Added domain option. Maybe fixed binary cache signing.

2019-03-23 02:50:48 +01:00 · 2019-03-23 02:50:48 +01:00 · 66ca5839e5
commit 66ca5839e5
parent 63e40a5a29
17 changed files with 238 additions and 139 deletions
--- a/config/nix.nix
+++ b/config/nix.nix
@ -11,7 +11,7 @@
    '';
    sshServe.enable = if config.services.hydra.enable then true else false;
    sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else [];
-    binaryCachePublicKeys = if config.services.hydra.enable then [ (builtins.readFile /secret/hydra_cache.pub) ] else [];
+    binaryCachePublicKeys = [ (builtins.readFile /secret/hydra_cache.pub) ];
    trustedBinaryCaches = [
      "https://cache.nixos.org"
      "https://cache.ophanim.de"
--- a/config/users.nix
+++ b/config/users.nix
@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:

+with lib;
+
 {
  users = {
    mutableUsers = false;
@ -9,13 +11,16 @@
      createHome = true;
      description = "";
      group = "derped";
-      extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []);
+      extraGroups = [ "audio" "wheel" "network" ]
+        ++ (if config.services.xserver.enable then [ "input" ] else [])
+        ++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
+        ++ (if config.virtualisation.docker.enable then [ "docker"] else []);
      uid = 1337;
      shell = "/run/current-system/sw/bin/zsh";
      passwordFile = "/secret/derped";
-      openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
+      openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/derped.pub" ] else [];
    };
-    
+
    groups.derped = {
      name = "derped";
      gid = 1337;
--- a/configuration.nix
+++ b/configuration.nix
@ -2,15 +2,19 @@

 with lib;

+# hint: use 'echo -n' so there is no newline char in the hostName file
 let
-  # hint: use 'echo -n' so there is no newline char in the hostName file
-  cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));
-in rec {
+  machinePath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName)));
+  machineConf = machinePath + "/configuration.nix";
+  machineOpts = machinePath + "/options.nix";
+in {
  imports = [
-    cfgPath
-    ./config/default.nix # same problem as above
+    machineConf
+    machineOpts
+    ./config/default.nix
    ./pkgs/nixpkgs.nix
    ./pkgs/pkgsets.nix
-    ./services/default.nix # same problem as above
+    ./services/containers.nix
+    ./services/default.nix
  ];
 }
--- a/machines/CDServer/configuration.nix
+++ b/machines/CDServer/configuration.nix
@ -10,20 +10,12 @@
    ];

  system.autoUpgrade.enable = false;
-
-#    services.vsftp = {
-#      enable = true;
-#      ssl_sslv3 = true;
-#      forceLocalDataSSL = true;
-#      writeEnable = false;
-#      userlist = [];
-#    };
  services.haveged.enable = true;

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
-  system.stateVersion = "18.09";
+  system.stateVersion = "19.03";

 }
--- a/machines/CDServer/options.nix
+++ b/machines/CDServer/options.nix
@ -0,0 +1,41 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  imports = [ 
+    ../../options/machine.nix 
+  ];
+
+  config.machine = {
+    hostName = "CDServer";
+    allowUnfree = true;
+    conffiles = [
+      "etcvars"
+#      "security"
+      "zsh"
+    ];
+    pkgs = [
+      "base"
+      "emacs"
+      "server"
+    ];
+    services = [
+      "docker"
+#      "fail2ban"
+#      "gitea"
+#      "mailserver"
+      "cd-internes"
+      "mariaDB"
+      "nginx"
+      "openssh"
+    ];
+    firewall = {
+      allowPing = false;
+      allowedUDPPorts = [ 22 80 443 ];
+      allowedTCPPorts = [ 80 443 ];
+      allowedUDPPortRanges = [];
+      allowedTCPPortRanges = [];
+    };
+  };
+}
--- a/machines/Lilim/Lilim.nix
+++ b/machines/Lilim/Lilim.nix
@ -1,19 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  services = {
-    gnome3.gnome-terminal-server.enable = true;
-    udev.extraRules = ''
-      SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
-      KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
-    '';
-  };
-
-  environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ];
-
-  system.stateVersion = "19.03";
-}
--- a/machines/Lilim/configuration.nix
+++ b/machines/Lilim/configuration.nix
@ -1,46 +1,19 @@
 { config, lib, pkgs, ... }:

-with lib;
-
 {
-  imports = [ 
-    ../../options/machine.nix 
-    ./Lilim.nix
+  imports = [
+    ./hardware-configuration.nix
  ];

