Skynet/nixos
6
1
Fork 0
Code Issues 43 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix: eol conversion round 2

Browse source
This commit is contained in:
silver 2023-01-25 11:48:44 +00:00
parent 180feb17ec
commit 3d7f99946a
17 changed files with 1324 additions and 1324 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
.gitattributes vendored
View file

@ -1,42 +1,42 @@
# Documents
*.pdf filter=lfs diff=lfs merge=lfs -text
*.doc filter=lfs diff=lfs merge=lfs -text
*.docx filter=lfs diff=lfs merge=lfs -text
# Excel
*.xls filter=lfs diff=lfs merge=lfs -text
*.xlsx filter=lfs diff=lfs merge=lfs -text
*.xlsm filter=lfs diff=lfs merge=lfs -text
# Powerpoints
*.ppt filter=lfs diff=lfs merge=lfs -text
*.pptx filter=lfs diff=lfs merge=lfs -text
# Images
*.png filter=lfs diff=lfs merge=lfs -text
*.jpg filter=lfs diff=lfs merge=lfs -text
# Video
*.mkv filter=lfs diff=lfs merge=lfs -text
*.mp4 filter=lfs diff=lfs merge=lfs -text
# Misc
*.zip filter=lfs diff=lfs merge=lfs -text
# ET4011
*.cbe filter=lfs diff=lfs merge=lfs -text
*.pbs filter=lfs diff=lfs merge=lfs -text
# Open/Libre office
# from https://www.libreoffice.org/discover/what-is-opendocument/
*.odt filter=lfs diff=lfs merge=lfs -text
*.ods filter=lfs diff=lfs merge=lfs -text
*.odp filter=lfs diff=lfs merge=lfs -text
*.odg filter=lfs diff=lfs merge=lfs -text
# Documents
*.pdf filter=lfs diff=lfs merge=lfs -text
*.doc filter=lfs diff=lfs merge=lfs -text
*.docx filter=lfs diff=lfs merge=lfs -text
# Excel
*.xls filter=lfs diff=lfs merge=lfs -text
*.xlsx filter=lfs diff=lfs merge=lfs -text
*.xlsm filter=lfs diff=lfs merge=lfs -text
# Powerpoints
*.ppt filter=lfs diff=lfs merge=lfs -text
*.pptx filter=lfs diff=lfs merge=lfs -text
# Images
*.png filter=lfs diff=lfs merge=lfs -text
*.jpg filter=lfs diff=lfs merge=lfs -text
# Video
*.mkv filter=lfs diff=lfs merge=lfs -text
*.mp4 filter=lfs diff=lfs merge=lfs -text
# Misc
*.zip filter=lfs diff=lfs merge=lfs -text
# ET4011
*.cbe filter=lfs diff=lfs merge=lfs -text
*.pbs filter=lfs diff=lfs merge=lfs -text
# Open/Libre office
# from https://www.libreoffice.org/discover/what-is-opendocument/
*.odt filter=lfs diff=lfs merge=lfs -text
*.ods filter=lfs diff=lfs merge=lfs -text
*.odp filter=lfs diff=lfs merge=lfs -text
*.odg filter=lfs diff=lfs merge=lfs -text

48
.gitignore vendored
View file

@ -1,24 +1,24 @@
# IDE folder
/.idea
# Microsoft office Lockfiles
~$*
*.tmp
# Test files
test.*
*.test.*
/test
# Output of compiling
/out
/build
/target
# Dealing with BlueJ
*.bluej
*.out
*.ctxt
# Dealing with Mac users
.DS_Store
# IDE folder
/.idea
# Microsoft office Lockfiles
~$*
*.tmp
# Test files
test.*
*.test.*
/test
# Output of compiling
/out
/build
/target
# Dealing with BlueJ
*.bluej
*.out
*.ctxt
# Dealing with Mac users
.DS_Store

