silver 2023-07-15 13:44:21 +01:00
commit 03fa2255c3
12 changed files with 121 additions and 105 deletions


@ -7,96 +7,93 @@ let
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
get_config_file = (domain: get_config_file = (domain:
'' ''$TTL 60 ; 1 minute
$TTL 60 ; 1 minute ; hostmaster@${domain} is an email address that recieves stuff related to dns
; hostmaster@${domain} is an email address that recieves stuff related to dns @ IN SOA ${cfg.own.nameserver}.${domain}. hostmaster.${domain}. (
@ IN SOA ${cfg.own.nameserver}.${domain}. hostmaster.${domain}. ( ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated ${current_date}
${current_date} 600 ; Refresh (10 minutes)
600 ; Refresh (10 minutes) 300 ; Retry (5 minutes)
300 ; Retry (5 minutes) 604800 ; Expire (1 week)
604800 ; Expire (1 week) 3600 ; Minimum (1 hour)
3600 ; Minimum (1 hour) )
)
@ NS ns1.${domain}. @ NS ns1.${domain}.
@ NS ns2.${domain}. @ NS ns2.${domain}.
; @ stands for teh root domain so teh A record below is where ${domain} points to ; @ stands for teh root domain so teh A record below is where ${domain} points to
;@ A 193.1.99.76 ;@ A 193.1.99.76
;@ MX 5 ${domain}. ;@ MX 5 ${domain}.
; can have multiple mailserves ; can have multiple mailserves
@ MX 10 mail.${domain}. @ MX 10 mail.${domain}.
; ------------------------------------------ ; ------------------------------------------
; Server Names ; Server Names
; ------------------------------------------ ; ------------------------------------------
; External addresses ; External addresses
; ------------------------------------------ ; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external} ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external}
; this is fixed for now ; this is fixed for now
wintermute A 193.1.101.148 wintermute A 193.1.101.148
; internal addresses ; internal addresses
; ------------------------------------------ ; ------------------------------------------
; May come back to this idea in teh future ; May come back to this idea in teh future
; agentjones.int A 172.20.20.1 ; agentjones.int A 172.20.20.1
; cname's ; cname's
; ------------------------------------------ ; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname} ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname}
'' ''
); );
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
# config for our reverse dnspointers (not properly working) # config for our reverse dnspointers (not properly working)
get_config_file_rev = (domain: get_config_file_rev = (domain:
'' ''$ORIGIN 99.1.193.in-addr.arpa.
$ORIGIN 99.1.193.in-addr.arpa. $TTL 60 ; 1 minute
$TTL 60 ; 1 minute ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
; hostmaster@skynet.ie is an email address that recieves stuff related to dns @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. (
@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. ( ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated ${current_date}
${current_date} 600 ; Refresh (10 minutes)
600 ; Refresh (10 minutes) 300 ; Retry (5 minutes)
300 ; Retry (5 minutes) 604800 ; Expire (1 week)
604800 ; Expire (1 week) 3600 ; Minimum (1 hour)
3600 ; Minimum (1 hour) )
)
@ NS ns1.skynet.ie. @ NS ns1.skynet.ie.
@ NS ns2.skynet.ie. @ NS ns2.skynet.ie.
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.reverse} ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.reverse}
'' ''
); );
# domains we dont have proper ownship over, only here to ensure the logs dont get cluttered. # domains we dont have proper ownship over, only here to ensure the logs dont get cluttered.
get_config_file_old_domains = (domain: get_config_file_old_domains = (domain:
'' ''$TTL 60 ; 1 minute
$TTL 60 ; 1 minute ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
; hostmaster@skynet.ie is an email address that recieves stuff related to dns @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. (
@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. ( ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated ${current_date}
${current_date} 600 ; Refresh (10 minutes)
600 ; Refresh (10 minutes) 300 ; Retry (5 minutes)
300 ; Retry (5 minutes) 604800 ; Expire (1 week)
604800 ; Expire (1 week) 3600 ; Minimum (1 hour)
3600 ; Minimum (1 hour) )
)
@ NS ns1.skynet.ie. @ NS ns1.skynet.ie.
@ NS ns2.skynet.ie. @ NS ns2.skynet.ie.
'' ''
); );
# arrys of teh two nameservers # arrys of teh two nameservers
@ -156,10 +153,10 @@ let
create_entry_zone = (domain: extraConfig: { create_entry_zone = (domain: extraConfig: {
"${domain}" = { "${domain}" = {
extraConfig = '' extraConfig = ''
${extraConfig} ${extraConfig}
// for bumping the config // for bumping the config
// ${current_date} // ${current_date}
''; '';
# really wish teh nixos config didnt use master/slave # really wish teh nixos config didnt use master/slave
master = cfg.primary; master = cfg.primary;
masters = primaries; masters = primaries;
@ -180,12 +177,12 @@ let
extraConfig = { extraConfig = {
owned = owned =
if cfg.primary then if cfg.primary then
'' ''
allow-update { key rfc2136key.skynet.ie.; }; allow-update { key rfc2136key.skynet.ie.; };
dnssec-policy default; dnssec-policy default;
inline-signing yes; inline-signing yes;
'' ''
else else
""; "";
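Review bot: `allow-update { key rfc2136key.skynet.ie.; };` lets any holder of that TSIG key rewrite every record in the owned zones, including the apex NS/MX records and everything inline-signing will then happily sign. If the key exists for one automated client (the name suggests an RFC 2136 updater such as an ACME DNS-01 hook, but that is not visible here), BIND's `update-policy` can scope it, e.g. `update-policy { grant rfc2136key.skynet.ie. wildcard *.${domain}. TXT; };` in place of the `allow-update` line. The serial is `${current_date}`, defined outside the hunk; the comment promises YYYYMMDDCC, so if the counter part is missing a second deploy on the same day will not bump the serial and secondaries will keep serving the previous zone. The `let` block these helpers belong to starts before the hunk.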


@ -77,41 +77,39 @@
sshAuthorizedKeysIntegration = true; sshAuthorizedKeysIntegration = true;
config = '' config = ''
[domain/skynet.ie] [domain/skynet.ie]
#debug_level = 4 id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
id_provider = ldap ldap_uri = ldaps://${cfg.address}:636
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://${cfg.address}:636 ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_search_base = ${cfg.base} ldap_group_nesting_level = 5
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_group_nesting_level = 5 cache_credentials = false
entry_cache_timeout = 1
cache_credentials = false ldap_user_member_of = skMemberOf
entry_cache_timeout = 1
ldap_user_member_of = skMemberOf [sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[sssd] [nss]
config_file_version = 2 # override_homedir = /home/%u
services = nss, pam, sudo, ssh
domains = skynet.ie
[nss] [pam]
# override_homedir = /home/%u
[pam] [sudo]
[sudo] [autofs]
[autofs]
''; '';
}; };
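Review bot: The `[domain/skynet.ie]` section sets no `access_provider`, so sssd uses its default of `permit`, and the only thing keeping an LDAP user outside `cfg.groups` off the box is that the `?sub?(|${create_filter cfg.groups})` filter on `ldap_user_search_base` makes the id lookup fail. That is easy to lose if someone later widens the search base, so I would make the intent explicit with `access_provider = ldap` and `ldap_access_filter = (|${create_filter cfg.groups})`, or at least a comment above `ldap_user_search_base` saying it doubles as the login allow-list. `create_filter` and `cfg` are defined outside the hunk, so whether its output can be reused verbatim in `ldap_access_filter` needs checking there.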


@ -12,6 +12,9 @@
# every server needs teh ldap client for admins # every server needs teh ldap client for admins
../applications/ldap_client.nix ../applications/ldap_client.nix
# every server will need the config to backup to
../applications/restic.nix
]; ];
# flakes are essensial # flakes are essensial


@ -19,6 +19,7 @@ let
in { in {
imports = [ imports = [
./hardware/_base.nix
./hardware/RM001.nix ./hardware/RM001.nix
]; ];
@ -47,7 +48,7 @@ in {
# this has to be defined for any physical servers # this has to be defined for any physical servers
# vms are defined by teh vm host # vms are defined by teh vm host
networking.interfaces = { networking.interfaces = {
eno1 = { eno2 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = ip_pub; address = ip_pub;
@ -55,7 +56,7 @@ in {
} }
]; ];
}; };
eno2 = { eno1 = {
#useDHCP = false; #useDHCP = false;
ipv4.addresses = [ ipv4.addresses = [
{ {
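Review bot: Swapping the address blocks between `eno1` and `eno2` moves `ip_pub` to `eno2`, but any firewall rule or service binding elsewhere in RM001's modules that is keyed on the interface name (for example `networking.firewall.interfaces.eno1` or `trustedInterfaces`) would silently start applying to the other NIC; those are not visible from this hunk, so please grep for `eno1`/`eno2` before deploying. A short comment on the swap, such as `# eno2 carries the public address on this box; eno1 is the internal NIC`, would record why the names are not in the usual order. The `networking.interfaces` attribute set continues past the hunk.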


@ -29,7 +29,7 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active" ]; tags = [ "active-gitlab" ];
}; };


@ -0,0 +1,17 @@
{ config, options, lib, ... }: with lib;
let
# get a list of interfaces
interfaces = attrNames config.networking.interfaces;
# check if an IP has been assigned
has_ip = interface: (length config.networking.interfaces."${interface}".ipv4.addresses) != 0;
in {
config = {
assertions = [
{
assertion = lists.any has_ip interfaces;
message = "Must have a ip address set";
}
];
};
}
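Review bot: `has_ip` only inspects `ipv4.addresses`, so a physical host given a static IPv6 address only, or one relying on `useDHCP`, fails the assertion even though it is reachable; if static IPv4 is deliberately the rule for physical servers, the message should say that rather than the generic "Must have a ip address set". I would change it to `message = "Every physical server must have a static IPv4 address on at least one interface";` and put `# vms get their addresses from the vm host; physical servers must set a static ipv4 address` above `has_ip`. The `options` argument is unused, and since the file already does `with lib;`, `assertion = any has_ip interfaces;` reads the same as the `lists.any` form.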


@ -20,8 +20,8 @@ let
in { in {
imports = [ imports = [
./hardware/_base.nix
./hardware/RM007.nix ./hardware/RM007.nix
../applications/restic.nix
]; ];


@ -22,7 +22,7 @@ let
ns = "ns1"; ns = "ns1";
in { in {
imports = [ imports = [
# the physical hardware for this ./hardware/_base.nix
./hardware/RM002.nix ./hardware/RM002.nix
]; ];


@ -28,7 +28,7 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active" ]; tags = [ "active-gitlab" ];
}; };




@ -28,7 +28,7 @@ let
gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir"; gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFozqR8f8DN7/DLUQV4o290n3UZ75fSEdgVlSwzyza/N root@neuromancer"; neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7NRDOGzSO4XVEezMS/9pI3chKbOH0fw2aikLRvea2P root@neuromancer";
systems = [ systems = [
agentjones agentjones
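Review bot: Replacing `neuromancer`'s public key changes the recipient set for whatever is encrypted against `systems` (this looks like an agenix-style recipients file, inferred from the `systems = [` list rather than shown), so every secret that lists neuromancer must be re-encrypted to the new key; the two binary files in this commit are presumably that re-keying, and it is worth confirming none were missed, since a host holding only the new key cannot decrypt a secret still bound to the old one. If the old key was retired because the host was reinstalled or the key exposed, note that the old ciphertexts stay decryptable by the old key in git history, so the secret values themselves should be rotated, not just re-encrypted. A comment beside the key stating why and when it was rotated would explain the churn to the next reader. The `let` block holding these keys starts before the hunk.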