-  config.machine = {
-    allowUnfree = true;
-    hostName = "Lilim";
-    conffiles = [
-      "etcfiles"
-      "etcvars"
-      "fonts"
-      "zsh"
-    ];
-    pkgs = [
-      "base"
-      "dict"
-      "emacs"
-      "extra"
-      "cpp"
-      "haskell"
-      "mailutils"
-      "python3"
-      "rustpkgs"
-      "xpkgs"
-    ];
-    services = [
-      "xserver"
-      "docker"
-      "udev"
-      "cups"
-    ];
-    firewall = {
-      allowPing = true;
-      allowedUDPPorts = [];
-      allowedTCPPorts = [];
-      allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
-      allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
-    };
+  services = {
+    gnome3.gnome-terminal-server.enable = true;
+    udev.extraRules = ''
+      SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
+      KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
+    '';
  };
+
+  environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ];
+
+  system.stateVersion = "19.03";
 }
--- a/machines/Lilim/options.nix
+++ b/machines/Lilim/options.nix
@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [ 
+    ../../options/machine.nix 
+  ];
+
+  config.machine = {
+    allowUnfree = true;
+    hostName = "Lilim";
+    conffiles = [
+      "etcfiles"
+      "etcvars"
+      "fonts"
+      "zsh"
+    ];
+    pkgs = [
+      "base"
+      "dict"
+      "emacs"
+      "extra"
+      "cpp"
+      "haskell"
+      "mailutils"
+      "python3"
+      "rustpkgs"
+      "xpkgs"
+    ];
+    services = [
+#      "containers"
+      "xserver"
+#      "docker"
+      "udev"
+      "cups"
+    ];
+    firewall = {
+      allowPing = true;
+      allowedUDPPorts = [];
+      allowedTCPPorts = [];
+      allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
+      allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
+    };
+  };
+}
--- a/machines/Ophanim/configuration.nix
+++ b/machines/Ophanim/configuration.nix
@ -1,42 +1,29 @@
-{ config, lib, ... }:
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).

-with lib;
+{ config, pkgs, ... }:

 {
-  imports = [ 
-    ../../options/machine.nix 
-    ./Ophanim.nix
-  ];
+  imports = [
+      ./hardware-configuration.nix
+    ];
+
+  system.autoUpgrade.enable = false;
+
+#    services.vsftp = {
+#      enable = true;
+#      ssl_sslv3 = true;
+#      forceLocalDataSSL = true;
+#      writeEnable = false;
+#      userlist = [];
+#    };
+  services.haveged.enable = true;
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "18.09";

-  config.machine = {
-    hostName = "Ophanim";
-    allowUnfree = true;
-    conffiles = [
-      "etcvars"
-      "security"
-      "zsh"
-    ];
-    pkgs = [
-      "base"
-      "emacs"
-      "server"
-    ];
-    services = [
-      "fail2ban"
-      "gitea"
-      "hydra"
-      "mailserver"
-      "mariaDB"
-      "nextcloud"
-      "nginx"
-      "openssh"
-    ];
-    firewall = {
-      allowPing = false;
-      allowedUDPPorts = [ 22 80 443 ];
-      allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
-      allowedUDPPortRanges = [];
-      allowedTCPPortRanges = [];
-    };
-  };
 }
--- a/machines/Ophanim/options.nix
+++ b/machines/Ophanim/options.nix
@ -0,0 +1,42 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  imports = [ 
+    ../../options/machine.nix 
+  ];
+
+  config.machine = {
+    hostName = "Ophanim";
+    domain = "ophanim.de";
+    allowUnfree = true;
+    conffiles = [
+      "etcvars"
+      "security"
+      "zsh"
+    ];
+    pkgs = [
+      "base"
+      "emacs"
+      "server"
+    ];
+    services = [
+      "fail2ban"
+      "gitea"
+      "hydra"
+      "mailserver"
+      "mariaDB"
+      "nextcloud"
+      "nginx"
+      "openssh"
+    ];
+    firewall = {
+      allowPing = false;
+      allowedUDPPorts = [ 22 80 443 ];
+      allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
+      allowedUDPPortRanges = [];
+      allowedTCPPortRanges = [];
+    };
+  };
+}
--- a/options/machine.nix
+++ b/options/machine.nix
@ -4,12 +4,6 @@ with lib;

 {
  options.machine = {
-    confPath = mkOption {
-      type = types.path;
-      description = ''
-        Path to the machines configuration.nix
-      '';
-    };
    allowUnfree = mkOption {
      type = types.bool;
      description = ''
@ -40,6 +34,13 @@ with lib;
        The Machines HostName
      '';
    };
+    domain = mkOption {
+      type = types.str;
+      default = "localhost";
+      description = ''
+        The Machines domain name.
+      '';
+    };
    firewall = {
        allowPing = mkOption {
          type = types.bool;
--- a/pkgs/pkgsets.nix
+++ b/pkgs/pkgsets.nix
@ -37,7 +37,7 @@ let
    nix-update-source
    nix-zsh-completions
    nixbang
-    nixops
+#    nixops
    nmap
    nox
    ntfs3g
@ -58,7 +58,7 @@ let
    unzipNLS
    usbutils
    vim
-#    vulnix
+    vulnix
    wget
    whois
    wirelesstools
@ -250,7 +250,7 @@ let
  ];