294
applications/dns.nix
View file

@ -1,148 +1,148 @@
{ lib, pkgs, config, ... }:
let
cfg = config.skynet_dns;
in {
options = {
skynet_dns = {
enable = lib.mkEnableOption {
default = false;
example = true;
description = "Skynet DNS";
type = lib.types.bool;
};
own = {
nameserver = lib.mkOption {
default = "ns1";
type = lib.types.str;
description = ''
the hostname of this nameserver, eg ns1, ns2
'';
};
external = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
External records like: agentjones A 193.1.99.72
'';
};
cname = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
External records like: ns1 CNAME ns1
'';
};
};
records = {
external = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
External records like: agentjones A 193.1.99.72
'';
};
cname = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
External records like: ns1 CNAME ns1
'';
};
};
};
};
config = lib.mkIf cfg.enable {
services.bind = {
enable = true;
forwarders = [
# these were in old config file
#"193.1.100.130"
#"193.1.100.131"
];
zones = {
/*
put any other zones above skynet and link to their files like so:
example.ie = {
extraConfig = "";
file = ./dns/example;
master = true;
masters = [];
slaves = [ ];
};
Skynet is handled a bit more dynamically since it is the key one we should focus on
*/
"skynet.ie" = {
extraConfig = "";
# really wish teh nixos config didnt use master/slave
master = true;
slaves = [ ];
# need to write this to a file
file = pkgs.writeText "dns_zone_skynet"
# no leading whitespace for first line
''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. (
2023011701 ; Serial (YYYYMMDDCC)
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
2419200 ; Expire (4 weeks)
3600 ; Minimum (1 hour)
)
NS ns1.skynet.ie.
NS ns2.skynet.ie.
; @ stands for teh root domain so teh A record below is where skynet.ie points to
A 193.1.99.76
MX 5 mail.skynet.ie.
; can have multiple mailserves
;MX 20 mail2.skynet.ie.
; ------------------------------------------
; Server Names
; ------------------------------------------
; External addresses
; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external}
; this is fixed for now
wintermute A 193.1.101.148
; internal addresses
; ------------------------------------------
; May come back to this idea in teh future
; agentjones.int A 172.20.20.1
; cname's
; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname}
'';
};
};
};
};
{ lib, pkgs, config, ... }:
let
cfg = config.skynet_dns;
in {
options = {
skynet_dns = {
enable = lib.mkEnableOption {
default = false;
example = true;
description = "Skynet DNS";
type = lib.types.bool;
};
own = {
nameserver = lib.mkOption {
default = "ns1";
type = lib.types.str;
description = ''
the hostname of this nameserver, eg ns1, ns2
'';
};
external = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
External records like: agentjones A 193.1.99.72
'';
};
cname = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
External records like: ns1 CNAME ns1
'';
};
};
records = {
external = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
External records like: agentjones A 193.1.99.72
'';
};
cname = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
External records like: ns1 CNAME ns1
'';
};
};
};
};
config = lib.mkIf cfg.enable {
services.bind = {
enable = true;
forwarders = [
# these were in old config file
#"193.1.100.130"
#"193.1.100.131"
];
zones = {
/*
put any other zones above skynet and link to their files like so:
example.ie = {
extraConfig = "";
file = ./dns/example;
master = true;
masters = [];
slaves = [ ];
};
Skynet is handled a bit more dynamically since it is the key one we should focus on
*/
"skynet.ie" = {
extraConfig = "";
# really wish teh nixos config didnt use master/slave
master = true;
slaves = [ ];
# need to write this to a file
file = pkgs.writeText "dns_zone_skynet"
# no leading whitespace for first line
''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. (
2023011701 ; Serial (YYYYMMDDCC)
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
2419200 ; Expire (4 weeks)
3600 ; Minimum (1 hour)
)
NS ns1.skynet.ie.
NS ns2.skynet.ie.
; @ stands for teh root domain so teh A record below is where skynet.ie points to
A 193.1.99.76
MX 5 mail.skynet.ie.
; can have multiple mailserves
;MX 20 mail2.skynet.ie.
; ------------------------------------------
; Server Names
; ------------------------------------------
; External addresses
; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external}
; this is fixed for now
wintermute A 193.1.101.148
; internal addresses
; ------------------------------------------
; May come back to this idea in teh future
; agentjones.int A 172.20.20.1
; cname's
; ------------------------------------------
${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname}
'';
};
};
};
};
}

88
applications/dns/example
View file

@ -1,44 +1,44 @@
; use this file as an example of how to config zone files
$TTL 60 ; 1 minute
@ IN SOA ns1.skynet.ie. hostmaster.skynet.ie. (
2023011701 ; Serial (YYYYMMDDCC)
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
2419200 ; Expire (4 weeks)
3600 ; Minimum (1 hour)
)
NS ns1.skynet.ie.
NS ns2.skynet.ie.
;A 193.1.99.76
MX 5 mail.skynet.ie.
; can have multiple mailserves
;MX 20 mail2.skynet.ie.
; ------------------------------------------
; Server Names
; ------------------------------------------
; External addresses
; ------------------------------------------
agentjones A 193.1.99.72
; this is fixed for now
wintermute A 193.1.101.148
; internal addresses
; ------------------------------------------
; May come back to this idea in teh future
; agentjones.int A 172.20.20.1
; cname's
; ------------------------------------------
; ns1 CNAME ns1
; use this file as an example of how to config zone files
$TTL 60 ; 1 minute
@ IN SOA ns1.skynet.ie. hostmaster.skynet.ie. (
2023011701 ; Serial (YYYYMMDDCC)
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
2419200 ; Expire (4 weeks)
3600 ; Minimum (1 hour)
)
NS ns1.skynet.ie.
NS ns2.skynet.ie.
;A 193.1.99.76
MX 5 mail.skynet.ie.
; can have multiple mailserves
;MX 20 mail2.skynet.ie.
; ------------------------------------------
; Server Names
; ------------------------------------------
; External addresses
; ------------------------------------------
agentjones A 193.1.99.72
; this is fixed for now
wintermute A 193.1.101.148
; internal addresses
; ------------------------------------------
; May come back to this idea in teh future
; agentjones.int A 172.20.20.1
; cname's
; ------------------------------------------
; ns1 CNAME ns1

