone. From a12ddfb3c3540b5337d41ddf64051a5fe98f5f5c Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 23:30:00 +0200 Subject: [PATCH 08/63] dnscache: remove unreachable fd42 forward addrs from unbound, use ssl only for . --- hosts/containers/dnscache/configuration.nix | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index c09c939a..b7835d43 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix 
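Review bot: The static `172.20.73.8` assigned to `eth0` is, per the commit message, still inside the DHCP pool ("TODO: exlude this address from dhcp!"), and this host is the resolver the other containers point at (`networking.nameservers = [ "172.20.73.8" … ]` in the freifunk configuration). Until the pool excludes it, any DHCP client that is leased — or deliberately claims — the same address can answer the site's DNS queries, so this is a blocker rather than a TODO: add the reservation on the 172.20.73.0/26 DHCP server in the same change or pick an address outside the pool. A comment on the address line, `# static; must stay excluded from the 172.20.73.0/26 DHCP pool`, would record the invariant.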
@@ -86,11 +86,10 @@ "1.1.1.1@853" #cloudflare-dns.com "2606:4700:4700::1111@853" #cloudflare-dns.com "1.0.0.1@853" #cloudflare-dns.com - "2606:4700:4700::1001@853" #cloudflare-dns.com + "2606:4700:4700::1001@853\n forward-ssl-upstream: yes" #cloudflare-dns.com ]; extraConfig = '' server: - ssl-upstream: yes domain-insecure: "dn42" domain-insecure: "20.172.in-addr.arpa" domain-insecure: "21.172.in-addr.arpa" @@ -104,8 +103,8 @@ local-zone: "22.172.in-addr.arpa." nodefault local-zone: "23.172.in-addr.arpa." nodefault local-zone: "d.f.ip6.arpa." nodefault - local-zone: "ffdd" - local-zone: "10.200.in-addr.arpa" + local-zone: "ffdd." nodefault + local-zone: "10.200.in-addr.arpa." nodefault remote-control: control-enable: yes @@ -117,32 +116,26 @@ forward-zone: name: "dn42" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 forward-zone: name: "20.172.in-addr.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 forward-zone: name: "21.172.in-addr.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 forward-zone: name: "22.172.in-addr.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 forward-zone: name: "23.172.in-addr.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 forward-zone: name: "d.f.ip6.arpa" - forward-addr: fd42:d42:d42:53::1 forward-addr: 172.23.0.53 forward-zone: From 370b0c92c57b1c2e12167d7d48ee375f138db78a Mon Sep 17 00:00:00 2001 From: Astro Date: Sun, 12 Apr 2020 23:40:06 +0200 Subject: [PATCH 09/63] dnscache: fix reverse forward-zone switcheroo --- hosts/containers/dnscache/configuration.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index b7835d43..129e9925 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix 
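Review bot: The DNS-over-TLS upstreams in `forwardAddresses` are encrypted but not authenticated: the `#cloudflare-dns.com` after each entry is a Nix comment, not part of the string, so unbound receives no auth name, and no `tls-cert-bundle` is configured, which means the `forward-ssl-upstream: yes` injected here accepts any certificate a man-in-the-middle presents. Put the name inside the string for all four entries, `"1.1.1.1@853#cloudflare-dns.com"`, and add `tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt` to the `server:` section (verify the bundle path for this NixOS release). The `"…@853\n forward-ssl-upstream: yes"` trick of smuggling a directive through the last list element only works while the module emits each element verbatim on its own line; at minimum leave a comment explaining why it is written that way.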
@@ -97,14 +97,14 @@ domain-insecure: "23.172.in-addr.arpa" domain-insecure: "d.f.ip6.arpa" domain-insecure: "ffdd" - domain-insecure: "10.200.in-addr.arpa" + domain-insecure: "200.10.in-addr.arpa" local-zone: "20.172.in-addr.arpa." nodefault local-zone: "21.172.in-addr.arpa." nodefault local-zone: "22.172.in-addr.arpa." nodefault local-zone: "23.172.in-addr.arpa." nodefault local-zone: "d.f.ip6.arpa." nodefault local-zone: "ffdd." nodefault - local-zone: "10.200.in-addr.arpa." nodefault + local-zone: "200.10.in-addr.arpa." nodefault remote-control: control-enable: yes From edf243176b359713bc5ee032d03197db41dcfa55 Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 13 Apr 2020 01:14:37 +0200 Subject: [PATCH 10/63] dnscache: add more directly forwarded zones --- hosts/containers/dnscache/configuration.nix | 45 +++++++++++++++++---- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/hosts/containers/dnscache/configuration.nix b/hosts/containers/dnscache/configuration.nix index 129e9925..81530821 100644 --- a/hosts/containers/dnscache/configuration.nix +++ b/hosts/containers/dnscache/configuration.nix @@ -40,7 +40,7 @@ # Create a few files early before packing tarball for Proxmox # architecture/OS detection. - system.extraSystemBuilderCmds = + system.extraSystemBuilderCmds = '' mkdir -m 0755 -p $out/bin ln -s ${pkgs.bash}/bin/bash $out/bin/sh 
@@ -113,24 +113,55 @@ control-key-file: /var/lib/unbound/unbound_control.key control-cert-file: /var/lib/unbound/unbound_control.pem + forward-zone: + name: "99.22.172.in-addr.arpa" + forward-host: "ns.c3d2.de" - forward-zone: + forward-zone: + name: "zentralwerk.dn42" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "72.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "73.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "74.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "75.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "76.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: + name: "77.20.172.in-addr.arpa" + forward-host: "dns.serv.zentralwerk.org" + + forward-zone: name: "dn42" forward-addr: 172.23.0.53 - forward-zone: + forward-zone: name: "20.172.in-addr.arpa" forward-addr: 172.23.0.53 - forward-zone: + forward-zone: name: "21.172.in-addr.arpa" forward-addr: 172.23.0.53 - forward-zone: + forward-zone: name: "22.172.in-addr.arpa" forward-addr: 172.23.0.53 - forward-zone: + forward-zone: name: "23.172.in-addr.arpa" forward-addr: 172.23.0.53 @@ -158,7 +189,7 @@ memory = ""; interface = ""; load = ""; - exec = + exec = let unboundScript = builtins.toFile "unbound.rb" '' loop do From 840a3eedd7c0888842f892677492f44b429a12ef Mon Sep 17 00:00:00 2001 From: Astro Date: Mon, 13 Apr 2020 01:14:56 +0200 Subject: [PATCH 11/63] freifunk: fix bmx-lookback netmask --- hosts/containers/freifunk/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index a2a5fa8f..dcfcdc04 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix 
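Review bot: The new zones using `forward-host: "dns.serv.zentralwerk.org"` and `forward-host: "ns.c3d2.de"` make resolution of the internal reverse zones (`72.20.172.in-addr.arpa` … `77.20.172.in-addr.arpa`, `99.22.172.in-addr.arpa`) depend on first resolving public hostnames, whereas the dn42 zones in the same block pin `forward-addr: 172.23.0.53`. If those public names are hijacked or unreachable, the internal lookups follow them; using `forward-addr` with the servers' fixed internal addresses (keeping the hostname as a comment, e.g. `forward-addr: <ip> # dns.serv.zentralwerk.org`) removes that dependency. Unbound resolves `forward-host` names itself, so also confirm it can reach them before these zones are consulted.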
@@ -76,7 +76,7 @@ in { matchConfig = { Name = meshLoopback; }; addresses = [ { addressConfig = { - Address = "10.200.${ddmeshAddrPart}/16"; + Address = "10.200.${ddmeshAddrPart}/32"; Broadcast = "10.255.255.255"; }; } ]; From ba13bda063917e2990e9a16f2032f564e0f49754 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Thu, 26 Mar 2020 06:00:45 +0100 Subject: [PATCH 12/63] server7: hydra-dev, zfs support, fixed dhcp id --- hosts/server7/configuration.nix | 14 +++++++++--- hosts/server7/hardware-configuration.nix | 29 ++++++++++++------------ 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/hosts/server7/configuration.nix b/hosts/server7/configuration.nix index dc4de885..ede227e6 100644 --- a/hosts/server7/configuration.nix +++ b/hosts/server7/configuration.nix @@ -6,7 +6,7 @@ in { ../../lib ../../lib/default-gateway.nix - ../../lib/yggdrasil.nix + ./borgbackup.nix ./containers ./hardware-configuration.nix ./hydra.nix @@ -84,12 +84,13 @@ in { networking = { firewall.enable = false; hostName = "server7"; + hostId = "454fe12c"; useDHCP = false; bridges.br0.interfaces = [ "enp2s0f0" ]; interfaces = { br0 = { useDHCP = true; - preferTempAddress = false; + tempAddress = "disabled"; ipv4.addresses = [{ address = "172.22.99.245"; prefixLength = 24; @@ -107,7 +108,14 @@ in { boot.kernel.sysctl."net.bridge.bridge-nf-call-iptables" = 0; boot.kernel.sysctl."net.bridge.bridge-nf-call-ip6tables" = 0; - environment.systemPackages = with pkgs; [ tmux htop vim gitMinimal nixfmt ]; + environment.systemPackages = with pkgs; [ + tmux + htop + vim + gitMinimal + nixfmt + zfsStable + ]; services.collectd.extraConfig = '' LoadPlugin sensors diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix index b5bf6419..8af951b0 100644 --- a/hosts/server7/hardware-configuration.nix +++ b/hosts/server7/hardware-configuration.nix 
@@ -4,27 +4,28 @@ { config, lib, pkgs, ... }: { - imports = - [ - ]; + imports = [ ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.availableKernelModules = + [ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; + boot.supportedFilesystems = [ "zfs" ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/f14628ce-0f13-4544-9197-0ddda291f48f"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/9812-00B2"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/9812-00B2"; + fsType = "vfat"; + }; swapDevices = [ ]; - nix.maxJobs = lib.mkDefault 20; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + nix.maxJobs = lib.mkDefault 10; + nix.buildCores = lib.mkDefault 40; + powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; } From ac3663a4d4fb9ec2f0e76b4662d73eeb64ae54d8 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Thu, 26 Mar 2020 06:06:43 +0100 Subject: [PATCH 13/63] server7: add nvme mountpoints --- hosts/server7/hardware-configuration.nix | 145 +++++++++++++++++++++++ 1 file changed, 145 insertions(+) diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix index 8af951b0..24a47fa8 100644 --- a/hosts/server7/hardware-configuration.nix +++ b/hosts/server7/hardware-configuration.nix 
@@ -23,6 +23,151 @@ fsType = "vfat"; }; + fileSystems."/nvme0n1" = { + device = "nvme0n1"; + fsType = "zfs"; + }; + + fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { + device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; + fsType = "zfs"; + }; + + fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = { + device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de"; + fsType = "zfs"; + }; + + fileSystems."/zones/archive" = { + device = "nvme0n1/archive"; + fsType = "zfs"; + }; + + fileSystems."/zones/e71d4460-8eef-6623-a875-dd5ec20b650f/cores" = { + device = "nvme0n1/cores/e71d4460-8eef-6623-a875-dd5ec20b650f"; + fsType = "zfs"; + }; + + fileSystems."/zones/global/cores" = { + device = "nvme0n1/cores/global"; + fsType = "zfs"; + }; + + fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { + device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; + fsType = "zfs"; + }; + + fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = { + device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220"; + fsType = "zfs"; + }; + + fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { + device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/zones/9a9880d3-82db-c500-fcaa-d4e5a5cc617d/cores" = { + device = "nvme0n1/cores/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = { + device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { + device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { + device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de" = { + device = "nvme0n1/c3d2.de"; + fsType = "zfs"; + }; + + 
fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { + device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = { + device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { + device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f" = { + device = "nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3" = { + device = "nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { + device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89" = { + device = "nvme0n1/d5a8bfc2-6d01-6d5e-ad3f-edf032eedd89"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4" = { + device = "nvme0n1/a9786e8b-fce2-7567-6467-2a95086a51d4"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { + device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43" = { + device = "nvme0n1/7644820f-5ce5-f9f1-94b7-4537ee598f43"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5" = { + device = "nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f" = { + device = "nvme0n1/e71d4460-8eef-6623-a875-dd5ec20b650f"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/admin" = { + device = "nvme0n1/c3d2.de/admin"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/templates" = { + device = "nvme0n1/c3d2.de/templates"; + fsType = 
"zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/iso" = { + device = "nvme0n1/c3d2.de/iso"; + fsType = "zfs"; + }; + swapDevices = [ ]; nix.maxJobs = lib.mkDefault 10; From cf11f394b9a39ba3c002c99343072ae127c897e3 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Thu, 26 Mar 2020 06:08:14 +0100 Subject: [PATCH 14/63] server7: add borg backup --- hosts/server7/borgbackup.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 hosts/server7/borgbackup.nix diff --git a/hosts/server7/borgbackup.nix b/hosts/server7/borgbackup.nix new file mode 100644 index 00000000..0801a910 --- /dev/null +++ b/hosts/server7/borgbackup.nix @@ -0,0 +1,10 @@ +{ config, ... }: + +{ + services.borgbackup.repos.emery = { + allowSubRepos = true; + authorizedKeys = config.users.users.emery.openssh.authorizedKeys.keys; + path = "/srv/ceph/c3d2/backups/emery"; + quota = "200G"; + }; +} From 6c84fc4ebfd7c81490d8bb91b4fda21c887555c2 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Wed, 25 Mar 2020 19:52:13 +0100 Subject: [PATCH 15/63] server7: switch to flake, re-enable hydra --- flake.lock | 27 +++ flake.nix | 13 ++ hosts/server7/containers/outer-defaults.nix | 11 +- hosts/server7/containers/storage/default.nix | 2 +- .../{configuration.nix => default.nix} | 4 +- hosts/server7/hardware-configuration.nix | 2 +- hosts/server7/hydra.nix | 165 +----------------- hosts/server7/nix-serve.nix | 4 +- lib/lxc/default.nix | 7 +- 9 files changed, 64 insertions(+), 171 deletions(-) create mode 100644 flake.lock create mode 100644 flake.nix rename hosts/server7/{configuration.nix => default.nix} (97%) diff --git a/flake.lock b/flake.lock new file mode 100644 index 00000000..18c029ef --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "info": { + "lastModified": 1586508340, + "narHash": "sha256-d5jSxQw5h2N72iLnMP1ri5atw5oTsjLvgO4cTe1C2IM=" + }, + "locked": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "807ca93fadd5197c2260490de0c76e500562dc05", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 5 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 00000000..b5aa89eb --- /dev/null +++ b/flake.nix @@ -0,0 +1,13 @@ +{ + description = "C3D2 NixOS configurations"; + + edition = 201909; + + outputs = { self, nixpkgs }: { + nixosConfigurations.server7 = nixpkgs.lib.nixosSystem { + modules = + [ ./hosts/server7 ]; + system = "x86_64-linux"; + }; + }; +} diff --git a/hosts/server7/containers/outer-defaults.nix b/hosts/server7/containers/outer-defaults.nix index c5a4a9a5..9b849ea1 100644 --- a/hosts/server7/containers/outer-defaults.nix +++ b/hosts/server7/containers/outer-defaults.nix @@ -8,11 +8,12 @@ in { privateNetwork = true; hostBridge = "br0"; - localAddress6 = with builtins; let - hash = hashString "sha256" name; - hextet0 = substring 0 4 hash; - hextet1 = substring 4 4 hash; - in "${yggaddr.prefix}:${hextet0}:${hextet1}:c3d2/64"; + localAddress6 = with builtins; + let + hash = hashString "sha256" name; + hextet0 = substring 0 4 hash; + hextet1 = substring 4 4 hash; + in "${yggaddr.prefix}:${hextet0}:${hextet1}:c3d2/64"; # Generate a deterministic IPv6 address for the container. # This address is accessible within HQ and Yggdrasil but not from ARPANET. } diff --git a/hosts/server7/containers/storage/default.nix b/hosts/server7/containers/storage/default.nix index 67a0a52b..be8631c9 100644 --- a/hosts/server7/containers/storage/default.nix +++ b/hosts/server7/containers/storage/default.nix @@ -45,7 +45,7 @@ name: fancyindex on; # autoindex on; dav_access all:r; - ''; + ''; }; }; }; 
diff --git a/hosts/server7/configuration.nix b/hosts/server7/default.nix similarity index 97% rename from hosts/server7/configuration.nix rename to hosts/server7/default.nix index ede227e6..1ef1a4e4 100644 --- a/hosts/server7/configuration.nix +++ b/hosts/server7/default.nix @@ -3,7 +3,7 @@ let yggaddr = import ./yggaddr.nix; in { imports = [ - + # ../../lib ../../lib/default-gateway.nix ./borgbackup.nix @@ -40,6 +40,7 @@ in { ]; }; + services.nginx = { enable = true; recommendedGzipSettings = true; @@ -54,6 +55,7 @@ in { boot.kernel.sysctl."net.ipv6.conf.eth0.accept_ra" = 2; services.yggdrasil = { + enable = true; configFile = "/var/lib/yggdrasil/keys"; config.Peers = [ "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix index 24a47fa8..6fcb239c 100644 --- a/hosts/server7/hardware-configuration.nix +++ b/hosts/server7/hardware-configuration.nix @@ -4,7 +4,7 @@ { config, lib, pkgs, ... }: { - imports = [ ]; + # imports = [ ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; diff --git a/hosts/server7/hydra.nix b/hosts/server7/hydra.nix index 5d57ed3d..53481e63 100644 --- a/hosts/server7/hydra.nix +++ b/hosts/server7/hydra.nix 
@@ -1,173 +1,18 @@ -let - hydraFlakes = pkgs: - with pkgs; - let - perlDeps = buildEnv { - name = "hydra-perl-deps"; - paths = with perlPackages; [ - ModulePluggable - CatalystActionREST - CatalystAuthenticationStoreDBIxClass - CatalystDevel - CatalystDispatchTypeRegex - CatalystPluginAccessLog - CatalystPluginAuthorizationRoles - CatalystPluginCaptcha - CatalystPluginSessionStateCookie - CatalystPluginSessionStoreFastMmap - CatalystPluginStackTrace - CatalystPluginUnicodeEncoding - CatalystTraitForRequestProxyBase - CatalystViewDownload - CatalystViewJSON - CatalystViewTT - CatalystXScriptServerStarman - CatalystXRoleApplicator - CryptRandPasswd - DBDPg - DBDSQLite - DataDump - DateTime - DigestSHA1 - EmailMIME - EmailSender - FileSlurp - IOCompress - IPCRun - JSON - JSONAny - JSONXS - LWP - LWPProtocolHttps - NetAmazonS3 - NetPrometheus - NetStatsd - PadWalker - Readonly - SQLSplitStatement - SetScalar - Starman - SysHostnameLong - TermSizeAny - TestMore - TextDiff - TextTable - XMLSimple - pkgs.nixFlakes - pkgs.nixFlakes.perl-bindings - git - boehmgc - ]; - }; +{ config, pkgs, ... 
}: - in stdenv.mkDerivation { - - name = "hydra-flake"; - - src = pkgs.fetchFromGitHub { - owner = "NixOS"; - repo = "hydra"; - rev = "47797576838974c8209536b67bb45e953a50900f"; - sha256 = "1vqib99d7wgnl3c6ccx0xx2q88qmdkpydkb6gd0pik9wg2nn3jng"; - }; - - buildInputs = [ - makeWrapper - autoconf - automake - libtool - unzip - nukeReferences - pkgconfig - sqlite - libpqxx - gitAndTools.topGit - mercurial - darcs - subversion - bazaar - openssl - bzip2 - libxslt - guile # optional, for Guile + Guix support - perlDeps - perl - pkgs.nixFlakes - postgresql95 # for running the tests - boost - (nlohmann_json.override { multipleHeaders = true; }) - ]; - - hydraPath = lib.makeBinPath ([ - sqlite - subversion - openssh - pkgs.nixFlakes - coreutils - findutils - pixz - gzip - bzip2 - lzma - gnutar - unzip - git - gitAndTools.topGit - mercurial - darcs - gnused - bazaar - ] ++ lib.optionals stdenv.isLinux [ rpm dpkg cdrkit ]); - - configureFlags = [ "--with-docbook-xsl=${docbook_xsl}/xml/xsl/docbook" ]; - - shellHook = '' - PATH=$(pwd)/src/hydra-evaluator:$(pwd)/src/script:$(pwd)/src/hydra-eval-jobs:$(pwd)/src/hydra-queue-runner:$PATH - PERL5LIB=$(pwd)/src/lib:$PERL5LIB - ''; - - preConfigure = "autoreconf -vfi"; - - NIX_LDFLAGS = [ "-lpthread" ]; - - enableParallelBuilding = true; - - preCheck = '' - patchShebangs . - export LOGNAME=''${LOGNAME:-foo} - ''; - - postInstall = '' - mkdir -p $out/nix-support - - for i in $out/bin/*; do - read -n 4 chars < $i - if [[ $chars =~ ELF ]]; then continue; fi - wrapProgram $i \ - --prefix PERL5LIB ':' $out/libexec/hydra/lib:$PERL5LIB \ - --prefix PATH ':' $out/bin:$hydraPath \ - --set HYDRA_RELEASE 0.1 \ - --set HYDRA_HOME $out/libexec/hydra \ - --set NIX_RELEASE ${pkgs.nixFlakes.name or "unknown"} - done - ''; - - dontStrip = true; - - meta.description = "Build of Hydra on ${system}"; - passthru.perlDeps = perlDeps; - }; -in { config, pkgs, ... 
}: { +{ services.hydra = { enable = true; hydraURL = "https://server7.hq.c3d2.de"; logo = ./hydra.svg; notificationSender = "hydra@spam.works"; - package = hydraFlakes pkgs; + package = pkgs.hydra-unstable; listenHost = "127.0.0.1"; }; + nix.trustedUsers = [ "hydra" ]; + nix.buildMachines = [{ hostName = "localhost"; system = "x86_64-linux"; diff --git a/hosts/server7/nix-serve.nix b/hosts/server7/nix-serve.nix index a3456808..58c6d80a 100644 --- a/hosts/server7/nix-serve.nix +++ b/hosts/server7/nix-serve.nix @@ -15,7 +15,9 @@ addSSL = true; enableACME = true; locations."/".proxyPass = - "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; + "http://${config.services.nix-serve.bindAddress}:${ + toString config.services.nix-serve.port + }"; }; }; }; diff --git a/lib/lxc/default.nix b/lib/lxc/default.nix index 37cf50bd..185058e6 100644 --- a/lib/lxc/default.nix +++ b/lib/lxc/default.nix @@ -3,8 +3,11 @@ with lib; let - nixcloud-webservices = builtins.fetchGit { - url = "https://github.com/nixcloud/nixcloud-webservices.git"; + nixcloud-webservices = pkgs.fetchFromGitHub { + owner = "nixcloud"; + repo = "nixcloud-webservices"; + rev = "3a0767f0536fac811065eb87e6342f27eac085aa"; + sha256 = "vC0vBu+0HchrevuWsmE7giouKnSt/q4F0TffwhuNJv8="; }; nixcloud = ( import "${nixcloud-webservices}/pkgs" { inherit pkgs; } From b23ed3c746a0e160986a833b1c590741fa5a5687 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Mon, 13 Apr 2020 13:03:27 +0200 Subject: [PATCH 16/63] server7: update hardware config to avoid boot failure If the boot fails, just hit CTRL-D --- hosts/server7/hardware-configuration.nix | 122 ++++++++++++----------- 1 file changed, 66 insertions(+), 56 deletions(-) diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix index 6fcb239c..46c05dfc 100644 --- a/hosts/server7/hardware-configuration.nix +++ b/hosts/server7/hardware-configuration.nix 
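Review bot: `nix.trustedUsers = [ "hydra" ];` grants the hydra account trusted-user status on the nix daemon, which lets it override `substituters`, `trusted-public-keys` and other restricted settings and import unsigned store paths — effectively root-equivalent control of the store — and the commit does not say which Hydra component needs it. The NixOS hydra module already configures the queue runner's privileges as far as I recall, so confirm this is required with `pkgs.hydra-unstable`; if it is, add a comment naming the operation that needs it, e.g. `# hydra must be trusted to dispatch builds to nix.buildMachines`. The rest of this module continues below the hunk.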
@@ -23,48 +23,23 @@ fsType = "vfat"; }; + fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { + device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + fileSystems."/nvme0n1" = { device = "nvme0n1"; fsType = "zfs"; }; - fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { - device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; - fsType = "zfs"; - }; - - fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = { - device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de"; - fsType = "zfs"; - }; - - fileSystems."/zones/archive" = { - device = "nvme0n1/archive"; - fsType = "zfs"; - }; - - fileSystems."/zones/e71d4460-8eef-6623-a875-dd5ec20b650f/cores" = { - device = "nvme0n1/cores/e71d4460-8eef-6623-a875-dd5ec20b650f"; - fsType = "zfs"; - }; - - fileSystems."/zones/global/cores" = { - device = "nvme0n1/cores/global"; - fsType = "zfs"; - }; - - fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { - device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; - fsType = "zfs"; - }; - fileSystems."/zones/9f467f1e-000b-e771-e117-b32261e48220/cores" = { device = "nvme0n1/cores/9f467f1e-000b-e771-e117-b32261e48220"; fsType = "zfs"; }; - fileSystems."/zones/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3/cores" = { - device = "nvme0n1/cores/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fileSystems."/zones/archive" = { + device = "nvme0n1/archive"; fsType = "zfs"; }; 
@@ -73,18 +48,28 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = { - device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d"; + fileSystems."/zones/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5/cores" = { + device = "nvme0n1/cores/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; fsType = "zfs"; }; - fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { - device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fileSystems."/zones/global/cores" = { + device = "nvme0n1/cores/global"; fsType = "zfs"; }; - fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { - device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; + fileSystems."/zones/b090f14b-0a60-4451-e82a-c5291e5951de/cores" = { + device = "nvme0n1/cores/b090f14b-0a60-4451-e82a-c5291e5951de"; + fsType = "zfs"; + }; + + fileSystems."/zones/3516ab22-69b0-e327-95ec-f9be8852ee44/cores" = { + device = "nvme0n1/cores/3516ab22-69b0-e327-95ec-f9be8852ee44"; + fsType = "zfs"; + }; + + fileSystems."/zones/e71d4460-8eef-6623-a875-dd5ec20b650f/cores" = { + device = "nvme0n1/cores/e71d4460-8eef-6623-a875-dd5ec20b650f"; fsType = "zfs"; }; 
@@ -93,33 +78,33 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { - device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; - fsType = "zfs"; - }; - fileSystems."/nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de" = { device = "nvme0n1/b090f14b-0a60-4451-e82a-c5291e5951de"; fsType = "zfs"; }; - fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { - device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; - fsType = "zfs"; - }; - fileSystems."/nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f" = { device = "nvme0n1/55bcd862-bb70-11e9-9991-7b9a40d4e95f"; fsType = "zfs"; }; - fileSystems."/nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3" = { - device = "nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3"; + fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { + device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; fsType = "zfs"; }; - fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { - device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; + fileSystems."/nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3" = { + device = "nvme0n1/9c31e6c7-97ee-e757-b5e8-d4f07a25bdc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/admin" = { + device = "nvme0n1/c3d2.de/admin"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/c3d2.de/templates" = { + device = "nvme0n1/c3d2.de/templates"; fsType = "zfs"; }; 
@@ -133,8 +118,33 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d" = { - device = "nvme0n1/9a9880d3-82db-c500-fcaa-d4e5a5cc617d"; + fileSystems."/nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75" = { + device = "nvme0n1/3e65fa50-2f41-8792-df46-8c826bddab75"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9f467f1e-000b-e771-e117-b32261e48220" = { + device = "nvme0n1/9f467f1e-000b-e771-e117-b32261e48220"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5" = { + device = "nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317" = { + device = "nvme0n1/b28b36ed-1824-3a6c-cdbb-258c7dd63317"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3" = { + device = "nvme0n1/9651893f-4b85-293a-2d72-60ea3b541bc3"; + fsType = "zfs"; + }; + + fileSystems."/nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9" = { + device = "nvme0n1/0cc567e5-5e4c-1868-eca3-4426508cbfb9"; fsType = "zfs"; }; @@ -143,8 +153,8 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5" = { - device = "nvme0n1/eec98403-5f4f-cadf-f4ff-aa9a99b4cdb5"; + fileSystems."/nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d" = { + device = "nvme0n1/63d6e664-3f1f-11e8-aef6-a3120cf8dd9d"; fsType = "zfs"; }; From 2ec4213eb6c1a2f6f4c4f33c421d66f891d9591b Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Tue, 14 Apr 2020 12:12:13 +0530 Subject: [PATCH 17/63] Add Nixos module to flake, make check pass --- flake.nix | 7 +++++-- hosts/server7/default.nix | 5 +++++ hosts/server7/hardware-configuration.nix | 10 ---------- 3 files changed, 10 insertions(+), 12 deletions(-) diff --git a/flake.nix b/flake.nix index b5aa89eb..ec1e9ff4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,10 +4,13 @@ edition = 201909; outputs = { self, nixpkgs }: { + nixosConfigurations.server7 = nixpkgs.lib.nixosSystem { - modules = - [ ./hosts/server7 ]; + modules = [ ./hosts/server7 ]; system = "x86_64-linux"; }; + + nixosModules.c3d2 = import ./lib; + }; } diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 1ef1a4e4..663db6bf 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -13,6 +13,11 @@ in { ./nix-serve.nix ]; + security.acme = { + email = " mail@c3d2.de"; + acceptTerms = true; + }; + c3d2 = { users = { emery = true; diff --git a/hosts/server7/hardware-configuration.nix b/hosts/server7/hardware-configuration.nix index 46c05dfc..e198467f 100644 --- a/hosts/server7/hardware-configuration.nix +++ b/hosts/server7/hardware-configuration.nix @@ -163,16 +163,6 @@ fsType = "zfs"; }; - fileSystems."/nvme0n1/c3d2.de/admin" = { - device = "nvme0n1/c3d2.de/admin"; - fsType = "zfs"; - }; - - fileSystems."/nvme0n1/c3d2.de/templates" = { - device = "nvme0n1/c3d2.de/templates"; - fsType = "zfs"; - }; - fileSystems."/nvme0n1/c3d2.de/iso" = { device = "nvme0n1/c3d2.de/iso"; fsType = "zfs"; From 14cbbe53270ed1a35482ecc1fdd3ac2878fdfcdc Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Tue, 14 Apr 2020 20:38:04 +0530 Subject: [PATCH 18/63] emery: add ssh key for distributed nix builds --- lib/users/emery.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/users/emery.nix b/lib/users/emery.nix index 27834ed1..49a061ba 100644 --- a/lib/users/emery.nix +++ b/lib/users/emery.nix @@ -4,6 +4,7 @@ let keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgL2kRs+cXAcUzOO2Tp+mtMBVuHqMuslQy3LN+HLSP4 emery@nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVmyXQNE5IhcFdAWNfd4Cgg+rc+z/uClSQdPcaAVbYf emery@nixos" + "ssh-rsa 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 root@bigpad" ]; in { From 09ff8fc7cdd4aac4c8d2f5269fec8a08e0b62466 Mon Sep 17 00:00:00 2001 
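Review bot: The ACME account address in the new `security.acme` block of hosts/server7/default.nix carries a leading space, `email = " mail@c3d2.de";`, which is handed to the CA as the account contact exactly as written and may be rejected or stored with the stray character; it should read `email = "mail@c3d2.de";`. The enclosing module attribute set starts outside the hunk.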
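Review bot: The added `ssh-rsa … root@bigpad` entry in the `keys` list of lib/users/emery.nix grants the root account of that host interactive access as emery on every machine that imports this user module (the path suggests it is shared across hosts), not only on the machine that acts as a remote builder, so a compromise of bigpad becomes a compromise of the emery account everywhere. If the key exists only for distributed builds, a dedicated builder user with a restricted authorized_keys entry (a `restrict`/`command=` option) would limit the blast radius, and a comment such as `# bigpad root key, used only for distributed nix builds` would record the intent. The `let` binding that holds `keys` starts outside the hunk, and how the list is consumed is inferred from the file path.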
From: Astro Date: Tue, 14 Apr 2020 20:56:54 +0200 Subject: [PATCH 19/63] freifunk: add collectd plugin `protocols' --- hosts/containers/freifunk/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index dcfcdc04..4719fa32 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -24,6 +24,7 @@ in { enableHail = false; hq.statistics.enable = true; }; + services.collectd.plugins.protocols = ""; networking.hostName = "freifunk"; networking.useNetworkd = true; From 89cad8060af3cedc45c18c06c2fc06393ad608c3 Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 14 Apr 2020 20:57:27 +0200 Subject: [PATCH 20/63] freifunk: configure ipv6 --- hosts/containers/freifunk/configuration.nix | 52 ++++++++++++++++++--- 1 file changed, 45 insertions(+), 7 deletions(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index 4719fa32..ae2d5b2e 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -85,10 +85,30 @@ in { "20-core" = { enable = true; matchConfig = { Name = "core"; }; - networkConfig = { - Address = "${coreAddress}/${toString corePrefixlen}"; - Gateway = "172.20.72.7"; - }; + addresses = [ { + addressConfig = { + Address = "${coreAddress}/${toString corePrefixlen}"; + }; + } { + addressConfig = { + Address = "2a02:8106:208:5281:8000::1/64"; + }; + } { + addressConfig = { + Address = "fd23:42:c3d2:581:8000::1/64"; + }; + } ]; + routes = [ { + routeConfig = { + # upstream1 + Gateway = "2a02:8106:208:5281::b:0"; + }; + } { + routeConfig = { + # anon1 + Gateway = "172.20.72.7"; + }; + } ]; }; }; }; 
@@ -131,17 +151,21 @@ in { services.bird2 = { enable = true; config = '' - protocol kernel { + protocol kernel K4 { ipv4 { export all; }; } + protocol kernel K6 { + ipv6 { + export all; + }; + } protocol device { scan time 10; } - protocol ospf ZW4 { - ipv4; + protocol ospf v2 ZW4 { area 0 { networks { 172.20.72.0/21; @@ -154,6 +178,20 @@ in { }; } + protocol ospf v3 ZW6 { + area 0 { + networks { + fd23:42:c3d2:500::/56; + 2a02:8106:208:5200::/56; + 2a02:8106:211:e900::/56; + }; + interface "core" { + #authentication cryptographic; + #password "${import }"; + }; + }; + } + router id ${coreAddress}; ''; }; From cc0761579f4a66ad4876dbfc1f4262a00995e56a Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 14 Apr 2020 20:58:04 +0200 Subject: [PATCH 21/63] freifunk: add nginx --- hosts/containers/freifunk/assets/index.html | 9 ++++ .../freifunk/assets/sysinfo-json.cgi | 50 +++++++++++++++++++ hosts/containers/freifunk/configuration.nix | 48 ++++++++++++++++++ krops.nix | 1 + 4 files changed, 108 insertions(+) create mode 100644 hosts/containers/freifunk/assets/index.html create mode 100644 hosts/containers/freifunk/assets/sysinfo-json.cgi diff --git a/hosts/containers/freifunk/assets/index.html b/hosts/containers/freifunk/assets/index.html new file mode 100644 index 00000000..4d2028c2 --- /dev/null +++ b/hosts/containers/freifunk/assets/index.html @@ -0,0 +1,9 @@ +
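Review bot: The new `protocol ospf v3 ZW6` instance leaves interface authentication commented out (`#authentication cryptographic;` / `#password …`) while the parallel `ospf v2 ZW4` instance on the same `core` interface authenticates cryptographically, so any host reachable on `core` can form an OSPFv3 adjacency and inject IPv6 routes, which the new `protocol kernel K6 { ipv6 { export all; }; }` then installs into the kernel table. If this is because the BIRD release in use has no OSPFv3 authentication yet, say so next to the commented lines, e.g. `# OSPFv3 authentication unsupported by this BIRD version; enable once available`, and consider narrowing what K6 exports to the expected prefixes instead of `export all` in the meantime. The `services.bird2.config` string starts outside the hunk.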

Chaos Computer Club Dresden

+

Router zu Freifunk Dresden

+ + + diff --git a/hosts/containers/freifunk/assets/sysinfo-json.cgi b/hosts/containers/freifunk/assets/sysinfo-json.cgi new file mode 100644 index 00000000..92dff0ae --- /dev/null +++ b/hosts/containers/freifunk/assets/sysinfo-json.cgi @@ -0,0 +1,50 @@ +{ + "version": "15", + "timestamp": "1586882346", + "data": { + "firmware": { + "version": "0.0.0", + "DISTRIB_ID": "NixOS", + "DISTRIB_RELEASE": "20.03", + "DISTRIB_REVISION": "", + "DISTRIB_CODENAME": "", + "DISTRIB_TARGET": "x86_64", + "DISTRIB_DESCRIPTION": "NixOS 20.03" + }, + "system": { + "uptime": "0 0", + "uname": "Linux 5.3.18", + "nameserver": [ + ], + "date": "Tue Apr 14 18:39:06 CEST 2020", + "cpuinfo": "Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz", + "cpucount": "40", + "bmxd": "bmxd", + "essid": "ZW public", + "node_type": "router", + "splash": 0, + "email_notification": 0, + "autoupdate": 0, + "available_flash_size": "16T", + "bmxd_restart_counter": 0 + }, + "common": { + "city": "Dresden", + "node": "51073", + "domain": "freifunk-dresden.de", + "ip": "10.200.200.74", + "network_id": "1206" + }, + "gps": { + "latitude": 51.0810624, + "longitude": 13.7285866, + "altitude": 100 + }, + "contact": { + "name": "C3D2", + "location": "Zentralwerk Haus B Souterrain", + "email": "astro%40spaceboyz.net", + "note": "" + } + } +} diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index ae2d5b2e..85615a96 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix 
@@ -196,6 +196,54 @@ in { ''; }; + services.nginx = { + enable = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + + virtualHosts = + let + aliasFile = path: { + alias = path; + extraConfig = '' + etag off; + add_header etag "\"${builtins.substring 11 32 path}\""; + ''; + }; + in { + "c3d2.ffdd" = { + default = true; + root = ; + locations = { + "/".index = "index.html"; + "/sysinfo-json.cgi".extraConfig = '' + add_header Content-Type "application/json;charset=UTF-8"; + ''; + }; + }; + "storage.hq.c3d2.ffdd" = { + locations = { + "/".proxyPass = "http://storage.hq.c3d2.de/"; + }; + }; + "grafana.hq.c3d2.ffdd" = { + locations = { + "/" = { + proxyPass = "https://grafana.hq.c3d2.de/"; + extraConfig = '' + proxy_ssl_server_name on; + ''; + }; + }; + }; + "influxdb.hq.c3d2.ffdd" = { + locations = { + "/".proxyPass = "http://grafana.hq.c3d2.de:8086/"; + }; + }; + }; + }; + # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/krops.nix b/krops.nix index f9ad4e28..6e31df4d 100644 --- a/krops.nix +++ b/krops.nix @@ -16,6 +16,7 @@ let url = "https://github.com/NixOS/nixpkgs.git"; }; nixos-config.file = toString (./hosts + "/${path}/configuration.nix"); + this-host.file = toString (./hosts + "/${path}"); lib.file = toString ./lib; secrets.file = toString ./secrets; "host-registry.nix".file = toString ./host-registry.nix; From 02fa9225a1ba67431dfe208eefa2fc332d3a072a Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 15 Apr 2020 02:03:48 +0200 Subject: [PATCH 22/63] scrape: scrape freifunk_nodes --- hosts/containers/scrape/configuration.nix | 36 +++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index f3d1a900..9c53cba7 100644 --- a/hosts/containers/scrape/configuration.nix 
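Review bot: The `storage.hq.c3d2.ffdd`, `grafana.hq.c3d2.ffdd` and `influxdb.hq.c3d2.ffdd` virtual hosts proxy HQ-internal services to whoever reaches this container from the Freifunk mesh, and nothing in the hunk restricts who may use them; for the `/` location proxied to port 8086 in particular, if the InfluxDB HTTP API behind it does not enforce authentication itself, this publishes query and write access to the metrics database to the whole mesh. A comment stating that these upstreams are intentionally public, or an `allow`/`deny` block or a restriction to read-only endpoints, would make the intent explicit. Separately, the `influxdb.hq.c3d2.ffdd` upstream is `http://grafana.hq.c3d2.de:8086/` — presumably InfluxDB runs on the grafana host, but a comment saying so would stop the next reader from taking it for a copy-paste slip. The `aliasFile` helper bound in the `let` is not referenced anywhere in the hunk.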
+++ b/hosts/containers/scrape/configuration.nix @@ -59,6 +59,22 @@ host = "matemat.hq.c3d2.de"; inherit (matematLogin) user password; }; + scrape-node1139 = makeService { + script = "freifunk_node"; + host = "10.200.4.120"; + }; + scrape-node1487 = makeService { + script = "freifunk_node"; + host = "10.200.5.213"; + }; + scrape-node1247 = makeService { + script = "freifunk_node"; + host = "10.200.4.228"; + }; + scrape-node1176 = makeService { + script = "freifunk_node"; + host = "10.200.4.157"; + }; }; systemd.timers.scrape-xeri = { partOf = [ "scrape-xeri.service" ]; @@ -85,6 +101,26 @@ wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; + systemd.timers.scrape-node1139 = { + partOf = [ "scrape-node1139.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "minutely"; + }; + systemd.timers.scrape-node1487 = { + partOf = [ "scrape-node1487.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "minutely"; + }; + systemd.timers.scrape-node1247 = { + partOf = [ "scrape-node1247.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "minutely"; + }; + systemd.timers.scrape-node1176 = { + partOf = [ "scrape-node1176.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "minutely"; + }; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database From 22a6a7d13c0a3dc998c3d097c1bb0ca2ce89c489 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 16 Apr 2020 22:44:46 +0200 Subject: [PATCH 23/63] scrape: replace freifunk node 1176 with 1768 --- hosts/containers/scrape/configuration.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index 9c53cba7..4c782f95 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix 
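Review bot: The four `scrape-node…` services and the four matching `systemd.timers.scrape-node…` entries are copies of one another that differ only in node name and address, so adding or retiring a node means editing two places and the service/timer pairs can drift (the later rename of node1176 in this series touches both). Generating both from one node-to-address attrset keeps them in sync; the sketch below assumes `lib` is among the module arguments, which start outside the hunk, and leaves the existing entries where they are.
```nix
# in the module's let block (outside the hunk): nodes to scrape, name -> mesh address
freifunkNodes = {
  node1139 = "10.200.4.120";
  node1487 = "10.200.5.213";
  node1247 = "10.200.4.228";
  node1176 = "10.200.4.157";
};

systemd.services = {
  # … unchanged: existing scrape-* services …
} // lib.mapAttrs' (node: host:
  lib.nameValuePair "scrape-${node}" (makeService { script = "freifunk_node"; inherit host; })
) freifunkNodes;

systemd.timers = {
  # … unchanged: existing scrape-* timers …
} // lib.mapAttrs' (node: _:
  lib.nameValuePair "scrape-${node}" {
    partOf = [ "scrape-${node}.service" ];
    wantedBy = [ "timers.target" ];
    timerConfig.OnCalendar = "minutely";
  }
) freifunkNodes;
```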
@@ -71,7 +71,7 @@ script = "freifunk_node"; host = "10.200.4.228"; }; - scrape-node1176 = makeService { + scrape-node1768 = makeService { script = "freifunk_node"; host = "10.200.4.157"; }; @@ -116,8 +116,8 @@ wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; - systemd.timers.scrape-node1176 = { - partOf = [ "scrape-node1176.service" ]; + systemd.timers.scrape-node1768 = { + partOf = [ "scrape-node1768.service" ]; wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; From 464c8169d5b7ffec5905425dad43dad87fcaf10d Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 16 Apr 2020 22:45:39 +0200 Subject: [PATCH 24/63] freifunk: tmpOnTmpfs = true --- hosts/containers/freifunk/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index 85615a96..4d7f18bd 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -19,6 +19,7 @@ in { ]; + boot.tmpOnTmpfs = true; c3d2 = { isInHq = false; enableHail = false; From f5e258382ee9907dc406f51f6d9f5a8f2714e998 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 16 Apr 2020 22:45:57 +0200 Subject: [PATCH 25/63] freifunk: advertise whole freifunk/15 in ospfv2 --- hosts/containers/freifunk/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index 4d7f18bd..2f14142a 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -171,7 +171,7 @@ in { networks { 172.20.72.0/21; }; - stubnet 10.200.0.0/16; + stubnet 10.200.0.0/15; interface "core" { authentication cryptographic; password "${import }"; From 80273f027e485fc5405ddd3d2524881f583fbe96 Mon Sep 17 00:00:00 2001 
From: Astro Date: Thu, 16 Apr 2020 22:46:37 +0200 Subject: [PATCH 26/63] freifunk: serve sysinfo-json.cgi --- .../freifunk/assets/sysinfo-json.cgi | 50 ----------- hosts/containers/freifunk/configuration.nix | 88 +++++++++++-------- hosts/containers/freifunk/sysinfo-json.nix | 70 +++++++++++++++ 3 files changed, 123 insertions(+), 85 deletions(-) delete mode 100644 hosts/containers/freifunk/assets/sysinfo-json.cgi create mode 100644 hosts/containers/freifunk/sysinfo-json.nix diff --git a/hosts/containers/freifunk/assets/sysinfo-json.cgi b/hosts/containers/freifunk/assets/sysinfo-json.cgi deleted file mode 100644 index 92dff0ae..00000000 --- a/hosts/containers/freifunk/assets/sysinfo-json.cgi +++ /dev/null @@ -1,50 +0,0 @@ -{ - "version": "15", - "timestamp": "1586882346", - "data": { - "firmware": { - "version": "0.0.0", - "DISTRIB_ID": "NixOS", - "DISTRIB_RELEASE": "20.03", - "DISTRIB_REVISION": "", - "DISTRIB_CODENAME": "", - "DISTRIB_TARGET": "x86_64", - "DISTRIB_DESCRIPTION": "NixOS 20.03" - }, - "system": { - "uptime": "0 0", - "uname": "Linux 5.3.18", - "nameserver": [ - ], - "date": "Tue Apr 14 18:39:06 CEST 2020", - "cpuinfo": "Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz", - "cpucount": "40", - "bmxd": "bmxd", - "essid": "ZW public", - "node_type": "router", - "splash": 0, - "email_notification": 0, - "autoupdate": 0, - "available_flash_size": "16T", - "bmxd_restart_counter": 0 - }, - "common": { - "city": "Dresden", - "node": "51073", - "domain": "freifunk-dresden.de", - "ip": "10.200.200.74", - "network_id": "1206" - }, - "gps": { - "latitude": 51.0810624, - "longitude": 13.7285866, - "altitude": 100 - }, - "contact": { - "name": "C3D2", - "location": "Zentralwerk Haus B Souterrain", - "email": "astro%40spaceboyz.net", - "note": "" - } - } -} diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index 2f14142a..478ef0c5 100644 --- a/hosts/containers/freifunk/configuration.nix 
+++ b/hosts/containers/freifunk/configuration.nix @@ -11,6 +11,10 @@ let ddmeshNode = 51073; ddmeshAddrPart = "200.74"; rt_table = 7; + bmxd = import (toString ) { inherit pkgs; }; + sysinfo-json = import { + inherit pkgs bmxd ddmeshNode; + }; in { imports = [ @@ -113,10 +117,7 @@ in { }; }; }; - systemd.services.bmxd = - let - bmxd = import (toString ) { inherit pkgs; }; - in { + systemd.services.bmxd = { after = [ "systemd-networkd.service" ]; wantedBy = [ "network.target" ]; serviceConfig = { @@ -148,6 +149,17 @@ in { wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "daily"; }; + systemd.services.sysinfo-json = { + script = '' + ${sysinfo-json}/bin/bmxddump.sh + ${sysinfo-json}/bin/sysinfo-json.cgi > /tmp/sysinfo.json + ''; + }; + systemd.timers.sysinfo-json = { + partOf = [ "sysinfo-json.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "minutely"; + }; services.bird2 = { enable = true; 
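Review bot: The new `sysinfo-json` unit writes its output to the fixed path `/tmp/sysinfo.json` with a plain shell redirection, and the nginx `alias` added later in this series (the virtualHosts hunks of patch 26 and patch 31) serves that file to the mesh; `/tmp` is shared and world-writable (a tmpfs after patch 24), so whatever sits at that path is what gets published, and the redirection reuses a file or link that was placed there first. On a single-purpose container the practical risk is small, but a unit-owned directory removes the question: `serviceConfig.RuntimeDirectory = "sysinfo-json";`, write to `/run/sysinfo-json/sysinfo.json`, and point the nginx `alias` at that path. The unit also has no `User=`, so the dump runs as root, and no `serviceConfig.Type = "oneshot"`, which is the usual choice for a timer-driven job; both are worth stating in a comment if intended. The enclosing module attribute set starts outside the hunk.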
@@ -202,47 +214,53 @@ in { recommendedOptimisation = true; recommendedGzipSettings = true; - virtualHosts = - let - aliasFile = path: { - alias = path; - extraConfig = '' - etag off; - add_header etag "\"${builtins.substring 11 32 path}\""; - ''; - }; - in { - "c3d2.ffdd" = { - default = true; - root = ; - locations = { - "/".index = "index.html"; - "/sysinfo-json.cgi".extraConfig = '' + virtualHosts = { + "c3d2.ffdd" = { + default = true; + root = ; + locations = { + "/" = { + index = "index.html"; + extraConfig = '' + etag off; + add_header etag "\"${builtins.substring 11 32 ( + "/assets")}\""; + ''; + }; + "=/sysinfo-json.cgi" = { + alias = "/tmp/sysinfo.json"; + extraConfig = '' + add_header Content-Type "application/json;charset=UTF-8"; + ''; + }; + "=/sysinfo.json" = { + alias = "/tmp/sysinfo.json"; + extraConfig = '' add_header Content-Type "application/json;charset=UTF-8"; ''; }; }; - "storage.hq.c3d2.ffdd" = { - locations = { - "/".proxyPass = "http://storage.hq.c3d2.de/"; - }; + }; + "storage.hq.c3d2.ffdd" = { + locations = { + "/".proxyPass = "http://storage.hq.c3d2.de/"; }; - "grafana.hq.c3d2.ffdd" = { - locations = { - "/" = { - proxyPass = "https://grafana.hq.c3d2.de/"; - extraConfig = '' + }; + "grafana.hq.c3d2.ffdd" = { + locations = { + "/" = { + proxyPass = "https://grafana.hq.c3d2.de/"; + extraConfig = '' proxy_ssl_server_name on; ''; - }; - }; - }; - "influxdb.hq.c3d2.ffdd" = { - locations = { - "/".proxyPass = "http://grafana.hq.c3d2.de:8086/"; }; }; }; + "influxdb.hq.c3d2.ffdd" = { + locations = { + "/".proxyPass = "http://grafana.hq.c3d2.de:8086/"; + }; + }; + }; }; # This value determines the NixOS release with which your system is to be diff --git a/hosts/containers/freifunk/sysinfo-json.nix b/hosts/containers/freifunk/sysinfo-json.nix new file mode 100644 index 00000000..3aafe3c2 --- /dev/null +++ b/hosts/containers/freifunk/sysinfo-json.nix 
@@ -0,0 +1,70 @@ +{ pkgs ? import {}, + ffdd-server ? builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git", + bmxd, + ddmeshNode, + ... }: + +with pkgs; +let + nvram = { + ddmesh_node = toString ddmeshNode; + city = "Dresden"; + autoupdate = "0"; + contact_name = "C3D2"; + contact_location = "Zentralwerk"; + contact_email = "astro@spaceboyz.net"; + contact_note = "http://www.c3d2.ffdd/"; + gps_latitude = "51.0810624"; + gps_longitude = "13.7285866"; + gps_altitude = "100"; + }; +in +stdenv.mkDerivation { + name = "sysinfo-json"; + src = "${ffdd-server}/salt/freifunk/base/ddmesh/"; + buildPhase = '' + cat > bmxddump.sh < \$DB_PATH/gateways + ${bmxd}/sbin/bmxd -c --links > \$DB_PATH/links + ${bmxd}/sbin/bmxd -c --originators > \$DB_PATH/originators + ${bmxd}/sbin/bmxd -c --status > \$DB_PATH/status + #${bmxd}/sbin/bmxd -c --networks > \$DB_PATH/networks + ${bmxd}/sbin/bmxd -ci > \$DB_PATH/info + EOF + + cat > lsb_release < Date: Fri, 17 Apr 2020 02:10:43 +0200 Subject: [PATCH 27/63] freifunk: fix index.html encoding --- hosts/containers/freifunk/assets/index.html | 25 ++++++++++++++------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/hosts/containers/freifunk/assets/index.html b/hosts/containers/freifunk/assets/index.html index 4d2028c2..d767ce34 100644 --- a/hosts/containers/freifunk/assets/index.html +++ b/hosts/containers/freifunk/assets/index.html @@ -1,9 +1,18 @@ -
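Review bot: The `ffdd-server` default argument, `builtins.fetchGit "https://github.com/Freifunk-Dresden/ffdd-server.git"`, fetches whatever the repository's default branch points to at evaluation time, with no `rev` and no content hash, and the scripts taken from it (`bmxddump.sh`, `sysinfo-json.cgi`) are run on the router by a systemd unit that, as written elsewhere in this series, has no `User=`; the build is therefore neither reproducible nor protected against a changed or compromised upstream. Pin it the way the `lib/lxc/default.nix` hunk earlier in this series does, `pkgs.fetchFromGitHub { owner = "Freifunk-Dresden"; repo = "ffdd-server"; rev = "<PINNED-COMMIT>"; sha256 = "<HASH>"; }` (placeholders, to be filled from the revision actually tested), or at least pass `rev` to `fetchGit`. Part of the `buildPhase` text appears garbled on this page (the heredoc markers are missing), so the rest of the file could not be reviewed.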

Chaos Computer Club Dresden

-

Router zu Freifunk Dresden

+ + + + + http://c3d2.ffdd + + +

Chaos Computer Club Dresden

+

Router zu Freifunk Dresden

- - + + + From 7260bbe3c698625d38c7f7046294a0fc0a3b86d6 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 17 Apr 2020 02:12:57 +0200 Subject: [PATCH 28/63] scrape: fix freifunk node 1768 addr --- hosts/containers/scrape/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index 4c782f95..e13c67ab 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -73,7 +73,7 @@ }; scrape-node1768 = makeService { script = "freifunk_node"; - host = "10.200.4.157"; + host = "10.200.6.239"; }; }; systemd.timers.scrape-xeri = { From b163f350de9b710940dd5bcfc45f0f7cd4e429f5 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 17 Apr 2020 02:13:12 +0200 Subject: [PATCH 29/63] scrape: remove luftdaten --- hosts/containers/scrape/configuration.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index e13c67ab..e214e164 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -45,10 +45,6 @@ script = "xerox"; host = "roxi.hq.c3d2.de"; }; - scrape-luftdaten = makeService { - script = "luftdaten"; - host = ""; - }; scrape-fhem = makeService { script = "fhem"; host = "fhem.hq.c3d2.de"; @@ -86,11 +82,6 @@ wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; - systemd.timers.scrape-luftdaten = { - partOf = [ "scrape-luftdaten.service" ]; - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "minutely"; - }; systemd.timers.scrape-fhem = { partOf = [ "scrape-fhem.service" ]; wantedBy = [ "timers.target" ]; From 6f16c99c38d2de55c539e741a5d545126a0c75a1 Mon Sep 17 00:00:00 2001 
From: Astro Date: Fri, 17 Apr 2020 02:14:14 +0200 Subject: [PATCH 30/63] freifunk: doc --- hosts/containers/freifunk/configuration.nix | 62 ++++++++++++--------- 1 file changed, 35 insertions(+), 27 deletions(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index 478ef0c5..de62047e 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -37,8 +37,12 @@ in { networking.firewall.enable = false; networking.nat = { enable = true; + # This doesn't really work, hence the `extraCommands` externalInterface = meshInterface; #internalInterfaces = [ "core" ]; + + # Setup routing into Freifunk, + # masquerading anything that isn't already their IP range extraCommands = '' set +e ${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300 @@ -47,17 +51,19 @@ in { set -e ''; }; + # Configure rt_table name networking.iproute2 = { enable = true; rttablesExtraConfig = "${toString rt_table} bmx"; }; - # Required for krops + # Required for krops: ssh git services.openssh.enable = true; environment.systemPackages = with pkgs; [ git tcpdump ]; systemd.network = { netdevs = { + # Dummy interface for primary (10.200) address bmx_prime = { enable = true; netdevConfig = { @@ -67,6 +73,7 @@ in { }; }; networks = { + # Wired mesh interface "10-bmx" = { enable = true; matchConfig = { Name = meshInterface; }; @@ -77,6 +84,7 @@ in { }; } ]; }; + # Dummy interface for primary (10.200) address "11-bmx-loopback" = { enable = true; matchConfig = { Name = meshLoopback; }; 
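Review bot: The comment `# Dummy interface for primary (10.200) address` is added twice, once on the `bmx_prime` netdev and once on the `11-bmx-loopback` network that matches `meshLoopback`; if those name the same device (the value of `meshLoopback` is not visible here), the second comment would help more by saying so, e.g. `# Addresses for the bmx_prime dummy netdev declared above`, and if they do not, the duplicated wording misleads. The new `# This doesn't really work, hence the `extraCommands`` on `networking.nat` should name what does not work — which generated rule is insufficient for this setup — since otherwise the next maintainer cannot tell whether the workaround is still needed. The `networking` and `systemd.network` attribute sets these comments land in start outside their hunks.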
@@ -87,22 +95,15 @@ in { }; } ]; }; + # ZW "20-core" = { enable = true; matchConfig = { Name = "core"; }; - addresses = [ { - addressConfig = { - Address = "${coreAddress}/${toString corePrefixlen}"; - }; - } { - addressConfig = { - Address = "2a02:8106:208:5281:8000::1/64"; - }; - } { - addressConfig = { - Address = "fd23:42:c3d2:581:8000::1/64"; - }; - } ]; + addresses = map (Address: { addressConfig = { inherit Address; }; }) [ + "${coreAddress}/${toString corePrefixlen}" + "2a02:8106:208:5281:8000::1/64" + "fd23:42:c3d2:581:8000::1/64" + ]; routes = [ { routeConfig = { # upstream1 @@ -117,22 +118,25 @@ in { }; }; }; + # Freifunk Dresden routing daemon systemd.services.bmxd = { - after = [ "systemd-networkd.service" ]; - wantedBy = [ "network.target" ]; - serviceConfig = { - ExecStart = '' - ${bmxd}/sbin/bmxd \ - --rt_table_offset=${toString rt_table} \ - --no_fork 1 \ - --throw-rules 0 \ - --prio-rules 0 \ - dev=bmx_prime /linklayer 0 \ - dev=${meshInterface} /linklayer 1 + after = [ "systemd-networkd.service" ]; + wantedBy = [ "network.target" ]; + serviceConfig = { + ExecStart = '' + ${bmxd}/sbin/bmxd \ + --rt_table_offset=${toString rt_table} \ + --no_fork 1 \ + --throw-rules 0 \ + --prio-rules 0 \ + dev=bmx_prime /linklayer 0 \ + dev=${meshInterface} /linklayer 1 ''; - Restart = "always"; - }; + Restart = "always"; }; + }; + + # Re-register periodically systemd.services.ddmesh-register-node = { script = '' ${pkgs.curl}/bin/curl \ @@ -149,6 +153,8 @@ in { wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "daily"; }; + + # Refresh sysinfo.json systemd.services.sysinfo-json = { script = '' ${sysinfo-json}/bin/bmxddump.sh @@ -161,6 +167,7 @@ in { timerConfig.OnCalendar = "minutely"; }; + # Advertise Freifunk routes to ZW core services.bird2 = { enable = true; config = '' @@ -209,6 +216,7 @@ in { ''; }; + # HTTP Reverse Proxy to provide services into Freifunk services.nginx = { enable = true; recommendedOptimisation = true; 
From d2f65be2e4682001eb11427b8bfdf16fe158686e Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 17 Apr 2020 03:18:34 +0200 Subject: [PATCH 31/63] freifunk: shorten services.nginx.virtualHosts --- hosts/containers/freifunk/configuration.nix | 62 ++++++++------------- 1 file changed, 24 insertions(+), 38 deletions(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index de62047e..3f4f0e54 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix 
@@ -226,48 +226,34 @@ in { "c3d2.ffdd" = { default = true; root = ; - locations = { - "/" = { - index = "index.html"; - extraConfig = '' - etag off; - add_header etag "\"${builtins.substring 11 32 ( + "/assets")}\""; - ''; - }; - "=/sysinfo-json.cgi" = { - alias = "/tmp/sysinfo.json"; - extraConfig = '' - add_header Content-Type "application/json;charset=UTF-8"; - ''; - }; - "=/sysinfo.json" = { - alias = "/tmp/sysinfo.json"; - extraConfig = '' - add_header Content-Type "application/json;charset=UTF-8"; - ''; - }; - }; - }; - "storage.hq.c3d2.ffdd" = { - locations = { - "/".proxyPass = "http://storage.hq.c3d2.de/"; - }; - }; - "grafana.hq.c3d2.ffdd" = { - locations = { - "/" = { - proxyPass = "https://grafana.hq.c3d2.de/"; - extraConfig = '' - proxy_ssl_server_name on; + locations = + let + sysinfo-json = { + alias = "/tmp/sysinfo.json"; + extraConfig = '' + add_header Content-Type "application/json;charset=UTF-8"; ''; + }; + in { + "/" = { + index = "index.html"; + extraConfig = '' + etag off; + add_header etag "\"${builtins.substring 11 32 ( + "/assets")}\""; + ''; + }; + "=/sysinfo-json.cgi" = sysinfo-json; + "=/sysinfo.json" = sysinfo-json; }; - }; }; - "influxdb.hq.c3d2.ffdd" = { - locations = { - "/".proxyPass = "http://grafana.hq.c3d2.de:8086/"; - }; + "storage.hq.c3d2.ffdd".locations."/".proxyPass = "http://storage.hq.c3d2.de/"; + "grafana.hq.c3d2.ffdd".locations."/" = { + proxyPass = "https://grafana.hq.c3d2.de/"; + extraConfig = '' + proxy_ssl_server_name on; + ''; }; + "influxdb.hq.c3d2.ffdd".locations."/".proxyPass = "http://grafana.hq.c3d2.de:8086/"; }; }; From c0970654bb4f3b9b6f8245ba455ecc6652e4b98f Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Wed, 15 Apr 2020 18:56:00 +0200 Subject: [PATCH 32/63] server7: add Nix signing post-build-hook --- hosts/server7/default.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 663db6bf..f741d4fd 100644 
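Review bot: `"influxdb.hq.c3d2.ffdd".locations."/".proxyPass = "http://grafana.hq.c3d2.de:8086/"` exposes the InfluxDB HTTP API to the whole Freifunk mesh with no authentication layer in front of it; unless that InfluxDB instance enforces auth, any mesh participant can read, write and drop data. Either confirm InfluxDB auth is on and say so in a comment, or put `basicAuthFile` on that vhost and keep the write path HQ-internal. The shared `sysinfo-json` location aliases `/tmp/sysinfo.json`, a file in a world-writable directory that any local user can pre-create or replace with a symlink; writing it to a service-owned directory (e.g. `RuntimeDirectory = "sysinfo"` and `alias = "/run/sysinfo/sysinfo.json"`) removes that race. The grafana proxy sets `proxy_ssl_server_name on` but not `proxy_ssl_verify on`, so upstream TLS is unverified — acceptable on the HQ LAN, but worth a one-line comment.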
--- a/hosts/server7/default.nix
+++ b/hosts/server7/default.nix
@@ -81,9 +81,17 @@ in {
 nix = {
 package = pkgs.nixFlakes;
- extraOptions = "experimental-features = nix-command flakes ca-references";
 gc.automatic = true;
 optimise.automatic = true;
+ extraOptions = ''
+ experimental-features = nix-command flakes ca-references
+ post-build-hook = ${
+ pkgs.writeScript "post-build-sign-paths" ''
+ #!${pkgs.runtimeShell}
+ nix sign-paths --key-file /var/lib/nix-serve.key $OUT_PATHS
+ ''
+ }
+ '';
 };
 virtualisation.docker.enable = true;
From a1656f95534df2843ccc7eb5070403e6c6bc56d8 Mon Sep 17 00:00:00 2001
From: Emery Hemingway
Date: Wed, 15 Apr 2020 19:00:56 +0200
Subject: [PATCH 33/63] server7: use sotest hydra flake
---
 flake.lock | 86 +++++++++++++++++++++++++++++++++++++++--
 flake.nix | 7 +++-
 hosts/server7/hydra.nix | 5 +--
 3 files changed, 89 insertions(+), 9 deletions(-)
diff --git a/flake.lock b/flake.lock
index 18c029ef..019f9a2a 100644
--- a/flake.lock
+++ b/flake.lock
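Review bot: The post-build hook signs every output nix-daemon builds on server7 with the nix-serve cache key, not only Hydra's jobs: anyone who can talk to the daemon can build an arbitrary derivation and obtain a cache-signed path, and a trusted user (this series later adds `hydra` to `nix.trustedUsers`) can do so with the sandbox disabled. If the key is meant to attest only vetted builds, restrict daemon access with `nix.allowedUsers` and state the assumption above the hook, e.g. `# every local build is signed with the cache key; keep daemon access limited to trusted users`. As far as I recall Nix treats a failing hook as a failed build, so an unreadable `/var/lib/nix-serve.key` would fail all builds; `set -eu` after the shebang and a comment that the daemon runs the script as root and the key must be root-only make that explicit.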
@@ -1,24 +1,102 @@ { "nodes": { + "hydra": { + "info": { + "lastModified": 1586949285, + "narHash": "sha256-mXvLmicI1XtturvkuBbt1Fe4MsiGlbbK8Qlg8pyIyY4=" + }, + "inputs": { + "nix": "nix", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "owner": "ehmry", + "repo": "hydra", + "rev": "59bb3ab8e854cb52782077f2c5a80471d0004ac8", + "type": "github" + }, + "original": { + "owner": "ehmry", + "ref": "sotest", + "repo": "hydra", + "type": "github" + } + }, + "nix": { + "info": { + "lastModified": 1586440843, + "narHash": "sha256-7YxrpRPmAOoCSl6KtepKCXcae5MUm1Pl+lwDunBFGoo=" + }, + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "owner": "NixOS", + "repo": "nix", + "rev": "3aaceeb7e2d3fb8a07a1aa5a21df1dca6bbaa0ef", + "type": "github" + }, + "original": { + "id": "nix", + "type": "indirect" + } + }, "nixpkgs": { "info": { - "lastModified": 1586508340, - "narHash": "sha256-d5jSxQw5h2N72iLnMP1ri5atw5oTsjLvgO4cTe1C2IM=" + "lastModified": 1585405475, + "narHash": "sha256-bESW0n4KgPmZ0luxvwJ+UyATrC6iIltVCsGdLiphVeE=" }, "locked": { "owner": "NixOS", "repo": "nixpkgs", - "rev": "807ca93fadd5197c2260490de0c76e500562dc05", + "rev": "b88ff468e9850410070d4e0ccd68c7011f15b2be", "type": "github" }, "original": { "id": "nixpkgs", + "ref": "nixos-20.03-small", "type": "indirect" } }, + "nixpkgs_2": { + "info": { + "lastModified": 1586219474, + "narHash": "sha256-fvfrMnEA2lDnXvH/eInGV5i0sO/EGLVHa4pOek8VG78=" + }, + "locked": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "29eddfc36d720dcc4822581175217543b387b1e8", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-20.03", + "type": "indirect" + } + }, + "nixpkgs_3": { + "info": { + "lastModified": 1586724123, + "narHash": "sha256-VQ7zZy2xpz6dULpjar4jxNaQ0N/2q68l+EYO2nXaXDo=" + }, + "locked": { + "owner": "nixos", + "repo": "nixpkgs-channels", + "rev": "708cb6b307b04ad862cc50de792e57e7a4a8bb5a", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-20.03", + "repo": 
"nixpkgs-channels", + "type": "github" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "hydra": "hydra", + "nixpkgs": "nixpkgs_3" } } }, diff --git a/flake.nix b/flake.nix index ec1e9ff4..8789aa95 100644 --- a/flake.nix +++ b/flake.nix @@ -3,10 +3,13 @@ edition = 201909; - outputs = { self, nixpkgs }: { + inputs.nixpkgs.url = "github:nixos/nixpkgs-channels/nixos-20.03"; + inputs.hydra.url = "github:ehmry/hydra/sotest"; + + outputs = { self, nixpkgs, hydra }: { nixosConfigurations.server7 = nixpkgs.lib.nixosSystem { - modules = [ ./hosts/server7 ]; + modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; system = "x86_64-linux"; }; diff --git a/hosts/server7/hydra.nix b/hosts/server7/hydra.nix index 53481e63..872bfde9 100644 --- a/hosts/server7/hydra.nix +++ b/hosts/server7/hydra.nix @@ -2,12 +2,11 @@ { - services.hydra = { + services.hydra-dev = { enable = true; hydraURL = "https://server7.hq.c3d2.de"; logo = ./hydra.svg; notificationSender = "hydra@spam.works"; - package = pkgs.hydra-unstable; listenHost = "127.0.0.1"; }; @@ -28,7 +27,7 @@ addSSL = true; enableACME = true; locations."/".proxyPass = - "http://127.0.0.1:${toString config.services.hydra.port}"; + "http://127.0.0.1:${toString config.services.hydra-dev.port}"; }; }; }; From 22495536619c1ffba9a8f5086ea50febc4482ca9 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Tue, 21 Apr 2020 10:04:38 +0200 Subject: [PATCH 34/63] server7: Move hydra proxy to a container --- host-registry.nix | 1 + hosts/server7/containers/default.nix | 2 -- hosts/server7/containers/hydra7/default.nix | 33 +++++++++++++++++++++ 3 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 hosts/server7/containers/hydra7/default.nix diff --git a/host-registry.nix b/host-registry.nix index 387091e9..a12b7a23 100644 --- a/host-registry.nix +++ b/host-registry.nix 
@@ -13,6 +13,7 @@ rec { hydra.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhurL/sxsXRglKdLfiWIcK+iqpyhGrGt/MoBODsgvig"; + hydra7 = { }; mpd-index = { }; nfs = { }; ncdc.publicKey = diff --git a/hosts/server7/containers/default.nix b/hosts/server7/containers/default.nix index f7b77205..e26eb748 100644 --- a/hosts/server7/containers/default.nix +++ b/hosts/server7/containers/default.nix @@ -1,8 +1,6 @@ { lib, ... }: let - yggaddr = import ../yggaddr.nix; - containerFunc = name: # Generate a container expression from the directory at `name`. { diff --git a/hosts/server7/containers/hydra7/default.nix b/hosts/server7/containers/hydra7/default.nix new file mode 100644 index 00000000..10837599 --- /dev/null +++ b/hosts/server7/containers/hydra7/default.nix @@ -0,0 +1,33 @@ +name: + +let port = 3000; +in (import ../outer-defaults.nix name) // { + + bindMounts."/srv/c3d2" = { + hostPath = "/srv/ceph/c3d2"; + isReadOnly = false; + }; + + ephemeral = true; + + forwardPorts = [{ + containerPort = port; + hostPort = port; + protocol = "tcp"; + }]; + + config = { config, pkgs, lib, ... }: { + imports = [ ../inner-defaults.nix ]; + networking.firewall.enable = false; + services.nginx = { + enable = true; + virtualHosts = { + "hydra7.y.c3d2.de" = { + default = true; + locations."/".proxyPass = "http://127.0.0.1:${toString port}"; + }; + }; + }; + }; + +} From 6882367df861b34f673bcab81442f67706006a87 Mon Sep 17 00:00:00 2001 
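Review bot: The new hydra7 container disables its firewall (`networking.firewall.enable = false`) and mounts `/srv/ceph/c3d2` writable, yet it only runs an nginx reverse proxy; neither the write access nor the open firewall is needed for that. `isReadOnly = true` (or dropping the mount) and keeping the firewall on with `networking.firewall.allowedTCPPorts = [ 80 ];` keep the proxy container's blast radius small. Note also that nginx proxies to `127.0.0.1:3000` inside the container while `forwardPorts` maps the host's port 3000 into the container, so as written the proxy has nothing to reach on its own loopback; a later commit in this series changes the upstream address.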
From: Emery Hemingway Date: Tue, 21 Apr 2020 13:44:42 +0200 Subject: [PATCH 35/63] Consolidate yggdrasil to c3d2.hq.yggdrasil.enableGateway Move the server7 hydra proxy to a container. The yggdrasil addresses for containers has changed now. Add yggdrasil mappings to /etc/hosts. --- flake.nix | 20 +- hosts/hydra/configuration.nix | 18 +- hosts/pulsebert/configuration.nix | 2 +- hosts/server7/containers/adc/default.nix | 13 +- hosts/server7/containers/hydra7/default.nix | 30 +-- hosts/server7/containers/ncdc/default.nix | 4 +- hosts/server7/containers/outer-defaults.nix | 9 - hosts/server7/containers/storage/default.nix | 1 + hosts/server7/default.nix | 12 +- hosts/server7/hydra.nix | 27 ++- hosts/server7/yggaddr.nix | 2 +- lib/default.nix | 41 ++-- lib/hq.nix | 7 - lib/yggdrasil-hq.nix | 40 ---- lib/yggdrasil-service.nix | 185 ------------------- lib/yggdrasil.nix | 13 -- 16 files changed, 90 insertions(+), 334 deletions(-) delete mode 100644 lib/hq.nix delete mode 100644 lib/yggdrasil-hq.nix delete mode 100644 lib/yggdrasil-service.nix delete mode 100644 lib/yggdrasil.nix diff --git a/flake.nix b/flake.nix index 8789aa95..d0c283f0 100644 --- a/flake.nix +++ b/flake.nix @@ -8,9 +8,23 @@ outputs = { self, nixpkgs, hydra }: { - nixosConfigurations.server7 = nixpkgs.lib.nixosSystem { - modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; - system = "x86_64-linux"; + nixosConfigurations = { + + server7 = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/server7 hydra.nixosModules.hydra ]; + system = "x86_64-linux"; + }; + + hydra = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/hydra/configuration.nix ]; + system = "x86_64-linux"; + }; + + pulsebert = nixpkgs.lib.nixosSystem { + modules = [ ./hosts/pulsebert/configuration.nix ]; + system = "x86_64-linux"; + }; + }; nixosModules.c3d2 = import ./lib; diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix index 457851c6..b76dab2e 100644 --- a/hosts/hydra/configuration.nix 
+++ b/hosts/hydra/configuration.nix @@ -2,12 +2,9 @@ { imports = [ - ./hydra.nix ./cache.nix ../../lib - ../../lib/hq.nix - ../../lib/yggdrasil.nix ]; c3d2 = { @@ -18,23 +15,10 @@ isInHq = true; mapHqHosts = true; hq.interface = "eth0"; + hq.yggdrasil.enableGateway = true; }; networking.interfaces.eth0.preferTempAddress = false; - systemd.services.yggdrasil.preStart = '' - mkdir -p /dev/net - mknod /dev/net/tun c 10 200 || true - chmod 0666 /dev/net/tun - ''; - services.yggdrasil = { - configFile = "/var/lib/yggdrasil/keys"; - config.Peers = [ - "tcp://[2a03:3b40:fe:ab::1]:46370" # Praha - "tcp://ygg.thingylabs.io:443" # Nürnberg - "tcp://176.223.130.120:22632" # Wrocław - "tcp://[2a05:9403::8b]:7743" # Praha - ]; - }; nixpkgs.config.allowUnfree = true; diff --git a/hosts/pulsebert/configuration.nix b/hosts/pulsebert/configuration.nix index 497ca89c..ff33c871 100644 --- a/hosts/pulsebert/configuration.nix +++ b/hosts/pulsebert/configuration.nix @@ -13,7 +13,6 @@ in { ../../lib ../../lib/admins.nix ../../lib/hq.nix - ../../lib/yggdrasil.nix ./mpdConsole.nix ]; @@ -27,6 +26,7 @@ in { hq = { interface = "eno1"; enableMpdProxy = true; + yggdrasi.enableGateway = true; }; enableHail = true; }; diff --git a/hosts/server7/containers/adc/default.nix b/hosts/server7/containers/adc/default.nix index b0e3a04c..365f3b37 100644 --- a/hosts/server7/containers/adc/default.nix +++ b/hosts/server7/containers/adc/default.nix @@ -2,7 +2,16 @@ name: (import ../outer-defaults.nix name) // { config = { config, pkgs, lib, ... }: { - imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ]; + imports = [ ../inner-defaults.nix ]; + + c3d2.hq.yggdrasil.enableGateway = true; + + networking.firewall.allowedTCPPorts = [ config.services.uhub.port ]; + + networking.interfaces.eth0.ipv6.addresses = [{ + address = "310:5217:69c0:9afc:0:576d:1184:c3d2"; + prefixLength = 64; + }]; # Old address used by some clients services.uhub = { enable = true; 
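Review bot: In the pulsebert hunk `yggdrasi.enableGateway = true;` is misspelled, so the configuration will fail to evaluate with an undefined option under `c3d2.hq`; the line should read `yggdrasil.enableGateway = true;`. The same hunk keeps `../../lib/hq.nix` in `imports` while this commit deletes `lib/hq.nix`, so pulsebert will not evaluate even after the typo is fixed — drop that import line too (patch 39 later removes the same remnant from the LXC templates but, as far as visible here, not from pulsebert). The adc hunk hard-codes `310:5217:69c0:9afc:0:576d:1184:c3d2` for compatibility; a comment naming the clients that still depend on it and when it can go would keep that from becoming permanent.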
@@ -18,8 +27,6 @@ name: }; }; - networking.firewall.allowedTCPPorts = [ config.services.uhub.port ]; - hq.yggdrasil.enable = true; }; } diff --git a/hosts/server7/containers/hydra7/default.nix b/hosts/server7/containers/hydra7/default.nix index 10837599..5ad2522b 100644 --- a/hosts/server7/containers/hydra7/default.nix +++ b/hosts/server7/containers/hydra7/default.nix @@ -1,30 +1,32 @@ name: -let port = 3000; -in (import ../outer-defaults.nix name) // { - - bindMounts."/srv/c3d2" = { - hostPath = "/srv/ceph/c3d2"; - isReadOnly = false; - }; +(import ../outer-defaults.nix name) // { ephemeral = true; - forwardPorts = [{ - containerPort = port; - hostPort = port; - protocol = "tcp"; - }]; - config = { config, pkgs, lib, ... }: { imports = [ ../inner-defaults.nix ]; + c3d2.hq.yggdrasil.enableGateway = true; networking.firewall.enable = false; + networking.interfaces.eth0.useDHCP = true; + security.acme = { + acceptTerms = true; + email = "mail@c3d2.de"; + }; services.nginx = { enable = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; virtualHosts = { + "hydra7.hq.c3d2.de" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://172.22.99.245:3000"; + }; "hydra7.y.c3d2.de" = { default = true; - locations."/".proxyPass = "http://127.0.0.1:${toString port}"; + addSSL = false; + locations."/".proxyPass = "http://172.22.99.245:3000"; }; }; }; diff --git a/hosts/server7/containers/ncdc/default.nix b/hosts/server7/containers/ncdc/default.nix index d169ece4..4fdd3bdf 100644 --- a/hosts/server7/containers/ncdc/default.nix +++ b/hosts/server7/containers/ncdc/default.nix @@ -10,11 +10,12 @@ name: config = { config, pkgs, lib, ... }: let ncdcPort = 1512; in { - imports = [ ../inner-defaults.nix ../../../../lib/yggdrasil-hq.nix ]; + imports = [ ../inner-defaults.nix ]; c3d2 = { users.k-ot = true; hq.statistics.enable = true; + hq.yggdrasil.enableGateway = true; }; services.openssh.enable = true; 
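Review bot: The rewritten hydra7 container still sets `networking.firewall.enable = false`, and its `default = true` vhost `hydra7.y.c3d2.de` is served without TLS (`addSSL = false`), so Hydra logins arriving at nginx under any unmatched Host header travel in clear text unless they come over Yggdrasil. Keeping the firewall on with `networking.firewall.allowedTCPPorts = [ 80 443 ];` and making the ACME host the default (so stray names get redirected to HTTPS) narrows that; if the plaintext vhost is deliberately Yggdrasil-only, say so, e.g. `# plaintext is acceptable here: only reachable over the encrypted Yggdrasil overlay`. `recommendedTlsSettings = true` is also missing from this nginx instance, unlike the server7 host config this series removes.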
@@ -23,7 +24,6 @@ name: environment.systemPackages = with pkgs; [ tmux ncdc ]; networking.firewall.enable = false; - hq.yggdrasil.enable = true; }; } diff --git a/hosts/server7/containers/outer-defaults.nix b/hosts/server7/containers/outer-defaults.nix index 9b849ea1..680bec38 100644 --- a/hosts/server7/containers/outer-defaults.nix +++ b/hosts/server7/containers/outer-defaults.nix @@ -7,13 +7,4 @@ in { autoStart = true; privateNetwork = true; hostBridge = "br0"; - - localAddress6 = with builtins; - let - hash = hashString "sha256" name; - hextet0 = substring 0 4 hash; - hextet1 = substring 4 4 hash; - in "${yggaddr.prefix}:${hextet0}:${hextet1}:c3d2/64"; - # Generate a deterministic IPv6 address for the container. - # This address is accessible within HQ and Yggdrasil but not from ARPANET. } diff --git a/hosts/server7/containers/storage/default.nix b/hosts/server7/containers/storage/default.nix index be8631c9..d36cc141 100644 --- a/hosts/server7/containers/storage/default.nix +++ b/hosts/server7/containers/storage/default.nix @@ -13,6 +13,7 @@ name: c3d2 = { users.k-ot = true; hq.statistics.enable = true; + hq.yggdrasil.enableGateway = true; }; services.openssh = { diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index f741d4fd..bbe60f46 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -45,15 +45,6 @@ in { ]; }; - - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - statusPage = true; - }; - # Route IPv6 boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1; # Obtain global IPv6 despite being a router myself @@ -98,6 +89,7 @@ in { networking = { firewall.enable = false; + firewall.trustedInterfaces = [ "br0" ]; hostName = "server7"; hostId = "454fe12c"; useDHCP = false; @@ -111,7 +103,7 @@ in { prefixLength = 24; }]; ipv6.addresses = [{ - address = yggaddr.prefix + ":1"; + address = yggaddr.prefix64 + "::1"; prefixLength = 64; }]; }; 
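Review bot: In the server7 `networking` hunk, `firewall.trustedInterfaces = [ "br0" ]` is added directly under `firewall.enable = false`, so it has no effect. Either the firewall is meant to be enabled — then the trusted bridge makes sense and a comment on the intended policy should go with it — or the line should be removed together with a note on why this host runs unfiltered. Since this host also becomes the Yggdrasil `::1` gateway for the containers on `br0`, stating the filtering intent in one line is worth it.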
diff --git a/hosts/server7/hydra.nix b/hosts/server7/hydra.nix index 872bfde9..f0b68f5a 100644 --- a/hosts/server7/hydra.nix +++ b/hosts/server7/hydra.nix @@ -1,13 +1,22 @@ { config, pkgs, ... }: { - services.hydra-dev = { enable = true; + debugServer = true; + extraEnv.HYDRA_DEBUG = "1"; hydraURL = "https://server7.hq.c3d2.de"; logo = ./hydra.svg; notificationSender = "hydra@spam.works"; - listenHost = "127.0.0.1"; + # package = pkgs.hydra-unstable; + listenHost = "172.22.99.245"; + # listenHost = "*"; + extraConfig = '' + + username = emery + password = 36\#KAVMD + + ''; }; nix.trustedUsers = [ "hydra" ]; @@ -19,18 +28,4 @@ maxJobs = 8; }]; - services.nginx = { - enable = true; - virtualHosts = { - "server7.hq.c3d2.de" = { - default = true; - addSSL = true; - enableACME = true; - locations."/".proxyPass = - "http://127.0.0.1:${toString config.services.hydra-dev.port}"; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/hosts/server7/yggaddr.nix b/hosts/server7/yggaddr.nix index f5086928..22be5469 100644 --- a/hosts/server7/yggaddr.nix +++ b/hosts/server7/yggaddr.nix @@ -1,4 +1,4 @@ { address = "210:5217:69c0:9afc:1b95:b9f:8718:c3d2"; - prefix = "310:5217:69c0:9afc:"; + prefix64 = "310:5217:69c0:9afc"; } diff --git a/lib/default.nix b/lib/default.nix index ab2e6254..505a6ab1 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -8,6 +8,8 @@ let hqPrefix64 = "fd23:42:c3d2:523"; # TODO: Is this stable? Is there a better place to specifiy this? + server7Ygg = import ../hosts/server7/yggaddr.nix; + # Generate a deterministic IPv6 address for a 64 bit prefix # and seed string. Prefix must not contain trailing ':'. toIpv6Address = prefix64: seed: 
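Review bot: The `extraConfig` hunk in `hosts/server7/hydra.nix` commits a Hydra credential in clear text (`username = emery`, `password = 36\#KAVMD`); besides living in git history, `extraConfig` is rendered into the generated hydra.conf in the world-readable Nix store. Patch 44 later moves this to `authfile = /var/lib/hydra/sotest.auth`, but the password itself must be treated as compromised and rotated regardless. The surrounding block tags appear to have been stripped by rendering (the empty `+` lines), so the hunk as shown may not be the file verbatim. `debugServer = true` and `HYDRA_DEBUG = "1"` on an instance now listening on the LAN (`listenHost = "172.22.99.245"`) should either be removed or carry a `# temporary for sotest bring-up` comment.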
@@ -21,14 +23,9 @@ let # for the HQ networking using a seed string. toHqPrivateAddress = toIpv6Address hqPrefix64; - /* # Generate a deterministic public IPv6 addresses - # for the HQ networking using a seed string. - toHqPublicAddress = toIpv6Address publicPrefix64; + toServer7Address = toIpv6Address server7Ygg.prefix64; - # Generate a deterministic public IPv6 addresses - # for the HQ networking using a seed string. - toserver7YggdrasilAddress = toIpv6Address server7YggrasilPrefix64; - */ + # toHqPublicAddress = toIpv6Address publicPrefix64; cfg = config.c3d2; @@ -106,6 +103,8 @@ in { description = "Whether to proxy the local MPD database"; }; + yggdrasil.enableGateway = mkEnableOption + "Whether to join the host to the Yggdrasil network via a gateway"; }; }; @@ -118,7 +117,8 @@ in { # Configuration specific to this machine assertions = [ - { assertion = cfg.isInHq -> (config.users.users.root.password == null); + { + assertion = cfg.isInHq -> (config.users.users.root.password == null); message = "Root passwords not allowed in HQ"; } { @@ -166,10 +166,16 @@ in { host.ip6 else toHqPrivateAddress hostName; - in [{ - name = ip6; - value = [ "${hostName}.hq" hostName ]; - }] ++ lib.optional (hasAttr "ip4" host) { + in [ + { + name = ip6; + value = [ "${hostName}.hq" hostName ]; + } + { + name = toServer7Address hostName; + value = [ "${hostName}.y.c3d2.de" "${hostName}.y" ]; + } + ] ++ lib.optional (hasAttr "ip4" host) { name = host.ip4; value = [ "${hostName}.hq" hostName ]; }; @@ -196,7 +202,16 @@ in { ipv6.addresses = [{ address = toHqPrivateAddress config.networking.hostName; prefixLength = 64; - }]; + }] ++ lib.optional (cfg.hq.yggdrasil.enableGateway) { + address = toServer7Address config.networking.hostName; + prefixLength = 64; + }; + ipv6.routes = lib.optional (cfg.hq.yggdrasil.enableGateway) { + address = "200::"; + options.pref = "low"; + prefixLength = 7; + via = server7Ygg.prefix64 + "::1"; + }; }; }); 
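Review bot: The reformatted assertion `cfg.isInHq -> (config.users.users.root.password == null)` only inspects `password`; a root login is still possible via `hashedPassword`, `initialPassword` or `initialHashedPassword`, none of which the check covers, so the message "Root passwords not allowed in HQ" promises more than it enforces. Extending it to `assertion = cfg.isInHq -> (with config.users.users.root; password == null && hashedPassword == null && initialPassword == null && initialHashedPassword == null);` makes it match its intent. In the `/etc/hosts` hunk the `${hostName}.y.c3d2.de` mapping is generated for every registered host, not only those with `hq.yggdrasil.enableGateway`, so some names will resolve to addresses that are never configured — harmless, but worth a comment so nobody debugs it later.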
diff --git a/lib/hq.nix b/lib/hq.nix deleted file mode 100644 index 4ecc258c..00000000 --- a/lib/hq.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, lib, ... }: - -{ - # Please import only things that are configurable and OFF BY DEFAULT! - imports = [ ./yggdrasil-hq.nix ]; - -} diff --git a/lib/yggdrasil-hq.nix b/lib/yggdrasil-hq.nix deleted file mode 100644 index 21d026b3..00000000 --- a/lib/yggdrasil-hq.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, lib, ... }: -with lib; - -let - cfg = config.hq.yggdrasil; - hostNameHash = builtins.hashString "sha256" config.networking.hostName; - hextets = map (i: substring (4 * i) 4 hostNameHash) [ 0 1 2 3 ]; - hostAddr = concatStringsSep ":" hextets; -in { - options = with types; { - hq.yggdrasil = { - enable = - mkEnableOption "Configure Yggdrasil access via the Yggdrasil router"; - - interface = mkOption { - type = nullOr str; - default = "eth0"; - description = "Network interface to the C3D2 HQ ethernet"; - }; - }; - }; - - config = mkIf cfg.enable { - networking.interfaces = { - "${cfg.interface}" = { - "ipv6" = { - addresses = [{ - address = "310:5217:69c0:9afc:${hostAddr}"; - prefixLength = 64; - }]; - routes = [{ - address = "200::"; - prefixLength = 7; - via = "310:5217:69c0:9afc::1"; - }]; - }; - }; - }; - }; -} diff --git a/lib/yggdrasil-service.nix b/lib/yggdrasil-service.nix deleted file mode 100644 index 33d1f093..00000000 --- a/lib/yggdrasil-service.nix +++ /dev/null 
@@ -1,185 +0,0 @@ -{ config, lib, pkgs, ... }: -with lib; -let - cfg = config.services.yggdrasil; - configProvided = (cfg.config != { }); - configAsFile = (if configProvided then - toString (pkgs.writeTextFile { - name = "yggdrasil-conf"; - text = builtins.toJSON cfg.config; - }) - else - null); - configFileProvided = (cfg.configFile != null); - generateConfig = (if configProvided && configFileProvided then - "${pkgs.jq}/bin/jq -s add ${configAsFile} ${cfg.configFile}" - else if configProvided then - "cat ${configAsFile}" - else if configFileProvided then - "cat ${cfg.configFile}" - else - "${cfg.package}/bin/yggdrasil -genconf"); - -in { - options = with types; { - services.yggdrasil = { - enable = mkEnableOption "the yggdrasil system service"; - - configFile = mkOption { - type = nullOr str; - default = null; - example = "/run/keys/yggdrasil.conf"; - description = '' - A file which contains JSON configuration for yggdrasil. - - You do not have to supply a complete configuration, as - yggdrasil will use default values for anything which is - omitted. If the encryption and signing keys are omitted, - yggdrasil will generate new ones each time the service is - started, resulting in a random IPv6 address on the yggdrasil - network each time. - - If both this option and are - supplied, they will be combined, with values from - taking precedence. - - You can use the command nix-shell -p yggdrasil --run - "yggdrasil -genconf -json" to generate a default - JSON configuration. - ''; - }; - - config = mkOption { - type = attrs; - default = { }; - example = { - Peers = [ - "tcp://aa.bb.cc.dd:eeeee" - "tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff" - ]; - Listen = [ "tcp://0.0.0.0:xxxxx" ]; - }; - description = '' - Configuration for yggdrasil, as a Nix attribute set. - - Warning: this is stored in the WORLD-READABLE Nix store! - Therefore, it is not appropriate for private keys. 
If you - do not specify the keys, yggdrasil will generate a new set - each time the service is started, creating a random IPv6 - address on the yggdrasil network each time. - - If you wish to specify the keys, use - . If both - and are - supplied, they will be combined, with values from - taking precedence. - - You can use the command nix-shell -p yggdrasil --run - "yggdrasil -genconf" to generate default - configuration values with documentation. - ''; - }; - - openMulticastPort = mkOption { - type = bool; - default = false; - description = '' - Whether to open the UDP port used for multicast peer - discovery. The NixOS firewall blocks link-local - communication, so in order to make local peering work you - will also need to set LinkLocalTCPPort in your - yggdrasil configuration ( or - ) to a port number other than 0, - and then add that port to - . - ''; - }; - - denyDhcpcdInterfaces = mkOption { - type = listOf str; - default = [ ]; - example = [ "tap*" ]; - description = '' - Disable the DHCP client for any interface whose name matches - any of the shell glob patterns in this list. Use this - option to prevent the DHCP client from broadcasting requests - on the yggdrasil network. It is only necessary to do so - when yggdrasil is running in TAP mode, because TUN - interfaces do not support broadcasting. 
- ''; - }; - - package = mkOption { - type = package; - default = pkgs.yggdrasil; - defaultText = "pkgs.yggdrasil"; - description = "Yggdrasil package to use."; - }; - }; - }; - - config = mkIf cfg.enable { - assertions = [{ - assertion = config.networking.enableIPv6; - message = "networking.enableIPv6 must be true for yggdrasil to work"; - }]; - - systemd.services.yggdrasil = { - description = "Yggdrasil Network Service"; - path = [ cfg.package ] - ++ optional (configProvided && configFileProvided) pkgs.jq; - bindsTo = [ "network-online.target" ]; - after = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - - preStart = '' - ${generateConfig} | yggdrasil -normaliseconf -useconf > /run/yggdrasil/yggdrasil.conf - ''; - - serviceConfig = { - ExecStart = - "${cfg.package}/bin/yggdrasil -useconffile /run/yggdrasil/yggdrasil.conf"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "always"; - - RuntimeDirectory = "yggdrasil"; - RuntimeDirectoryMode = "0700"; - BindReadOnlyPaths = mkIf configFileProvided [ "${cfg.configFile}" ]; - - # TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails - # to set up the network adapter when DynamicUser is set. See - # github.com/yggdrasil-network/yggdrasil-go/issues/557. The - # following options are implied by DynamicUser according to - # the systemd.exec documentation, and can be removed if the - # upstream issue is fixed and DynamicUser is set to true: - PrivateTmp = true; - RemoveIPC = true; - NoNewPrivileges = true; - ProtectSystem = "strict"; - RestrictSUIDSGID = true; - # End of list of options implied by DynamicUser. 
- - AmbientCapabilities = "CAP_NET_ADMIN"; - CapabilityBoundingSet = "CAP_NET_ADMIN"; - MemoryDenyWriteExecute = true; - ProtectControlGroups = true; - ProtectHome = "tmpfs"; - ProtectKernelModules = true; - ProtectKernelTunables = true; - RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; - RestrictNamespaces = true; - RestrictRealtime = true; - SystemCallArchitectures = "native"; - SystemCallFilter = - "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources"; - }; - }; - - networking.dhcpcd.denyInterfaces = cfg.denyDhcpcdInterfaces; - networking.firewall.allowedUDPPorts = mkIf cfg.openMulticastPort [ 9001 ]; - - # Make yggdrasilctl available on the command line. - environment.systemPackages = [ cfg.package ]; - }; - meta.maintainers = with lib.maintainers; [ gazally ]; -} diff --git a/lib/yggdrasil.nix b/lib/yggdrasil.nix deleted file mode 100644 index f497dc6e..00000000 --- a/lib/yggdrasil.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: { - imports = [ ./yggdrasil-service.nix ]; - - services.yggdrasil = { - enable = true; - package = (import { }).yggdrasil; - openMulticastPort = true; - config.NodeInfo = { - name = config.networking.hostName + ".c3d2"; - location = "Dresden"; - }; - }; -} From 3d5fdf0a28c9333f8518f568975fe4fa663ebf5b Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 23 Apr 2020 18:43:39 +0200 Subject: [PATCH 36/63] scrape: add freifunk_node 1176 --- hosts/containers/scrape/configuration.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index e214e164..fa9cb991 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -71,6 +71,10 @@ script = "freifunk_node"; host = "10.200.6.239"; }; + scrape-node1176 = makeService { + script = "freifunk_node"; + host = "10.200.7.80"; + }; }; systemd.timers.scrape-xeri = { partOf = [ "scrape-xeri.service" ]; 
@@ -112,6 +116,11 @@ wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; + systemd.timers.scrape-node1176 = { + partOf = [ "scrape-node1176.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "minutely"; + }; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database From cc10aadbbb9af61768fd3e5ddb7d711360c716ac Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 23 Apr 2020 18:44:25 +0200 Subject: [PATCH 37/63] freifunk: disable nginx proxy_buffering --- hosts/containers/freifunk/configuration.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index 3f4f0e54..bfa7ed8f 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix @@ -221,6 +221,9 @@ in { enable = true; recommendedOptimisation = true; recommendedGzipSettings = true; + appendHttpConfig = '' + proxy_buffering off; + ''; virtualHosts = { "c3d2.ffdd" = { From 25c0c05a5a3e9d0e3e91231f3e909abdf319d547 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 23 Apr 2020 18:44:40 +0200 Subject: [PATCH 38/63] freifunk: DRY --- hosts/containers/freifunk/configuration.nix | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix index bfa7ed8f..c64cc9e0 100644 --- a/hosts/containers/freifunk/configuration.nix +++ b/hosts/containers/freifunk/configuration.nix 
@@ -104,17 +104,12 @@ in { "2a02:8106:208:5281:8000::1/64" "fd23:42:c3d2:581:8000::1/64" ]; - routes = [ { - routeConfig = { - # upstream1 - Gateway = "2a02:8106:208:5281::b:0"; - }; - } { - routeConfig = { - # anon1 - Gateway = "172.20.72.7"; - }; - } ]; + routes = map (Gateway: { routeConfig = { inherit Gateway; }; }) [ + # upstream1 + "2a02:8106:208:5281::b:0" + # anon1 + "172.20.72.7" + ]; }; }; }; From 461a5680fdc347c2fa6bfe56663f77b369f36cad Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 23 Apr 2020 18:45:53 +0200 Subject: [PATCH 39/63] remove lib/hq.nix remnants --- hosts/containers/lxc-template.nix | 1 - lib/lxc-container.nix | 1 - 2 files changed, 2 deletions(-) diff --git a/hosts/containers/lxc-template.nix b/hosts/containers/lxc-template.nix index 7b226d2d..f33129df 100644 --- a/hosts/containers/lxc-template.nix +++ b/hosts/containers/lxc-template.nix @@ -9,7 +9,6 @@ [ ../../lib/lxc-container.nix ../../lib/shared.nix ../../lib/admins.nix - ../../lib/hq.nix ]; diff --git a/lib/lxc-container.nix b/lib/lxc-container.nix index 9f0e1577..cad10c70 100644 --- a/lib/lxc-container.nix +++ b/lib/lxc-container.nix @@ -4,7 +4,6 @@ imports = [ - ./hq.nix ]; networking.networkmanager.dns = "unbound"; From 4ee1e24064367bff8671c56afffe21986e5d34d1 Mon Sep 17 00:00:00 2001 From: Astro Date: Thu, 23 Apr 2020 18:46:35 +0200 Subject: [PATCH 40/63] server7/storage: add git+borg to systemPackages --- hosts/server7/containers/storage/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/server7/containers/storage/default.nix b/hosts/server7/containers/storage/default.nix index d36cc141..93319fe5 100644 --- a/hosts/server7/containers/storage/default.nix +++ b/hosts/server7/containers/storage/default.nix @@ -21,6 +21,8 @@ name: allowSFTP = true; }; + environment.systemPackages = with pkgs; [ git borgbackup ]; + services.nginx = { enable = true; package = pkgs.nginx.override { From 8adb86f47a035764e3fc75897d3b180ec6cf99c3 Mon Sep 17 00:00:00 2001 
From: Astro
Date: Thu, 23 Apr 2020 20:13:18 +0200
Subject: [PATCH 41/63] freifunk: improve nat rules
---
 hosts/containers/freifunk/configuration.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix
index c64cc9e0..eb6f2c32 100644
--- a/hosts/containers/freifunk/configuration.nix
+++ b/hosts/containers/freifunk/configuration.nix
@@ -44,8 +44,9 @@ in {
 # Setup routing into Freifunk,
 # masquerading anything that isn't already their IP range
 extraCommands = ''
- set +e
+ ${pkgs.iproute}/bin/ip rule del priority 300 || true
 ${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300
+ ${pkgs.iptables}/bin/iptables -t nat -F POSTROUTING
 ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING \
 \! --source 10.200.0.0/15 -o ${meshInterface} -j SNAT --to 10.200.${ddmeshAddrPart}
 set -e
From ac0bc652c56cb0e3549a8b9539e77e4d53e8dfae Mon Sep 17 00:00:00 2001
From: Astro
Date: Thu, 23 Apr 2020 20:13:32 +0200
Subject: [PATCH 42/63] freifunk: announce being a bmxd gateway
---
 hosts/containers/freifunk/configuration.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/hosts/containers/freifunk/configuration.nix b/hosts/containers/freifunk/configuration.nix
index eb6f2c32..a9c8b65f 100644
--- a/hosts/containers/freifunk/configuration.nix
+++ b/hosts/containers/freifunk/configuration.nix
@@ -125,6 +125,10 @@ in {
 --no_fork 1 \
 --throw-rules 0 \
 --prio-rules 0 \
+ --gateway_tunnel_network 10.200.0.0/16 \
+ --purge_timeout 20 \
+ --one_way_tunnel 1 \
+ -g 500000/50000 \
 dev=bmx_prime /linklayer 0 \
 dev=${meshInterface} /linklayer 1
 '';
From b390162f362e1e4443dd248c784864edf799cc46 Mon Sep 17 00:00:00 2001
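Review bot: `iptables -t nat -F POSTROUTING` in `extraCommands` flushes the entire NAT POSTROUTING chain on every firewall reload, which also removes rules owned by other NixOS modules (for instance the `nixos-nat-post` jump if `networking.nat` is ever enabled in this container) rather than just this SNAT rule. A dedicated chain that is created, flushed and jumped to idempotently keeps the rule reloadable without touching anyone else's rules, with the matching teardown in `extraStopCommands`. Removing `set +e` while keeping `set -e` at the end is harmless, but that trailing `set -e` is now a no-op and can go.
```nix
extraCommands = ''
  ${pkgs.iproute}/bin/ip rule del priority 300 || true
  ${pkgs.iproute}/bin/ip rule add to 10.200.0.0/16 table bmx priority 300
  # Own chain so reloads only touch our rule, never the rest of POSTROUTING
  ${pkgs.iptables}/bin/iptables -t nat -N freifunk-nat 2>/dev/null || true
  ${pkgs.iptables}/bin/iptables -t nat -F freifunk-nat
  ${pkgs.iptables}/bin/iptables -t nat -C POSTROUTING -o ${meshInterface} -j freifunk-nat 2>/dev/null || \
    ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ${meshInterface} -j freifunk-nat
  ${pkgs.iptables}/bin/iptables -t nat -A freifunk-nat \
    \! --source 10.200.0.0/15 -j SNAT --to 10.200.${ddmeshAddrPart}
'';
extraStopCommands = ''
  ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ${meshInterface} -j freifunk-nat 2>/dev/null || true
  ${pkgs.iptables}/bin/iptables -t nat -F freifunk-nat 2>/dev/null || true
  ${pkgs.iptables}/bin/iptables -t nat -X freifunk-nat 2>/dev/null || true
'';
```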
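Review bot: The four new bmxd flags turn this container into an announced gateway for the mesh (`-g 500000/50000`) but carry no explanation of the advertised figures or of why `--one_way_tunnel 1` and a 20 s purge timeout were chosen. A short comment block above them would help, e.g. `# -g DOWN/UP: advertised gateway bandwidth (units per bmxd docs -- confirm)` and `# one_way_tunnel / purge_timeout: tunnel mode and dead-gateway timeout, see ddmesh defaults`, with the meanings checked against the bmxd documentation rather than guessed. It is also worth stating next to them that mesh clients' Internet traffic then leaves via the `core` default route (`172.20.72.7`, anon1) configured earlier in this file, since that is the policy consequence of becoming a gateway.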
From: Emery Hemingway Date: Thu, 23 Apr 2020 19:06:12 +0200 Subject: [PATCH 43/63] hosts/hydra: upgrade to 20.03, use server7 builder --- hosts/hydra/configuration.nix | 4 ++++ hosts/hydra/hydra.nix | 6 +++++- hosts/server7/default.nix | 5 +++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/hosts/hydra/configuration.nix b/hosts/hydra/configuration.nix index b76dab2e..b4b7a87d 100644 --- a/hosts/hydra/configuration.nix +++ b/hosts/hydra/configuration.nix @@ -22,6 +22,10 @@ nixpkgs.config.allowUnfree = true; + security.acme = { + email = "mail@c3d2.de"; + acceptTerms = true; + }; security.pam.enableSSHAgentAuth = true; services.openssh = { diff --git a/hosts/hydra/hydra.nix b/hosts/hydra/hydra.nix index 5a187b71..f00d958f 100644 --- a/hosts/hydra/hydra.nix +++ b/hosts/hydra/hydra.nix @@ -15,8 +15,11 @@ allowed-uris = http:// https:// ''; buildMachines = [{ - hostName = "localhost"; + hostName = "server7.hq"; + sshUser = "hydra"; + sshKey = "/var/lib/hydra/queue-runner/id_rsa"; system = "x86_64-linux"; + speedFactor = 2; supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ]; maxJobs = 8; }]; @@ -27,6 +30,7 @@ hydraURL = "https://hydra.hq.c3d2.de"; logo = ./c3d2.svg; notificationSender = "hydra@spam.works"; + package = pkgs.hydra-unstable; useSubstitutes = false; }; diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index bbe60f46..84e06653 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix 
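Review bot: The new `buildMachines` entry drives builds on `server7.hq` over SSH as user `hydra` with `sshKey = "/var/lib/hydra/queue-runner/id_rsa"`, but nothing in the hunk pins server7's host key; unless `programs.ssh.knownHosts."server7.hq"` is set elsewhere, the queue runner either trusts on first use or fails, and an on-path attacker on the HQ network could impersonate the builder and hand back arbitrary outputs. Add the host key, e.g. `programs.ssh.knownHosts."server7.hq".publicKey = "ssh-ed25519 ...";`, and note in a comment that the `hydra` user on server7 is a Nix trusted user in this series, so this private key is effectively store-write access there and must be mode 0600 for `hydra-queue-runner` only.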
@@ -154,4 +154,9 @@ in { time.timeZone = "Europe/Berlin"; system.stateVersion = "19.09"; # Did you read the comment? + + users.extraUsers.hydra.openssh.authorizedKeys.keys = [ + # allow the old hydra to build here + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7HuDlyTlPC4rCjwhklY8kiYIxdgPhiu6wxs29ksnpKZmJa2R7qoD02N3ACm9cTb1GVkIWukAXI3KvU9h08+WLQJqUH0cHVBj3V1sDYmkN2QecE59gz3e1gfN3zPtwmQEUe6xvHWK3X3qdH45pGPUtxk1eDTZl45037C0NClWF7RXI4m6UXng4bL9wnPvoVqCI+ySsNWaTkHDLE/D9s/VrqGxJ1w2KiJb1F73g9/x/zjL8Ixb16wkPmLE0e50MQAQa7EMFTyPZoEskFnEviLYXM9pDexABAjJfbfZ39lLyMgVYGwnzEDbjDlm68dE6wQWUY1OV6wbt8uYreB2IRrlb root@hydra" + ]; } From 9b5b7432caaf6236fa3788c02b48ba5a69147cb6 Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Fri, 24 Apr 2020 10:14:08 +0200 Subject: [PATCH 44/63] server7: update hydra revision --- flake.lock | 6 +++--- hosts/server7/default.nix | 5 +++++ hosts/server7/hydra.nix | 28 +++++++++++++++++++++++----- 3 files changed, 31 insertions(+), 8 deletions(-) diff --git a/flake.lock b/flake.lock index 019f9a2a..93b03c3d 100644 --- a/flake.lock +++ b/flake.lock @@ -2,8 +2,8 @@ "nodes": { "hydra": { "info": { - "lastModified": 1586949285, - "narHash": "sha256-mXvLmicI1XtturvkuBbt1Fe4MsiGlbbK8Qlg8pyIyY4=" + "lastModified": 1587633099, + "narHash": "sha256-cOsYakp2nJgRY0cP6YNBLV4srP19v6XQEZM7EefS3Kw=" }, "inputs": { "nix": "nix", @@ -12,7 +12,7 @@ "locked": { "owner": "ehmry", "repo": "hydra", - "rev": "59bb3ab8e854cb52782077f2c5a80471d0004ac8", + "rev": "e1ae3bd9a4bdaac8ff6878febf2c64fee12544f2", "type": "github" }, "original": { diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 84e06653..05a07eb2 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -84,6 +84,11 @@ in { } ''; }; + nixpkgs.overlays = [ + (self: super: { + nix = super.nix // { meta.platforms = lib.platforms.linux; }; + }) + ]; virtualisation.docker.enable = true; diff --git a/hosts/server7/hydra.nix b/hosts/server7/hydra.nix index f0b68f5a..52692b0e 100644 
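Review bot: The key added for root@hydra grants a full login as `hydra` on server7, while the queue runner only needs `nix-store --serve --write` over that connection; prefixing the entry with `command="nix-store --serve --write",restrict ` (OpenSSH authorized_keys options, assuming sshd's PATH resolves nix-store here) keeps a compromised hydra host from getting a shell on the builder. `users.extraUsers` is the legacy alias of `users.users`; `users.users.hydra.openssh.authorizedKeys.keys` is the canonical spelling. If I recall correctly, importing unsigned paths through `nix-store --serve --write` also requires `hydra` to be in `nix.trustedUsers` on server7, which is not visible in this hunk — where it is set, this key becomes effectively root-equivalent for the Nix store, which is another reason to restrict it.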
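Review bot: In the PATCH 44 overlay, `super.nix // { meta.platforms = lib.platforms.linux; }` does not override only `platforms`: `{ meta.platforms = …; }` is `{ meta = { platforms = …; }; }` and `//` is a shallow merge, so the derivation's whole `meta` set (license, description, maintainers, …) is replaced by one containing just `platforms`. Merge one level deeper to keep the rest: `nix = super.nix // { meta = super.nix.meta // { platforms = lib.platforms.linux; }; };`. A short comment stating why the platform list needs forcing (presumably the hydra input's nix is marked for a different platform set) would make the overlay understandable later. The module header that would bind `lib` is outside this hunk, so confirm it is in the argument list.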
--- a/hosts/server7/hydra.nix +++ b/hosts/server7/hydra.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: { services.hydra-dev = { @@ -11,11 +11,13 @@ # package = pkgs.hydra-unstable; listenHost = "172.22.99.245"; # listenHost = "*"; + useSubstitutes = true; + minimumDiskFree = 2; + minimumDiskFreeEvaluator = 2; extraConfig = '' - - username = emery - password = 36\#KAVMD - + + authfile = /var/lib/hydra/sotest.auth + ''; }; @@ -28,4 +30,20 @@ maxJobs = 8; }]; + nix.binaryCachePublicKeys = + [ "nix-serve.hq.c3d2.de-2:elqZouiiQP4XNfmEekwXH/YRPL1pXlN5JgVSzT1Ctoc=" ]; + nix.binaryCaches = [ "http://nix-serve.hq.c3d2.de" ]; + + services.nginx = { + enable = true; + virtualHosts = { + "server7.hq.c3d2.de" = { + addSSL = true; + enableACME = true; + globalRedirect = "hydra7.hq.c3d2.de"; + }; + }; + }; + + } From 2fc471687064670e8ed111815dc5c1f5eccfbd4e Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Fri, 24 Apr 2020 10:14:37 +0200 Subject: [PATCH 45/63] server7: remove missing collectd plugins Something happened to collectd between 19.09 and 20.03 --- hosts/server7/default.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/hosts/server7/default.nix b/hosts/server7/default.nix index 05a07eb2..11fc3461 100644 --- a/hosts/server7/default.nix +++ b/hosts/server7/default.nix @@ -130,16 +130,11 @@ in { ]; services.collectd.extraConfig = '' - LoadPlugin sensors LoadPlugin memory - LoadPlugin irq - LoadPlugin thermal LoadPlugin processes LoadPlugin disk - LoadPlugin hddtemp LoadPlugin df LoadPlugin cpu - LoadPlugin cpufreq LoadPlugin entropy LoadPlugin load LoadPlugin swap From 52387b4db723103def30983953d3431e39c81b60 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 19:14:47 +0200 Subject: [PATCH 46/63] dn42: implement wireguard --- hosts/containers/dn42/configuration.nix | 14 ++++++++++++++ secrets | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) 
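Review bot: The username/password that this hunk replaces with `authfile = /var/lib/hydra/sotest.auth` remain readable in the repository history, so the credential should be treated as exposed and rotated on the remote side, not only moved out of the file; a line in the commit message recording that would help. The new authfile has to be created out of band and should be readable only by the hydra user — nothing here manages its ownership or mode, and a comment such as `# provisioned manually, mode 0400 hydra:hydra` (or whatever mechanism is actually used) would document the expectation. The section tags around the old and new lines appear to have been stripped in this rendering, so I cannot tell whether the enclosing config section is intact; please check the generated hydra.conf.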
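Review bot: The new `services.nginx` virtual host in the last hunk of PATCH 44 sets `enableACME = true`, which on 20.03 requires `security.acme.acceptTerms` (and an email) to be set for the host; the hydra host received that in PATCH 43, but none of the visible server7 hunks does, so evaluation or the ACME job will fail unless it is configured elsewhere in hosts/server7. `nix.binaryCaches` points at `http://nix-serve.hq.c3d2.de` in the clear, and with `useSubstitutes = true` Hydra will pull build inputs from it, so the pinned `nix.binaryCachePublicKeys` entry is the only integrity control — keep the two options together and add a comment that the key pin is mandatory for this cache. The two blank `+` lines before the closing brace can be dropped.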
diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index edf0fa57..cf56ffe1 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -70,6 +70,20 @@ in { servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors; }; + wireguard.interfaces = + let + wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors; + in + builtins.mapAttrs (_: conf: { + inherit (conf.wireguard) privateKey; + ips = [ "${address4}/32" "${address6}/128" ]; + peers = [ { + inherit (conf.wireguard) endpoint publicKey; + allowedIPs = [ "0.0.0.0/0" "::0/0" ]; + persistentKeepalive = 30; + } ]; + }) wireguardNeighbors; + services.bird2 = { enable = true; config = diff --git a/secrets b/secrets index 8f732b65..62c54789 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 8f732b652a03432da81ed67aa9d968d6842ed0b4 +Subproject commit 62c54789642e6e437beccd0868923032f5440899 From 68f6b337c95e872cefc5b43c60326d73ab5070a7 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 19:20:41 +0200 Subject: [PATCH 47/63] dn42: fix wireguard --- hosts/containers/dn42/configuration.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index cf56ffe1..c5bb4256 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -70,12 +70,13 @@ in { servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors; }; - wireguard.interfaces = + networking.wireguard.enable = true; + networking.wireguard.interfaces = let wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors; in builtins.mapAttrs (_: conf: { - inherit (conf.wireguard) privateKey; + inherit (conf.wireguard) listenPort privateKey; ips = [ "${address4}/32" "${address6}/128" ]; peers = [ { inherit (conf.wireguard) endpoint publicKey; 
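Review bot: `inherit (conf.wireguard) privateKey;` copies each peer's WireGuard private key into the evaluated configuration, which means it ends up in the container's world-readable Nix store regardless of how `neighbors` is sourced; the module provides `privateKeyFile` for exactly this case. Keep the key material outside the store (a path under /var/lib, or wherever the secrets submodule materialises files) and use `privateKeyFile = conf.wireguard.privateKeyFile;` — the same applies to the later hunks that rework this block (PATCH 47, 48, 52–59), all of which keep `privateKey`. `allowedIPs = [ "0.0.0.0/0" "::0/0" ]` with the default `allowedIPsAsRoutes` installs a default route per peer; a later commit turns that off, but a comment here stating that routing is left to bird2 would make the intent explicit. The enclosing module continues outside the hunk.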
From ea275446d52f67f90b955d115b4c446a5505c244 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 19:28:37 +0200 Subject: [PATCH 48/63] dn42: fix wireguard --- hosts/containers/dn42/configuration.nix | 30 +++++++++++++------------ 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index c5bb4256..25eff957 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -70,20 +70,22 @@ in { servers = builtins.mapAttrs (name: conf: mkServer name conf) openvpnNeighbors; }; - networking.wireguard.enable = true; - networking.wireguard.interfaces = - let - wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors; - in - builtins.mapAttrs (_: conf: { - inherit (conf.wireguard) listenPort privateKey; - ips = [ "${address4}/32" "${address6}/128" ]; - peers = [ { - inherit (conf.wireguard) endpoint publicKey; - allowedIPs = [ "0.0.0.0/0" "::0/0" ]; - persistentKeepalive = 30; - } ]; - }) wireguardNeighbors; + networking.wireguard = { + enable = true; + interfaces = + let + wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors; + in + builtins.mapAttrs (_: conf: { + inherit (conf.wireguard) listenPort privateKey; + ips = [ "${address4}/32" "${address6}/128" ]; + peers = [ { + inherit (conf.wireguard) endpoint publicKey; + allowedIPs = [ "0.0.0.0/0" "::0/0" ]; + persistentKeepalive = 30; + } ]; + }) wireguardNeighbors; + }; services.bird2 = { enable = true; From 8e9c718f09e98f12357058033aeeb7a117a7eb83 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 19:32:58 +0200 Subject: [PATCH 49/63] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index 62c54789..11b7fff0 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 62c54789642e6e437beccd0868923032f5440899 +Subproject commit 11b7fff067d5b2d3e154692d2907398cc6a70150 
From b0be580d7083c8ec206154e908e4d73766cb9637 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 19:35:31 +0200 Subject: [PATCH 50/63] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index 11b7fff0..7ce0d92a 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 11b7fff067d5b2d3e154692d2907398cc6a70150 +Subproject commit 7ce0d92a254224680596c919dfa604df64ef2237 From 6ca8d9bb25ef3c49f335509884843a74e1cf2aef Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 19:40:40 +0200 Subject: [PATCH 51/63] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index 7ce0d92a..1dde029c 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 7ce0d92a254224680596c919dfa604df64ef2237 +Subproject commit 1dde029c2567555a1dd451b65b6286c67904b580 From 150fd521783e0042b8f330a616e8b14d43a462fc Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 19:40:49 +0200 Subject: [PATCH 52/63] dn42: make wireguard.endpoint optional --- hosts/containers/dn42/configuration.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index 25eff957..272dc137 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -80,10 +80,12 @@ in { inherit (conf.wireguard) listenPort privateKey; ips = [ "${address4}/32" "${address6}/128" ]; peers = [ { - inherit (conf.wireguard) endpoint publicKey; + inherit (conf.wireguard) publicKey; allowedIPs = [ "0.0.0.0/0" "::0/0" ]; persistentKeepalive = 30; - } ]; + } // (lib.optionalAttrs (conf.wireguard ? endpoint) { + inherit (conf.wireguard) endpoint; + })]; }) wireguardNeighbors; }; From e9818d55c7ed29f2993d0a66c3e655af35c5d245 Mon Sep 17 00:00:00 2001 
From: Astro Date: Fri, 24 Apr 2020 19:41:55 +0200 Subject: [PATCH 53/63] dn42: fix --- hosts/containers/dn42/configuration.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index 272dc137..2ec02562 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -79,13 +79,13 @@ in { builtins.mapAttrs (_: conf: { inherit (conf.wireguard) listenPort privateKey; ips = [ "${address4}/32" "${address6}/128" ]; - peers = [ { + peers = [ ({ inherit (conf.wireguard) publicKey; allowedIPs = [ "0.0.0.0/0" "::0/0" ]; persistentKeepalive = 30; } // (lib.optionalAttrs (conf.wireguard ? endpoint) { inherit (conf.wireguard) endpoint; - })]; + })) ]; }) wireguardNeighbors; }; From b3fc096343dc092d1952575d4120db8f6dab18e7 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 20:02:09 +0200 Subject: [PATCH 54/63] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index 1dde029c..11d9bf6c 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 1dde029c2567555a1dd451b65b6286c67904b580 +Subproject commit 11d9bf6c1cc4c0817b334cd404fe6d8a80f3c1ba From 5e34762669b31c85f75158b0ad3c85354d75bbbe Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 20:38:35 +0200 Subject: [PATCH 55/63] dn42: set wireguard.allowedIPsAsRoutes=false --- hosts/containers/dn42/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index 2ec02562..ceac99aa 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -86,6 +86,7 @@ in { } // (lib.optionalAttrs (conf.wireguard ? endpoint) { inherit (conf.wireguard) endpoint; })) ]; + allowedIPsAsRoutes = false; }) wireguardNeighbors; }; From b28eb471f86bca4ce0ae0f67de72f7b54c9ab487 Mon Sep 17 00:00:00 2001 
From: Astro Date: Fri, 24 Apr 2020 20:42:52 +0200 Subject: [PATCH 56/63] dn42: fix wireguard pointopoint routes --- hosts/containers/dn42/configuration.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index ceac99aa..d907b554 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -76,9 +76,12 @@ in { let wireguardNeighbors = lib.filterAttrs (_: conf: conf ? wireguard) neighbors; in - builtins.mapAttrs (_: conf: { + builtins.mapAttrs (name: conf: { inherit (conf.wireguard) listenPort privateKey; - ips = [ "${address4}/32" "${address6}/128" ]; + ips = [ "${address4}/32" "${address6}/64" ]; + postSetup = '' + ${pkgs.iproute}/bin/ip route add ${address4}/32 dev ${name} + ''; peers = [ ({ inherit (conf.wireguard) publicKey; allowedIPs = [ "0.0.0.0/0" "::0/0" ]; From 07779f2ff8fa60d1b2e074c2a6aea8954eaa0e08 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 20:48:31 +0200 Subject: [PATCH 57/63] dn42: fix wireguard pointopoint route --- hosts/containers/dn42/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index d907b554..d93f6953 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -80,7 +80,7 @@ in { inherit (conf.wireguard) listenPort privateKey; ips = [ "${address4}/32" "${address6}/64" ]; postSetup = '' - ${pkgs.iproute}/bin/ip route add ${address4}/32 dev ${name} + ${pkgs.iproute}/bin/ip route add ${conf.address4}/32 dev ${name} ''; peers = [ ({ inherit (conf.wireguard) publicKey; From 2a039a3b3cec97c109a2d189631fdddc438f448e Mon Sep 17 00:00:00 2001 
From: Astro Date: Fri, 24 Apr 2020 20:54:50 +0200 Subject: [PATCH 58/63] dn42: fix wireguard pointopoint route --- hosts/containers/dn42/configuration.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index d93f6953..e078ffa4 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -79,8 +79,10 @@ in { builtins.mapAttrs (name: conf: { inherit (conf.wireguard) listenPort privateKey; ips = [ "${address4}/32" "${address6}/64" ]; + allowedIPsAsRoutes = false; postSetup = '' - ${pkgs.iproute}/bin/ip route add ${conf.address4}/32 dev ${name} + ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name} + ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} ${conf.address4}/32 ''; peers = [ ({ inherit (conf.wireguard) publicKey; @@ -89,7 +91,6 @@ in { } // (lib.optionalAttrs (conf.wireguard ? endpoint) { inherit (conf.wireguard) endpoint; })) ]; - allowedIPsAsRoutes = false; }) wireguardNeighbors; }; From fa3e90f23f3796f6b48828390eb5d5c9f793c429 Mon Sep 17 00:00:00 2001 From: Astro Date: Fri, 24 Apr 2020 20:55:37 +0200 Subject: [PATCH 59/63] dn42: fix command syntax --- hosts/containers/dn42/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/containers/dn42/configuration.nix b/hosts/containers/dn42/configuration.nix index e078ffa4..01a49504 100644 --- a/hosts/containers/dn42/configuration.nix +++ b/hosts/containers/dn42/configuration.nix @@ -82,7 +82,7 @@ in { allowedIPsAsRoutes = false; postSetup = '' ${pkgs.iproute}/bin/ip addr del ${address4}/32 dev ${name} - ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} ${conf.address4}/32 + ${pkgs.iproute}/bin/ip addr add ${address4} dev ${name} peer ${conf.address4}/32 ''; peers = [ ({ inherit (conf.wireguard) publicKey; From a9a865116a7eecfaf968c1e03bcbf785f5f924d7 Mon Sep 17 00:00:00 2001 
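Review bot: After PATCH 59 the `ips` option still installs `${address4}/32` on the interface only for `postSetup` to delete it and re-add the same address with a `peer`, which is two extra netlink operations and a brief window in which the address is plain; listing only the IPv6 address in `ips` and running the single `${pkgs.iproute}/bin/ip addr add ${address4} peer ${conf.address4}/32 dev ${name}` in `postSetup` yields the same end state (the del/add pair was introduced in PATCH 58). Neither command is guarded with `|| true`, so if the setup script is ever re-run against an interface that already carries the address the unit aborts — the freifunk firewall block in this repository uses the delete-then-add idempotent pattern for the same reason. `${address6}/64` (changed from /128 in PATCH 56) puts the same /64 on-link on every neighbor interface; if that is deliberate, a comment would help. The `builtins.mapAttrs` body continues outside the hunk.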
From: Emery Hemingway Date: Sun, 26 Apr 2020 08:43:12 +0200 Subject: [PATCH 60/63] Update flake --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 93b03c3d..64a1044d 100644 --- a/flake.lock +++ b/flake.lock @@ -2,8 +2,8 @@ "nodes": { "hydra": { "info": { - "lastModified": 1587633099, - "narHash": "sha256-cOsYakp2nJgRY0cP6YNBLV4srP19v6XQEZM7EefS3Kw=" + "lastModified": 1587883324, + "narHash": "sha256-WQxv9rrG2HX8j2UfXjifeBkMjgea3uIAEB3Swv+IIus=" }, "inputs": { "nix": "nix", @@ -12,7 +12,7 @@ "locked": { "owner": "ehmry", "repo": "hydra", - "rev": "e1ae3bd9a4bdaac8ff6878febf2c64fee12544f2", + "rev": "e93c36aab1bf96cf392ab0e40157b0620638b599", "type": "github" }, "original": { From aae6da4299f7eae01d1116f305cba7fc56cff1ec Mon Sep 17 00:00:00 2001 From: Astro Date: Wed, 29 Apr 2020 22:24:23 +0200 Subject: [PATCH 61/63] scrape: update freifunk node --- hosts/containers/scrape/configuration.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index fa9cb991..e2bfc954 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -63,9 +63,9 @@ script = "freifunk_node"; host = "10.200.5.213"; }; - scrape-node1247 = makeService { + scrape-node1884 = makeService { script = "freifunk_node"; - host = "10.200.4.228"; + host = "10.200.7.100"; }; scrape-node1768 = makeService { script = "freifunk_node"; @@ -106,8 +106,8 @@ wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; - systemd.timers.scrape-node1247 = { - partOf = [ "scrape-node1247.service" ]; + systemd.timers.scrape-node1884 = { + partOf = [ "scrape-node1884.service" ]; wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; From f3ae53050695b1a3b731f4a29a45bea7b8c63c4b Mon Sep 17 00:00:00 2001 
From: Astro Date: Thu, 30 Apr 2020 20:59:11 +0200 Subject: [PATCH 62/63] scrape: add freifunk node 1891 --- hosts/containers/scrape/configuration.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/containers/scrape/configuration.nix b/hosts/containers/scrape/configuration.nix index e2bfc954..bd174df0 100644 --- a/hosts/containers/scrape/configuration.nix +++ b/hosts/containers/scrape/configuration.nix @@ -67,6 +67,10 @@ script = "freifunk_node"; host = "10.200.7.100"; }; + scrape-node1891 = makeService { + script = "freifunk_node"; + host = "10.200.7.107"; + }; scrape-node1768 = makeService { script = "freifunk_node"; host = "10.200.6.239"; @@ -111,6 +115,11 @@ wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = "minutely"; }; + systemd.timers.scrape-node1891 = { + partOf = [ "scrape-node1894.service" ]; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "minutely"; + }; systemd.timers.scrape-node1768 = { partOf = [ "scrape-node1768.service" ]; wantedBy = [ "timers.target" ]; From f60b14a9f7c2adcd92d8d972e30b0531ff20a703 Mon Sep 17 00:00:00 2001 From: Astro Date: Tue, 12 May 2020 18:34:47 +0200 Subject: [PATCH 63/63] secrets: update --- secrets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/secrets b/secrets index 11d9bf6c..eb06c122 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 11d9bf6c1cc4c0817b334cd404fe6d8a80f3c1ba +Subproject commit eb06c122762133b7831475615b1a3b039eaa389e
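Review bot: The new timer's `partOf` names `scrape-node1894.service`, but the service defined above it is `scrape-node1891`; the timer still triggers `scrape-node1891.service` by unit-name match, yet stop/restart propagation is bound to a unit that does not exist. It should read `partOf = [ "scrape-node1891.service" ];`, matching the neighbouring timers. The hunk ends inside the `systemd.timers` attribute set.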