 in {
- environment.systemPackages =  base
+  environment.systemPackages =  base
                            ++ (optPkgs dict "dict")
                            ++ (optPkgs [emacs] "emacs")
                            ++ (optPkgs extra "extra")
--- a/services/containers.nix
+++ b/services/containers.nix
@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+mkIf (elem "containers" config.machine.services) {
+  containers.CDServer = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.10";
+    localAddress = "192.168.100.11";
+    config =
+      { config, lib, pkgs, ... }:
+
+      {
+        imports = [
+          ../machines/CDServer/options.nix
+          ./default.nix
+          ../config/default.nix
+          ../pkgs/nixpkgs.nix
+          ../pkgs/pkgsets.nix
+        ];
+      };
+  };
+}
--- a/services/gitea.nix
+++ b/services/gitea.nix
@ -7,8 +7,8 @@ mkIf (elem "gitea" config.machine.services) {
    enable = true;
    user = "git";
    cookieSecure = true;
-    domain = "git.ophanim.de";
-    rootUrl = "http://git.ophanim.de/";
+    domain = "git.${config.machine.domain}";
+    rootUrl = "http://git.${config.machine.domain}/";
    database = {
      type = "mysql";
      user = "git";
--- a/services/hydra.nix
+++ b/services/hydra.nix
@ -4,9 +4,9 @@
 # sudo -u hydra -s
 # hydra-create-user $USERNAME --password $PASSWORD --role admin

-# also for reference some other hydra configs:
+# https://qfpl.io/posts/nix/starting-simple-hydra/
+# also for reference a well written hydra config:
 # https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix
-# https://gist.github.com/LnL7/fcd5c0bf772f2165a1ac40be6617d2f4

 with lib;

@ -23,19 +23,23 @@ mkIf (elem "hydra" config.machine.services) {

  services.hydra = {
    enable = true;
-    hydraURL = "https://builder.ophanim.de"; # externally visible URL
+    hydraURL = "https://builder.${config.machine.domain}"; # externally visible URL
    listenHost = "localhost";
    port = 3001;
    minimumDiskFree = 15;
    minimumDiskFreeEvaluator = 15;
-    notificationSender = "hydra@mail.ophanim.de"; # e-mail of hydra service
+    notificationSender = "hydra@mail.${config.machine.domain}"; # e-mail of hydra service
    useSubstitutes = true;
    debugServer = false;
+    # Hints from hydra-queue-runner:
+    # binary_cache_dir is deprecated and ignored. use store_uri=file:// instead
+    # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
    extraConfig = ''
      max_output_size = 4294967296
-      store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache
-      server_store_uri = https://cache.ophanim.de
-      binary_cache_public_uri https://cache.ophanim.de
+      store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
+      # add ?local-nar-cache= to set nar cache location
+      server_store_uri = https://cache.${config.machine.domain}
+      binary_cache_public_uri https://cache.${config.machine.domain}
      upload_logs_to_binary_cache = true
    '';
  };
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -6,7 +6,7 @@ mkIf (elem "nextcloud" config.machine.services) {
  services.nextcloud = {
    enable = true;
    home = "/var/lib/nextcloud";
-    hostName = "storage.ophanim.de";
+    hostName = "storage.${config.machine.domain}";
    https = true;
    maxUploadSize = "1024M";
    config = {
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -23,12 +23,12 @@ mkIf (elem "nginx" config.machine.services) {
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    '';
    virtualHosts = {
-      "ophanim.de" = {
+      "${config.machine.domain}" = {
        enableACME = true;
        forceSSL = true;
        root = "/var/www";
      };
-      "builder.ophanim.de" = mkIf config.services.hydra.enable {
+      "builder.${config.machine.domain}" = mkIf config.services.hydra.enable {
        enableACME = true;
        forceSSL = true;
        extraConfig = ''
@ -41,7 +41,7 @@ mkIf (elem "nginx" config.machine.services) {
          }
        '';
      };
-      "cache.ophanim.de" = mkIf config.services.hydra.enable {
+      "cache.${config.machine.domain}" = mkIf config.services.hydra.enable {
        enableACME = true;
        forceSSL = true;
        root = "/var/cache/hydra";
@ -49,13 +49,13 @@ mkIf (elem "nginx" config.machine.services) {
          autoindex on;
        '';
      };
-      "mail.ophanim.de" = {
+      "mail.${config.machine.domain}" = mkIf config.mailserver.enable {
        enableACME = true;
        forceSSL = true;
        root = "/var/www";
      };

-      "${config.services.nextcloud.hostName}" = mkIf config.services.nextcloud.enable {
+      "storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
        root = pkgs.nextcloud;
        enableACME = config.services.nextcloud.https;
        forceSSL = config.services.nextcloud.https;
@ -152,7 +152,7 @@ mkIf (elem "nginx" config.machine.services) {
        '';
      };

-      "${config.services.gitea.domain}" = mkIf config.services.gitea.enable {
+      "git.${config.machine.domain}" = mkIf config.services.gitea.enable {
        enableACME = true;
        forceSSL = true;
        root = "${config.services.gitea.stateDir}/public";