268
applications/firewall.nix
View file

@ -1,134 +1,134 @@
{lib, pkgs, config, ...}: {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
options = {
skynet_firewall = {
enable = lib.mkEnableOption {
default = false;
example = true;
description = "Skynet Firewall";
type = lib.types.bool;
};
forward = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
A list of routes to forward
'';
};
own = {
ip = lib.mkOption {
default = "127.0.0.1";
type = lib.types.str;
description = ''
IP of the firewall
'';
};
ports = {
tcp = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.int;
description = ''
A list of TCP ports for the machiene running the firewall
'';
};
udp = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.int;
description = ''
A list of UDP ports for the machiene running the firewall
'';
};
};
};
};
};
config = lib.mkIf config.skynet_firewall.enable {
# disable default firewall to enable nftables
networking.firewall.enable = false;
networking.nftables.enable = true;
# fules for the firewall
# beware of EOL conversion.
networking.nftables.ruleset =
''
# Check out https://wiki.nftables.org/ for better documentation.
# Table for both IPv4 and IPv6.
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
# forward anything with port 2222 to this specific ip
# tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22
# forward http/s traffic from 76 to 123
# ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
# ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
# the internal network
ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
}
chain output {
type nat hook output priority -100; policy accept;
}
}
table ip filter {
chain input {
type filter hook input priority filter; policy accept;
# for the host machiene
# TCP
${lib.strings.concatMapStrings (x: x + "\n") (map (port: "tcp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.tcp)}
# UDP
${lib.strings.concatMapStrings (x: x + "\n") (map (port: "udp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.udp)}
}
chain forward {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump rejects
# accept these ip/ports
# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
# can basically make each machiene responsibile for their own forwarding (in config at least)
${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward}
counter packets 0 bytes 0 reject with icmp type admin-prohibited
}
chain output {
type filter hook output priority filter; policy accept;
# no outgoing limits (for now)
}
chain fail2ban-ssh {
# ban these
# ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain rejects {
# Reject all these
# ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
}
}
'';
};
}
{lib, pkgs, config, ...}: {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
options = {
skynet_firewall = {
enable = lib.mkEnableOption {
default = false;
example = true;
description = "Skynet Firewall";
type = lib.types.bool;
};
forward = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
A list of routes to forward
'';
};
own = {
ip = lib.mkOption {
default = "127.0.0.1";
type = lib.types.str;
description = ''
IP of the firewall
'';
};
ports = {
tcp = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.int;
description = ''
A list of TCP ports for the machiene running the firewall
'';
};
udp = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.int;
description = ''
A list of UDP ports for the machiene running the firewall
'';
};
};
};
};
};
config = lib.mkIf config.skynet_firewall.enable {
# disable default firewall to enable nftables
networking.firewall.enable = false;
networking.nftables.enable = true;
# fules for the firewall
# beware of EOL conversion.
networking.nftables.ruleset =
''
# Check out https://wiki.nftables.org/ for better documentation.
# Table for both IPv4 and IPv6.
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
# forward anything with port 2222 to this specific ip
# tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22
# forward http/s traffic from 76 to 123
# ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80
# ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
# the internal network
ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade
}
chain output {
type nat hook output priority -100; policy accept;
}
}
table ip filter {
chain input {
type filter hook input priority filter; policy accept;
# for the host machiene
# TCP
${lib.strings.concatMapStrings (x: x + "\n") (map (port: "tcp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.tcp)}
# UDP
${lib.strings.concatMapStrings (x: x + "\n") (map (port: "udp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.udp)}
}
chain forward {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump rejects
# accept these ip/ports
# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
# can basically make each machiene responsibile for their own forwarding (in config at least)
${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward}
counter packets 0 bytes 0 reject with icmp type admin-prohibited
}
chain output {
type filter hook output priority filter; policy accept;
# no outgoing limits (for now)
}
chain fail2ban-ssh {
# ban these
# ip saddr 104.236.151.120 counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain rejects {
# Reject all these
# ip saddr 220.119.33.251 counter packets 0 bytes 0 reject with icmp type admin-prohibited
}
}
'';
};
}

124
applications/games.nix
View file

@ -1,63 +1,63 @@
{ ... }: {
imports = [];
/*
backups = [
"/etc/silver_satisfactory/config/"
"/etc/silver_valheim/config/"
];
*/
# since this is going to be pulled into a machiene that has skynet_dns we dont need to import it above
# gonna use it to create sub-subdomains for each game server
skynet_dns.records = {
external = [];
cname = [
# create a sub-subdomain for each game
"mc_compsoc.games CNAME games"
];
};
# arion is one way to use docker on nixos
virtualisation.arion = {
backend = "docker";
projects = {
mc_compsoc.settings = {
docker-compose.raw.networks.default.name = "mc_compsoc";
services.mc_compsoc = {
service.image = "nimmis/spigot:latest";
# setting these here as they arent special
service.environment = {
# this is what it last ran on
SPIGOT_VER="1.18.2";
};
service.volumes = [
# figure out what this needs and use itt o get up and running
# /home/nimmis/mc-srv:/minecraft
#"/etc/games_satisfactory/config:/config"
];
service.ports = [
"25565:25565/tcp"
];
};
};
};
};
/*
services = {
nginx.virtualHosts = {
"valhiem.brendan.ie" = {
forceSSL = true;
useACMEHost = "brendan";
locations."/".proxyPass = "http://localhost:2456";
};
};
};
*/
{ ... }: {
imports = [];
/*
backups = [
"/etc/silver_satisfactory/config/"
"/etc/silver_valheim/config/"
];
*/
# since this is going to be pulled into a machiene that has skynet_dns we dont need to import it above
# gonna use it to create sub-subdomains for each game server
skynet_dns.records = {
external = [];
cname = [
# create a sub-subdomain for each game
"mc_compsoc.games CNAME games"
];
};
# arion is one way to use docker on nixos
virtualisation.arion = {
backend = "docker";
projects = {
mc_compsoc.settings = {
docker-compose.raw.networks.default.name = "mc_compsoc";
services.mc_compsoc = {
service.image = "nimmis/spigot:latest";
# setting these here as they arent special
service.environment = {
# this is what it last ran on
SPIGOT_VER="1.18.2";
};
service.volumes = [
# figure out what this needs and use itt o get up and running
# /home/nimmis/mc-srv:/minecraft
#"/etc/games_satisfactory/config:/config"
];
service.ports = [
"25565:25565/tcp"
];
};
};
};
};
/*
services = {
nginx.virtualHosts = {
"valhiem.brendan.ie" = {
forceSSL = true;
useACMEHost = "brendan";
locations."/".proxyPass = "http://localhost:2456";
};
};
};
*/
}

