Added domain option. Maybe fixed binary cache signing.

This commit is contained in:
Kevin Baensch 2019-03-23 02:50:48 +01:00
parent 63e40a5a29
commit 66ca5839e5
17 changed files with 238 additions and 139 deletions


@ -11,7 +11,7 @@
''; '';
sshServe.enable = if config.services.hydra.enable then true else false; sshServe.enable = if config.services.hydra.enable then true else false;
sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else []; sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else [];
binaryCachePublicKeys = if config.services.hydra.enable then [ (builtins.readFile /secret/hydra_cache.pub) ] else []; binaryCachePublicKeys = [ (builtins.readFile /secret/hydra_cache.pub) ];
trustedBinaryCaches = [ trustedBinaryCaches = [
"https://cache.nixos.org" "https://cache.nixos.org"
"https://cache.ophanim.de" "https://cache.ophanim.de"
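Review bot: Making `binaryCachePublicKeys` unconditional turns `/secret/hydra_cache.pub` into a hard evaluation-time dependency for every host, and the matching private key on the Hydra machine becomes a trust root for the whole fleet: any store path signed with it is accepted by all machines that substitute from cache.ophanim.de. That is presumably intended, but it deserves a comment next to the line, e.g. `# Hydra cache signing key: trusted by every host, so /secret/hydra_cache on Ophanim must stay private`. The same newline caveat the file's hostName hint describes applies here: the keys are joined with spaces into nix.conf, so if the .pub file ends in a newline, wrapping it as `lib.removeSuffix "\n" (builtins.readFile /secret/hydra_cache.pub)` keeps a later second key from landing on a broken line. The enclosing `nix` attribute set starts before this hunk.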


@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
{ {
users = { users = {
mutableUsers = false; mutableUsers = false;
@ -9,11 +11,14 @@
createHome = true; createHome = true;
description = ""; description = "";
group = "derped"; group = "derped";
extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []); extraGroups = [ "audio" "wheel" "network" ]
++ (if config.services.xserver.enable then [ "input" ] else [])
++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
++ (if config.virtualisation.docker.enable then [ "docker"] else []);
uid = 1337; uid = 1337;
shell = "/run/current-system/sw/bin/zsh"; shell = "/run/current-system/sw/bin/zsh";
passwordFile = "/secret/derped"; passwordFile = "/secret/derped";
openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]); openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/derped.pub" ] else [];
}; };
groups.derped = { groups.derped = {
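Review bot: The new `extraGroups` expression grants root-equivalent and input-sniffing privileges implicitly whenever a service is enabled, and nothing in the hunk says so; `docker` group membership is effectively root on the host, and `input` lets every process running as this user read all `/dev/input` devices (and, with a uinput rule handing that device to `input`, inject events). On a single-user desktop that is a deliberate trade-off, but on a host that also appears inside a container config it is worth a comment: `# "wheel"/"docker" are root-equivalent; "input" exposes raw keyboard/mouse devices to every process of this user`. The gating on `config.services.xserver.enable` etc. is a clear improvement over the hostName comparison it replaces. The enclosing `users.users` block starts before this hunk.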


@ -2,15 +2,19 @@
with lib; with lib;
let
# hint: use 'echo -n' so there is no newline char in the hostName file # hint: use 'echo -n' so there is no newline char in the hostName file
cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix")); let
in rec { machinePath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName)));
machineConf = machinePath + "/configuration.nix";
machineOpts = machinePath + "/options.nix";
in {
imports = [ imports = [
cfgPath machineConf
./config/default.nix # same problem as above machineOpts
./config/default.nix
./pkgs/nixpkgs.nix ./pkgs/nixpkgs.nix
./pkgs/pkgsets.nix ./pkgs/pkgsets.nix
./services/default.nix # same problem as above ./services/containers.nix
./services/default.nix
]; ];
} }
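Review bot: `machinePath` is built from the raw contents of `/secret/hostName` with no check that the resulting directory exists, so a blank, misspelled or newline-terminated value now fails deep inside `imports` (or, if another machine directory happens to match, silently evaluates the wrong machine's `options.nix`). A guard before the attribute set makes the failure explicit: `in assert builtins.pathExists machineConf && builtins.pathExists machineOpts;` followed by the existing `{`. The `# hint: use 'echo -n'` comment should also move next to the `builtins.readFile` call it refers to, since it now sits above the `let` rather than on the line it documents. Note that `builtins.toPath` is marked deprecated in the Nix manual; `/. + ("/etc/nixos/machines/" + …)` gives the same path without the warning, though I have not confirmed which Nix version this host runs.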


@ -10,20 +10,12 @@
]; ];
system.autoUpgrade.enable = false; system.autoUpgrade.enable = false;
# services.vsftp = {
# enable = true;
# ssl_sslv3 = true;
# forceLocalDataSSL = true;
# writeEnable = false;
# userlist = [];
# };
services.haveged.enable = true; services.haveged.enable = true;
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you # servers. You should change this only after NixOS release notes say you
# should. # should.
system.stateVersion = "18.09"; system.stateVersion = "19.03";
} }
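Review bot: `system.stateVersion` is bumped from "18.09" to "19.03" on what appears to be an already-deployed host, which the comment immediately above the line warns against: stateful service defaults keyed on stateVersion can change under an existing database or mail store. If this machine was freshly reinstalled the bump is fine, but then the commit message should say so; otherwise keep "18.09" and add `# intentionally left at the install-time value, see the note above`. The commit title gives no indication which case applies.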


@ -0,0 +1,41 @@
{ config, lib, ... }:
with lib;
{
imports = [
../../options/machine.nix
];
config.machine = {
hostName = "CDServer";
allowUnfree = true;
conffiles = [
"etcvars"
# "security"
"zsh"
];
pkgs = [
"base"
"emacs"
"server"
];
services = [
"docker"
# "fail2ban"
# "gitea"
# "mailserver"
"cd-internes"
"mariaDB"
"nginx"
"openssh"
];
firewall = {
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPortRanges = [];
allowedTCPPortRanges = [];
};
};
}
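Review bot: `allowedUDPPorts = [ 22 80 443 ];` opens UDP ports that none of the enabled services listen on — sshd and nginx are TCP-only here — so this looks copied from the Ophanim profile; it should be `allowedUDPPorts = [];` (TCP 22 is presumably opened by the openssh module's own firewall default, and 80/443 are already in `allowedTCPPorts`). Separately, `openssh` and a web stack are enabled while `# "fail2ban"` and `# "security"` are commented out; if this container is reachable from outside the host network that should be a conscious decision recorded in a comment rather than an artefact of copy-editing. Whether it is reachable depends on host NAT/forwarding rules that are not part of this commit.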


@ -1,19 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
];
services = {
gnome3.gnome-terminal-server.enable = true;
udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
'';
};
environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ];
system.stateVersion = "19.03";
}


@ -1,46 +1,19 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
{ {
imports = [ imports = [
../../options/machine.nix ./hardware-configuration.nix
./Lilim.nix
]; ];
config.machine = { services = {
allowUnfree = true; gnome3.gnome-terminal-server.enable = true;
hostName = "Lilim"; udev.extraRules = ''
conffiles = [ SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
"etcfiles" KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
"etcvars" '';
"fonts"
"zsh"
];
pkgs = [
"base"
"dict"
"emacs"
"extra"
"cpp"
"haskell"
"mailutils"
"python3"
"rustpkgs"
"xpkgs"
];
services = [
"xserver"
"docker"
"udev"
"cups"
];
firewall = {
allowPing = true;
allowedUDPPorts = [];
allowedTCPPorts = [];
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
};
}; };
environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ];
system.stateVersion = "19.03";
} }
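Review bot: The udev rule `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"` makes every USB device from that vendor world-readable and world-writable, so any local process, not just the logged-in user, can talk to the device. The conventional form grants access to the active seat only: `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0660", TAG+="uaccess"`, which relies on logind ACLs that NixOS provides. The second rule hands `/dev/uinput` to the whole `input` group, which lets every member synthesize keystrokes for the session; that is acceptable for a single-user laptop but deserves a `# uinput access == ability to inject input events` comment. This block was moved rather than introduced by the commit, but it is the live code on the new side.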


@ -0,0 +1,46 @@
{ config, lib, pkgs, ... }:
with lib;
{
imports = [
../../options/machine.nix
];
config.machine = {
allowUnfree = true;
hostName = "Lilim";
conffiles = [
"etcfiles"
"etcvars"
"fonts"
"zsh"
];
pkgs = [
"base"
"dict"
"emacs"
"extra"
"cpp"
"haskell"
"mailutils"
"python3"
"rustpkgs"
"xpkgs"
];
services = [
# "containers"
"xserver"
# "docker"
"udev"
"cups"
];
firewall = {
allowPing = true;
allowedUDPPorts = [];
allowedTCPPorts = [];
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
};
};
}


@ -1,42 +1,29 @@
{ config, lib, ... }: # Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
with lib; { config, pkgs, ... }:
{ {
imports = [ imports = [
../../options/machine.nix ./hardware-configuration.nix
./Ophanim.nix
]; ];
config.machine = { system.autoUpgrade.enable = false;
hostName = "Ophanim";
allowUnfree = true; # services.vsftp = {
conffiles = [ # enable = true;
"etcvars" # ssl_sslv3 = true;
"security" # forceLocalDataSSL = true;
"zsh" # writeEnable = false;
]; # userlist = [];
pkgs = [ # };
"base" services.haveged.enable = true;
"emacs"
"server" # This value determines the NixOS release with which your system is to be
]; # compatible, in order to avoid breaking some software such as database
services = [ # servers. You should change this only after NixOS release notes say you
"fail2ban" # should.
"gitea" system.stateVersion = "18.09";
"hydra"
"mailserver"
"mariaDB"
"nextcloud"
"nginx"
"openssh"
];
firewall = {
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
allowedUDPPortRanges = [];
allowedTCPPortRanges = [];
};
};
} }


@ -0,0 +1,42 @@
{ config, lib, ... }:
with lib;
{
imports = [
../../options/machine.nix
];
config.machine = {
hostName = "Ophanim";
domain = "ophanim.de";
allowUnfree = true;
conffiles = [
"etcvars"
"security"
"zsh"
];
pkgs = [
"base"
"emacs"
"server"
];
services = [
"fail2ban"
"gitea"
"hydra"
"mailserver"
"mariaDB"
"nextcloud"
"nginx"
"openssh"
];
firewall = {
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
allowedUDPPortRanges = [];
allowedTCPPortRanges = [];
};
};
}
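Review bot: `allowedUDPPorts = [ 22 80 443 ];` opens three UDP ports that no service in this profile uses (sshd, nginx, gitea, hydra, nextcloud and the mailserver listeners visible in this commit are TCP), so it widens the firewall for nothing; `allowedUDPPorts = [];` is the intended value, with TCP 22 left to the openssh module's own firewall handling as before. The new `domain = "ophanim.de";` line is the one every service file in this commit now interpolates, so a short comment such as `# every *.domain vhost below gets an ACME certificate — must be a public DNS name` would save the next person a surprise.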


@ -4,12 +4,6 @@ with lib;
{ {
options.machine = { options.machine = {
confPath = mkOption {
type = types.path;
description = ''
Path to the machines configuration.nix
'';
};
allowUnfree = mkOption { allowUnfree = mkOption {
type = types.bool; type = types.bool;
description = '' description = ''
@ -40,6 +34,13 @@ with lib;
The Machines HostName The Machines HostName
''; '';
}; };
domain = mkOption {
type = types.str;
default = "localhost";
description = ''
The Machines domain name.
'';
};
firewall = { firewall = {
allowPing = mkOption { allowPing = mkOption {
type = types.bool; type = types.bool;
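Review bot: `default = "localhost";` for `domain` is a trap rather than a safe fallback: the nginx, hydra, gitea and nextcloud modules in this commit build `enableACME = true` vhosts and public URLs from it, so a host that enables one of those services without setting `domain` will request Let's Encrypt certificates for `git.localhost` and friends and fail at runtime instead of at evaluation. Dropping the default makes Nix report the missing option at evaluation time, which is what you want; if a default must stay, the description should say `Must be a publicly resolvable name when any ACME-backed service is enabled.` The removal of the unused `confPath` option is fine. The option set continues outside this hunk.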


@ -37,7 +37,7 @@ let
nix-update-source nix-update-source
nix-zsh-completions nix-zsh-completions
nixbang nixbang
nixops # nixops
nmap nmap
nox nox
ntfs3g ntfs3g
@ -58,7 +58,7 @@ let
unzipNLS unzipNLS
usbutils usbutils
vim vim
# vulnix vulnix
wget wget
whois whois
wirelesstools wirelesstools

23
services/containers.nix Normal file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
with lib;
mkIf (elem "containers" config.machine.services) {
containers.CDServer = {
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
config =
{ config, lib, pkgs, ... }:
{
imports = [
../machines/CDServer/options.nix
./default.nix
../config/default.nix
../pkgs/nixpkgs.nix
../pkgs/pkgsets.nix
];
};
};
}
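Review bot: This container imports the full CDServer profile, which enables `docker` and `openssh` inside it, yet NixOS containers share the host kernel and the NixOS manual warns that root inside a container is not isolated from the host; running a Docker daemon in there needs extra privileges and effectively makes the container's sshd a root-equivalent entry point to the host. That should be stated in a comment at the top of the block, e.g. `# NOTE: NixOS containers are not a security boundary; docker inside requires host-level privileges`. The profile also pulls in the shared user config, whose `passwordFile = "/secret/derped"` is resolved at activation time inside the container, and no `bindMounts` are declared, so I would expect that user to end up without a usable password unless the relevant file is mounted — mount only that file, not the whole `/secret` tree, which also holds the Hydra signing key. `autoStart` is not set either, so the container will not come up with the host unless started by hand; say so if that is intended.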


@ -7,8 +7,8 @@ mkIf (elem "gitea" config.machine.services) {
enable = true; enable = true;
user = "git"; user = "git";
cookieSecure = true; cookieSecure = true;
domain = "git.ophanim.de"; domain = "git.${config.machine.domain}";
rootUrl = "http://git.ophanim.de/"; rootUrl = "http://git.${config.machine.domain}/";
database = { database = {
type = "mysql"; type = "mysql";
user = "git"; user = "git";
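Review bot: `rootUrl = "http://git.${config.machine.domain}/";` still uses plain http although the matching nginx vhost in this commit sets `forceSSL = true` and this block sets `cookieSecure = true`; Gitea will emit http:// links that bounce through a redirect, and secure-flagged cookies will not be sent to the http URL it believes it is serving. The line should read `rootUrl = "https://git.${config.machine.domain}/";` now that the URL is parameterised anyway. The enclosing `services.gitea` block starts and ends outside this hunk.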


@ -4,9 +4,9 @@
# sudo -u hydra -s # sudo -u hydra -s
# hydra-create-user $USERNAME --password $PASSWORD --role admin # hydra-create-user $USERNAME --password $PASSWORD --role admin
# also for reference some other hydra configs: # https://qfpl.io/posts/nix/starting-simple-hydra/
# also for reference a well written hydra config:
# https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix # https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix
# https://gist.github.com/LnL7/fcd5c0bf772f2165a1ac40be6617d2f4
with lib; with lib;
@ -23,19 +23,23 @@ mkIf (elem "hydra" config.machine.services) {
services.hydra = { services.hydra = {
enable = true; enable = true;
hydraURL = "https://builder.ophanim.de"; # externally visible URL hydraURL = "https://builder.${config.machine.domain}"; # externally visible URL
listenHost = "localhost"; listenHost = "localhost";
port = 3001; port = 3001;
minimumDiskFree = 15; minimumDiskFree = 15;
minimumDiskFreeEvaluator = 15; minimumDiskFreeEvaluator = 15;
notificationSender = "hydra@mail.ophanim.de"; # e-mail of hydra service notificationSender = "hydra@mail.${config.machine.domain}"; # e-mail of hydra service
useSubstitutes = true; useSubstitutes = true;
debugServer = false; debugServer = false;
# Hints from hydra-queue-runner:
# binary_cache_dir is deprecated and ignored. use store_uri=file:// instead
# hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
extraConfig = '' extraConfig = ''
max_output_size = 4294967296 max_output_size = 4294967296
store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
server_store_uri = https://cache.ophanim.de # add ?local-nar-cache= to set nar cache location
binary_cache_public_uri https://cache.ophanim.de server_store_uri = https://cache.${config.machine.domain}
binary_cache_public_uri https://cache.${config.machine.domain}
upload_logs_to_binary_cache = true upload_logs_to_binary_cache = true
''; '';
}; };
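Review bot: `upload_logs_to_binary_cache = true` together with `store_uri = file:///var/cache/hydra?...` writes every build log into the same tree that the `cache.` nginx vhost in this commit serves with directory listing enabled, so anything a build prints — including environment dumps or tokens echoed by a misbehaving derivation — becomes world-readable. That is a conscious choice for a public cache but should be written down next to the option: `# build logs are published on cache.<domain>; never let a build print secrets`. The `secret-key=/secret/hydra_cache` parameter means the signing key must be readable by the user the queue runner executes as and by nobody else; nothing in the hunk shows the file mode, so a comment recording the expected owner/mode (or an assertion-style note) would help whoever rotates the key. The `services.hydra` block continues outside this hunk.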


@ -6,7 +6,7 @@ mkIf (elem "nextcloud" config.machine.services) {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
home = "/var/lib/nextcloud"; home = "/var/lib/nextcloud";
hostName = "storage.ophanim.de"; hostName = "storage.${config.machine.domain}";
https = true; https = true;
maxUploadSize = "1024M"; maxUploadSize = "1024M";
config = { config = {


@ -23,12 +23,12 @@ mkIf (elem "nginx" config.machine.services) {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
''; '';
virtualHosts = { virtualHosts = {
"ophanim.de" = { "${config.machine.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/var/www"; root = "/var/www";
}; };
"builder.ophanim.de" = mkIf config.services.hydra.enable { "builder.${config.machine.domain}" = mkIf config.services.hydra.enable {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
extraConfig = '' extraConfig = ''
@ -41,7 +41,7 @@ mkIf (elem "nginx" config.machine.services) {
} }
''; '';
}; };
"cache.ophanim.de" = mkIf config.services.hydra.enable { "cache.${config.machine.domain}" = mkIf config.services.hydra.enable {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/var/cache/hydra"; root = "/var/cache/hydra";
@ -49,13 +49,13 @@ mkIf (elem "nginx" config.machine.services) {
autoindex on; autoindex on;
''; '';
}; };
"mail.ophanim.de" = { "mail.${config.machine.domain}" = mkIf config.mailserver.enable {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "/var/www"; root = "/var/www";
}; };
"${config.services.nextcloud.hostName}" = mkIf config.services.nextcloud.enable { "storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
root = pkgs.nextcloud; root = pkgs.nextcloud;
enableACME = config.services.nextcloud.https; enableACME = config.services.nextcloud.https;
forceSSL = config.services.nextcloud.https; forceSSL = config.services.nextcloud.https;
@ -152,7 +152,7 @@ mkIf (elem "nginx" config.machine.services) {
''; '';
}; };
"${config.services.gitea.domain}" = mkIf config.services.gitea.enable { "git.${config.machine.domain}" = mkIf config.services.gitea.enable {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
root = "${config.services.gitea.stateDir}/public"; root = "${config.services.gitea.stateDir}/public";
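Review bot: Replacing `"${config.services.nextcloud.hostName}"` and `"${config.services.gitea.domain}"` with hard-coded `storage.`/`git.` prefixes reintroduces a second copy of each hostname: the vhost name and the service's own hostname option can now drift apart, and a mismatch means the TLS vhost serves one name while the application generates links for another. Keep the keys derived from the service options — `"${config.services.nextcloud.hostName}" = mkIf config.services.nextcloud.enable {` and `"${config.services.gitea.domain}" = mkIf config.services.gitea.enable {` — so the domain lives in exactly one place. The `mail.` vhost is now gated on `config.mailserver.enable`; if the mailserver module is only imported when that service is selected, this reference will fail evaluation with a missing-attribute error on hosts without it (I cannot see where the module is imported). The gitea vhost continues past the end of this hunk.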