diff --git a/config/nix.nix b/config/nix.nix index 1872779..e9b5ea9 100644 --- a/config/nix.nix +++ b/config/nix.nix @@ -11,7 +11,7 @@ ''; sshServe.enable = if config.services.hydra.enable then true else false; sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else []; - binaryCachePublicKeys = if config.services.hydra.enable then [ (builtins.readFile /secret/hydra_cache.pub) ] else []; + binaryCachePublicKeys = [ (builtins.readFile /secret/hydra_cache.pub) ]; trustedBinaryCaches = [ "https://cache.nixos.org" "https://cache.ophanim.de" diff --git a/config/users.nix b/config/users.nix index 20365dc..615664f 100644 --- a/config/users.nix +++ b/config/users.nix @@ -1,5 +1,7 @@ { config, lib, pkgs, ... }: +with lib; + { users = { mutableUsers = false; @@ -9,13 +11,16 @@ createHome = true; description = ""; group = "derped"; - extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []); + extraGroups = [ "audio" "wheel" "network" ] + ++ (if config.services.xserver.enable then [ "input" ] else []) + ++ (if config.services.printing.enable then [ "cups" "lp" ] else []) + ++ (if config.virtualisation.docker.enable then [ "docker"] else []); uid = 1337; shell = "/run/current-system/sw/bin/zsh"; passwordFile = "/secret/derped"; - openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]); + openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/derped.pub" ] else []; }; - + groups.derped = { name = "derped"; gid = 1337; diff --git a/configuration.nix b/configuration.nix index 87c7444..ec382c3 100644 --- a/configuration.nix +++ b/configuration.nix 
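Review bot: `binaryCachePublicKeys = [ (builtins.readFile /secret/hydra_cache.pub) ]` now evaluates on every host, so a machine without `/secret/hydra_cache.pub` fails to evaluate and every machine that has it trusts that key unconditionally, while `sshServe.keys` on the line above is still gated on hydra. If all hosts are meant to trust the cache, guard the read so evaluation does not depend on the file being present: `binaryCachePublicKeys = if builtins.pathExists /secret/hydra_cache.pub then [ (builtins.readFile /secret/hydra_cache.pub) ] else [];`. Note also that `trustedBinaryCaches` in the context lines still hard-codes `https://cache.ophanim.de` while the rest of this commit moves host names to `config.machine.domain`.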
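Review bot: The three `++ (if … then [ … ] else [])` clauses in `extraGroups` re-implement `lib.optionals`, which the `with lib;` added in the first hunk of this file brings into scope; `++ optionals config.services.xserver.enable [ "input" ]` (and likewise for printing and docker) states the intent directly, and the `openssh.authorizedKeys.keyFiles` line can become `optional config.services.openssh.enable "/secret/derped.pub"`. Also `[ "docker"]` is missing the space before `]` that the sibling lists have.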
@@ -2,15 +2,19 @@ with lib; +# hint: use 'echo -n' so there is no newline char in the hostName file let - # hint: use 'echo -n' so there is no newline char in the hostName file - cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix")); -in rec { + machinePath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName))); + machineConf = machinePath + "/configuration.nix"; + machineOpts = machinePath + "/options.nix"; +in { imports = [ - cfgPath - ./config/default.nix # same problem as above + machineConf + machineOpts + ./config/default.nix ./pkgs/nixpkgs.nix ./pkgs/pkgsets.nix - ./services/default.nix # same problem as above + ./services/containers.nix + ./services/default.nix ]; } diff --git a/machines/Ophanim/Ophanim.nix b/machines/CDServer/configuration.nix similarity index 75% rename from machines/Ophanim/Ophanim.nix rename to machines/CDServer/configuration.nix index bc38374..73c1095 100644 --- a/machines/Ophanim/Ophanim.nix +++ b/machines/CDServer/configuration.nix @@ -10,20 +10,12 @@ ]; system.autoUpgrade.enable = false; - -# services.vsftp = { -# enable = true; -# ssl_sslv3 = true; -# forceLocalDataSSL = true; -# writeEnable = false; -# userlist = []; -# }; services.haveged.enable = true; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you # should. - system.stateVersion = "18.09"; + system.stateVersion = "19.03"; } diff --git a/machines/CDServer/options.nix b/machines/CDServer/options.nix new file mode 100644 index 0000000..d659dc1 --- /dev/null +++ b/machines/CDServer/options.nix 
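Review bot: `builtins.readFile /secret/hostName` still carries a trailing newline into `machinePath` whenever the file was not written with `echo -n`, which is the only reason the moved hint comment exists; with `with lib;` already in scope, `fileContents` strips that newline and makes the comment unnecessary: `machinePath = builtins.toPath ("/etc/nixos/machines/" + fileContents /secret/hostName);`. Separately, `machineOpts` is now imported unconditionally, so every directory under `machines/` must ship an `options.nix` — the three machines in this commit do, but a new machine without one fails at import time rather than with a clear message, which is worth a one-line comment next to the `imports` list.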
@@ -0,0 +1,41 @@ +{ config, lib, ... }: + +with lib; + +{ + imports = [ + ../../options/machine.nix + ]; + + config.machine = { + hostName = "CDServer"; + allowUnfree = true; + conffiles = [ + "etcvars" +# "security" + "zsh" + ]; + pkgs = [ + "base" + "emacs" + "server" + ]; + services = [ + "docker" +# "fail2ban" +# "gitea" +# "mailserver" + "cd-internes" + "mariaDB" + "nginx" + "openssh" + ]; + firewall = { + allowPing = false; + allowedUDPPorts = [ 22 80 443 ]; + allowedTCPPorts = [ 80 443 ]; + allowedUDPPortRanges = []; + allowedTCPPortRanges = []; + }; + }; +} diff --git a/machines/Lilim/Lilim.nix b/machines/Lilim/Lilim.nix deleted file mode 100644 index f9d61c1..0000000 --- a/machines/Lilim/Lilim.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - ./hardware-configuration.nix - ]; - - services = { - gnome3.gnome-terminal-server.enable = true; - udev.extraRules = '' - SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666" - KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput" - ''; - }; - - environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ]; - - system.stateVersion = "19.03"; -} diff --git a/machines/Lilim/configuration.nix b/machines/Lilim/configuration.nix index c519429..f9d61c1 100644 --- a/machines/Lilim/configuration.nix +++ b/machines/Lilim/configuration.nix 
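Review bot: `allowedUDPPorts = [ 22 80 443 ];` opens UDP on ports that nothing in this configuration serves — SSH and the nginx vhosts are TCP, and TCP/22 is not in `allowedTCPPorts` — so the line looks copied over rather than intended; the same list appears in the new `machines/Ophanim/options.nix`. Unless a UDP listener exists, `allowedUDPPorts = [];` is the safer setting, and if SSH reachability currently relies on the openssh module opening its own port, adding `22` to `allowedTCPPorts` makes that explicit. A short comment on why `"security"` is commented out of `conffiles` for this machine would also help, since the Ophanim options keep it.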
@@ -1,46 +1,19 @@ { config, lib, pkgs, ... }: -with lib; - { - imports = [ - ../../options/machine.nix - ./Lilim.nix + imports = [ + ./hardware-configuration.nix ]; - config.machine = { - allowUnfree = true; - hostName = "Lilim"; - conffiles = [ - "etcfiles" - "etcvars" - "fonts" - "zsh" - ]; - pkgs = [ - "base" - "dict" - "emacs" - "extra" - "cpp" - "haskell" - "mailutils" - "python3" - "rustpkgs" - "xpkgs" - ]; - services = [ - "xserver" - "docker" - "udev" - "cups" - ]; - firewall = { - allowPing = true; - allowedUDPPorts = []; - allowedTCPPorts = []; - allowedUDPPortRanges = [ { from = 1714; to = 1764; } ]; - allowedTCPPortRanges = [ { from = 1714; to = 1764; } ]; - }; + services = { + gnome3.gnome-terminal-server.enable = true; + udev.extraRules = '' + SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666" + KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput" + ''; }; + + environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ]; + + system.stateVersion = "19.03"; } diff --git a/machines/Lilim/options.nix b/machines/Lilim/options.nix new file mode 100644 index 0000000..a80cb88 --- /dev/null +++ b/machines/Lilim/options.nix @@ -0,0 +1,46 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../../options/machine.nix + ]; + + config.machine = { + allowUnfree = true; + hostName = "Lilim"; + conffiles = [ + "etcfiles" + "etcvars" + "fonts" + "zsh" + ]; + pkgs = [ + "base" + "dict" + "emacs" + "extra" + "cpp" + "haskell" + "mailutils" + "python3" + "rustpkgs" + "xpkgs" + ]; + services = [ +# "containers" + "xserver" +# "docker" + "udev" + "cups" + ]; + firewall = { + allowPing = true; + allowedUDPPorts = []; + allowedTCPPorts = []; + allowedUDPPortRanges = [ { from = 1714; to = 1764; } ]; + allowedTCPPortRanges = [ { from = 1714; to = 1764; } ]; + }; + }; +} diff --git a/machines/Ophanim/configuration.nix b/machines/Ophanim/configuration.nix index 227f684..bc38374 100644 --- a/machines/Ophanim/configuration.nix 
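Review bot: The udev rule `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"` (moved here from Lilim.nix rather than newly written) makes every USB device from that vendor world-readable and world-writable, while the `uinput` rule directly below it correctly restricts access to `GROUP="input", MODE="0660"`. Restricting the USB rule the same way, `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0660", GROUP="input"`, or tagging it `TAG+="uaccess"` so only the active seat user gets access, keeps the device usable without exposing it to every local account. The `derped` user is already added to `input` by config/users.nix when xserver is enabled, so the group form needs no further change.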
+++ b/machines/Ophanim/configuration.nix @@ -1,42 +1,29 @@ -{ config, lib, ... }: +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). -with lib; +{ config, pkgs, ... }: { - imports = [ - ../../options/machine.nix - ./Ophanim.nix - ]; + imports = [ + ./hardware-configuration.nix + ]; + + system.autoUpgrade.enable = false; + +# services.vsftp = { +# enable = true; +# ssl_sslv3 = true; +# forceLocalDataSSL = true; +# writeEnable = false; +# userlist = []; +# }; + services.haveged.enable = true; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you + # should. + system.stateVersion = "18.09"; - config.machine = { - hostName = "Ophanim"; - allowUnfree = true; - conffiles = [ - "etcvars" - "security" - "zsh" - ]; - pkgs = [ - "base" - "emacs" - "server" - ]; - services = [ - "fail2ban" - "gitea" - "hydra" - "mailserver" - "mariaDB" - "nextcloud" - "nginx" - "openssh" - ]; - firewall = { - allowPing = false; - allowedUDPPorts = [ 22 80 443 ]; - allowedTCPPorts = [ 80 443 ]; # 5222 5269 ]; - allowedUDPPortRanges = []; - allowedTCPPortRanges = []; - }; - }; } diff --git a/machines/Ophanim/options.nix b/machines/Ophanim/options.nix new file mode 100644 index 0000000..5119ccc --- /dev/null +++ b/machines/Ophanim/options.nix 
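Review bot: The commented-out `services.vsftp` block (`ssl_sslv3 = true;` and the lines around it) is kept here while the CDServer copy of the same file in this commit deletes it; if it is ever uncommented it enables SSLv3, so it is better dropped than carried along as dead config, and removing those seven `#` lines brings the two machine files back in step. Unlike the CDServer copy, `system.stateVersion` stays at `"18.09"` here, which is correct for the existing host and should not be bumped along with it.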
@@ -0,0 +1,42 @@ +{ config, lib, ... }: + +with lib; + +{ + imports = [ + ../../options/machine.nix + ]; + + config.machine = { + hostName = "Ophanim"; + domain = "ophanim.de"; + allowUnfree = true; + conffiles = [ + "etcvars" + "security" + "zsh" + ]; + pkgs = [ + "base" + "emacs" + "server" + ]; + services = [ + "fail2ban" + "gitea" + "hydra" + "mailserver" + "mariaDB" + "nextcloud" + "nginx" + "openssh" + ]; + firewall = { + allowPing = false; + allowedUDPPorts = [ 22 80 443 ]; + allowedTCPPorts = [ 80 443 ]; # 5222 5269 ]; + allowedUDPPortRanges = []; + allowedTCPPortRanges = []; + }; + }; +} diff --git a/options/machine.nix b/options/machine.nix index d152190..6974960 100644 --- a/options/machine.nix +++ b/options/machine.nix @@ -4,12 +4,6 @@ with lib; { options.machine = { - confPath = mkOption { - type = types.path; - description = '' - Path to the machines configuration.nix - ''; - }; allowUnfree = mkOption { type = types.bool; description = '' @@ -40,6 +34,13 @@ with lib; The Machines HostName ''; }; + domain = mkOption { + type = types.str; + default = "localhost"; + description = '' + The Machines domain name. + ''; + }; firewall = { allowPing = mkOption { type = types.bool; diff --git a/pkgs/pkgsets.nix b/pkgs/pkgsets.nix index dbc1077..1c0bd06 100644 --- a/pkgs/pkgsets.nix +++ b/pkgs/pkgsets.nix @@ -37,7 +37,7 @@ let nix-update-source nix-zsh-completions nixbang - nixops +# nixops nmap nox ntfs3g @@ -58,7 +58,7 @@ let unzipNLS usbutils vim -# vulnix + vulnix wget whois wirelesstools @@ -250,7 +250,7 @@ let ]; in { - environment.systemPackages = base + environment.systemPackages = base ++ (optPkgs dict "dict") ++ (optPkgs [emacs] "emacs") ++ (optPkgs extra "extra") diff --git a/services/containers.nix b/services/containers.nix new file mode 100644 index 0000000..6bd262c --- /dev/null +++ b/services/containers.nix 
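Review bot: `default = "localhost";` for `machine.domain` silently produces hostnames like `cache.localhost` on any machine that does not set the option — `machines/CDServer/options.nix` and `machines/Lilim/options.nix` in this commit do not — and the vhosts in services/nginx.nix then request ACME certificates for `localhost` with `enableACME = true; forceSSL = true;`, which can never be issued. Either drop the default so evaluation fails with a clear "option not set" error, or keep it and gate ACME on a real domain, e.g. `enableACME = config.machine.domain != "localhost";` in those vhosts. The description `The Machines domain name.` could also state that the `git.`, `cache.`, `builder.`, `mail.` and `storage.` names are derived from it.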
@@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +with lib; + +mkIf (elem "containers" config.machine.services) { + containers.CDServer = { + privateNetwork = true; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + config = + { config, lib, pkgs, ... }: + + { + imports = [ + ../machines/CDServer/options.nix + ./default.nix + ../config/default.nix + ../pkgs/nixpkgs.nix + ../pkgs/pkgsets.nix + ]; + }; + }; +} diff --git a/services/gitea.nix b/services/gitea.nix index 36af9ee..9e0e9d9 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -7,8 +7,8 @@ mkIf (elem "gitea" config.machine.services) { enable = true; user = "git"; cookieSecure = true; - domain = "git.ophanim.de"; - rootUrl = "http://git.ophanim.de/"; + domain = "git.${config.machine.domain}"; + rootUrl = "http://git.${config.machine.domain}/"; database = { type = "mysql"; user = "git"; diff --git a/services/hydra.nix b/services/hydra.nix index 657b68c..91ed123 100644 --- a/services/hydra.nix +++ b/services/hydra.nix @@ -4,9 +4,9 @@ # sudo -u hydra -s # hydra-create-user $USERNAME --password $PASSWORD --role admin -# also for reference some other hydra configs: +# https://qfpl.io/posts/nix/starting-simple-hydra/ +# also for reference a well written hydra config: # https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix -# https://gist.github.com/LnL7/fcd5c0bf772f2165a1ac40be6617d2f4 with lib; 
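Review bot: The container's `imports` pull in `../machines/CDServer/options.nix` but not `../machines/CDServer/configuration.nix`, so the `system.stateVersion = "19.03"` and `services.haveged.enable` set there never apply inside the container, and the container presumably runs on the module default stateVersion — likely unintended, since that file exists only for this machine. If that file's own `imports` (outside its hunk) pull in a hardware-configuration.nix, set `system.stateVersion = "19.03";` directly in the container's config instead of importing it. With `privateNetwork = true` the container's nginx on 80/443 is only reachable through host NAT or `forwardPorts`, neither of which appears in this hunk, so confirm that is configured elsewhere and add a comment pointing to it next to the hard-coded `hostAddress`/`localAddress`.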
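Review bot: `rootUrl = "http://git.${config.machine.domain}/"` keeps the plain-http scheme although the `git.${config.machine.domain}` vhost in services/nginx.nix sets `forceSSL = true` and this block sets `cookieSecure = true`, so Gitea generates http:// links that are only redirected after the fact and a Secure cookie that does not match its own root URL; change it to `rootUrl = "https://git.${config.machine.domain}/";`. The `services.gitea` block this hunk sits in starts outside the hunk.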
@@ -23,19 +23,23 @@ mkIf (elem "hydra" config.machine.services) { services.hydra = { enable = true; - hydraURL = "https://builder.ophanim.de"; # externally visible URL + hydraURL = "https://builder.${config.machine.domain}"; # externally visible URL listenHost = "localhost"; port = 3001; minimumDiskFree = 15; minimumDiskFreeEvaluator = 15; - notificationSender = "hydra@mail.ophanim.de"; # e-mail of hydra service + notificationSender = "hydra@mail.${config.machine.domain}"; # e-mail of hydra service useSubstitutes = true; debugServer = false; + # Hints from hydra-queue-runner: + # binary_cache_dir is deprecated and ignored. use store_uri=file:// instead + # hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead extraConfig = '' max_output_size = 4294967296 - store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache - server_store_uri = https://cache.ophanim.de - binary_cache_public_uri https://cache.ophanim.de + store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br + # add ?local-nar-cache= to set nar cache location + server_store_uri = https://cache.${config.machine.domain} + binary_cache_public_uri https://cache.${config.machine.domain} upload_logs_to_binary_cache = true ''; }; diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 8555064..93b08a7 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -6,7 +6,7 @@ mkIf (elem "nextcloud" config.machine.services) { services.nextcloud = { enable = true; home = "/var/lib/nextcloud"; - hostName = "storage.ophanim.de"; + hostName = "storage.${config.machine.domain}"; https = true; maxUploadSize = "1024M"; config = { diff --git a/services/nginx.nix b/services/nginx.nix index 57f7000..3859da1 100644 --- a/services/nginx.nix +++ b/services/nginx.nix 
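Review bot: `upload_logs_to_binary_cache = true` together with the newly added `write-nar-listing=1` and the cache vhost in services/nginx.nix that serves `/var/cache/hydra` with `autoindex on` publishes every build log and NAR listing to anyone who can reach `cache.${config.machine.domain}`; build logs can contain paths, environment details and fetched URLs, so confirm that is wanted for a public cache or set it to `false`. The three hint comments added above `extraConfig` are useful; a similar one-line comment on why `write-nar-listing`/`ls-compression`/`log-compression` were added would help, since the `store_uri` line is now long enough to need it.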
@@ -23,12 +23,12 @@ mkIf (elem "nginx" config.machine.services) { add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; ''; virtualHosts = { - "ophanim.de" = { + "${config.machine.domain}" = { enableACME = true; forceSSL = true; root = "/var/www"; }; - "builder.ophanim.de" = mkIf config.services.hydra.enable { + "builder.${config.machine.domain}" = mkIf config.services.hydra.enable { enableACME = true; forceSSL = true; extraConfig = '' @@ -41,7 +41,7 @@ mkIf (elem "nginx" config.machine.services) { } ''; }; - "cache.ophanim.de" = mkIf config.services.hydra.enable { + "cache.${config.machine.domain}" = mkIf config.services.hydra.enable { enableACME = true; forceSSL = true; root = "/var/cache/hydra"; @@ -49,13 +49,13 @@ mkIf (elem "nginx" config.machine.services) { autoindex on; ''; }; - "mail.ophanim.de" = { + "mail.${config.machine.domain}" = mkIf config.mailserver.enable { enableACME = true; forceSSL = true; root = "/var/www"; }; - "${config.services.nextcloud.hostName}" = mkIf config.services.nextcloud.enable { + "storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable { root = pkgs.nextcloud; enableACME = config.services.nextcloud.https; forceSSL = config.services.nextcloud.https; @@ -152,7 +152,7 @@ mkIf (elem "nginx" config.machine.services) { ''; }; - "${config.services.gitea.domain}" = mkIf config.services.gitea.enable { + "git.${config.machine.domain}" = mkIf config.services.gitea.enable { enableACME = true; forceSSL = true; root = "${config.services.gitea.stateDir}/public";
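Review bot: The vhost keys `"storage.${config.machine.domain}"` and `"git.${config.machine.domain}"` replace `"${config.services.nextcloud.hostName}"` and `"${config.services.gitea.domain}"`, so the nginx server_name is now spelled separately from each service's own hostname setting and the two can drift silently — a mismatch breaks Nextcloud's trusted-domain check and Gitea's generated URLs. Keeping the service-derived keys, which already resolve to the same `storage.`/`git.` names after the nextcloud and gitea hunks of this commit, avoids that duplication. Gating `"mail.${config.machine.domain}"` on `config.mailserver.enable` is a good addition; the first and third hunks of this file are fine as written.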