56
dev.nix
View file

@ -1,29 +1,29 @@
# run with nix dev.nix
# has everything installed for dev
{ pkgs ? import <nixpkgs> {} }:
with pkgs;
let
imports =
let agenixCommit = "42d371d861a227149dc9a7e03350c9ab8b8ddd68";
in
{
agenix = import
(builtins.fetchTarball {
url = "https://github.com/ryantm/agenix/archive/${agenixCommit}.tar.gz";
sha256 = "14sszf5s85i4jd3lc8c167fbxvpj13da45wl1j7wpd20n0fic5c1";
})
{ inherit pkgs; };
};
in mkShell {
# nativeBuildInputs is usually what you want -- tools you need to run
nativeBuildInputs = [
pkgs.buildPackages.git
pkgs.buildPackages.colmena
pkgs.buildPackages.nmap
];
buildInputs = [ imports.agenix.agenix ];
shellHook = ''export EDITOR="/usr/bin/nano"'';
# run with nix dev.nix
# has everything installed for dev
{ pkgs ? import <nixpkgs> {} }:
with pkgs;
let
imports =
let agenixCommit = "42d371d861a227149dc9a7e03350c9ab8b8ddd68";
in
{
agenix = import
(builtins.fetchTarball {
url = "https://github.com/ryantm/agenix/archive/${agenixCommit}.tar.gz";
sha256 = "14sszf5s85i4jd3lc8c167fbxvpj13da45wl1j7wpd20n0fic5c1";
})
{ inherit pkgs; };
};
in mkShell {
# nativeBuildInputs is usually what you want -- tools you need to run
nativeBuildInputs = [
pkgs.buildPackages.git
pkgs.buildPackages.colmena
pkgs.buildPackages.nmap
];
buildInputs = [ imports.agenix.agenix ];
shellHook = ''export EDITOR="/usr/bin/nano"'';
}

302
flake.lock
View file

@ -1,151 +1,151 @@
{
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1673301561,
"narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
"owner": "ryantm",
"repo": "agenix",
"rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"arion": {
"inputs": {
"flake-parts": "flake-parts",
"haskell-flake": "haskell-flake",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1673629654,
"narHash": "sha256-Ou4//mR6h3F6024ZOm925XkkFBbpEVniIKRGRMVboC8=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "arion",
"rev": "d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"arion",
"nixpkgs"
]
},
"locked": {
"lastModified": 1672877861,
"narHash": "sha256-ROnSmsk5grROL6gnHBnSdqlPPBrBJMApCeB7xzY567M=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "7930f5b1c356270cec420d4f4cb43f4907206640",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"haskell-flake": {
"locked": {
"lastModified": 1668167720,
"narHash": "sha256-5wDTR6xt9BB3BjgKR+YOjOkZgMyDXKaX79g42sStzDU=",
"owner": "srid",
"repo": "haskell-flake",
"rev": "4fc511d93a55fedf815c1647ad146c26d7a2054e",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "haskell-flake",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1665732960,
"narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1673450908,
"narHash": "sha256-b8em+kwrNtnB7gR8SyVf6WuTyQ+6tHS6dzt9D9wgKF0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6c8644fc37b6e141cbfa6c7dc8d98846c4ff0c2e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1673527292,
"narHash": "sha256-903EpRSDCfUvic7Hsiqwy+h7zlMTLAUbCXkEGGriCfM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6a3f9996408c970b99b8b992b11bb249d1455b62",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"arion": "arion",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3"
}
}
},
"root": "root",
"version": 7
}
{
"nodes": {
"agenix": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1673301561,
"narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
"owner": "ryantm",
"repo": "agenix",
"rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"arion": {
"inputs": {
"flake-parts": "flake-parts",
"haskell-flake": "haskell-flake",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1673629654,
"narHash": "sha256-Ou4//mR6h3F6024ZOm925XkkFBbpEVniIKRGRMVboC8=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "arion",
"rev": "d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"arion",
"nixpkgs"
]
},
"locked": {
"lastModified": 1672877861,
"narHash": "sha256-ROnSmsk5grROL6gnHBnSdqlPPBrBJMApCeB7xzY567M=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "7930f5b1c356270cec420d4f4cb43f4907206640",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"haskell-flake": {
"locked": {
"lastModified": 1668167720,
"narHash": "sha256-5wDTR6xt9BB3BjgKR+YOjOkZgMyDXKaX79g42sStzDU=",
"owner": "srid",
"repo": "haskell-flake",
"rev": "4fc511d93a55fedf815c1647ad146c26d7a2054e",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "haskell-flake",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1665732960,
"narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4428e23312933a196724da2df7ab78eb5e67a88e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1673450908,
"narHash": "sha256-b8em+kwrNtnB7gR8SyVf6WuTyQ+6tHS6dzt9D9wgKF0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6c8644fc37b6e141cbfa6c7dc8d98846c4ff0c2e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1673527292,
"narHash": "sha256-903EpRSDCfUvic7Hsiqwy+h7zlMTLAUbCXkEGGriCfM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6a3f9996408c970b99b8b992b11bb249d1455b62",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"arion": "arion",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3"
}
}
},
"root": "root",
"version": 7
}

