From 3d7f99946a6ec0aa9eec1af2f95ad54f092a2452 Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Wed, 25 Jan 2023 11:48:44 +0000 Subject: [PATCH] fix: eol conversion round 2 --- .gitattributes | 84 +++++------ .gitignore | 48 +++--- applications/dns.nix | 294 ++++++++++++++++++------------------- applications/dns/example | 88 +++++------ applications/firewall.nix | 268 ++++++++++++++++----------------- applications/games.nix | 124 ++++++++-------- dev.nix | 56 +++---- flake.lock | 302 +++++++++++++++++++------------------- flake.nix | 230 ++++++++++++++--------------- machines/_base.nix | 74 +++++----- machines/agentjones.nix | 210 +++++++++++++------------- machines/ash.nix | 182 +++++++++++------------ machines/galatea.nix | 148 +++++++++---------- machines/optimus.nix | 122 +++++++-------- machines/vendetta.nix | 192 ++++++++++++------------ machines/vigil.nix | 184 +++++++++++------------ secrets/secrets.nix | 42 +++--- 17 files changed, 1324 insertions(+), 1324 deletions(-) diff --git a/.gitattributes b/.gitattributes index 36765a2..3e4aaf8 100644 --- a/.gitattributes +++ b/.gitattributes 
@@ -1,42 +1,42 @@ -# Documents -*.pdf filter=lfs diff=lfs merge=lfs -text -*.doc filter=lfs diff=lfs merge=lfs -text -*.docx filter=lfs diff=lfs merge=lfs -text - - -# Excel -*.xls filter=lfs diff=lfs merge=lfs -text -*.xlsx filter=lfs diff=lfs merge=lfs -text -*.xlsm filter=lfs diff=lfs merge=lfs -text - - -# Powerpoints -*.ppt filter=lfs diff=lfs merge=lfs -text -*.pptx filter=lfs diff=lfs merge=lfs -text - - -# Images -*.png filter=lfs diff=lfs merge=lfs -text -*.jpg filter=lfs diff=lfs merge=lfs -text - - -# Video -*.mkv filter=lfs diff=lfs merge=lfs -text -*.mp4 filter=lfs diff=lfs merge=lfs -text - - -# Misc -*.zip filter=lfs diff=lfs merge=lfs -text - - -# ET4011 -*.cbe filter=lfs diff=lfs merge=lfs -text -*.pbs filter=lfs diff=lfs merge=lfs -text - - -# Open/Libre office -# from https://www.libreoffice.org/discover/what-is-opendocument/ -*.odt filter=lfs diff=lfs merge=lfs -text -*.ods filter=lfs diff=lfs merge=lfs -text -*.odp filter=lfs diff=lfs merge=lfs -text -*.odg filter=lfs diff=lfs merge=lfs -text +# Documents +*.pdf filter=lfs diff=lfs merge=lfs -text +*.doc filter=lfs diff=lfs merge=lfs -text +*.docx filter=lfs diff=lfs merge=lfs -text + + +# Excel +*.xls filter=lfs diff=lfs merge=lfs -text +*.xlsx filter=lfs diff=lfs merge=lfs -text +*.xlsm filter=lfs diff=lfs merge=lfs -text + + +# Powerpoints +*.ppt filter=lfs diff=lfs merge=lfs -text +*.pptx filter=lfs diff=lfs merge=lfs -text + + +# Images +*.png filter=lfs diff=lfs merge=lfs -text +*.jpg filter=lfs diff=lfs merge=lfs -text + + +# Video +*.mkv filter=lfs diff=lfs merge=lfs -text +*.mp4 filter=lfs diff=lfs merge=lfs -text + + +# Misc +*.zip filter=lfs diff=lfs merge=lfs -text + + +# ET4011 +*.cbe filter=lfs diff=lfs merge=lfs -text +*.pbs filter=lfs diff=lfs merge=lfs -text + + +# Open/Libre office +# from https://www.libreoffice.org/discover/what-is-opendocument/ +*.odt filter=lfs diff=lfs merge=lfs -text +*.ods filter=lfs diff=lfs merge=lfs -text +*.odp filter=lfs diff=lfs merge=lfs -text 
+*.odg filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore index ee0eee0..4a79ea1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,24 +1,24 @@ -# IDE folder -/.idea - -# Microsoft office Lockfiles -~$* -*.tmp - -# Test files -test.* -*.test.* -/test - -# Output of compiling -/out -/build -/target - -# Dealing with BlueJ -*.bluej -*.out -*.ctxt - -# Dealing with Mac users -.DS_Store +# IDE folder +/.idea + +# Microsoft office Lockfiles +~$* +*.tmp + +# Test files +test.* +*.test.* +/test + +# Output of compiling +/out +/build +/target + +# Dealing with BlueJ +*.bluej +*.out +*.ctxt + +# Dealing with Mac users +.DS_Store diff --git a/applications/dns.nix b/applications/dns.nix index b4d10f6..770b99f 100644 --- a/applications/dns.nix +++ b/applications/dns.nix 
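Review bot: The rewritten .gitattributes still only declares LFS filters and never pins line endings, so nothing prevents the CRLF drift this commit ("round 2") corrects from coming back on the next checkout from a Windows client; add a leading rule such as `* text=auto eol=lf` above the `# Documents` section so git normalises every text file to LF on commit. This matters beyond cosmetics: applications/firewall.nix carries its own "beware of EOL conversion" warning because the nftables ruleset is embedded in a Nix string, and if CRLF ever reaches that ruleset and nft rejects it, the host is left with `networking.firewall.enable = false` and no loaded filter at all — presumably why this conversion has been repeated. The same recurrence risk applies to the other 16 files in this patch, which are all re-added line for line with no content change.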
@@ -1,148 +1,148 @@ -{ lib, pkgs, config, ... }: -let - cfg = config.skynet_dns; -in { - options = { - skynet_dns = { - enable = lib.mkEnableOption { - default = false; - example = true; - description = "Skynet DNS"; - type = lib.types.bool; - }; - - own = { - nameserver = lib.mkOption { - default = "ns1"; - type = lib.types.str; - description = '' - the hostname of this nameserver, eg ns1, ns2 - ''; - }; - - external = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - External records like: agentjones A 193.1.99.72 - ''; - }; - - cname = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - External records like: ns1 CNAME ns1 - ''; - }; - }; - - - records = { - external = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - External records like: agentjones A 193.1.99.72 - ''; - }; - - cname = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - External records like: ns1 CNAME ns1 - ''; - }; - }; - - }; - }; - - - config = lib.mkIf cfg.enable { - services.bind = { - enable = true; - - forwarders = [ - # these were in old config file - #"193.1.100.130" - #"193.1.100.131" - ]; - - zones = { - /* - put any other zones above skynet and link to their files like so: - - example.ie = { - extraConfig = ""; - file = ./dns/example; - master = true; - masters = []; - slaves = [ ]; - }; - - Skynet is handled a bit more dynamically since it is the key one we should focus on - */ - - "skynet.ie" = { - extraConfig = ""; - # really wish teh nixos config didnt use master/slave - master = true; - slaves = [ ]; - # need to write this to a file - file = pkgs.writeText "dns_zone_skynet" - # no leading whitespace for first line - '' - $TTL 60 ; 1 minute - ; hostmaster@skynet.ie is an email address that recieves stuff related to dns - @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. 
( - 2023011701 ; Serial (YYYYMMDDCC) - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 2419200 ; Expire (4 weeks) - 3600 ; Minimum (1 hour) - ) - NS ns1.skynet.ie. - NS ns2.skynet.ie. - ; @ stands for teh root domain so teh A record below is where skynet.ie points to - A 193.1.99.76 - MX 5 mail.skynet.ie. - - ; can have multiple mailserves - ;MX 20 mail2.skynet.ie. - - - ; ------------------------------------------ - ; Server Names - ; ------------------------------------------ - - ; External addresses - ; ------------------------------------------ - ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external} - - - ; this is fixed for now - wintermute A 193.1.101.148 - - - ; internal addresses - ; ------------------------------------------ - ; May come back to this idea in teh future - ; agentjones.int A 172.20.20.1 - - - ; cname's - ; ------------------------------------------ - ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname} - - ''; - }; - }; - }; - - }; - - - +{ lib, pkgs, config, ... 
}: +let + cfg = config.skynet_dns; +in { + options = { + skynet_dns = { + enable = lib.mkEnableOption { + default = false; + example = true; + description = "Skynet DNS"; + type = lib.types.bool; + }; + + own = { + nameserver = lib.mkOption { + default = "ns1"; + type = lib.types.str; + description = '' + the hostname of this nameserver, eg ns1, ns2 + ''; + }; + + external = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + External records like: agentjones A 193.1.99.72 + ''; + }; + + cname = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + External records like: ns1 CNAME ns1 + ''; + }; + }; + + + records = { + external = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + External records like: agentjones A 193.1.99.72 + ''; + }; + + cname = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + External records like: ns1 CNAME ns1 + ''; + }; + }; + + }; + }; + + + config = lib.mkIf cfg.enable { + services.bind = { + enable = true; + + forwarders = [ + # these were in old config file + #"193.1.100.130" + #"193.1.100.131" + ]; + + zones = { + /* + put any other zones above skynet and link to their files like so: + + example.ie = { + extraConfig = ""; + file = ./dns/example; + master = true; + masters = []; + slaves = [ ]; + }; + + Skynet is handled a bit more dynamically since it is the key one we should focus on + */ + + "skynet.ie" = { + extraConfig = ""; + # really wish teh nixos config didnt use master/slave + master = true; + slaves = [ ]; + # need to write this to a file + file = pkgs.writeText "dns_zone_skynet" + # no leading whitespace for first line + '' + $TTL 60 ; 1 minute + ; hostmaster@skynet.ie is an email address that recieves stuff related to dns + @ IN SOA ${cfg.own.nameserver}.skynet.ie. hostmaster.skynet.ie. 
( + 2023011701 ; Serial (YYYYMMDDCC) + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 2419200 ; Expire (4 weeks) + 3600 ; Minimum (1 hour) + ) + NS ns1.skynet.ie. + NS ns2.skynet.ie. + ; @ stands for teh root domain so teh A record below is where skynet.ie points to + A 193.1.99.76 + MX 5 mail.skynet.ie. + + ; can have multiple mailserves + ;MX 20 mail2.skynet.ie. + + + ; ------------------------------------------ + ; Server Names + ; ------------------------------------------ + + ; External addresses + ; ------------------------------------------ + ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.external} + + + ; this is fixed for now + wintermute A 193.1.101.148 + + + ; internal addresses + ; ------------------------------------------ + ; May come back to this idea in teh future + ; agentjones.int A 172.20.20.1 + + + ; cname's + ; ------------------------------------------ + ${lib.strings.concatMapStrings (x: x + "\n") cfg.records.cname} + + ''; + }; + }; + }; + + }; + + + } \ No newline at end of file diff --git a/applications/dns/example b/applications/dns/example index c12559a..7a60345 100644 --- a/applications/dns/example +++ b/applications/dns/example 
@@ -1,44 +1,44 @@ -; use this file as an example of how to config zone files - -$TTL 60 ; 1 minute -@ IN SOA ns1.skynet.ie. hostmaster.skynet.ie. ( - 2023011701 ; Serial (YYYYMMDDCC) - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 2419200 ; Expire (4 weeks) - 3600 ; Minimum (1 hour) - ) - NS ns1.skynet.ie. - NS ns2.skynet.ie. - ;A 193.1.99.76 - MX 5 mail.skynet.ie. - - ; can have multiple mailserves - ;MX 20 mail2.skynet.ie. - - -; ------------------------------------------ -; Server Names -; ------------------------------------------ - -; External addresses -; ------------------------------------------ -agentjones A 193.1.99.72 - - -; this is fixed for now -wintermute A 193.1.101.148 - - -; internal addresses -; ------------------------------------------ -; May come back to this idea in teh future -; agentjones.int A 172.20.20.1 - - -; cname's -; ------------------------------------------ -; ns1 CNAME ns1 - - - +; use this file as an example of how to config zone files + +$TTL 60 ; 1 minute +@ IN SOA ns1.skynet.ie. hostmaster.skynet.ie. ( + 2023011701 ; Serial (YYYYMMDDCC) + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 2419200 ; Expire (4 weeks) + 3600 ; Minimum (1 hour) + ) + NS ns1.skynet.ie. + NS ns2.skynet.ie. + ;A 193.1.99.76 + MX 5 mail.skynet.ie. + + ; can have multiple mailserves + ;MX 20 mail2.skynet.ie. + + +; ------------------------------------------ +; Server Names +; ------------------------------------------ + +; External addresses +; ------------------------------------------ +agentjones A 193.1.99.72 + + +; this is fixed for now +wintermute A 193.1.101.148 + + +; internal addresses +; ------------------------------------------ +; May come back to this idea in teh future +; agentjones.int A 172.20.20.1 + + +; cname's +; ------------------------------------------ +; ns1 CNAME ns1 + + + diff --git a/applications/firewall.nix b/applications/firewall.nix index dac3c10..cfe50d2 100644 --- a/applications/firewall.nix 
+++ b/applications/firewall.nix 
@@ -1,134 +1,134 @@ -{lib, pkgs, config, ...}: { - - # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base - options = { - skynet_firewall = { - enable = lib.mkEnableOption { - default = false; - example = true; - description = "Skynet Firewall"; - type = lib.types.bool; - }; - forward = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - A list of routes to forward - ''; - }; - - own = { - ip = lib.mkOption { - default = "127.0.0.1"; - type = lib.types.str; - description = '' - IP of the firewall - ''; - }; - - ports = { - tcp = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.int; - description = '' - A list of TCP ports for the machiene running the firewall - ''; - }; - - udp = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.int; - description = '' - A list of UDP ports for the machiene running the firewall - ''; - }; - - }; - - }; - }; - }; - - config = lib.mkIf config.skynet_firewall.enable { - # disable default firewall to enable nftables - networking.firewall.enable = false; - networking.nftables.enable = true; - - # fules for the firewall - # beware of EOL conversion. - networking.nftables.ruleset = - '' - # Check out https://wiki.nftables.org/ for better documentation. - # Table for both IPv4 and IPv6. 
- table ip nat { - chain prerouting { - type nat hook prerouting priority dstnat; policy accept; - - # forward anything with port 2222 to this specific ip - # tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22 - - # forward http/s traffic from 76 to 123 - # ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80 - # ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443 - } - - chain postrouting { - type nat hook postrouting priority srcnat; policy accept; - - # the internal network - ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade - } - - chain output { - type nat hook output priority -100; policy accept; - } - } - - table ip filter { - chain input { - type filter hook input priority filter; policy accept; - - # for the host machiene - # TCP - ${lib.strings.concatMapStrings (x: x + "\n") (map (port: "tcp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.tcp)} - - # UDP - ${lib.strings.concatMapStrings (x: x + "\n") (map (port: "udp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.udp)} - } - - chain forward { - type filter hook forward priority filter; policy drop; - counter packets 0 bytes 0 jump rejects - - # accept these ip/ports - # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept - - # can basically make each machiene responsibile for their own forwarding (in config at least) - ${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward} - - counter packets 0 bytes 0 reject with icmp type admin-prohibited - } - - chain output { - type filter hook output priority filter; policy accept; - - # no outgoing limits (for now) - } - - chain fail2ban-ssh { - # ban these - # ip saddr 104.236.151.120 counter packets 0 bytes 0 drop - counter packets 0 bytes 0 return - } - - chain rejects { - # Reject all these - # ip saddr 220.119.33.251 counter packets 0 bytes 0 reject 
with icmp type admin-prohibited - } - } - ''; - - }; - - -} +{lib, pkgs, config, ...}: { + + # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base + options = { + skynet_firewall = { + enable = lib.mkEnableOption { + default = false; + example = true; + description = "Skynet Firewall"; + type = lib.types.bool; + }; + forward = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + A list of routes to forward + ''; + }; + + own = { + ip = lib.mkOption { + default = "127.0.0.1"; + type = lib.types.str; + description = '' + IP of the firewall + ''; + }; + + ports = { + tcp = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.int; + description = '' + A list of TCP ports for the machiene running the firewall + ''; + }; + + udp = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.int; + description = '' + A list of UDP ports for the machiene running the firewall + ''; + }; + + }; + + }; + }; + }; + + config = lib.mkIf config.skynet_firewall.enable { + # disable default firewall to enable nftables + networking.firewall.enable = false; + networking.nftables.enable = true; + + # fules for the firewall + # beware of EOL conversion. + networking.nftables.ruleset = + '' + # Check out https://wiki.nftables.org/ for better documentation. + # Table for both IPv4 and IPv6. 
+ table ip nat { + chain prerouting { + type nat hook prerouting priority dstnat; policy accept; + + # forward anything with port 2222 to this specific ip + # tcp dport 2222 counter packets 0 bytes 0 dnat to 193.1.99.76:22 + + # forward http/s traffic from 76 to 123 + # ip daddr 193.1.99.76 tcp dport 80 counter packets 0 bytes 0 dnat to 193.1.99.123:80 + # ip daddr 193.1.99.76 tcp dport 443 counter packets 0 bytes 0 dnat to 193.1.99.123:443 + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + + # the internal network + ip saddr 172.20.20.0/23 counter packets 0 bytes 0 masquerade + } + + chain output { + type nat hook output priority -100; policy accept; + } + } + + table ip filter { + chain input { + type filter hook input priority filter; policy accept; + + # for the host machiene + # TCP + ${lib.strings.concatMapStrings (x: x + "\n") (map (port: "tcp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.tcp)} + + # UDP + ${lib.strings.concatMapStrings (x: x + "\n") (map (port: "udp dport ${toString port} counter packets 0 bytes 0 accept") config.skynet_firewall.own.ports.udp)} + } + + chain forward { + type filter hook forward priority filter; policy drop; + counter packets 0 bytes 0 jump rejects + + # accept these ip/ports + # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept + + # can basically make each machiene responsibile for their own forwarding (in config at least) + ${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward} + + counter packets 0 bytes 0 reject with icmp type admin-prohibited + } + + chain output { + type filter hook output priority filter; policy accept; + + # no outgoing limits (for now) + } + + chain fail2ban-ssh { + # ban these + # ip saddr 104.236.151.120 counter packets 0 bytes 0 drop + counter packets 0 bytes 0 return + } + + chain rejects { + # Reject all these + # ip saddr 220.119.33.251 counter packets 0 bytes 0 reject 
with icmp type admin-prohibited + } + } + ''; + + }; + + +} diff --git a/applications/games.nix b/applications/games.nix index 8a20fd1..970f13c 100644 --- a/applications/games.nix +++ b/applications/games.nix 
@@ -1,63 +1,63 @@ -{ ... }: { - imports = []; - - /* - backups = [ - "/etc/silver_satisfactory/config/" - "/etc/silver_valheim/config/" - ]; - */ - - # since this is going to be pulled into a machiene that has skynet_dns we dont need to import it above - # gonna use it to create sub-subdomains for each game server - skynet_dns.records = { - external = []; - cname = [ - # create a sub-subdomain for each game - "mc_compsoc.games CNAME games" - ]; - }; - - # arion is one way to use docker on nixos - virtualisation.arion = { - backend = "docker"; - projects = { - - mc_compsoc.settings = { - docker-compose.raw.networks.default.name = "mc_compsoc"; - - services.mc_compsoc = { - service.image = "nimmis/spigot:latest"; - # setting these here as they arent special - service.environment = { - # this is what it last ran on - SPIGOT_VER="1.18.2"; - }; - - service.volumes = [ - # figure out what this needs and use itt o get up and running - # /home/nimmis/mc-srv:/minecraft - #"/etc/games_satisfactory/config:/config" - ]; - service.ports = [ - "25565:25565/tcp" - ]; - }; - }; - - }; - }; - - /* - services = { - nginx.virtualHosts = { - "valhiem.brendan.ie" = { - forceSSL = true; - useACMEHost = "brendan"; - - locations."/".proxyPass = "http://localhost:2456"; - }; - }; - }; - */ +{ ... 
}: { + imports = []; + + /* + backups = [ + "/etc/silver_satisfactory/config/" + "/etc/silver_valheim/config/" + ]; + */ + + # since this is going to be pulled into a machiene that has skynet_dns we dont need to import it above + # gonna use it to create sub-subdomains for each game server + skynet_dns.records = { + external = []; + cname = [ + # create a sub-subdomain for each game + "mc_compsoc.games CNAME games" + ]; + }; + + # arion is one way to use docker on nixos + virtualisation.arion = { + backend = "docker"; + projects = { + + mc_compsoc.settings = { + docker-compose.raw.networks.default.name = "mc_compsoc"; + + services.mc_compsoc = { + service.image = "nimmis/spigot:latest"; + # setting these here as they arent special + service.environment = { + # this is what it last ran on + SPIGOT_VER="1.18.2"; + }; + + service.volumes = [ + # figure out what this needs and use itt o get up and running + # /home/nimmis/mc-srv:/minecraft + #"/etc/games_satisfactory/config:/config" + ]; + service.ports = [ + "25565:25565/tcp" + ]; + }; + }; + + }; + }; + + /* + services = { + nginx.virtualHosts = { + "valhiem.brendan.ie" = { + forceSSL = true; + useACMEHost = "brendan"; + + locations."/".proxyPass = "http://localhost:2456"; + }; + }; + }; + */ } \ No newline at end of file diff --git a/dev.nix b/dev.nix index 48a03a2..e3cbc48 100644 --- a/dev.nix +++ b/dev.nix 
@@ -1,29 +1,29 @@ -# run with nix dev.nix -# has everything installed for dev - -{ pkgs ? import {} }: -with pkgs; -let -imports = - let agenixCommit = "42d371d861a227149dc9a7e03350c9ab8b8ddd68"; - in - { - agenix = import - (builtins.fetchTarball { - url = "https://github.com/ryantm/agenix/archive/${agenixCommit}.tar.gz"; - sha256 = "14sszf5s85i4jd3lc8c167fbxvpj13da45wl1j7wpd20n0fic5c1"; - }) - { inherit pkgs; }; - }; -in mkShell { - # nativeBuildInputs is usually what you want -- tools you need to run - nativeBuildInputs = [ - pkgs.buildPackages.git - pkgs.buildPackages.colmena - pkgs.buildPackages.nmap - ]; - - buildInputs = [ imports.agenix.agenix ]; - - shellHook = ''export EDITOR="/usr/bin/nano"''; +# run with nix dev.nix +# has everything installed for dev + +{ pkgs ? import {} }: +with pkgs; +let +imports = + let agenixCommit = "42d371d861a227149dc9a7e03350c9ab8b8ddd68"; + in + { + agenix = import + (builtins.fetchTarball { + url = "https://github.com/ryantm/agenix/archive/${agenixCommit}.tar.gz"; + sha256 = "14sszf5s85i4jd3lc8c167fbxvpj13da45wl1j7wpd20n0fic5c1"; + }) + { inherit pkgs; }; + }; +in mkShell { + # nativeBuildInputs is usually what you want -- tools you need to run + nativeBuildInputs = [ + pkgs.buildPackages.git + pkgs.buildPackages.colmena + pkgs.buildPackages.nmap + ]; + + buildInputs = [ imports.agenix.agenix ]; + + shellHook = ''export EDITOR="/usr/bin/nano"''; } \ No newline at end of file diff --git a/flake.lock b/flake.lock index 70195ac..f0d78e1 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,151 +1,151 @@ -{ - "nodes": { - "agenix": { - "inputs": { - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1673301561, - "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", - "owner": "ryantm", - "repo": "agenix", - "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, - "arion": { - "inputs": { - "flake-parts": "flake-parts", - "haskell-flake": "haskell-flake", - "nixpkgs": "nixpkgs_2" - }, - "locked": { - "lastModified": 1673629654, - "narHash": "sha256-Ou4//mR6h3F6024ZOm925XkkFBbpEVniIKRGRMVboC8=", - "owner": "hercules-ci", - "repo": "arion", - "rev": "d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "arion", - "rev": "d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "arion", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1672877861, - "narHash": "sha256-ROnSmsk5grROL6gnHBnSdqlPPBrBJMApCeB7xzY567M=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "7930f5b1c356270cec420d4f4cb43f4907206640", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "haskell-flake": { - "locked": { - "lastModified": 1668167720, - "narHash": "sha256-5wDTR6xt9BB3BjgKR+YOjOkZgMyDXKaX79g42sStzDU=", - "owner": "srid", - "repo": "haskell-flake", - "rev": "4fc511d93a55fedf815c1647ad146c26d7a2054e", - "type": "github" - }, - "original": { - "owner": "srid", - "repo": "haskell-flake", - 
"type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1665732960, - "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1673450908, - "narHash": "sha256-b8em+kwrNtnB7gR8SyVf6WuTyQ+6tHS6dzt9D9wgKF0=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "6c8644fc37b6e141cbfa6c7dc8d98846c4ff0c2e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1673527292, - "narHash": "sha256-903EpRSDCfUvic7Hsiqwy+h7zlMTLAUbCXkEGGriCfM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "6a3f9996408c970b99b8b992b11bb249d1455b62", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" - } - }, - "root": { - "inputs": { - "agenix": "agenix", - "arion": "arion", - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_3" - } - } - }, - "root": "root", - "version": 7 -} +{ + "nodes": { + "agenix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1673301561, + "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", + "owner": "ryantm", + "repo": "agenix", + "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "arion": { + "inputs": { + "flake-parts": "flake-parts", + "haskell-flake": "haskell-flake", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1673629654, + "narHash": "sha256-Ou4//mR6h3F6024ZOm925XkkFBbpEVniIKRGRMVboC8=", + "owner": "hercules-ci", + "repo": "arion", + "rev": "d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c", + "type": "github" + }, + 
"original": { + "owner": "hercules-ci", + "repo": "arion", + "rev": "d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1672877861, + "narHash": "sha256-ROnSmsk5grROL6gnHBnSdqlPPBrBJMApCeB7xzY567M=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "7930f5b1c356270cec420d4f4cb43f4907206640", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "haskell-flake": { + "locked": { + "lastModified": 1668167720, + "narHash": "sha256-5wDTR6xt9BB3BjgKR+YOjOkZgMyDXKaX79g42sStzDU=", + "owner": "srid", + "repo": "haskell-flake", + "rev": "4fc511d93a55fedf815c1647ad146c26d7a2054e", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "haskell-flake", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1665732960, + "narHash": "sha256-WBZ+uSHKFyjvd0w4inbm0cNExYTn8lpYFcHEes8tmec=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4428e23312933a196724da2df7ab78eb5e67a88e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1673450908, + "narHash": "sha256-b8em+kwrNtnB7gR8SyVf6WuTyQ+6tHS6dzt9D9wgKF0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6c8644fc37b6e141cbfa6c7dc8d98846c4ff0c2e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + 
"lastModified": 1673527292, + "narHash": "sha256-903EpRSDCfUvic7Hsiqwy+h7zlMTLAUbCXkEGGriCfM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6a3f9996408c970b99b8b992b11bb249d1455b62", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "arion": "arion", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_3" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 9eb4aa6..18ce279 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,115 +1,115 @@ -{ - - description = "Deployment for skynet"; - - inputs = { - # gonna start off with a fairly modern base - nixpkgs.url = "nixpkgs/nixos-22.11"; - - # utility stuff - flake-utils.url = "github:numtide/flake-utils"; - agenix.url = "github:ryantm/agenix"; - # this is the last stable hash that works for 22.11 - arion.url = "github:hercules-ci/arion/d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c"; - - }; - - outputs = { self, nixpkgs, agenix, arion, ... }: { - # https://github.com/zhaofengli/colmena - colmena = { - meta = { - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - overlays = []; - }; - }; - - # installed for each machine - defaults = { - imports = [ - ./machines/_base.nix - # for the secrets - agenix.nixosModule - ]; - }; - - /* TODO: - vm host - jarvis.skynet.ie - 193.1.99.73 - 172.20.20.2 - ports - 22, 80 - none - - DNS - vendetta.skynet.ie - ns1.skynet.ie - 193.1.99.120 - 172.20.20.3 - Ports - 22, 53 (UDP) - 53 (UDP) - - vigil.skynet.ie - ns2.skynet.ie - 193.1.99.121 - 172.20.20.4 - Ports - 22, 53 (UDP) - 53 (UDP) - - Wireguard - ash.skynet.ie Ash is a robot spy from Alien https://en.wikipedia.org/wiki/Ash_(Alien) we need someone to get us into teh network - 193.1.99.75 - 172.20.205.5 - Ports - 22, 51820 (UDP) - 51820 (UDP) - - Icecase - stream.skynet.ie - 193.1.99.111 - 172.20.20.6 - Ports - 22, 80, 443, 8000 - 80, 443, 8000 - - Minecraft - minecraft.games.skynet.ie - 193.1.99.112 - 172.20.20.7 - Ports - 22, 80, 443, 25564, 25565, 25575 - 80, 443, 25564, 25565, 25575 - - */ - - # firewall machiene - agentjones = import ./machines/agentjones.nix; - - # ns1 - vendetta = import ./machines/vendetta.nix; - - # ns1 - vigil = import ./machines/vigil.nix; - - # wireguard - ash = import ./machines/ash.nix; - - # icecast - ULFM - galatea = import ./machines/galatea.nix; - - # Game host - optimus = { - imports = [ - ./machines/optimus.nix - # for the docker - arion.nixosModules.arion - ]; - }; - - }; - }; - -} +{ + + description = "Deployment 
for skynet"; + + inputs = { + # gonna start off with a fairly modern base + nixpkgs.url = "nixpkgs/nixos-22.11"; + + # utility stuff + flake-utils.url = "github:numtide/flake-utils"; + agenix.url = "github:ryantm/agenix"; + # this is the last stable hash that works for 22.11 + arion.url = "github:hercules-ci/arion/d1cc2b2a7dd0928ebd94a3f18336b5515e95c60c"; + + }; + + outputs = { self, nixpkgs, agenix, arion, ... }: { + # https://github.com/zhaofengli/colmena + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = []; + }; + }; + + # installed for each machine + defaults = { + imports = [ + ./machines/_base.nix + # for the secrets + agenix.nixosModule + ]; + }; + + /* TODO: + vm host + jarvis.skynet.ie + 193.1.99.73 + 172.20.20.2 + ports + 22, 80 + none + + DNS + vendetta.skynet.ie + ns1.skynet.ie + 193.1.99.120 + 172.20.20.3 + Ports + 22, 53 (UDP) + 53 (UDP) + + vigil.skynet.ie + ns2.skynet.ie + 193.1.99.121 + 172.20.20.4 + Ports + 22, 53 (UDP) + 53 (UDP) + + Wireguard + ash.skynet.ie Ash is a robot spy from Alien https://en.wikipedia.org/wiki/Ash_(Alien) we need someone to get us into teh network + 193.1.99.75 + 172.20.205.5 + Ports + 22, 51820 (UDP) + 51820 (UDP) + + Icecase + stream.skynet.ie + 193.1.99.111 + 172.20.20.6 + Ports + 22, 80, 443, 8000 + 80, 443, 8000 + + Minecraft + minecraft.games.skynet.ie + 193.1.99.112 + 172.20.20.7 + Ports + 22, 80, 443, 25564, 25565, 25575 + 80, 443, 25564, 25565, 25575 + + */ + + # firewall machiene + agentjones = import ./machines/agentjones.nix; + + # ns1 + vendetta = import ./machines/vendetta.nix; + + # ns1 + vigil = import ./machines/vigil.nix; + + # wireguard + ash = import ./machines/ash.nix; + + # icecast - ULFM + galatea = import ./machines/galatea.nix; + + # Game host + optimus = { + imports = [ + ./machines/optimus.nix + # for the docker + arion.nixosModules.arion + ]; + }; + + }; + }; + +} diff --git a/machines/_base.nix b/machines/_base.nix index 80004ae..a9e4f2a 100644 
--- a/machines/_base.nix +++ b/machines/_base.nix @@ -1,37 +1,37 @@ -{ pkgs, modulesPath, ... }: - -{ - imports = [ - (modulesPath + "/virtualisation/proxmox-lxc.nix") - ]; - - # flakes are essensial - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - - system.stateVersion = "22.11"; - - services.openssh = { - enable = true; - permitRootLogin = "prohibit-password"; - }; - - users.users.root = { - initialHashedPassword = ""; - - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb" - ]; - }; - - - environment.systemPackages = [ - # for flakes - pkgs.git - # useful tools - pkgs.ncdu_2 - pkgs.htop - pkgs.nano - pkgs.nmap - ]; -} +{ pkgs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/virtualisation/proxmox-lxc.nix") + ]; + + # flakes are essensial + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + system.stateVersion = "22.11"; + + services.openssh = { + enable = true; + permitRootLogin = "prohibit-password"; + }; + + users.users.root = { + initialHashedPassword = ""; + + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb" + ]; + }; + + + environment.systemPackages = [ + # for flakes + pkgs.git + # useful tools + pkgs.ncdu_2 + pkgs.htop + pkgs.nano + pkgs.nmap + ]; +} diff --git a/machines/agentjones.nix b/machines/agentjones.nix index 02c1d60..19bb809 100644 --- a/machines/agentjones.nix +++ b/machines/agentjones.nix @@ -1,105 +1,105 @@ -/* - - Name: https://matrix.fandom.com/wiki/Agent_Jones - Type: Physical - Hardware: PowerEdge r210 - 
From: 2011 (?) - Role: Firewall - Notes: Used to have Agent Smith as a partner but it died (Ironically) - -*/ - -{ pkgs, lib, nodes, ... }: -let - # name of the server, sets teh hostname and record for it - name = "agentjones"; - ip_pub = "193.1.99.72"; - ip_priv = "172.20.20.1"; - # hostname = "${name}.skynet.ie"; - hostname = ip_pub; - -in { - imports = [ - # applications for this particular server - ../applications/firewall.nix - ../applications/dns.nix - ./hardware/agentjones.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = "root"; - }; - - skynet_dns.records = { - external = [ - "${name} A ${ip_pub}" - ]; - cname = []; - }; - - networking.hostName = name; - # this has to be defined for any physical servers - # vms are defined by teh vm host - networking.interfaces = { - eno1 = { - ipv4.routes = [ -# { -# address = "193.1.99.72"; -# prefixLength = 26; -# via = "193.1.99.65"; -# } - ]; - }; - eno2 = { - useDHCP = false; - ipv4.addresses = [ - { - address = "193.1.99.72"; - prefixLength = 26; - } - #{ - # address = "172.20.20.1"; - # prefixLength = 24; - #} - ]; - }; - }; - - # this server is teh firewall - skynet_firewall = { - # always good to know oneself - - own = { - ip = ip_pub; - - ports = { - tcp = [ - # ssh in - 22 - ]; - udp = []; - }; - }; - - enable = true; - - # gonna have to get all the - forward = builtins.concatLists ( - # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list - lib.attrsets.mapAttrsToList (key: value: - # make sure that anything running this firewall dosent count (recursion otherewise) - # firewall may want to open ports in itself but can deal with that later - if builtins.hasAttr "skynet_firewall" value.config - then ( - if value.config.skynet_firewall.enable - then [] - else value.config.skynet_firewall.forward - ) - else [] - ) nodes - ); - }; - -} +/* + + Name: https://matrix.fandom.com/wiki/Agent_Jones + Type: Physical + Hardware: PowerEdge 
r210 + From: 2011 (?) + Role: Firewall + Notes: Used to have Agent Smith as a partner but it died (Ironically) + +*/ + +{ pkgs, lib, nodes, ... }: +let + # name of the server, sets teh hostname and record for it + name = "agentjones"; + ip_pub = "193.1.99.72"; + ip_priv = "172.20.20.1"; + # hostname = "${name}.skynet.ie"; + hostname = ip_pub; + +in { + imports = [ + # applications for this particular server + ../applications/firewall.nix + ../applications/dns.nix + ./hardware/agentjones.nix + ]; + + deployment = { + targetHost = hostname; + targetPort = 22; + targetUser = "root"; + }; + + skynet_dns.records = { + external = [ + "${name} A ${ip_pub}" + ]; + cname = []; + }; + + networking.hostName = name; + # this has to be defined for any physical servers + # vms are defined by teh vm host + networking.interfaces = { + eno1 = { + ipv4.routes = [ +# { +# address = "193.1.99.72"; +# prefixLength = 26; +# via = "193.1.99.65"; +# } + ]; + }; + eno2 = { + useDHCP = false; + ipv4.addresses = [ + { + address = "193.1.99.72"; + prefixLength = 26; + } + #{ + # address = "172.20.20.1"; + # prefixLength = 24; + #} + ]; + }; + }; + + # this server is teh firewall + skynet_firewall = { + # always good to know oneself + + own = { + ip = ip_pub; + + ports = { + tcp = [ + # ssh in + 22 + ]; + udp = []; + }; + }; + + enable = true; + + # gonna have to get all the + forward = builtins.concatLists ( + # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list + lib.attrsets.mapAttrsToList (key: value: + # make sure that anything running this firewall dosent count (recursion otherewise) + # firewall may want to open ports in itself but can deal with that later + if builtins.hasAttr "skynet_firewall" value.config + then ( + if value.config.skynet_firewall.enable + then [] + else value.config.skynet_firewall.forward + ) + else [] + ) nodes + ); + }; + +} diff --git a/machines/ash.nix b/machines/ash.nix index 4488540..db0923b 100644 
--- a/machines/ash.nix +++ b/machines/ash.nix @@ -1,91 +1,91 @@ -/* - - Name: https://en.wikipedia.org/wiki/Ash_(Alien) - Why: Infilitrate into the network - Type: VM - Hardware: - - 
From: 2023 - Role: Wireguard (VPN) Server - Notes: Thius vpn is for admin use only, to give access to all the servers via ssh - -*/ - -{ pkgs, lib, nodes, ... }: -let - # name of the server, sets teh hostname and record for it - name = "ash"; - ip_pub = "193.1.99.75"; - ip_priv = "172.20.20.5"; - # hostname = "${name}.skynet.ie"; - hostname = ip_pub; - -in { - imports = [ - # applications for this particular server - ../applications/firewall.nix - ../applications/dns.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = "root"; - }; - - # these two are to be able to add the rules for firewall and dns - # open the firewall for this - skynet_firewall.forward = [ - "ip saddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept" - ]; - - skynet_dns.records = { - external = [ - "${name} A ${ip_pub}" - ]; - cname = [ - #may asw ell add a cname for this - "wg CNAME ${name}" - ]; - }; - - - age.secrets.wireguard.file = ../secrets/wireguard.age; - - networking = { - nat = { - enable = true; - externalInterface = "eth0"; - internalInterfaces = ["wg0"]; - }; - - firewall = { - allowedTCPPorts = [22]; - allowedUDPPorts = [8000]; - interfaces.wg0 = { - allowedTCPPorts = [53]; - allowedUDPPorts = [53]; - }; - }; - - wireguard.interfaces.wg0 = { - # may need to change this to the same base as the full network - ips = ["172.20.21.0/24"]; - listenPort = 8000; - privateKeyFile = "/run/agenix/wireguard"; - - peers = [ - { # silver - Brendan - publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ="; - allowedIPs = [ "172.20.21.2/32" ]; - } - ]; - - }; - }; - - environment.systemPackages = [ - # needed to generate keys - pkgs.wireguard-tools - ]; - -} +/* + + Name: https://en.wikipedia.org/wiki/Ash_(Alien) + Why: Infilitrate into the network + Type: VM + Hardware: - + 
From: 2023 + Role: Wireguard (VPN) Server + Notes: Thius vpn is for admin use only, to give access to all the servers via ssh + +*/ + +{ pkgs, lib, nodes, ... }: +let + # name of the server, sets teh hostname and record for it + name = "ash"; + ip_pub = "193.1.99.75"; + ip_priv = "172.20.20.5"; + # hostname = "${name}.skynet.ie"; + hostname = ip_pub; + +in { + imports = [ + # applications for this particular server + ../applications/firewall.nix + ../applications/dns.nix + ]; + + deployment = { + targetHost = hostname; + targetPort = 22; + targetUser = "root"; + }; + + # these two are to be able to add the rules for firewall and dns + # open the firewall for this + skynet_firewall.forward = [ + "ip saddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept" + ]; + + skynet_dns.records = { + external = [ + "${name} A ${ip_pub}" + ]; + cname = [ + #may asw ell add a cname for this + "wg CNAME ${name}" + ]; + }; + + + age.secrets.wireguard.file = ../secrets/wireguard.age; + + networking = { + nat = { + enable = true; + externalInterface = "eth0"; + internalInterfaces = ["wg0"]; + }; + + firewall = { + allowedTCPPorts = [22]; + allowedUDPPorts = [8000]; + interfaces.wg0 = { + allowedTCPPorts = [53]; + allowedUDPPorts = [53]; + }; + }; + + wireguard.interfaces.wg0 = { + # may need to change this to the same base as the full network + ips = ["172.20.21.0/24"]; + listenPort = 8000; + privateKeyFile = "/run/agenix/wireguard"; + + peers = [ + { # silver - Brendan + publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ="; + allowedIPs = [ "172.20.21.2/32" ]; + } + ]; + + }; + }; + + environment.systemPackages = [ + # needed to generate keys + pkgs.wireguard-tools + ]; + +} diff --git a/machines/galatea.nix b/machines/galatea.nix index 293fc58..5def808 100644 --- a/machines/galatea.nix +++ b/machines/galatea.nix 
@@ -1,74 +1,74 @@ -/* - - Name: https://en.wikipedia.org/wiki/Galatea_(mythology) - Why: Created as a product of artistic expression - Type: VM - Hardware: - - From: 2023 - Role: Icecast server for ULFM - Notes: - -*/ - -{ pkgs, lib, nodes, config, ... }: -let - # name of the server, sets teh hostname and record for it - name = "galatea"; - ip_pub = "193.1.99.111"; - ip_priv = "172.20.20.6"; - # hostname = "${name}.skynet.ie"; - hostname = ip_pub; - - # dosent seem to be any otehr way to have it like read from a file - feck = "d9J4jDsJPuMPUMAAE4J4tH37HsmxEDze"; -in { - imports = [ - # applications for this particular server - ../applications/firewall.nix - ../applications/dns.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = "root"; - }; - - # these two are to be able to add the rules for firewall and dns - # open the firewall for this - skynet_firewall.forward = [ - "ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept" - "ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept" - "ip saddr ${ip_pub} tcp dport 8000 counter packets 0 bytes 0 accept" - ]; - - skynet_dns.records = { - external = [ - "${name} A ${ip_pub}" - ]; - cname = [ - # this is also the stream server - "stream CNAME ${name}" - ]; - }; - - networking.firewall.allowedTCPPorts = [ - 22 - 80 - 443 - 8000 - ]; - - # config for icecast is smol so can have it in this - services.icecast = { - enable = true; - hostname = hostname; - - admin = { - user = "admin"; - password = feck; - }; - - }; - -} +/* + + Name: https://en.wikipedia.org/wiki/Galatea_(mythology) + Why: Created as a product of artistic expression + Type: VM + Hardware: - + 
From: 2023 + Role: Icecast server for ULFM + Notes: + +*/ + +{ pkgs, lib, nodes, config, ... }: +let + # name of the server, sets teh hostname and record for it + name = "galatea"; + ip_pub = "193.1.99.111"; + ip_priv = "172.20.20.6"; + # hostname = "${name}.skynet.ie"; + hostname = ip_pub; + + # dosent seem to be any otehr way to have it like read from a file + feck = "d9J4jDsJPuMPUMAAE4J4tH37HsmxEDze"; +in { + imports = [ + # applications for this particular server + ../applications/firewall.nix + ../applications/dns.nix + ]; + + deployment = { + targetHost = hostname; + targetPort = 22; + targetUser = "root"; + }; + + # these two are to be able to add the rules for firewall and dns + # open the firewall for this + skynet_firewall.forward = [ + "ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept" + "ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept" + "ip saddr ${ip_pub} tcp dport 8000 counter packets 0 bytes 0 accept" + ]; + + skynet_dns.records = { + external = [ + "${name} A ${ip_pub}" + ]; + cname = [ + # this is also the stream server + "stream CNAME ${name}" + ]; + }; + + networking.firewall.allowedTCPPorts = [ + 22 + 80 + 443 + 8000 + ]; + + # config for icecast is smol so can have it in this + services.icecast = { + enable = true; + hostname = hostname; + + admin = { + user = "admin"; + password = feck; + }; + + }; + +} diff --git a/machines/optimus.nix b/machines/optimus.nix index 4426d93..7c96bc1 100644 --- a/machines/optimus.nix +++ b/machines/optimus.nix @@ -1,61 +1,61 @@ -/* - - Name: https://en.wikipedia.org/wiki/Optimus_Prime - Why: Created to sell toys so this vm is for games - Type: VM - Hardware: - - 
From: 2023 - Role: Game host - Notes: - -*/ - -{ pkgs, lib, nodes, arion, ... }: -let - # name of the server, sets teh hostname and record for it - name = "optimus"; - ip_pub = "193.1.99.112"; - ip_priv = "172.20.20.7"; - # hostname = "${name}.skynet.ie"; - hostname = ip_pub; - -in { - imports = [ - # applications for this particular server - ../applications/firewall.nix - ../applications/dns.nix - ../applications/games.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = "root"; - }; - - # these two are to be able to add the rules for firewall and dns - # open the firewall for this - skynet_firewall.forward = [ - "ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept" - "ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept" - "ip saddr ${ip_pub} tcp dport 25565 counter packets 0 bytes 0 accept" - ]; - - skynet_dns.records = { - external = [ - "${name} A ${ip_pub}" - ]; - cname = [ - # the games are each going to have a subdomain on this - "games CNAME ${name}" - ]; - }; - - networking.firewall.allowedTCPPorts = [ - 22 - 80 - 443 - 25565 - ]; - -} +/* + + Name: https://en.wikipedia.org/wiki/Optimus_Prime + Why: Created to sell toys so this vm is for games + Type: VM + Hardware: - + 
From: 2023 + Role: Game host + Notes: + +*/ + +{ pkgs, lib, nodes, arion, ... }: +let + # name of the server, sets teh hostname and record for it + name = "optimus"; + ip_pub = "193.1.99.112"; + ip_priv = "172.20.20.7"; + # hostname = "${name}.skynet.ie"; + hostname = ip_pub; + +in { + imports = [ + # applications for this particular server + ../applications/firewall.nix + ../applications/dns.nix + ../applications/games.nix + ]; + + deployment = { + targetHost = hostname; + targetPort = 22; + targetUser = "root"; + }; + + # these two are to be able to add the rules for firewall and dns + # open the firewall for this + skynet_firewall.forward = [ + "ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept" + "ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept" + "ip saddr ${ip_pub} tcp dport 25565 counter packets 0 bytes 0 accept" + ]; + + skynet_dns.records = { + external = [ + "${name} A ${ip_pub}" + ]; + cname = [ + # the games are each going to have a subdomain on this + "games CNAME ${name}" + ]; + }; + + networking.firewall.allowedTCPPorts = [ + 22 + 80 + 443 + 25565 + ]; + +} diff --git a/machines/vendetta.nix b/machines/vendetta.nix index 954e542..7d5b5ec 100644 --- a/machines/vendetta.nix +++ b/machines/vendetta.nix @@ -1,96 +1,96 @@ -/* - - Name: https://masseffect.fandom.com/wiki/Vendetta - Why: Vendetta held troves of important data waiting for folks to request it. - Type: VM - Hardware: - - 
From: 2023 - Role: DNS Server - Notes: - -*/ - -{ pkgs, lib, nodes, ... }: -let - # name of the server, sets teh hostname and record for it - name = "vendetta"; - ip_pub = "193.1.99.120"; - ip_priv = "172.20.20.3"; - # hostname = "${name}.skynet.ie"; - hostname = ip_pub; - - # sets which nameserver it is - ns = "ns1"; -in { - imports = [ - # applications for this particular server - ../applications/firewall.nix - ../applications/dns.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = "root"; - }; - - networking = { - firewall = { - allowedTCPPorts = [22 53]; - allowedUDPPorts = [53]; - }; - }; - - # open the firewall for this - skynet_firewall.forward = [ - "ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept" - "ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept" - ]; - - skynet_dns = { - enable = true; - - # this server will have to have dns records - own = { - nameserver = ns; - external = [ - "${name} A ${ip_pub}" - "${ns} A ${ip_pub}" - - # needs this, temporally - "mail A ${ip_pub}" - ]; - cname = [ - #"misc CNAME vendetta" - ]; - }; - - records = { - # using the same logic as the firewall, comments there - external = builtins.concatLists ( - lib.attrsets.mapAttrsToList (key: value: - if builtins.hasAttr "skynet_dns" value.config - then ( - if value.config.skynet_dns.enable - then value.config.skynet_dns.own.external - else value.config.skynet_dns.records.external - ) - else [] - ) nodes - ); - - cname = builtins.concatLists ( - lib.attrsets.mapAttrsToList (key: value: - if builtins.hasAttr "skynet_dns" value.config - then ( - if value.config.skynet_dns.enable - then value.config.skynet_dns.own.cname - else value.config.skynet_dns.records.cname - ) - else [] - ) nodes - ); - }; - }; - -} +/* + + Name: https://masseffect.fandom.com/wiki/Vendetta + Why: Vendetta held troves of important data waiting for folks to request it. + Type: VM + Hardware: - + 
From: 2023 + Role: DNS Server + Notes: + +*/ + +{ pkgs, lib, nodes, ... }: +let + # name of the server, sets teh hostname and record for it + name = "vendetta"; + ip_pub = "193.1.99.120"; + ip_priv = "172.20.20.3"; + # hostname = "${name}.skynet.ie"; + hostname = ip_pub; + + # sets which nameserver it is + ns = "ns1"; +in { + imports = [ + # applications for this particular server + ../applications/firewall.nix + ../applications/dns.nix + ]; + + deployment = { + targetHost = hostname; + targetPort = 22; + targetUser = "root"; + }; + + networking = { + firewall = { + allowedTCPPorts = [22 53]; + allowedUDPPorts = [53]; + }; + }; + + # open the firewall for this + skynet_firewall.forward = [ + "ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept" + "ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept" + ]; + + skynet_dns = { + enable = true; + + # this server will have to have dns records + own = { + nameserver = ns; + external = [ + "${name} A ${ip_pub}" + "${ns} A ${ip_pub}" + + # needs this, temporally + "mail A ${ip_pub}" + ]; + cname = [ + #"misc CNAME vendetta" + ]; + }; + + records = { + # using the same logic as the firewall, comments there + external = builtins.concatLists ( + lib.attrsets.mapAttrsToList (key: value: + if builtins.hasAttr "skynet_dns" value.config + then ( + if value.config.skynet_dns.enable + then value.config.skynet_dns.own.external + else value.config.skynet_dns.records.external + ) + else [] + ) nodes + ); + + cname = builtins.concatLists ( + lib.attrsets.mapAttrsToList (key: value: + if builtins.hasAttr "skynet_dns" value.config + then ( + if value.config.skynet_dns.enable + then value.config.skynet_dns.own.cname + else value.config.skynet_dns.records.cname + ) + else [] + ) nodes + ); + }; + }; + +} diff --git a/machines/vigil.nix b/machines/vigil.nix index 476890c..2119756 100644 --- a/machines/vigil.nix +++ b/machines/vigil.nix 
@@ -1,92 +1,92 @@ -/* - - Name: https://masseffect.fandom.com/wiki/Vigil - Why: Counterpart to Vendetta - Type: VM - Hardware: - - From: 2023 - Role: DNS Server - Notes: - -*/ - -{ pkgs, lib, nodes, ... }: -let - name = "vigil"; - ip_pub = "193.1.99.109"; - ip_priv = "172.20.20.4"; - # hostname = "${name}.skynet.ie"; - hostname = ip_pub; - - # sets which nameserver it is - ns = "ns2"; -in { - imports = [ - # applications for this particular server - ../applications/firewall.nix - ../applications/dns.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = "root"; - }; - - networking = { - firewall = { - allowedTCPPorts = [22 53]; - allowedUDPPorts = [53]; - }; - }; - - # open the firewall for this - skynet_firewall.forward = [ - "ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept" - "ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept" - ]; - - skynet_dns = { - enable = true; - - # this server will have to have dns records - own = { - nameserver = ns; - external = [ - "${name} A ${ip_pub}" - "${ns} A ${ip_pub}" - ]; - cname = [ - #"misc CNAME vendetta" - ]; - }; - - records = { - # using the same logic as the firewall, comments there - external = builtins.concatLists ( - lib.attrsets.mapAttrsToList (key: value: - if builtins.hasAttr "skynet_dns" value.config - then ( - if value.config.skynet_dns.enable - then value.config.skynet_dns.own.external - else value.config.skynet_dns.records.external - ) - else [] - ) nodes - ); - - cname = builtins.concatLists ( - lib.attrsets.mapAttrsToList (key: value: - if builtins.hasAttr "skynet_dns" value.config - then ( - if value.config.skynet_dns.enable - then value.config.skynet_dns.own.cname - else value.config.skynet_dns.records.cname - ) - else [] - ) nodes - ); - }; - }; - -} +/* + + Name: https://masseffect.fandom.com/wiki/Vigil + Why: Counterpart to Vendetta + Type: VM + Hardware: - + 
From: 2023 + Role: DNS Server + Notes: + +*/ + +{ pkgs, lib, nodes, ... }: +let + name = "vigil"; + ip_pub = "193.1.99.109"; + ip_priv = "172.20.20.4"; + # hostname = "${name}.skynet.ie"; + hostname = ip_pub; + + # sets which nameserver it is + ns = "ns2"; +in { + imports = [ + # applications for this particular server + ../applications/firewall.nix + ../applications/dns.nix + ]; + + deployment = { + targetHost = hostname; + targetPort = 22; + targetUser = "root"; + }; + + networking = { + firewall = { + allowedTCPPorts = [22 53]; + allowedUDPPorts = [53]; + }; + }; + + # open the firewall for this + skynet_firewall.forward = [ + "ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept" + "ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept" + ]; + + skynet_dns = { + enable = true; + + # this server will have to have dns records + own = { + nameserver = ns; + external = [ + "${name} A ${ip_pub}" + "${ns} A ${ip_pub}" + ]; + cname = [ + #"misc CNAME vendetta" + ]; + }; + + records = { + # using the same logic as the firewall, comments there + external = builtins.concatLists ( + lib.attrsets.mapAttrsToList (key: value: + if builtins.hasAttr "skynet_dns" value.config + then ( + if value.config.skynet_dns.enable + then value.config.skynet_dns.own.external + else value.config.skynet_dns.records.external + ) + else [] + ) nodes + ); + + cname = builtins.concatLists ( + lib.attrsets.mapAttrsToList (key: value: + if builtins.hasAttr "skynet_dns" value.config + then ( + if value.config.skynet_dns.enable + then value.config.skynet_dns.own.cname + else value.config.skynet_dns.records.cname + ) + else [] + ) nodes + ); + }; + }; + +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 28ab18b..2c7e97f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,22 +1,22 @@
-let
- admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
- silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb";
-
- users = [
- admin
- silver_laptop_wsl
- ];
-
- # change this when its properly set up
- agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbqYQrdVHmGgXZJoMWWRDGVEIj775Zrf4PxB5hoth+k root@agentjones";
- ash = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJDVQGjIwMQmkElGshgKDAlChM2xdNN6iI5Ap2IbAs5";
- systems = [
- agentjones
- ash
- ];
-in
-{
- # nix run github:ryantm/agenix -- -e secret1.age
-
- "wireguard.age".publicKeys = users ++ systems;
+let
+ admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
+ silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb";
+
+ users = [
+ admin
+ silver_laptop_wsl
+ ];
+
+ # change this when its properly set up
+ agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbqYQrdVHmGgXZJoMWWRDGVEIj775Zrf4PxB5hoth+k root@agentjones";
+ ash = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJDVQGjIwMQmkElGshgKDAlChM2xdNN6iI5Ap2IbAs5";
+ systems = [
+ agentjones
+ ash
+ ];
+in
+{
+ # nix run github:ryantm/agenix -- -e secret1.age
+
+ "wireguard.age".publicKeys = users ++ systems;
}
\ No newline at end of file