diff --git a/applications/dns.nix b/applications/dns.nix
index 52daaec..96fe4b5 100644
--- a/applications/dns.nix
+++ b/applications/dns.nix
@@ -7,96 +7,93 @@ let # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) get_config_file = (domain: - '' - $TTL 60 ; 1 minute - ; hostmaster@${domain} is an email address that recieves stuff related to dns - @ IN SOA ${cfg.own.nameserver}.${domain}. hostmaster.${domain}. ( - ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated - ${current_date} - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 604800 ; Expire (1 week) - 3600 ; Minimum (1 hour) - ) +''$TTL 60 ; 1 minute +; hostmaster@${domain} is an email address that recieves stuff related to dns +@ IN SOA ${cfg.own.nameserver}.${domain}. hostmaster.${domain}. ( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) - @ NS ns1.${domain}. - @ NS ns2.${domain}. - ; @ stands for teh root domain so teh A record below is where ${domain} points to - ;@ A 193.1.99.76 - ;@ MX 5 ${domain}. +@ NS ns1.${domain}. +@ NS ns2.${domain}. + ; @ stands for teh root domain so teh A record below is where ${domain} points to +;@ A 193.1.99.76 +;@ MX 5 ${domain}. - ; can have multiple mailserves - @ MX 10 mail.${domain}. +; can have multiple mailserves +@ MX 10 mail.${domain}. 
- ; ------------------------------------------ - ; Server Names - ; ------------------------------------------ +; ------------------------------------------ +; Server Names +; ------------------------------------------ - ; External addresses - ; ------------------------------------------ - ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external} +; External addresses +; ------------------------------------------ +${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external} - ; this is fixed for now - wintermute A 193.1.101.148 +; this is fixed for now +wintermute A 193.1.101.148 - ; internal addresses - ; ------------------------------------------ - ; May come back to this idea in teh future - ; agentjones.int A 172.20.20.1 +; internal addresses +; ------------------------------------------ +; May come back to this idea in teh future +; agentjones.int A 172.20.20.1 - ; cname's - ; ------------------------------------------ - ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname} +; cname's +; ------------------------------------------ +${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname} - '' +'' ); # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse # config for our reverse dnspointers (not properly working) get_config_file_rev = (domain: - '' - $ORIGIN 99.1.193.in-addr.arpa. - $TTL 60 ; 1 minute - ; hostmaster@skynet.ie is an email address that recieves stuff related to dns - @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. ( - ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated - ${current_date} - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 604800 ; Expire (1 week) - 3600 ; Minimum (1 hour) - ) +''$ORIGIN 99.1.193.in-addr.arpa. +$TTL 60 ; 1 minute +; hostmaster@skynet.ie is an email address that recieves stuff related to dns +@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. 
( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) - @ NS ns1.skynet.ie. - @ NS ns2.skynet.ie. +@ NS ns1.skynet.ie. +@ NS ns2.skynet.ie. - ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.reverse} - '' +${lib.strings.concatMapStrings (x: x + "\n") cfg.records.reverse} +'' ); # domains we dont have proper ownship over, only here to ensure the logs dont get cluttered. get_config_file_old_domains = (domain: - '' - $TTL 60 ; 1 minute - ; hostmaster@skynet.ie is an email address that recieves stuff related to dns - @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. ( - ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated - ${current_date} - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 604800 ; Expire (1 week) - 3600 ; Minimum (1 hour) - ) +''$TTL 60 ; 1 minute +; hostmaster@skynet.ie is an email address that recieves stuff related to dns +@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. ( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) - @ NS ns1.skynet.ie. - @ NS ns2.skynet.ie. +@ NS ns1.skynet.ie. +@ NS ns2.skynet.ie. - '' +'' ); # arrys of teh two nameservers @@ -156,10 +153,10 @@ let create_entry_zone = (domain: extraConfig: { "${domain}" = { extraConfig = '' - ${extraConfig} - // for bumping the config - // ${current_date} - ''; +${extraConfig} +// for bumping the config +// ${current_date} +''; # really wish teh nixos config didnt use master/slave master = cfg.primary; masters = primaries; 
@@ -180,12 +177,12 @@ let extraConfig = {
owned = if cfg.primary then
- ''
- allow-update { key rfc2136key.skynet.ie.; };
+''
+allow-update { key rfc2136key.skynet.ie.; };
- dnssec-policy default;
- inline-signing yes;
- ''
+dnssec-policy default;
+inline-signing yes;
+''
else "";
diff --git a/applications/ldap_client.nix b/applications/ldap_client.nix
index 5d81926..395f5ae 100644
--- a/applications/ldap_client.nix
+++ b/applications/ldap_client.nix
@@ -77,41 +77,39 @@ sshAuthorizedKeysIntegration = true;
config = ''
- [domain/skynet.ie]
- #debug_level = 4
+[domain/skynet.ie]
+id_provider = ldap
+auth_provider = ldap
+sudo_provider = ldap
- id_provider = ldap
- auth_provider = ldap
- sudo_provider = ldap
+ldap_uri = ldaps://${cfg.address}:636
- ldap_uri = ldaps://${cfg.address}:636
+ldap_search_base = ${cfg.base}
+# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
+ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
+ldap_group_search_base = ou=groups,${cfg.base}
+ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
- ldap_search_base = ${cfg.base}
- # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
- ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
- ldap_group_search_base = ou=groups,${cfg.base}
- ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
+ldap_group_nesting_level = 5
- ldap_group_nesting_level = 5
+cache_credentials = false
+entry_cache_timeout = 1
- cache_credentials = false
- entry_cache_timeout = 1
+ldap_user_member_of = skMemberOf
- ldap_user_member_of = skMemberOf
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo, ssh
+domains = skynet.ie
- [sssd]
- config_file_version = 2
- services = nss, pam, sudo, ssh
- domains = skynet.ie
+[nss]
+# override_homedir = /home/%u
- [nss]
- # override_homedir = /home/%u
+[pam]
- [pam]
+[sudo]
- [sudo]
-
- [autofs]
+[autofs]
'';
};
diff --git a/machines/_base.nix b/machines/_base.nix
index 75af035..7f63535 100644
--- a/machines/_base.nix
+++ b/machines/_base.nix
@@ -12,6 +12,9 @@ # every server needs teh ldap client for admins
../applications/ldap_client.nix
+
+ # every server will need the config to backup to
+ ../applications/restic.nix
];
# flakes are essensial
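Review bot: Importing `../applications/restic.nix` into every machine gives every host the credentials that module decrypts — presumably `secrets/backup/restic.age` and `restic_pw.age`, which this same commit rekeys — so one compromised server can read, and with a plain restic repository also forget/prune, the backups of all the others. Prefer a per-host repository or an append-only backend (e.g. rest-server `--append-only`) so a stolen key cannot destroy history, and check that every system listed in secrets.nix is a recipient of those two secrets, otherwise agenix decryption fails at activation on the hosts that did not have restic before. Note too that re-encrypting for neuromancer's replacement host key does not revoke the old key: the earlier ciphertexts stay in git history, so if the old key was not destroyed with the machine the repository password should be rotated, not just rekeyed. The comment would carry more weight as `# every server backs up with restic; credentials come from secrets/backup/*.age and each new host must be added as a recipient there`.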
diff --git a/machines/agentjones.nix b/machines/agentjones.nix
index 5e35d6d..19cae98 100644
--- a/machines/agentjones.nix
+++ b/machines/agentjones.nix
@@ -19,6 +19,7 @@ let in {
imports = [
+ ./hardware/_base.nix
./hardware/RM001.nix
];
@@ -47,7 +48,7 @@ in {
# this has to be defined for any physical servers
# vms are defined by teh vm host
networking.interfaces = {
- eno1 = {
+ eno2 = {
ipv4.addresses = [ { address = ip_pub;
@@ -55,7 +56,7 @@ in {
} ];
};
- eno2 = {
+ eno1 = {
#useDHCP = false;
ipv4.addresses = [ {
diff --git a/machines/glados.nix b/machines/glados.nix
index e0ae46b..8016a99 100644
--- a/machines/glados.nix
+++ b/machines/glados.nix
@@ -29,7 +29,7 @@ in {
targetPort = 22;
targetUser = "root";
- tags = [ "active" ];
+ tags = [ "active-gitlab" ];
};
diff --git a/machines/hardware/_base.nix b/machines/hardware/_base.nix
new file mode 100644
index 0000000..ed7ec20
--- /dev/null
+++ b/machines/hardware/_base.nix
@@ -0,0 +1,17 @@
+{ config, options, lib, ... }: with lib;
+let
+ # get a list of interfaces
+ interfaces = attrNames config.networking.interfaces;
+ # check if an IP has been assigned
+ has_ip = interface: (length config.networking.interfaces."${interface}".ipv4.addresses) != 0;
+in {
+ config = {
+ assertions = [
+ {
+ assertion = lists.any has_ip interfaces;
+ message = "Must have a ip address set";
+ }
+ ];
+ };
+
+}
\ No newline at end of file
diff --git a/machines/neuromancer.nix b/machines/neuromancer.nix
index fa23d4d..8c3dba8 100644
--- a/machines/neuromancer.nix
+++ b/machines/neuromancer.nix
@@ -20,8 +20,8 @@ let in {
imports = [
+ ./hardware/_base.nix
./hardware/RM007.nix
- ../applications/restic.nix
];
diff --git a/machines/vendetta.nix b/machines/vendetta.nix
index b506e2b..f0afe73 100644
--- a/machines/vendetta.nix
+++ b/machines/vendetta.nix
@@ -22,7 +22,7 @@ let ns = "ns1";
in {
imports = [
- # the physical hardware for this
+ ./hardware/_base.nix
./hardware/RM002.nix
];
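Review bot: Renaming the attributes moves `ip_pub` from eno1 to eno2 and the second address block to eno1, but nothing in this hunk moves any interface-scoped settings with it; if the firewall or NAT for this machine keys on those names (`networking.firewall.interfaces.<name>`, `trustedInterfaces`, `networking.nat.externalInterface`) — none is visible here — a rule written for the internal NIC now applies to the public-facing one. Grep the rest of agentjones.nix and its imported modules for `eno1`/`eno2` before merging, and record the reason next to the block so the next person does not swap it back, e.g. `# eno2 carries the public address (ip_pub), eno1 the internal one; checked against the physical ports`. The `networking.interfaces` attrset continues past the end of the hunk.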
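Review bot: `has_ip` accepts only a static IPv4 address, so any machine importing this file that is meant to use DHCP (`useDHCP` appears, commented out, in agentjones.nix) or is IPv6-only fails evaluation, and `message` names neither the host nor the fix. Tighten both to `has_ip = interface: config.networking.interfaces.${interface}.ipv4.addresses != [];` and `message = "${config.networking.hostName}: at least one interface in networking.interfaces must have a static IPv4 address";`, and consider also accepting `ipv6.addresses != []` if a v6-only host is a legitimate configuration here. Minor: `options` is bound but unused, `with lib;` already provides `any` so `lists.any` can be plain `any`, and the file is missing its trailing newline.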
diff --git a/machines/wheatly.nix b/machines/wheatly.nix
index 7d0631e..45d41f6 100644
--- a/machines/wheatly.nix
+++ b/machines/wheatly.nix
@@ -28,7 +28,7 @@ in {
targetPort = 22;
targetUser = "root";
- tags = [ "active" ];
+ tags = [ "active-gitlab" ];
};
diff --git a/secrets/backup/restic.age b/secrets/backup/restic.age
index d2ee750..ff1ec0b 100644
Binary files a/secrets/backup/restic.age and b/secrets/backup/restic.age differ
diff --git a/secrets/backup/restic_pw.age b/secrets/backup/restic_pw.age
index 0972478..cf3301b 100644
Binary files a/secrets/backup/restic_pw.age and b/secrets/backup/restic_pw.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5d9de0f..af1cbd3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -28,7 +28,7 @@ let gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
- neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFozqR8f8DN7/DLUQV4o290n3UZ75fSEdgVlSwzyza/N root@neuromancer";
+ neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7NRDOGzSO4XVEezMS/9pI3chKbOH0fw2aikLRvea2P root@neuromancer";
systems = [ agentjones