230
flake.nix
View file

@ -1,115 +1,115 @@
{
description = "Deployment for skynet";
inputs = {
# gonna start off with a fairly modern base
nixpkgs.url = "nixpkgs/nixos-22.11";
# utility stuff
flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix";
# this is the last stable hash that works for 22.11
arion.url = "github:hercules-ci/arion/d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c";
};
outputs = { self, nixpkgs, agenix, arion, ... }: {
# https://github.com/zhaofengli/colmena
colmena = {
meta = {
nixpkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [];
};
};
# installed for each machine
defaults = {
imports = [
./machines/_base.nix
# for the secrets
agenix.nixosModule
];
};
/* TODO:
vm host
jarvis.skynet.ie
193.1.99.73
172.20.20.2
ports
22, 80
none
DNS
vendetta.skynet.ie
ns1.skynet.ie
193.1.99.120
172.20.20.3
Ports
22, 53 (UDP)
53 (UDP)
vigil.skynet.ie
ns2.skynet.ie
193.1.99.121
172.20.20.4
Ports
22, 53 (UDP)
53 (UDP)
Wireguard
ash.skynet.ie Ash is a robot spy from Alien https://en.wikipedia.org/wiki/Ash_(Alien) we need someone to get us into teh network
193.1.99.75
172.20.205.5
Ports
22, 51820 (UDP)
51820 (UDP)
Icecase
stream.skynet.ie
193.1.99.111
172.20.20.6
Ports
22, 80, 443, 8000
80, 443, 8000
Minecraft
minecraft.games.skynet.ie
193.1.99.112
172.20.20.7
Ports
22, 80, 443, 25564, 25565, 25575
80, 443, 25564, 25565, 25575
*/
# firewall machiene
agentjones = import ./machines/agentjones.nix;
# ns1
vendetta = import ./machines/vendetta.nix;
# ns1
vigil = import ./machines/vigil.nix;
# wireguard
ash = import ./machines/ash.nix;
# icecast - ULFM
galatea = import ./machines/galatea.nix;
# Game host
optimus = {
imports = [
./machines/optimus.nix
# for the docker
arion.nixosModules.arion
];
};
};
};
}
{
description = "Deployment for skynet";
inputs = {
# gonna start off with a fairly modern base
nixpkgs.url = "nixpkgs/nixos-22.11";
# utility stuff
flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix";
# this is the last stable hash that works for 22.11
arion.url = "github:hercules-ci/arion/d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c";
};
outputs = { self, nixpkgs, agenix, arion, ... }: {
# https://github.com/zhaofengli/colmena
colmena = {
meta = {
nixpkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [];
};
};
# installed for each machine
defaults = {
imports = [
./machines/_base.nix
# for the secrets
agenix.nixosModule
];
};
/* TODO:
vm host
jarvis.skynet.ie
193.1.99.73
172.20.20.2
ports
22, 80
none
DNS
vendetta.skynet.ie
ns1.skynet.ie
193.1.99.120
172.20.20.3
Ports
22, 53 (UDP)
53 (UDP)
vigil.skynet.ie
ns2.skynet.ie
193.1.99.121
172.20.20.4
Ports
22, 53 (UDP)
53 (UDP)
Wireguard
ash.skynet.ie Ash is a robot spy from Alien https://en.wikipedia.org/wiki/Ash_(Alien) we need someone to get us into teh network
193.1.99.75
172.20.205.5
Ports
22, 51820 (UDP)
51820 (UDP)
Icecase
stream.skynet.ie
193.1.99.111
172.20.20.6
Ports
22, 80, 443, 8000
80, 443, 8000
Minecraft
minecraft.games.skynet.ie
193.1.99.112
172.20.20.7
Ports
22, 80, 443, 25564, 25565, 25575
80, 443, 25564, 25565, 25575
*/
# firewall machiene
agentjones = import ./machines/agentjones.nix;
# ns1
vendetta = import ./machines/vendetta.nix;
# ns1
vigil = import ./machines/vigil.nix;
# wireguard
ash = import ./machines/ash.nix;
# icecast - ULFM
galatea = import ./machines/galatea.nix;
# Game host
optimus = {
imports = [
./machines/optimus.nix
# for the docker
arion.nixosModules.arion
];
};
};
};
}

74
machines/_base.nix
View file

@ -1,37 +1,37 @@
{ pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
# flakes are essensial
nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "22.11";
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
};
users.users.root = {
initialHashedPassword = "";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
];
};
environment.systemPackages = [
# for flakes
pkgs.git
# useful tools
pkgs.ncdu_2
pkgs.htop
pkgs.nano
pkgs.nmap
];
}
{ pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
# flakes are essensial
nix.settings.experimental-features = [ "nix-command" "flakes" ];
system.stateVersion = "22.11";
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
};
users.users.root = {
initialHashedPassword = "";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
];
};
environment.systemPackages = [
# for flakes
pkgs.git
# useful tools
pkgs.ncdu_2
pkgs.htop
pkgs.nano
pkgs.nmap
];
}

