Added domain option. Maybe fixed binary cache signing.

This commit is contained in:
Kevin Baensch 2019-03-23 02:50:48 +01:00
parent 63e40a5a29
commit 66ca5839e5
17 changed files with 238 additions and 139 deletions


@ -11,7 +11,7 @@
'';
sshServe.enable = if config.services.hydra.enable then true else false;
sshServe.keys = if config.services.hydra.enable then [ (builtins.readFile /secret/nix-ssh.pub) ] else [];
binaryCachePublicKeys = if config.services.hydra.enable then [ (builtins.readFile /secret/hydra_cache.pub) ] else [];
binaryCachePublicKeys = [ (builtins.readFile /secret/hydra_cache.pub) ];
trustedBinaryCaches = [
"https://cache.nixos.org"
"https://cache.ophanim.de"
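Review bot: `trustedBinaryCaches` still hard-codes `https://cache.ophanim.de` while the rest of this commit derives every other hostname from `config.machine.domain`; `"https://cache.${config.machine.domain}"` would keep this list in step with the nginx `cache.` vhost and hydra's `binary_cache_public_uri`. Separately, the now-unconditional `builtins.readFile /secret/hydra_cache.pub` keeps whatever trailing newline the file has and that string ends up inside the generated nix.conf key list; `lib.fileContents /secret/hydra_cache.pub` strips it, which is the same concern the `echo -n` hint elsewhere in this commit addresses for `/secret/hostName`. The enclosing attribute set and the cache list continue outside the hunk.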


@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
{
users = {
mutableUsers = false;
@ -9,13 +11,16 @@
createHome = true;
description = "";
group = "derped";
extraGroups = [ "audio" "wheel" "network" ] ++ (if config.machine.hostName != "Ophanim" then ["input" "cups" "lp" "docker"] else []);
extraGroups = [ "audio" "wheel" "network" ]
++ (if config.services.xserver.enable then [ "input" ] else [])
++ (if config.services.printing.enable then [ "cups" "lp" ] else [])
++ (if config.virtualisation.docker.enable then [ "docker"] else []);
uid = 1337;
shell = "/run/current-system/sw/bin/zsh";
passwordFile = "/secret/derped";
openssh.authorizedKeys.keyFiles = (if config.machine.hostName != "Ophanim" then [] else [ "/secret/derped.pub" ]);
openssh.authorizedKeys.keyFiles = if config.services.openssh.enable then [ "/secret/derped.pub" ] else [];
};
groups.derped = {
name = "derped";
gid = 1337;
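Review bot: On the new side `extraGroups` grants `docker` whenever `config.virtualisation.docker.enable` is set, so membership in the docker group — effectively root-equivalent through the docker socket — now follows the service instead of the host, where the old line excluded `Ophanim` explicitly. If that is intended for every host that enables docker (the new CDServer options in this commit list it), a comment on the `docker` line such as `# docker group is root-equivalent; granted on every host running the daemon` would make the trade-off visible to the next reader. The user attribute set and its enclosing module continue outside the hunk.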


@ -2,15 +2,19 @@
with lib;
# hint: use 'echo -n' so there is no newline char in the hostName file
let
# hint: use 'echo -n' so there is no newline char in the hostName file
cfgPath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName) + "/configuration.nix"));
in rec {
machinePath = (builtins.toPath ("/etc/nixos/machines/" + (builtins.readFile /secret/hostName)));
machineConf = machinePath + "/configuration.nix";
machineOpts = machinePath + "/options.nix";
in {
imports = [
cfgPath
./config/default.nix # same problem as above
machineConf
machineOpts
./config/default.nix
./pkgs/nixpkgs.nix
./pkgs/pkgsets.nix
./services/default.nix # same problem as above
./services/containers.nix
./services/default.nix
];
}
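Review bot: `machinePath` still concatenates the raw result of `builtins.readFile /secret/hostName` into a path, so the `echo -n` hint that moved to the `let` block remains the only guard against a trailing newline turning the import into a nonexistent `/etc/nixos/machines/<name>\n` directory. Since `with lib;` is already in scope, `fileContents /secret/hostName` strips that newline and removes the dependency on how the file was written, e.g. `machinePath = builtins.toPath ("/etc/nixos/machines/" + (fileContents /secret/hostName));`. The same expression is also what selects `machineOpts`, so a stray newline would fail both imports at once.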


@ -10,20 +10,12 @@
];
system.autoUpgrade.enable = false;
# services.vsftp = {
# enable = true;
# ssl_sslv3 = true;
# forceLocalDataSSL = true;
# writeEnable = false;
# userlist = [];
# };
services.haveged.enable = true;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09";
system.stateVersion = "19.03";
}
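Review bot: The bump of `system.stateVersion` from `"18.09"` to `"19.03"` is exactly the change the removed comment warned about: stateVersion selects version-dependent defaults for stateful services (database packages and state directories among them), so on a host that was installed under 18.09 and already runs the server profile of this commit (mariaDB, nextcloud, hydra) it can silently change which package or data layout those modules expect. If this host was freshly installed on 19.03 the bump is fine; otherwise keeping `"18.09"` or pinning the affected packages explicitly is the safer path. The enclosing module starts outside the hunk, so I cannot tell from here which machine this file belongs to.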


@ -0,0 +1,41 @@
{ config, lib, ... }:
with lib;
{
imports = [
../../options/machine.nix
];
config.machine = {
hostName = "CDServer";
allowUnfree = true;
conffiles = [
"etcvars"
# "security"
"zsh"
];
pkgs = [
"base"
"emacs"
"server"
];
services = [
"docker"
# "fail2ban"
# "gitea"
# "mailserver"
"cd-internes"
"mariaDB"
"nginx"
"openssh"
];
firewall = {
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPortRanges = [];
allowedTCPPortRanges = [];
};
};
}
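Review bot: `allowedUDPPorts = [ 22 80 443 ]` allows traffic that nothing in this configuration listens for: SSH is TCP-only and the nginx vhosts in this commit serve plain HTTPS, so `allowedUDPPorts = [];` matches what is actually running. The identical list appears in the new Ophanim options file later in this commit, which suggests a copy-paste origin. TCP 22 is absent from `allowedTCPPorts`, which works only because `services.openssh` opens its own port via `openFirewall` by default — a comment such as `# sshd opens its own port (services.openssh.openFirewall)` next to `allowedTCPPorts` would stop the next reader from "fixing" it.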


@ -1,19 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
];
services = {
gnome3.gnome-terminal-server.enable = true;
udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
'';
};
environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ];
system.stateVersion = "19.03";
}


@ -1,46 +1,19 @@
{ config, lib, pkgs, ... }:
with lib;
{
imports = [
../../options/machine.nix
./Lilim.nix
imports = [
./hardware-configuration.nix
];
config.machine = {
allowUnfree = true;
hostName = "Lilim";
conffiles = [
"etcfiles"
"etcvars"
"fonts"
"zsh"
];
pkgs = [
"base"
"dict"
"emacs"
"extra"
"cpp"
"haskell"
"mailutils"
"python3"
"rustpkgs"
"xpkgs"
];
services = [
"xserver"
"docker"
"udev"
"cups"
];
firewall = {
allowPing = true;
allowedUDPPorts = [];
allowedTCPPorts = [];
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
};
services = {
gnome3.gnome-terminal-server.enable = true;
udev.extraRules = ''
SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_mode=uinput"
'';
};
environment.systemPackages = with pkgs; [ firmware_surface xdiskusage ];
system.stateVersion = "19.03";
}
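Review bot: The udev rule that lands on the new side, `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0666"`, makes every USB device of that vendor readable and writable by all local users, whereas the `uinput` rule directly below it already uses the tighter `MODE="0660", GROUP="input"` pattern. The only user defined in this commit is added to the `input` group whenever xserver is enabled, and this machine's options enable xserver, so `SUBSYSTEM=="usb", ATTRS{idVendor}=="28de", MODE="0660", GROUP="input"` keeps that user's access without a world-writable device node. The rule text was moved from the deleted `Lilim.nix` rather than written fresh, so this is a pre-existing choice worth revisiting now that the file is being reshaped.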


@ -0,0 +1,46 @@
{ config, lib, pkgs, ... }:
with lib;
{
imports = [
../../options/machine.nix
];
config.machine = {
allowUnfree = true;
hostName = "Lilim";
conffiles = [
"etcfiles"
"etcvars"
"fonts"
"zsh"
];
pkgs = [
"base"
"dict"
"emacs"
"extra"
"cpp"
"haskell"
"mailutils"
"python3"
"rustpkgs"
"xpkgs"
];
services = [
# "containers"
"xserver"
# "docker"
"udev"
"cups"
];
firewall = {
allowPing = true;
allowedUDPPorts = [];
allowedTCPPorts = [];
allowedUDPPortRanges = [ { from = 1714; to = 1764; } ];
allowedTCPPortRanges = [ { from = 1714; to = 1764; } ];
};
};
}


@ -1,42 +1,29 @@
{ config, lib, ... }:
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
with lib;
{ config, pkgs, ... }:
{
imports = [
../../options/machine.nix
./Ophanim.nix
];
imports = [
./hardware-configuration.nix
];
system.autoUpgrade.enable = false;
# services.vsftp = {
# enable = true;
# ssl_sslv3 = true;
# forceLocalDataSSL = true;
# writeEnable = false;
# userlist = [];
# };
services.haveged.enable = true;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "18.09";
config.machine = {
hostName = "Ophanim";
allowUnfree = true;
conffiles = [
"etcvars"
"security"
"zsh"
];
pkgs = [
"base"
"emacs"
"server"
];
services = [
"fail2ban"
"gitea"
"hydra"
"mailserver"
"mariaDB"
"nextcloud"
"nginx"
"openssh"
];
firewall = {
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
allowedUDPPortRanges = [];
allowedTCPPortRanges = [];
};
};
}


@ -0,0 +1,42 @@
{ config, lib, ... }:
with lib;
{
imports = [
../../options/machine.nix
];
config.machine = {
hostName = "Ophanim";
domain = "ophanim.de";
allowUnfree = true;
conffiles = [
"etcvars"
"security"
"zsh"
];
pkgs = [
"base"
"emacs"
"server"
];
services = [
"fail2ban"
"gitea"
"hydra"
"mailserver"
"mariaDB"
"nextcloud"
"nginx"
"openssh"
];
firewall = {
allowPing = false;
allowedUDPPorts = [ 22 80 443 ];
allowedTCPPorts = [ 80 443 ]; # 5222 5269 ];
allowedUDPPortRanges = [];
allowedTCPPortRanges = [];
};
};
}


@ -4,12 +4,6 @@ with lib;
{
options.machine = {
confPath = mkOption {
type = types.path;
description = ''
Path to the machines configuration.nix
'';
};
allowUnfree = mkOption {
type = types.bool;
description = ''
@ -40,6 +34,13 @@ with lib;
The Machines HostName
'';
};
domain = mkOption {
type = types.str;
default = "localhost";
description = ''
The Machines domain name.
'';
};
firewall = {
allowPing = mkOption {
type = types.bool;
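Review bot: The new `domain` option defaults to `"localhost"`, and every consumer in this commit interpolates it into ACME-enabled nginx vhosts (`builder.`, `cache.`, `mail.`, `storage.`, `git.`) and into the gitea, hydra and nextcloud URLs, so a host that simply forgets to set it will request certificates for names like `builder.localhost` and fail when ACME runs rather than at evaluation. Either drop the default so evaluation stops with a clear missing-option error, or gate the ACME-enabled vhosts on the domain not being `localhost`. The description should also say what the value drives, e.g. `The machine's public DNS domain; service hostnames (git., cache., builder., mail., storage.) and ACME certificates are derived from it.` The enclosing `options.machine` set starts and ends outside this hunk.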


@ -37,7 +37,7 @@ let
nix-update-source
nix-zsh-completions
nixbang
nixops
# nixops
nmap
nox
ntfs3g
@ -58,7 +58,7 @@ let
unzipNLS
usbutils
vim
# vulnix
vulnix
wget
whois
wirelesstools
@ -250,7 +250,7 @@ let
];
in {
environment.systemPackages = base
environment.systemPackages = base
++ (optPkgs dict "dict")
++ (optPkgs [emacs] "emacs")
++ (optPkgs extra "extra")

23
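--- a/services/containers.nix
+++ b/services/containers.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+with lib;
+mkIf (elem "containers" config.machine.services) {
+containers.CDServer = {
+privateNetwork = true;
+hostAddress = "192.168.100.10";
+localAddress = "192.168.100.11";
+config =
+{ config, lib, pkgs, ... }:
+{
+imports = [
+../machines/CDServer/options.nix
+./default.nix
+../config/default.nix
+../pkgs/nixpkgs.nix
+../pkgs/pkgsets.nix
+];
+};
+};
+}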
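Review bot: The container imports `../config/default.nix`, and if that pulls in the user definition changed earlier in this commit, its `passwordFile = "/secret/derped"` is read at activation inside the container, which has its own root filesystem and no `bindMounts` declared here — so `/secret` would presumably be absent at container start; confirm whether it is meant to be mounted, e.g. `bindMounts."/secret" = { hostPath = "/secret"; isReadOnly = true; };`. Likewise the CDServer options enable nginx and openssh and open 80/443, but with `privateNetwork = true` and no `forwardPorts` or host NAT in this file those services are only reachable at `192.168.100.11` from the host itself, which may be intended but deserves a comment such as `# reachable from the host only; no port forwarding configured`.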


@ -7,8 +7,8 @@ mkIf (elem "gitea" config.machine.services) {
enable = true;
user = "git";
cookieSecure = true;
domain = "git.ophanim.de";
rootUrl = "http://git.ophanim.de/";
domain = "git.${config.machine.domain}";
rootUrl = "http://git.${config.machine.domain}/";
database = {
type = "mysql";
user = "git";
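Review bot: `rootUrl` on the new side still uses `http://`, although the matching nginx vhost `git.${config.machine.domain}` in this commit sets `forceSSL = true` and this block sets `cookieSecure = true`; Gitea derives absolute links, clone URLs and redirects from `rootUrl`, so they will point at the plain-HTTP endpoint and bounce through a redirect, and a secure-only cookie on an http:// root URL is an inconsistent pairing. `rootUrl = "https://git.${config.machine.domain}/";` matches the vhost. The gitea attribute set continues outside the hunk.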


@ -4,9 +4,9 @@
# sudo -u hydra -s
# hydra-create-user $USERNAME --password $PASSWORD --role admin
# also for reference some other hydra configs:
# https://qfpl.io/posts/nix/starting-simple-hydra/
# also for reference a well written hydra config:
# https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix
# https://gist.github.com/LnL7/fcd5c0bf772f2165a1ac40be6617d2f4
with lib;
@ -23,19 +23,23 @@ mkIf (elem "hydra" config.machine.services) {
services.hydra = {
enable = true;
hydraURL = "https://builder.ophanim.de"; # externally visible URL
hydraURL = "https://builder.${config.machine.domain}"; # externally visible URL
listenHost = "localhost";
port = 3001;
minimumDiskFree = 15;
minimumDiskFreeEvaluator = 15;
notificationSender = "hydra@mail.ophanim.de"; # e-mail of hydra service
notificationSender = "hydra@mail.${config.machine.domain}"; # e-mail of hydra service
useSubstitutes = true;
debugServer = false;
# Hints from hydra-queue-runner:
# binary_cache_dir is deprecated and ignored. use store_uri=file:// instead
# hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
extraConfig = ''
max_output_size = 4294967296
store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache
server_store_uri = https://cache.ophanim.de
binary_cache_public_uri https://cache.ophanim.de
store_uri = file:///var/cache/hydra?secret-key=/secret/hydra_cache&write-nar-listing=1&ls-compression=br&log-compression=br
# add ?local-nar-cache= to set nar cache location
server_store_uri = https://cache.${config.machine.domain}
binary_cache_public_uri https://cache.${config.machine.domain}
upload_logs_to_binary_cache = true
'';
};
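Review bot: `upload_logs_to_binary_cache = true` writes build logs into `/var/cache/hydra`, the same directory the nginx `cache.${config.machine.domain}` vhost in this commit serves with `autoindex on`, so every build log becomes publicly browsable alongside the NARs; logs routinely echo fetch URLs and environment details, so this deserves an explicit decision — leave the option off, or exclude the log directory in that vhost. Minor: `binary_cache_public_uri https://cache.…` omits the `=` the neighbouring keys use; hydra's config parser accepts both forms as far as I know, but `binary_cache_public_uri = https://cache.${config.machine.domain}` reads consistently. The `services.hydra` set closes at the end of the hunk but the enclosing module continues outside it.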


@ -6,7 +6,7 @@ mkIf (elem "nextcloud" config.machine.services) {
services.nextcloud = {
enable = true;
home = "/var/lib/nextcloud";
hostName = "storage.ophanim.de";
hostName = "storage.${config.machine.domain}";
https = true;
maxUploadSize = "1024M";
config = {


@ -23,12 +23,12 @@ mkIf (elem "nginx" config.machine.services) {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
'';
virtualHosts = {
"ophanim.de" = {
"${config.machine.domain}" = {
enableACME = true;
forceSSL = true;
root = "/var/www";
};
"builder.ophanim.de" = mkIf config.services.hydra.enable {
"builder.${config.machine.domain}" = mkIf config.services.hydra.enable {
enableACME = true;
forceSSL = true;
extraConfig = ''
@ -41,7 +41,7 @@ mkIf (elem "nginx" config.machine.services) {
}
'';
};
"cache.ophanim.de" = mkIf config.services.hydra.enable {
"cache.${config.machine.domain}" = mkIf config.services.hydra.enable {
enableACME = true;
forceSSL = true;
root = "/var/cache/hydra";
@ -49,13 +49,13 @@ mkIf (elem "nginx" config.machine.services) {
autoindex on;
'';
};
"mail.ophanim.de" = {
"mail.${config.machine.domain}" = mkIf config.mailserver.enable {
enableACME = true;
forceSSL = true;
root = "/var/www";
};
"${config.services.nextcloud.hostName}" = mkIf config.services.nextcloud.enable {
"storage.${config.machine.domain}" = mkIf config.services.nextcloud.enable {
root = pkgs.nextcloud;
enableACME = config.services.nextcloud.https;
forceSSL = config.services.nextcloud.https;
@ -152,7 +152,7 @@ mkIf (elem "nginx" config.machine.services) {
'';
};
"${config.services.gitea.domain}" = mkIf config.services.gitea.enable {
"git.${config.machine.domain}" = mkIf config.services.gitea.enable {
enableACME = true;
forceSSL = true;
root = "${config.services.gitea.stateDir}/public";
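Review bot: The new side replaces `"${config.services.nextcloud.hostName}"` and `"${config.services.gitea.domain}"` with a second copy of the literals `storage.${config.machine.domain}` and `git.${config.machine.domain}`, so each vhost name and the hostname the service itself is configured with can now drift apart if either is edited alone, and the vhost would then silently serve the wrong name. Keeping the option reference — `"${config.services.nextcloud.hostName}" = mkIf config.services.nextcloud.enable {` and likewise for gitea — preserves the single source of truth while the services derive their hostname from `config.machine.domain`. The `virtualHosts` set and the enclosing module continue outside the hunk.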