210
machines/agentjones.nix
View file

@ -1,105 +1,105 @@
/*
Name: https://matrix.fandom.com/wiki/Agent_Jones
Type: Physical
Hardware: PowerEdge r210
From: 2011 (?)
Role: Firewall
Notes: Used to have Agent Smith as a partner but it died (Ironically)
*/
{ pkgs, lib, nodes, ... }:
let
# name of the server, sets teh hostname and record for it
name = "agentjones";
ip_pub = "193.1.99.72";
ip_priv = "172.20.20.1";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
./hardware/agentjones.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];
cname = [];
};
networking.hostName = name;
# this has to be defined for any physical servers
# vms are defined by teh vm host
networking.interfaces = {
eno1 = {
ipv4.routes = [
# {
# address = "193.1.99.72";
# prefixLength = 26;
# via = "193.1.99.65";
# }
];
};
eno2 = {
useDHCP = false;
ipv4.addresses = [
{
address = "193.1.99.72";
prefixLength = 26;
}
#{
# address = "172.20.20.1";
# prefixLength = 24;
#}
];
};
};
# this server is teh firewall
skynet_firewall = {
# always good to know oneself
own = {
ip = ip_pub;
ports = {
tcp = [
# ssh in
22
];
udp = [];
};
};
enable = true;
# gonna have to get all the
forward = builtins.concatLists (
# using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list
lib.attrsets.mapAttrsToList (key: value:
# make sure that anything running this firewall dosent count (recursion otherewise)
# firewall may want to open ports in itself but can deal with that later
if builtins.hasAttr "skynet_firewall" value.config
then (
if value.config.skynet_firewall.enable
then []
else value.config.skynet_firewall.forward
)
else []
) nodes
);
};
}
/*
Name: https://matrix.fandom.com/wiki/Agent_Jones
Type: Physical
Hardware: PowerEdge r210
From: 2011 (?)
Role: Firewall
Notes: Used to have Agent Smith as a partner but it died (Ironically)
*/
{ pkgs, lib, nodes, ... }:
let
# name of the server, sets teh hostname and record for it
name = "agentjones";
ip_pub = "193.1.99.72";
ip_priv = "172.20.20.1";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
./hardware/agentjones.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];
cname = [];
};
networking.hostName = name;
# this has to be defined for any physical servers
# vms are defined by teh vm host
networking.interfaces = {
eno1 = {
ipv4.routes = [
# {
# address = "193.1.99.72";
# prefixLength = 26;
# via = "193.1.99.65";
# }
];
};
eno2 = {
useDHCP = false;
ipv4.addresses = [
{
address = "193.1.99.72";
prefixLength = 26;
}
#{
# address = "172.20.20.1";
# prefixLength = 24;
#}
];
};
};
# this server is teh firewall
skynet_firewall = {
# always good to know oneself
own = {
ip = ip_pub;
ports = {
tcp = [
# ssh in
22
];
udp = [];
};
};
enable = true;
# gonna have to get all the
forward = builtins.concatLists (
# using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list
lib.attrsets.mapAttrsToList (key: value:
# make sure that anything running this firewall dosent count (recursion otherewise)
# firewall may want to open ports in itself but can deal with that later
if builtins.hasAttr "skynet_firewall" value.config
then (
if value.config.skynet_firewall.enable
then []
else value.config.skynet_firewall.forward
)
else []
) nodes
);
};
}

182
machines/ash.nix
View file

@ -1,91 +1,91 @@
/*
Name: https://en.wikipedia.org/wiki/Ash_(Alien)
Why: Infilitrate into the network
Type: VM
Hardware: -
From: 2023
Role: Wireguard (VPN) Server
Notes: Thius vpn is for admin use only, to give access to all the servers via ssh
*/
{ pkgs, lib, nodes, ... }:
let
# name of the server, sets teh hostname and record for it
name = "ash";
ip_pub = "193.1.99.75";
ip_priv = "172.20.20.5";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
# these two are to be able to add the rules for firewall and dns
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
];
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];
cname = [
#may asw ell add a cname for this
"wg CNAME ${name}"
];
};
age.secrets.wireguard.file = ../secrets/wireguard.age;
networking = {
nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = ["wg0"];
};
firewall = {
allowedTCPPorts = [22];
allowedUDPPorts = [8000];
interfaces.wg0 = {
allowedTCPPorts = [53];
allowedUDPPorts = [53];
};
};
wireguard.interfaces.wg0 = {
# may need to change this to the same base as the full network
ips = ["172.20.21.0/24"];
listenPort = 8000;
privateKeyFile = "/run/agenix/wireguard";
peers = [
{ # silver - Brendan
publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ=";
allowedIPs = [ "172.20.21.2/32" ];
}
];
};
};
environment.systemPackages = [
# needed to generate keys
pkgs.wireguard-tools
];
}
/*
Name: https://en.wikipedia.org/wiki/Ash_(Alien)
Why: Infilitrate into the network
Type: VM
Hardware: -
From: 2023
Role: Wireguard (VPN) Server
Notes: Thius vpn is for admin use only, to give access to all the servers via ssh
*/
{ pkgs, lib, nodes, ... }:
let
# name of the server, sets teh hostname and record for it
name = "ash";
ip_pub = "193.1.99.75";
ip_priv = "172.20.20.5";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
# these two are to be able to add the rules for firewall and dns
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
];
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];
cname = [
#may asw ell add a cname for this
"wg CNAME ${name}"
];
};
age.secrets.wireguard.file = ../secrets/wireguard.age;
networking = {
nat = {
enable = true;
externalInterface = "eth0";
internalInterfaces = ["wg0"];
};
firewall = {
allowedTCPPorts = [22];
allowedUDPPorts = [8000];
interfaces.wg0 = {
allowedTCPPorts = [53];
allowedUDPPorts = [53];
};
};
wireguard.interfaces.wg0 = {
# may need to change this to the same base as the full network
ips = ["172.20.21.0/24"];
listenPort = 8000;
privateKeyFile = "/run/agenix/wireguard";
peers = [
{ # silver - Brendan
publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ=";
allowedIPs = [ "172.20.21.2/32" ];
}
];
};
};
environment.systemPackages = [
# needed to generate keys
pkgs.wireguard-tools
];
}

148
machines/galatea.nix
View file

@ -1,74 +1,74 @@
/*
Name: https://en.wikipedia.org/wiki/Galatea_(mythology)
Why: Created as a product of artistic expression
Type: VM
Hardware: -
From: 2023
Role: Icecast server for ULFM
Notes:
*/
{ pkgs, lib, nodes, config, ... }:
let
# name of the server, sets teh hostname and record for it
name = "galatea";
ip_pub = "193.1.99.111";
ip_priv = "172.20.20.6";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
# dosent seem to be any otehr way to have it like read from a file
feck = "d9J4jDsJPuMPUMAAE4J4tH37HsmxEDze";
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
# these two are to be able to add the rules for firewall and dns
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} tcp dport 8000 counter packets 0 bytes 0 accept"
];
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];
cname = [
# this is also the stream server
"stream CNAME ${name}"
];
};
networking.firewall.allowedTCPPorts = [
22
80
443
8000
];
# config for icecast is smol so can have it in this
services.icecast = {
enable = true;
hostname = hostname;
admin = {
user = "admin";
password = feck;
};
};
}
/*
Name: https://en.wikipedia.org/wiki/Galatea_(mythology)
Why: Created as a product of artistic expression
Type: VM
Hardware: -
From: 2023
Role: Icecast server for ULFM
Notes:
*/
{ pkgs, lib, nodes, config, ... }:
let
# name of the server, sets teh hostname and record for it
name = "galatea";
ip_pub = "193.1.99.111";
ip_priv = "172.20.20.6";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
# dosent seem to be any otehr way to have it like read from a file
feck = "d9J4jDsJPuMPUMAAE4J4tH37HsmxEDze";
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
# these two are to be able to add the rules for firewall and dns
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} tcp dport 8000 counter packets 0 bytes 0 accept"
];
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];
cname = [
# this is also the stream server
"stream CNAME ${name}"
];
};
networking.firewall.allowedTCPPorts = [
22
80
443
8000
];
# config for icecast is smol so can have it in this
services.icecast = {
enable = true;
hostname = hostname;
admin = {
user = "admin";
password = feck;
};
};
}

122
machines/optimus.nix
View file

@ -1,61 +1,61 @@
/*
Name: https://en.wikipedia.org/wiki/Optimus_Prime
Why: Created to sell toys so this vm is for games
Type: VM
Hardware: -
From: 2023
Role: Game host
Notes:
*/
{ pkgs, lib, nodes, arion, ... }:
let
# name of the server, sets teh hostname and record for it
name = "optimus";
ip_pub = "193.1.99.112";
ip_priv = "172.20.20.7";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
../applications/games.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
# these two are to be able to add the rules for firewall and dns
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} tcp dport 25565 counter packets 0 bytes 0 accept"
];
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];
cname = [
# the games are each going to have a subdomain on this
"games CNAME ${name}"
];
};
networking.firewall.allowedTCPPorts = [
22
80
443
25565
];
}
/*
Name: https://en.wikipedia.org/wiki/Optimus_Prime
Why: Created to sell toys so this vm is for games
Type: VM
Hardware: -
From: 2023
Role: Game host
Notes:
*/
{ pkgs, lib, nodes, arion, ... }:
let
# name of the server, sets teh hostname and record for it
name = "optimus";
ip_pub = "193.1.99.112";
ip_priv = "172.20.20.7";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
../applications/games.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
# these two are to be able to add the rules for firewall and dns
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} tcp dport 25565 counter packets 0 bytes 0 accept"
];
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];
cname = [
# the games are each going to have a subdomain on this
"games CNAME ${name}"
];
};
networking.firewall.allowedTCPPorts = [
22
80
443
25565
];
}

192
machines/vendetta.nix
View file

@ -1,96 +1,96 @@
/*
Name: https://masseffect.fandom.com/wiki/Vendetta
Why: Vendetta held troves of important data waiting for folks to request it.
Type: VM
Hardware: -
From: 2023
Role: DNS Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
# name of the server, sets teh hostname and record for it
name = "vendetta";
ip_pub = "193.1.99.120";
ip_priv = "172.20.20.3";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
# sets which nameserver it is
ns = "ns1";
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
networking = {
firewall = {
allowedTCPPorts = [22 53];
allowedUDPPorts = [53];
};
};
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
];
skynet_dns = {
enable = true;
# this server will have to have dns records
own = {
nameserver = ns;
external = [
"${name} A ${ip_pub}"
"${ns} A ${ip_pub}"
# needs this, temporally
"mail A ${ip_pub}"
];
cname = [
#"misc CNAME vendetta"
];
};
records = {
# using the same logic as the firewall, comments there
external = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
if builtins.hasAttr "skynet_dns" value.config
then (
if value.config.skynet_dns.enable
then value.config.skynet_dns.own.external
else value.config.skynet_dns.records.external
)
else []
) nodes
);
cname = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
if builtins.hasAttr "skynet_dns" value.config
then (
if value.config.skynet_dns.enable
then value.config.skynet_dns.own.cname
else value.config.skynet_dns.records.cname
)
else []
) nodes
);
};
};
}
/*
Name: https://masseffect.fandom.com/wiki/Vendetta
Why: Vendetta held troves of important data waiting for folks to request it.
Type: VM
Hardware: -
From: 2023
Role: DNS Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
# name of the server, sets teh hostname and record for it
name = "vendetta";
ip_pub = "193.1.99.120";
ip_priv = "172.20.20.3";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
# sets which nameserver it is
ns = "ns1";
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
networking = {
firewall = {
allowedTCPPorts = [22 53];
allowedUDPPorts = [53];
};
};
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
];
skynet_dns = {
enable = true;
# this server will have to have dns records
own = {
nameserver = ns;
external = [
"${name} A ${ip_pub}"
"${ns} A ${ip_pub}"
# needs this, temporally
"mail A ${ip_pub}"
];
cname = [
#"misc CNAME vendetta"
];
};
records = {
# using the same logic as the firewall, comments there
external = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
if builtins.hasAttr "skynet_dns" value.config
then (
if value.config.skynet_dns.enable
then value.config.skynet_dns.own.external
else value.config.skynet_dns.records.external
)
else []
) nodes
);
cname = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
if builtins.hasAttr "skynet_dns" value.config
then (
if value.config.skynet_dns.enable
then value.config.skynet_dns.own.cname
else value.config.skynet_dns.records.cname
)
else []
) nodes
);
};
};
}

184
machines/vigil.nix
View file

@ -1,92 +1,92 @@
/*
Name: https://masseffect.fandom.com/wiki/Vigil
Why: Counterpart to Vendetta
Type: VM
Hardware: -
From: 2023
Role: DNS Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
name = "vigil";
ip_pub = "193.1.99.109";
ip_priv = "172.20.20.4";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
# sets which nameserver it is
ns = "ns2";
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
networking = {
firewall = {
allowedTCPPorts = [22 53];
allowedUDPPorts = [53];
};
};
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
];
skynet_dns = {
enable = true;
# this server will have to have dns records
own = {
nameserver = ns;
external = [
"${name} A ${ip_pub}"
"${ns} A ${ip_pub}"
];
cname = [
#"misc CNAME vendetta"
];
};
records = {
# using the same logic as the firewall, comments there
external = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
if builtins.hasAttr "skynet_dns" value.config
then (
if value.config.skynet_dns.enable
then value.config.skynet_dns.own.external
else value.config.skynet_dns.records.external
)
else []
) nodes
);
cname = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
if builtins.hasAttr "skynet_dns" value.config
then (
if value.config.skynet_dns.enable
then value.config.skynet_dns.own.cname
else value.config.skynet_dns.records.cname
)
else []
) nodes
);
};
};
}
/*
Name: https://masseffect.fandom.com/wiki/Vigil
Why: Counterpart to Vendetta
Type: VM
Hardware: -
From: 2023
Role: DNS Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
name = "vigil";
ip_pub = "193.1.99.109";
ip_priv = "172.20.20.4";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
# sets which nameserver it is
ns = "ns2";
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = "root";
};
networking = {
firewall = {
allowedTCPPorts = [22 53];
allowedUDPPorts = [53];
};
};
# open the firewall for this
skynet_firewall.forward = [
"ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
"ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
];
skynet_dns = {
enable = true;
# this server will have to have dns records
own = {
nameserver = ns;
external = [
"${name} A ${ip_pub}"
"${ns} A ${ip_pub}"
];
cname = [
#"misc CNAME vendetta"
];
};
records = {
# using the same logic as the firewall, comments there
external = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
if builtins.hasAttr "skynet_dns" value.config
then (
if value.config.skynet_dns.enable
then value.config.skynet_dns.own.external
else value.config.skynet_dns.records.external
)
else []
) nodes
);
cname = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
if builtins.hasAttr "skynet_dns" value.config
then (
if value.config.skynet_dns.enable
then value.config.skynet_dns.own.cname
else value.config.skynet_dns.records.cname
)
else []
) nodes
);
};
};
}

42
secrets/secrets.nix
View file

@ -1,22 +1,22 @@
let
admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb";
users = [
admin
silver_laptop_wsl
];
# change this when its properly set up
agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbqYQrdVHmGgXZJoMWWRDGVEIj775Zrf4PxB5hoth+k root@agentjones";
ash = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJDVQGjIwMQmkElGshgKDAlChM2xdNN6iI5Ap2IbAs5";
systems = [
agentjones
ash
];
in
{
# nix run github:ryantm/agenix -- -e secret1.age
"wireguard.age".publicKeys = users ++ systems;
let
admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb";
users = [
admin
silver_laptop_wsl
];
# change this when its properly set up
agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbqYQrdVHmGgXZJoMWWRDGVEIj775Zrf4PxB5hoth+k root@agentjones";
ash = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJDVQGjIwMQmkElGshgKDAlChM2xdNN6iI5Ap2IbAs5";
systems = [
agentjones
ash
];
in
{
# nix run github:ryantm/agenix -- -e secret1.age
"wireguard.age".publicKeys = users ++ systems;
}