diff --git a/README.md b/README.md
index 35019eb..e625d6d 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,13 @@ We should be updating ``nixpkgs`` at least once a semester, ideally to teh next
 nix flake lock --update-input nixpkgs
 ```
+### Formatting
+Formatting helps keep everything nice and consistent.
+
+```shell
+nix fmt
+```
+
diff --git a/applications/acme.nix b/applications/acme.nix
index 3018c5a..435715b 100644
--- a/applications/acme.nix
+++ b/applications/acme.nix
@@ -1,13 +1,17 @@
-{ config, pkgs, lib, ... }:
- with lib;
- let
- cfg = config.skynet_acme;
- in {
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.skynet_acme;
+in {
 imports = [];
 options.skynet_acme = {
 domains = lib.mkOption {
- default = [ ];
+ default = [];
 type = lib.types.listOf lib.types.str;
 description = ''
 A list of domains to use for this server.
diff --git a/applications/discord.nix b/applications/discord.nix
index 7246357..75bef74 100644
--- a/applications/discord.nix
+++ b/applications/discord.nix
@@ -1,9 +1,13 @@
-{ config, pkgs, lib, inputs, ... }:
- with lib;
- let
- cfg = config.services.discord_bot;
- in {
-
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ ...
+}:
+with lib; let
+ cfg = config.services.discord_bot;
+in {
 imports = [
 inputs.skynet_discord_bot.nixosModule."x86_64-linux"
 ];
@@ -13,26 +17,25 @@ }; config = mkIf cfg.enable { - #backups = [ "/etc/silver_ul_ical/database.db" ]; - age.secrets.discord_token.file = ../secrets/discord/token.age; - age.secrets.discord_ldap.file = ../secrets/discord/ldap.age; - age.secrets.discord_mail.file = ../secrets/email/details.age; + age.secrets.discord_token.file = ../secrets/discord/token.age; + age.secrets.discord_ldap.file = ../secrets/discord/ldap.age; + age.secrets.discord_mail.file = ../secrets/email/details.age; services.skynet_discord_bot = { enable = true; env = { discord = config.age.secrets.discord_token.path; - ldap = config.age.secrets.discord_ldap.path; - mail = config.age.secrets.discord_mail.path; + ldap = config.age.secrets.discord_ldap.path; + mail = config.age.secrets.discord_mail.path; }; discord = { server = "689189992417067052"; role = { - past = "689192357727436926"; + past = "689192357727436926"; current = "1152702256702030035"; }; }; diff --git a/applications/dns.nix b/applications/dns.nix index 8ad62ce..3ade43f 100644 --- a/applications/dns.nix +++ b/applications/dns.nix 
@@ -1,24 +1,33 @@ -{ lib, pkgs, config, nodes, ... }: -let +{ + lib, + pkgs, + config, + nodes, + ... +}: let cfg = config.skynet_dns; # reads that date to a string (will need to be fixed in 2038) current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}"; # gets a list of records that match this type - filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records; + filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records; filter_records_server = builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type "A"); - filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A"); + filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A"); - process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x); - process_ptr_sub = record: {record=(builtins.substring 9 3 record.record); r_type="PTR"; value=record.value;}; - ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip); + process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x); + process_ptr_sub = record: { + record = builtins.substring 9 3 record.record; + r_type = "PTR"; + value = record.value; + }; + ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip); sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server; - sort_records_a = builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) filter_records_a; - sort_records_cname = builtins.sort (a: b: a.value < b.value) (filter_records_type "CNAME"); - sort_records_ptr = builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type "PTR")); - sort_records_srv = builtins.sort (a: b: a.record < b.record) (filter_records_type "SRV"); + sort_records_a = builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) filter_records_a; + 
sort_records_cname = builtins.sort (a: b: a.value < b.value) (filter_records_type "CNAME"); + sort_records_ptr = builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type "PTR")); + sort_records_srv = builtins.sort (a: b: a.record < b.record) (filter_records_type "SRV"); format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records; 
@@ -26,144 +35,142 @@ let padString = text: length: fixedWidthString_post length " " text; # like lib.strings.fixedWidthString but postfix - fixedWidthString_post = width: filler: str: - let - strw = lib.stringLength str; - reqWidth = width - (lib.stringLength filler); - in - assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})"; + fixedWidthString_post = width: filler: str: let + strw = lib.stringLength str; + reqWidth = width - (lib.stringLength filler); + in + assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})"; if strw == width then str else (fixedWidthString_post reqWidth filler str) + filler; - - # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) - get_config_file = (domain: -''$TTL 60 ; 1 minute -; hostmaster@${domain} is an email address that recieves stuff related to dns -@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. ( - ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated - ${current_date} - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 604800 ; Expire (1 week) - 3600 ; Minimum (1 hour) - ) + get_config_file = ( + domain: '' + $TTL 60 ; 1 minute + ; hostmaster@${domain} is an email address that recieves stuff related to dns + @ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. ( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) -@ NS ns1.${domain}. -@ NS ns2.${domain}. - ; @ stands for teh root domain so teh A record below is where ${domain} points to -;@ A 193.1.99.76 -;@ MX 5 ${domain}. + @ NS ns1.${domain}. + @ NS ns2.${domain}. 
+ ; @ stands for teh root domain so teh A record below is where ${domain} points to + ;@ A 193.1.99.76 + ;@ MX 5 ${domain}. -; can have multiple mailserves -@ MX 10 mail.${domain}. + ; can have multiple mailserves + @ MX 10 mail.${domain}. -; ------------------------------------------ -; Server Names (A Records) -; ------------------------------------------ -${format_records sort_records_server 11} + ; ------------------------------------------ + ; Server Names (A Records) + ; ------------------------------------------ + ${format_records sort_records_server 11} -; ------------------------------------------ -; A (non server names -; ------------------------------------------ -${format_records sort_records_a 18} + ; ------------------------------------------ + ; A (non server names + ; ------------------------------------------ + ${format_records sort_records_a 18} -; ------------------------------------------ -; CNAMES -; ------------------------------------------ -${format_records sort_records_cname 31} + ; ------------------------------------------ + ; CNAMES + ; ------------------------------------------ + ${format_records sort_records_cname 31} -; ------------------------------------------ -; TXT -; ------------------------------------------ -${format_records (filter_records_type "TXT") 29} + ; ------------------------------------------ + ; TXT + ; ------------------------------------------ + ${format_records (filter_records_type "TXT") 29} -; ------------------------------------------ -; SRV -; ------------------------------------------ -${format_records sort_records_srv 17} + ; ------------------------------------------ + ; SRV + ; ------------------------------------------ + ${format_records sort_records_srv 17} -'' + '' ); + # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse + # config for our reverse dnspointers (not properly working) + get_config_file_rev = ( + domain: '' + 
$ORIGIN 64-64.99.1.193.in-addr.arpa. + $TTL 60 ; 1 minute + ; hostmaster@skynet.ie is an email address that recieves stuff related to dns + @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. ( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) - # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse - # config for our reverse dnspointers (not properly working) - get_config_file_rev = (domain: -''$ORIGIN 64-64.99.1.193.in-addr.arpa. -$TTL 60 ; 1 minute -; hostmaster@skynet.ie is an email address that recieves stuff related to dns -@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. ( - ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated - ${current_date} - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 604800 ; Expire (1 week) - 3600 ; Minimum (1 hour) - ) + @ NS ns1.skynet.ie. + @ NS ns2.skynet.ie. -@ NS ns1.skynet.ie. -@ NS ns2.skynet.ie. + ; ------------------------------------------ + ; PTR + ; ------------------------------------------ + ${format_records sort_records_ptr 3} + '' + ); -; ------------------------------------------ -; PTR -; ------------------------------------------ -${format_records sort_records_ptr 3} -'' - ); + # domains we dont have proper ownship over, only here to ensure the logs dont get cluttered. + get_config_file_old_domains = ( + domain: '' + $TTL 60 ; 1 minute + ; hostmaster@skynet.ie is an email address that recieves stuff related to dns + @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. 
( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) - # domains we dont have proper ownship over, only here to ensure the logs dont get cluttered. - get_config_file_old_domains = (domain: -''$TTL 60 ; 1 minute -; hostmaster@skynet.ie is an email address that recieves stuff related to dns -@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. ( - ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated - ${current_date} - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 604800 ; Expire (1 week) - 3600 ; Minimum (1 hour) - ) + @ NS ns1.skynet.ie. + @ NS ns2.skynet.ie. -@ NS ns1.skynet.ie. -@ NS ns2.skynet.ie. - -'' - ); + '' + ); # arrys of teh two nameservers tmp1 = ["193.1.99.109"]; tmp2 = ["193.1.99.120"]; - primaries = (if cfg.server.primary then - # primary servers have no primaries (ones they listen to) - [] - else - if builtins.elem cfg.server.ip tmp1 then - tmp2 - else - tmp1 + primaries = ( + if cfg.server.primary + then + # primary servers have no primaries (ones they listen to) + [] + else if builtins.elem cfg.server.ip tmp1 + then tmp2 + else tmp1 ); - secondaries = (if cfg.server.primary then - if builtins.elem cfg.server.ip tmp1 then - tmp2 - else - tmp1 - else - [] + secondaries = ( + if cfg.server.primary + then + if builtins.elem cfg.server.ip tmp1 + then tmp2 + else tmp1 + else [] ); # small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router - create_cache_networks = (map (x: "193.1.99.${toString x}/32" ) (lib.lists.range 71 126) ); + create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126); - - # standard function to create the etc file, pass in the text and domain and it makes it - create_entry_etc_sub = domain: text: { + # standard function to create 
the etc file, pass in the text and domain and it makes it + create_entry_etc_sub = domain: text: { # Creates /etc/skynet/dns/domain "skynet/dns/${domain}" = { user = "named"; @@ -175,37 +182,35 @@ ${format_records sort_records_ptr 3} text = text; }; }; -# (text.owned "csn.ul.ie") - + # (text.owned "csn.ul.ie") # standard function to create the etc file, pass in the text and domain and it makes it create_entry_etc = domain: type: - if type == "owned" then - create_entry_etc_sub domain (text.owned domain) - else if type == "reverse" then - create_entry_etc_sub domain (text.reverse domain) - else if type == "old" then - create_entry_etc_sub domain (text.old domain) - else - {}; + if type == "owned" + then create_entry_etc_sub domain (text.owned domain) + else if type == "reverse" + then create_entry_etc_sub domain (text.reverse domain) + else if type == "old" + then create_entry_etc_sub domain (text.old domain) + else {}; - create_entry_zone = (domain: extraConfig: { - "${domain}" = { - extraConfig = '' -${extraConfig} -// for bumping the config -// ${current_date} -''; - # really wish teh nixos config didnt use master/slave - master = cfg.server.primary; - masters = primaries; - slaves = secondaries; - # need to write this to a file - # using the date in it so it will trigger a restart - file = "/etc/skynet/dns/${domain}"; - # no leading whitespace for first line - }; - }); + create_entry_zone = domain: extraConfig: { + "${domain}" = { + extraConfig = '' + ${extraConfig} + // for bumping the config + // ${current_date} + ''; + # really wish teh nixos config didnt use master/slave + master = cfg.server.primary; + masters = primaries; + slaves = secondaries; + # need to write this to a file + # using the date in it so it will trigger a restart + file = "/etc/skynet/dns/${domain}"; + # no leading whitespace for first line + }; + }; text = { owned = domain: get_config_file domain; 
@@ -215,15 +220,14 @@ ${extraConfig} extraConfig = { owned = - if cfg.server.primary then -'' -allow-update { key rfc2136key.skynet.ie.; }; + if cfg.server.primary + then '' + allow-update { key rfc2136key.skynet.ie.; }; -dnssec-policy default; -inline-signing yes; -'' - else - ""; + dnssec-policy default; + inline-signing yes; + '' + else ""; # no extra config for reverse reverse = ""; @@ -232,30 +236,52 @@ inline-signing yes; }; records = builtins.concatLists ( - lib.attrsets.mapAttrsToList (key: value: - let + lib.attrsets.mapAttrsToList ( + key: value: let details_server = value.config.skynet_dns.server; details_records = value.config.skynet_dns.records; in - if builtins.hasAttr "skynet_dns" value.config - then ( - # got to handle habing a dns record for the dns serves themselves. - if details_server.enable - then ( - if details_server.primary - then details_records ++ [ {record="ns1"; r_type="A"; value=details_server.ip; server=false;} ] - else details_records ++ [ {record="ns2"; r_type="A"; value=details_server.ip; server=false;} ] - ) - else details_records - ) - else [] - ) nodes + if builtins.hasAttr "skynet_dns" value.config + then + ( + # got to handle habing a dns record for the dns serves themselves. + if details_server.enable + then + ( + if details_server.primary + then + details_records + ++ [ + { + record = "ns1"; + r_type = "A"; + value = details_server.ip; + server = false; + } + ] + else + details_records + ++ [ + { + record = "ns2"; + r_type = "A"; + value = details_server.ip; + server = false; + } + ] + ) + else details_records + ) + else [] + ) + nodes ); - nameserver = if cfg.server.primary then "ns1" else "ns2"; - + nameserver = + if cfg.server.primary + then "ns1" + else "ns2"; in { - imports = [ ../applications/firewall.nix ]; 
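Review bot: `allow-update { key rfc2136key.skynet.ie.; };` in `extraConfig.owned` grants the holder of that single TSIG key unrestricted update rights over every zone created with `extraConfig.owned` (csn.ul.ie, skynet.ie and ulcompsoc.ie per the `services.bind.zones` hunk), so whatever client holds the key — presumably a DNS-01 ACME hook given the rfc2136 naming, though the page does not show it — could rewrite MX, A or NS records of those zones if it were compromised. BIND's `update-policy` can narrow the grant to the names and record types that client actually needs, e.g. `update-policy { grant rfc2136key.skynet.ie. name _acme-challenge.skynet.ie. TXT; };` (constructed example, one rule per zone that is really updated). A comment next to the key name recording which host holds the secret and what it is used for would also help the next maintainer judge the blast radius. The `extraConfig` attribute set continues outside the hunk.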
@@ -284,31 +310,30 @@ in { records = lib.mkOption { description = "Records, sorted based on therir type"; - type = with lib.types; listOf (submodule { - options = { - record = lib.mkOption { - type = str; + type = with lib.types; + listOf (submodule { + options = { + record = lib.mkOption { + type = str; + }; + r_type = lib.mkOption { + type = enum ["A" "CNAME" "TXT" "PTR" "SRV"]; + }; + value = lib.mkOption { + type = str; + }; + server = lib.mkOption { + description = "Core record for a server"; + type = bool; + default = false; + }; }; - r_type = lib.mkOption { - type = enum ["A" "CNAME" "TXT" "PTR" "SRV"]; - }; - value = lib.mkOption { - type = str; - }; - server = lib.mkOption { - description = "Core record for a server"; - type = bool; - default = false; - }; - }; - }); + }); }; - }; }; config = lib.mkIf cfg.server.enable { - # open the firewall for this skynet_firewall.forward = [ "ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept" 
@@ -316,25 +341,20 @@ in {
 ];
 services.bind.zones =
- (create_entry_zone "csn.ul.ie" extraConfig.owned ) //
- (create_entry_zone "skynet.ie" extraConfig.owned ) //
- (create_entry_zone "ulcompsoc.ie" extraConfig.owned ) //
-
- (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse ) //
-
- (create_entry_zone "conradcollins.net" extraConfig.old )//
- (create_entry_zone "edelharty.net" extraConfig.old );
+ (create_entry_zone "csn.ul.ie" extraConfig.owned)
+ // (create_entry_zone "skynet.ie" extraConfig.owned)
+ // (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
+ // (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
+ // (create_entry_zone "conradcollins.net" extraConfig.old)
+ // (create_entry_zone "edelharty.net" extraConfig.old);
 environment.etc =
- (create_entry_etc "csn.ul.ie" "owned") //
- (create_entry_etc "skynet.ie" "owned") //
- (create_entry_etc "ulcompsoc.ie" "owned") //
-
- (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse") //
-
- (create_entry_etc "conradcollins.net" "old") //
- (create_entry_etc "edelharty.net" "old");
-
+ (create_entry_etc "csn.ul.ie" "owned")
+ // (create_entry_etc "skynet.ie" "owned")
+ // (create_entry_etc "ulcompsoc.ie" "owned")
+ // (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
+ // (create_entry_etc "conradcollins.net" "old")
+ // (create_entry_etc "edelharty.net" "old");
 # secrets required
 age.secrets.dns_dnskeys = {
@@ -374,23 +394,25 @@ in {
 "9.9.9.9"
 ];
- cacheNetworks = [
- # this server itself
- "127.0.0.0/24"
+ cacheNetworks =
+ [
+ # this server itself
+ "127.0.0.0/24"
- # skynet server in the dmz
- "193.1.96.165/32"
- # all of skynet can use this as a resolver
- /*
- Origianl idea, however all external traffic had the ip of the router
- "193.1.99.64/26"
+ # skynet server in the dmz
+ "193.1.96.165/32"
+ # all of skynet can use this as a resolver
+ /*
+ Origianl idea, however all external traffic had the ip of the router
+ "193.1.99.64/26"
- So to fix this we need to allow smaller ranges? - Didnt work
- Fallback is explisitly listing each ip we have
+ So to fix this we need to allow smaller ranges? - Didnt work
+ Fallback is explisitly listing each ip we have
- Now have a function for it
- */
- ] ++ create_cache_networks;
+ Now have a function for it
+ */
+ ]
+ ++ create_cache_networks;
 };
 # deletes teh journal files evey start so it no longer stalls out
@@ -404,6 +426,5 @@ in {
 createHome = true;
 home = "/etc/skynet/dns";
 };
-
 };
-}
\ No newline at end of file
+}
diff --git a/applications/email.nix b/applications/email.nix
index 265fc45..c91f4da 100644
--- a/applications/email.nix
+++ b/applications/email.nix
@@ -1,17 +1,21 @@ -{ config, pkgs, lib, inputs, ...}: with lib; - let - cfg = config.services.skynet_email; +{ + config, + pkgs, + lib, + inputs, + ... +}: +with lib; let + cfg = config.services.skynet_email; - # create teh new strings - create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})"); + # create teh new strings + create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})"); - create_filter_join = (x: concatStringsSep "" x); - - # thought you could escape racket? - create_filter = (groups: create_filter_join (create_filter_array groups) ); - - in { + create_filter_join = x: concatStringsSep "" x; + # thought you could escape racket? + create_filter = groups: create_filter_join (create_filter_array groups); +in { imports = [ ./dns.nix ./acme.nix @@ -85,7 +89,6 @@ default = "cn=admin,${cfg.ldap.base}"; description = lib.mdDoc "where to find users"; }; - }; }; 
@@ -104,40 +107,80 @@ # set up dns record for it skynet_dns.records = [ # basic one - {record="mail"; r_type="A"; value=cfg.host.ip;} + { + record = "mail"; + r_type = "A"; + value = cfg.host.ip; + } # TXT records, all tehse are inside escaped strings to allow using "" # SPF record - {record="${cfg.domain}."; r_type="TXT"; value=''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';} - + { + record = "${cfg.domain}."; + r_type = "TXT"; + value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"''; + } + # DKIM keys - {record="mail._domainkey.skynet.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';} - {record="mail._domainkey.ulcompsoc.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';} + { + record = "mail._domainkey.skynet.ie."; + r_type = "TXT"; + value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"''; + } + { + record = "mail._domainkey.ulcompsoc.ie."; + r_type = "TXT"; + value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"''; + } # DMARC - {record="_dmarc.${cfg.domain}."; r_type="TXT"; value=''"v=DMARC1; p=none"'';} + { + record = "_dmarc.${cfg.domain}."; + r_type = "TXT"; + value = ''"v=DMARC1; p=none"''; + } # reverse pointer - {record=cfg.host.ip; r_type="PTR"; 
value="${cfg.sub}.${cfg.domain}.";} + { + record = cfg.host.ip; + r_type = "PTR"; + value = "${cfg.sub}.${cfg.domain}."; + } - # SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie + # SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie # https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406 # response should be: # _imap._tcp SRV 0 1 143 imap.example.com. - {record="_imaps._tcp"; r_type="SRV"; value="0 1 993 ${cfg.sub}.${cfg.domain}.";} - {record="_imap._tcp"; r_type="SRV"; value="0 1 143 ${cfg.sub}.${cfg.domain}.";} - {record="_submissions._tcp"; r_type="SRV"; value="0 1 465 ${cfg.sub}.${cfg.domain}.";} - {record="_submission._tcp"; r_type="SRV"; value="0 1 587 ${cfg.sub}.${cfg.domain}.";} + { + record = "_imaps._tcp"; + r_type = "SRV"; + value = "0 1 993 ${cfg.sub}.${cfg.domain}."; + } + { + record = "_imap._tcp"; + r_type = "SRV"; + value = "0 1 143 ${cfg.sub}.${cfg.domain}."; + } + { + record = "_submissions._tcp"; + r_type = "SRV"; + value = "0 1 465 ${cfg.sub}.${cfg.domain}."; + } + { + record = "_submission._tcp"; + r_type = "SRV"; + value = "0 1 587 ${cfg.sub}.${cfg.domain}."; + } ]; # to provide the certs services.nginx.virtualHosts = { "${cfg.sub}.${cfg.domain}" = { - forceSSL = true; + forceSSL = true; useACMEHost = "skynet"; # override the inbuilt nginx config enableACME = false; - serverName = "${cfg.sub}.${cfg.domain}"; + serverName = "${cfg.sub}.${cfg.domain}"; }; }; 
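Review bot: The DMARC record for `_dmarc.${cfg.domain}.` is `"v=DMARC1; p=none"` with no `rua=` tag, so it neither enforces a policy nor delivers aggregate reports — it only announces that DMARC exists. Adding `rua=mailto:<reporting-address>` (placeholder) would give visibility into who sends as the domain, and once the SPF `-all` and DKIM records above are confirmed by those reports the policy can move to `quarantine` or `reject`. Separately, the two DKIM records hard-code `mail._domainkey.skynet.ie.` and `mail._domainkey.ulcompsoc.ie.` while the SPF and DMARC entries use `${cfg.domain}`, so a deployment with a different `cfg.domain` would publish SPF/DMARC but no matching DKIM selector; if that is intended, a comment saying so would help. The `skynet_dns.records` list is complete here, but the enclosing `config` block starts and ends outside the hunk.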
@@ -145,11 +188,11 @@ users.groups.nginx = {}; users.groups.roundcube = {}; services.roundcube = { - enable = true; - # this is the url of the vhost, not necessarily the same as the fqdn of - # the mailserver - hostName = "${cfg.sub}.${cfg.domain}"; - extraConfig = '' + enable = true; + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = "${cfg.sub}.${cfg.domain}"; + extraConfig = '' # starttls needed for authentication, so the fqdn required to match # the certificate $config['smtp_server'] = "ssl://${cfg.sub}.${cfg.domain}"; @@ -171,7 +214,7 @@ 'name' => 'cn', 'surname' => 'sn', 'email' => 'skMail:*', - ] + ] ); ''; }; @@ -207,7 +250,7 @@ userAttrs = "quotaEmail=quota_rule=*:bytes=%$,=quota_rule2=Trash:storage=+100M"; # accept emails in, but only allow access to paid up members - passFilter = "(&(|${create_filter cfg.groups})(skMail=%u))"; + passFilter = "(&(|${create_filter cfg.groups})(skMail=%u))"; }; postfix = { @@ -215,14 +258,11 @@ uidAttribute = "skMail"; mailAttribute = "skMail"; }; - }; # feckin spammers rejectRecipients = [ - ]; - }; # tune the spam filter diff --git a/applications/firewall.nix b/applications/firewall.nix index 1faef0e..51bdeb6 100644 --- a/applications/firewall.nix +++ b/applications/firewall.nix @@ -1,5 +1,9 @@ -{lib, pkgs, config, ...}: { - +{ + lib, + pkgs, + config, + ... +}: { # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base options = { skynet_firewall = { @@ -10,7 +14,7 @@ type = lib.types.bool; }; forward = lib.mkOption { - default = [ ]; + default = []; type = lib.types.listOf lib.types.str; description = '' A list of routes to forward 
@@ -19,16 +23,16 @@ own = { ip = lib.mkOption { - default = "127.0.0.1"; - type = lib.types.str; - description = '' - IP of the firewall - ''; + default = "127.0.0.1"; + type = lib.types.str; + description = '' + IP of the firewall + ''; }; ports = { tcp = lib.mkOption { - default = [ ]; + default = []; type = lib.types.listOf lib.types.int; description = '' A list of TCP ports for the machiene running the firewall @@ -36,15 +40,13 @@ }; udp = lib.mkOption { - default = [ ]; + default = []; type = lib.types.listOf lib.types.int; description = '' A list of UDP ports for the machiene running the firewall ''; }; - }; - }; }; }; @@ -56,8 +58,7 @@ # fules for the firewall # beware of EOL conversion. - networking.nftables.ruleset = - '' + networking.nftables.ruleset = '' # using https://oxcrag.net/2021/12/25/build-your-own-router-with-nftables-part-1/ as a guide # Clear out any existing rules @@ -164,9 +165,6 @@ } } - ''; - + ''; }; - - } diff --git a/applications/games.nix b/applications/games.nix index 7c7b126..5b48680 100644 --- a/applications/games.nix +++ b/applications/games.nix 
@@ -1,52 +1,57 @@ -{ config, pkgs, lib, ... }: - with lib; - let - cfg = config.services.skynet_games; - in { +{ + config, + pkgs, + lib, + ... +}: +with lib; let + cfg = config.services.skynet_games; +in { imports = [ ./dns.nix ./games/minecraft.nix ]; - options.services.skynet_games = { - enable = mkEnableOption "Skynet Games"; + enable = mkEnableOption "Skynet Games"; - host = { - ip = mkOption { - type = types.str; - }; - - name = mkOption { - type = types.str; - }; + host = { + ip = mkOption { + type = types.str; }; - domain = { - tld = mkOption { - type = types.str; - default = "ie"; - }; + name = mkOption { + type = types.str; + }; + }; - base = mkOption { - type = types.str; - default = "skynet"; - }; - - sub = mkOption { - type = types.str; - default = "games"; - }; + domain = { + tld = mkOption { + type = types.str; + default = "ie"; }; + base = mkOption { + type = types.str; + default = "skynet"; + }; + + sub = mkOption { + type = types.str; + default = "games"; + }; + }; }; - config = mkIf cfg.enable { skynet_dns.records = [ # need a base domain - {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} + { + record = cfg.domain.sub; + r_type = "CNAME"; + value = cfg.host.name; + } ]; # the minecraft servers @@ -62,7 +67,5 @@ sub = "minecraft.${cfg.domain.sub}"; }; }; - - }; -} \ No newline at end of file +} diff --git a/applications/games/minecraft.nix b/applications/games/minecraft.nix index 4fc1a17..6a9f786 100644 --- a/applications/games/minecraft.nix +++ b/applications/games/minecraft.nix 
@@ -1,12 +1,16 @@ -{ config, pkgs, lib, inputs, ... }: - with lib; - let - cfg = config.services.skynet_games_minecraft; - - # got tired of how long this is so I created a var for it. - short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; - in { +{ + config, + pkgs, + lib, + inputs, + ... +}: +with lib; let + cfg = config.services.skynet_games_minecraft; + # got tired of how long this is so I created a var for it. + short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; +in { imports = [ ../acme.nix ../dns.nix @@ -54,21 +58,41 @@ ]; skynet_acme.domains = [ - "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" + "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" ]; skynet_dns.records = [ # the minecraft (web) config server - {record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} + { + record = "config.${cfg.domain.sub}"; + r_type = "CNAME"; + value = cfg.host.name; + } # our own minecraft hosts - {record="compsoc_classic.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} - {record="compsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} + { + record = "compsoc_classic.${cfg.domain.sub}"; + r_type = "CNAME"; + value = cfg.host.name; + } + { + record = "compsoc.${cfg.domain.sub}"; + r_type = "CNAME"; + value = cfg.host.name; + } # gsoc servers - {record="gsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} - {record="gsoc_abridged.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} + { + record = "gsoc.${cfg.domain.sub}"; + r_type = "CNAME"; + value = cfg.host.name; + } + { + record = "gsoc_abridged.${cfg.domain.sub}"; + r_type = "CNAME"; + value = cfg.host.name; + } ]; networking.firewall.allowedTCPPorts = [ @@ -77,7 +101,6 @@ ]; services.nginx.virtualHosts = { - # https://config.minecraft.games.skynet.ie "config.${short_domain}" = { forceSSL = true; 
@@ -94,7 +117,6 @@ useACMEHost = "skynet"; locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/"; }; - }; # arion is one way to use docker on nixos @@ -103,12 +125,11 @@ virtualisation.arion = { backend = "docker"; projects = { - minecraft.settings.services = { mc_proxy.service = { image = "itzg/mc-router:1.18.0"; - ports = [ "25565:25565/tcp" ]; - expose = [ "25565" ]; + ports = ["25565:25565/tcp"]; + expose = ["25565"]; command = [ "--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003" ]; @@ -118,7 +139,7 @@ image = "registry.gitlab.com/crafty-controller/crafty-4:4.1.1"; environment = { - TZ="Etc/UTC"; + TZ = "Etc/UTC"; }; volumes = [ @@ -144,4 +165,4 @@ }; }; }; -} \ No newline at end of file +} diff --git a/applications/gitlab.nix b/applications/gitlab.nix index 8ecda83..0840614 100644 --- a/applications/gitlab.nix +++ b/applications/gitlab.nix @@ -1,8 +1,12 @@ -{ config, pkgs, lib, ... }: - with lib; - let - cfg = config.services.skynet_gitlab; - in { +{ + config, + pkgs, + lib, + ... +}: +with lib; let + cfg = config.services.skynet_gitlab; +in { imports = [ ./acme.nix ./dns.nix @@ -52,9 +56,7 @@ default = "dc=skynet,dc=ie"; description = lib.mdDoc "The base address in the ldap server"; }; - }; - }; config = mkIf cfg.enable { 
@@ -97,14 +99,22 @@ skynet_acme.domains = [ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" # Lets Encrypt seems to have a 4 levels limit for certs - "*.pages.${cfg.domain.base}.${cfg.domain.tld}" + "*.pages.${cfg.domain.base}.${cfg.domain.tld}" ]; # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide skynet_dns.records = [ - {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} + { + record = cfg.domain.sub; + r_type = "CNAME"; + value = cfg.host.name; + } # for gitlab pages - {record="*.pages.${cfg.domain.base}.${cfg.domain.tld}."; r_type="A"; value=cfg.host.ip;} + { + record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}."; + r_type = "A"; + value = cfg.host.ip; + } ]; networking.firewall.allowedTCPPorts = [ @@ -112,7 +122,7 @@ 2222 ]; - services.openssh.ports = [ 22 2222 ]; + services.openssh.ports = [22 2222]; services.nginx.virtualHosts = { # main site @@ -163,7 +173,6 @@ auth-server = "https://gitlab.example.com"; */ }; - }; #smtp = { # enable = true; @@ -200,7 +209,7 @@ name = "cn"; }; - group_base= "ou=groups,${cfg.ldap.base}"; + group_base = "ou=groups,${cfg.ldap.base}"; admin_group = "skynet-admins"; sync_ssh_keys = "sshPublicKey"; @@ -217,4 +226,4 @@ }; }; }; -} \ No newline at end of file +} diff --git a/applications/gitlab_runner.nix b/applications/gitlab_runner.nix index 48559da..b0535e0 100644 --- a/applications/gitlab_runner.nix +++ b/applications/gitlab_runner.nix @@ -1,10 +1,13 @@ -{ config, pkgs, lib, ... }: - with lib; - let - cfg = config.services.skynet_gitlab_runner; - in { +{ + config, + pkgs, + lib, + ... +}: +with lib; let + cfg = config.services.skynet_gitlab_runner; +in { imports = [ - ]; options.services.skynet_gitlab_runner = { 
@@ -44,7 +47,7 @@ config = mkIf cfg.enable { # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner. environment.systemPackages = [ - pkgs.gitlab-runner + pkgs.gitlab-runner ]; age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age; @@ -53,7 +56,7 @@ boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1 # taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128 - virtualisation.docker.listenOptions = [ "/run/docker.sock" "127.0.0.1:2375" ]; + virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"]; services.gitlab-runner = { enable = true; @@ -68,7 +71,7 @@ runner_nix = { cloneUrl = cfg.runner.gitlab; description = "For Nix only"; - registrationFlags = [ "--docker-host" "tcp://127.0.0.1:2375" ]; + registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"]; registrationConfigFile = config.age.secrets.runner_01_nix.path; dockerImage = cfg.runner.docker.image; @@ -92,7 +95,7 @@ . ${pkgs.nix}/etc/profile.d/nix-daemon.sh ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3 ${pkgs.nix}/bin/nix-channel --update nixpkgs - ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])} + ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])} ''; environmentVariables = { ENV = "/etc/profile"; 
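Review bot: `virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"]` in the `@@ -53,7 +56,7 @@` hunk exposes the Docker API over unauthenticated plain TCP; the loopback bind keeps it off the network, but any local user or process that can reach 127.0.0.1:2375 gains root-equivalent control of the daemon, and a runner job container that were given host networking would be such a process. The same endpoint is consumed by `registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"]` here (`@@ -68,7 +71,7 @@`) and again in the `@@ -101,17 +104,17 @@` hunk on the next line. The linked nixpkgs issue explains why TCP is needed but not the trust boundary; suggest a comment on the listenOptions line such as `# unauthenticated Docker API on loopback: root-equivalent for any local process; runner jobs must not get host networking`, and TLS client auth on that listener if the runner setup allows it.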
@@ -101,17 +104,17 @@ PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; }; - tagList = [ "nix" ]; + tagList = ["nix"]; }; runner_general = { cloneUrl = cfg.runner.gitlab; description = "General Runner"; - registrationFlags = [ "--docker-host" "tcp://127.0.0.1:2375" ]; + registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"]; registrationConfigFile = config.age.secrets.runner_02_general.path; dockerImage = cfg.runner.docker.image; }; }; }; }; -} \ No newline at end of file +} diff --git a/applications/ldap/backend.nix b/applications/ldap/backend.nix index d32c577..477a485 100644 --- a/applications/ldap/backend.nix +++ b/applications/ldap/backend.nix @@ -1,10 +1,14 @@ -{ config, pkgs, lib, inputs, ... }: - with lib; - let - cfg = config.services.ldap_backend; - port_backend = "8087"; - in { - +{ + config, + pkgs, + lib, + inputs, + ... +}: +with lib; let + cfg = config.services.ldap_backend; + port_backend = "8087"; +in { imports = [ ../acme.nix ../dns.nix @@ -44,7 +48,6 @@ }; config = mkIf cfg.enable { - #backups = [ "/etc/silver_ul_ical/database.db" ]; age.secrets.ldap_details.file = ../../secrets/ldap/details.age; @@ -56,7 +59,11 @@ ]; skynet_dns.records = [ - {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} + { + record = cfg.domain.sub; + r_type = "CNAME"; + value = cfg.host.name; + } ]; services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { @@ -64,9 +71,9 @@ useACMEHost = "skynet"; locations."/".proxyPass = "http://localhost:${port_backend}"; -# extraConfig = '' -# add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}"; -# ''; + # extraConfig = '' + # add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}"; + # ''; extraConfig = '' add_header Access-Control-Allow-Origin "*"; ''; 
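Review bot: In the backend.nix `@@ -64,9 +71,9 @@` hunk the re-indented, still-disabled `# add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";` sits next to the live `add_header Access-Control-Allow-Origin "*";` with no comment on why the wildcard replaced the specific origin. A wildcard lets any site make cross-origin requests to this LDAP backend API; whether that is acceptable depends on how the backend authenticates, which is not visible here. Suggest replacing the three commented-out lines with a single `# wildcard CORS is intentional: <reason>; restore the account.* origin once the frontend origin is fixed` so the decision is recorded, or re-enabling the specific origin. Note that nginx `add_header` only applies to 2xx/3xx responses unless `always` is appended, so error responses from the proxied backend will not carry the header either way.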
@@ -99,315 +106,316 @@ ]; lifetime = []; banned = []; - restricted = [ - # usernames folks arent allowed to use - "contact" - "dnsadm" - "president" - "treasurer" - "secretary" - "pro" - "sysadmin" - "root" - - ] ++ [ - # basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444 - # start off with compsoc stuff first - "competition_www" - "demo1" - "demouser" - "ftp" - "lost+found" - "postfix" - "skynews.old" - "system_backup" - "test" - "test12" - "test20202" - "test20203" - "tmp" - "webadm" - ] ++ [ - # clubs and socs (as far as I can tell - "aerosoc" - "aikido" - "anfocal" - "bics" - "boarding" - "cns" - "dev" - "filmsoc" - "gaa" - "german" - "golfsoc" - "handball" - "hispanic" - "history" - "hockey" - "home" - "legosoc" - "lifesave" - "mens_gfc" - "musicsoc" - "pagansoc" - "peacesoc" - "physics" - "poker" - "prolife" - "radio" - "ragweek" - "sinnfein" - "soccer" - "ulbs" - "ulcamogie" - "ulcc" - "ulgaa" - "ulils" - "ulladiesfootball" - "ullaughinsoc" - "ulrfc" - "ulriders" - "ulssc" - "ultennis" - "viking" - ] ++ [ - # remaining, most likely usernames - "_9thwonder" - "abc" - "activate" - "aiesec" - "air" - "aladdin" - "alaric" - "aldozzie" - "allenli" - "amg" - "amgl" - "annette" - "annlad" - "ards_backup" - "arisquez" - "arthur" - "austin" - "beta" - "bh" - "bigdave" - "bios" - "bizarroal" - "bmacaree" - "boardy" - "boddah" - "bogus.anime.fakh" - "bogus.bhudt.dacf" - "bogus.citoge.baym" - "bogus.electro.ba0a" - "bogus.fencing.baw5" - "bogus.harry.ba8f" - "bogus.hui.hong.baci" - "bogus.ironman.baqib" - "bogus.joe.bach" - "bogus.kenny.bas6" - "bogus.kerswin.baybb" - "bogus.kravmaga.ba0w" - "bogus.methi.baq5" - "bogus.nelsonmw.bauc" - "bogus.poshea.ba0m" - "bogus.redwolf.bawn" - "bogus.romanov.baat" - "bogus.ryan.bae-" - "bogus.rynnea.bask" - "bogus.sea.af" - "bogus.shane.c.ba8z" - "bogus.t1000.baggb" - "bogus.ullrugby.ba8p" - "brendan" - "bubba" - "c_material_removed" - "ca_worm" - "cactus" - "carticus" - "cathalc" 
- "cathald-broken" - "cdschedule" - "celtic" - "christine" - "cian" - "ciara" - "ciaran" - "colin" - "cosmo" - "counsel" - "creosote" - "crew" - "cues" - "cur" - "cwhelan" - "dac" - "daktulu" - "datacore" - "davec" - "daverus" - "deano" - "deccy" - "declanmu" - "deiji" - "dermotmc" - "derrick" - "deshocks" - "diarmuid" - "dippy" - "djraptor" - "dmackey" - "dmir" - "dom" - "dom_mckay" - "donie" - "donnacha" - "dos30" - "drazhar" - "duffman" - "eas" - "electal" - "emc" - "emilia" - "emma" - "emmag" - "ents" - "envcom" - "eoinh95" - "epgriffin" - "equest" - "fiacc" - "fint" - "flanno" - "fmannix" - "foodcoop" - "gamenet" - "ganainm" - "gar" - "ger88" - "ghama" - "ging" - "goborobo" - "gooner" - "greekweek" - "hawking" - "hb" - "homer" - "hoshi" - "ian" - "ianrice" - "ilug" - "infinity" - "ingenuus" - "internat" - "jamessy" - "jamiebarry" - "jbravo" - "jdonegan" - "joedredd" - "johann" - "jokill" - "jsoccer" - "jules" - "kate" - "katie" - "kellyj" - "kiely" - "koo" - "l_d_ablo" - "lakes" - "laura" - "lebowski" - "liabraid" - "lynn" - "mal" - "manuel" - "maraz" - "marieke" - "marky" - "mature" - "mbyrne" - "meanturtle" - "mickaful" - "mickasul" - "mikado" - "mikeh" - "mikkel" - "mixiezme" - "mmc" - "molly" - "moochie" - "moonser" - "mopic" - "mp" - "nastros" - "neutrino" - "new" - "nezzy" - "nkdc" - "nmcenroy" - "noelle" - "nugget" - "ob" - "omega" - "oneillbeano" - "pamela" - "peterj" - "photyl" - "plake" - "pmcg1986" - "pyro" - "qubeat" - "rachel" - "rachelg" - "ralmeida" - "raymond" - "razzlero" - "red" - "rmacm" - "rmorrissey" - "robson" - "selena" - "shark" - "shayscannell" - "shazlove" - "shelley" - "shelly" - "silver.old" - "sirhc" - "sithlord" - "sk" - "sligoer" - "slowey" - "smallp" - "smurfy" - "sordfish" - "soul98" - "soular" - "st" - "stefanovich" - "svp" - "szczerba" - "tangsoodo" - "tc" - "tenfor" - "teslacut" - "theematt" - "thomasl" - "tockman" - "ugm" - "vanzan" - "volleyb" - "warren" - "weather" - "wiles" - "yvonne" - "zrahman" - ]; - + restricted = + 
[ + # usernames folks arent allowed to use + "contact" + "dnsadm" + "president" + "treasurer" + "secretary" + "pro" + "sysadmin" + "root" + ] + ++ [ + # basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444 + # start off with compsoc stuff first + "competition_www" + "demo1" + "demouser" + "ftp" + "lost+found" + "postfix" + "skynews.old" + "system_backup" + "test" + "test12" + "test20202" + "test20203" + "tmp" + "webadm" + ] + ++ [ + # clubs and socs (as far as I can tell + "aerosoc" + "aikido" + "anfocal" + "bics" + "boarding" + "cns" + "dev" + "filmsoc" + "gaa" + "german" + "golfsoc" + "handball" + "hispanic" + "history" + "hockey" + "home" + "legosoc" + "lifesave" + "mens_gfc" + "musicsoc" + "pagansoc" + "peacesoc" + "physics" + "poker" + "prolife" + "radio" + "ragweek" + "sinnfein" + "soccer" + "ulbs" + "ulcamogie" + "ulcc" + "ulgaa" + "ulils" + "ulladiesfootball" + "ullaughinsoc" + "ulrfc" + "ulriders" + "ulssc" + "ultennis" + "viking" + ] + ++ [ + # remaining, most likely usernames + "_9thwonder" + "abc" + "activate" + "aiesec" + "air" + "aladdin" + "alaric" + "aldozzie" + "allenli" + "amg" + "amgl" + "annette" + "annlad" + "ards_backup" + "arisquez" + "arthur" + "austin" + "beta" + "bh" + "bigdave" + "bios" + "bizarroal" + "bmacaree" + "boardy" + "boddah" + "bogus.anime.fakh" + "bogus.bhudt.dacf" + "bogus.citoge.baym" + "bogus.electro.ba0a" + "bogus.fencing.baw5" + "bogus.harry.ba8f" + "bogus.hui.hong.baci" + "bogus.ironman.baqib" + "bogus.joe.bach" + "bogus.kenny.bas6" + "bogus.kerswin.baybb" + "bogus.kravmaga.ba0w" + "bogus.methi.baq5" + "bogus.nelsonmw.bauc" + "bogus.poshea.ba0m" + "bogus.redwolf.bawn" + "bogus.romanov.baat" + "bogus.ryan.bae-" + "bogus.rynnea.bask" + "bogus.sea.af" + "bogus.shane.c.ba8z" + "bogus.t1000.baggb" + "bogus.ullrugby.ba8p" + "brendan" + "bubba" + "c_material_removed" + "ca_worm" + "cactus" + "carticus" + "cathalc" + "cathald-broken" + "cdschedule" + "celtic" + "christine" + 
"cian" + "ciara" + "ciaran" + "colin" + "cosmo" + "counsel" + "creosote" + "crew" + "cues" + "cur" + "cwhelan" + "dac" + "daktulu" + "datacore" + "davec" + "daverus" + "deano" + "deccy" + "declanmu" + "deiji" + "dermotmc" + "derrick" + "deshocks" + "diarmuid" + "dippy" + "djraptor" + "dmackey" + "dmir" + "dom" + "dom_mckay" + "donie" + "donnacha" + "dos30" + "drazhar" + "duffman" + "eas" + "electal" + "emc" + "emilia" + "emma" + "emmag" + "ents" + "envcom" + "eoinh95" + "epgriffin" + "equest" + "fiacc" + "fint" + "flanno" + "fmannix" + "foodcoop" + "gamenet" + "ganainm" + "gar" + "ger88" + "ghama" + "ging" + "goborobo" + "gooner" + "greekweek" + "hawking" + "hb" + "homer" + "hoshi" + "ian" + "ianrice" + "ilug" + "infinity" + "ingenuus" + "internat" + "jamessy" + "jamiebarry" + "jbravo" + "jdonegan" + "joedredd" + "johann" + "jokill" + "jsoccer" + "jules" + "kate" + "katie" + "kellyj" + "kiely" + "koo" + "l_d_ablo" + "lakes" + "laura" + "lebowski" + "liabraid" + "lynn" + "mal" + "manuel" + "maraz" + "marieke" + "marky" + "mature" + "mbyrne" + "meanturtle" + "mickaful" + "mickasul" + "mikado" + "mikeh" + "mikkel" + "mixiezme" + "mmc" + "molly" + "moochie" + "moonser" + "mopic" + "mp" + "nastros" + "neutrino" + "new" + "nezzy" + "nkdc" + "nmcenroy" + "noelle" + "nugget" + "ob" + "omega" + "oneillbeano" + "pamela" + "peterj" + "photyl" + "plake" + "pmcg1986" + "pyro" + "qubeat" + "rachel" + "rachelg" + "ralmeida" + "raymond" + "razzlero" + "red" + "rmacm" + "rmorrissey" + "robson" + "selena" + "shark" + "shayscannell" + "shazlove" + "shelley" + "shelly" + "silver.old" + "sirhc" + "sithlord" + "sk" + "sligoer" + "slowey" + "smallp" + "smurfy" + "sordfish" + "soul98" + "soular" + "st" + "stefanovich" + "svp" + "szczerba" + "tangsoodo" + "tc" + "tenfor" + "teslacut" + "theematt" + "thomasl" + "tockman" + "ugm" + "vanzan" + "volleyb" + "warren" + "weather" + "wiles" + "yvonne" + "zrahman" + ]; }; - }; }; } 
diff --git a/applications/ldap/client.nix b/applications/ldap/client.nix index 2a7324a..d172b42 100644 --- a/applications/ldap/client.nix +++ b/applications/ldap/client.nix @@ -1,21 +1,26 @@ -{ config, pkgs, lib, ... }: - with lib; - let - cfg = config.services.skynet_ldap_client; +{ + config, + pkgs, + lib, + ... +}: +with lib; let + cfg = config.services.skynet_ldap_client; - # always ensure the admin group has access - create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x); + # always ensure the admin group has access + create_filter_check_admin = x: + if !(builtins.elem "skynet-admins" x) + then x ++ ["skynet-admins"] + else x; - # create teh new strings - create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})"); + # create teh new strings + create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})"); - create_filter_join = (x: concatStringsSep "" x); - - # thought you could escape racket? - create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) ); - - in { + create_filter_join = x: concatStringsSep "" x; + # thought you could escape racket? + create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x)); +in { # these are needed for teh program in question imports = []; @@ -46,7 +51,6 @@ ]; description = lib.mdDoc "Groups we want to allow access to the server"; }; - }; config = mkIf cfg.enable { @@ -54,10 +58,17 @@ security.sudo.extraRules = [ # admin group has sudo access - { groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } + { + groups = ["skynet-admins-linux"]; + commands = [ + { + command = "ALL"; + options = ["NOPASSWD"]; + } + ]; + } ]; - # give users a home dir security.pam.services.sshd.makeHomeDir = true; 
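Review bot: The `security.sudo.extraRules` entry in the `@@ -54,10 +58,17 @@` hunk grants `command = "ALL"` with `options = ["NOPASSWD"]` to every member of `skynet-admins-linux`, and the rule carries no comment on why the password step is skipped. The sssd config in the following `@@ -77,41 +88,40 @@` hunk also sets `sudo_provider = ldap` with `ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}`, so there appear to be two sudo policies for the same group; I am inferring the overlap from the search base, so confirm whether LDAP sudo rules are actually populated. Suggest a comment above the rule such as `# NOPASSWD for admins is deliberate; sssd sudo_provider below covers the same group — keep the two in sync or drop one`.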
@@ -68,7 +79,7 @@ # tell users where tehy cna setup their ssh key banner = '' If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address} - ''; + ''; }; services.sssd = { @@ -77,41 +88,40 @@ sshAuthorizedKeysIntegration = true; config = '' -[domain/skynet.ie] -id_provider = ldap -auth_provider = ldap -sudo_provider = ldap + [domain/skynet.ie] + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap -ldap_uri = ldaps://${cfg.address}:636 + ldap_uri = ldaps://${cfg.address}:636 -ldap_search_base = ${cfg.base} -# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d -ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups}) -ldap_group_search_base = ou=groups,${cfg.base} -ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base} + ldap_search_base = ${cfg.base} + # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d + ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups}) + ldap_group_search_base = ou=groups,${cfg.base} + ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base} -ldap_group_nesting_level = 5 + ldap_group_nesting_level = 5 -cache_credentials = false -entry_cache_timeout = 1 + cache_credentials = false + entry_cache_timeout = 1 -ldap_user_member_of = skMemberOf + ldap_user_member_of = skMemberOf -[sssd] -config_file_version = 2 -services = nss, pam, sudo, ssh -domains = skynet.ie + [sssd] + config_file_version = 2 + services = nss, pam, sudo, ssh + domains = skynet.ie -[nss] -# override_homedir = /home/%u + [nss] + # override_homedir = /home/%u -[pam] + [pam] -[sudo] + [sudo] -[autofs] + [autofs] ''; }; - }; -} \ No newline at end of file +} diff --git a/applications/ldap/server.nix b/applications/ldap/server.nix index b63861f..2090879 100644 --- a/applications/ldap/server.nix 
+++ b/applications/ldap/server.nix @@ -1,13 +1,16 @@ /* Gonna use a priper nixos module for this */ - -{ config, pkgs, lib, inputs, ... }: - with lib; - let - cfg = config.services.skynet_ldap; - in { - +{ + config, + pkgs, + lib, + inputs, + ... +}: +with lib; let + cfg = config.services.skynet_ldap; +in { # these are needed for teh program in question imports = [ ../acme.nix @@ -16,7 +19,6 @@ Gonna use a priper nixos module for this ./backend.nix ]; - options.services.skynet_ldap = { # options that need to be passed in to make this work @@ -61,7 +63,6 @@ Gonna use a priper nixos module for this }; config = mkIf cfg.enable { - # passthrough to the backend services.ldap_backend = { enable = true; @@ -82,7 +83,11 @@ Gonna use a priper nixos module for this ]; skynet_dns.records = [ - {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} + { + record = cfg.domain.sub; + r_type = "CNAME"; + value = cfg.host.name; + } ]; # firewall on teh computer itself @@ -111,25 +116,29 @@ Gonna use a priper nixos module for this # using https://nixos.wiki/wiki/OpenLDAP for base config systemd.services.openldap = { - wants = [ "acme-${cfg.domain.base}.service" ]; - after = [ "acme-${cfg.domain.base}.service" ]; + wants = ["acme-${cfg.domain.base}.service"]; + after = ["acme-${cfg.domain.base}.service"]; }; - users.groups.acme.members = [ "openldap" ]; + users.groups.acme.members = ["openldap"]; services.openldap = { # backup /var/lib/openldap/slapd.d enable = true; - /* enable plain and secure connections */ - urlList = [ "ldap:///" "ldaps:///" ]; + /* + enable plain and secure connections + */ + urlList = ["ldap:///" "ldaps:///"]; settings = { attrs = { olcLogLevel = "conns config"; - /* settings for acme ssl */ + /* + settings for acme ssl + */ olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem"; olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem"; olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem"; 
@@ -154,67 +163,70 @@ Gonna use a priper nixos module for this ./skMemberOf.ldif ]; - "cn=modules".attrs = { - objectClass = [ "olcModuleList" ]; - cn = "modules"; + objectClass = ["olcModuleList"]; + cn = "modules"; olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"]; }; "olcDatabase={-1}frontend".attrs = { - objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ]; + objectClass = ["olcDatabaseConfig" "olcFrontendConfig"]; olcPasswordHash = "{SSHA512}"; }; "olcDatabase={1}mdb" = { attrs = { - objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; olcDatabase = "{1}mdb"; olcDbDirectory = "/var/lib/openldap/data"; olcSuffix = cfg.base; - /* your admin account, do not use writeText on a production system */ + /* + your admin account, do not use writeText on a production system + */ olcRootDN = "cn=admin,${cfg.base}"; olcRootPW.path = config.age.secrets.ldap_pw.path; #olcOverlay = "memberof"; olcAccess = [ - /* custom access rules for userPassword attributes */ - ''{0}to attrs=userPassword - by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage - by self write - by anonymous auth - by * none'' + /* + custom access rules for userPassword attributes + */ + '' {0}to attrs=userPassword + by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage + by self write + by anonymous auth + by * none'' - ''{1}to attrs=mail,sshPublicKey,cn,sn,skDiscord - by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage - by self write - by * read'' + '' {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord + by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage + by self write + by * read'' - /* allow read on anything else */ - ''{2}to * - by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage - by * read'' + /* + allow read on anything else + */ + '' {2}to * + by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage + by * read'' ]; - - }; # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/ children = { 
"olcOverlay=dynlist".attrs = { - objectClass = [ "olcOverlayConfig" "olcDynamicList" ]; - olcOverlay = "dynlist"; + objectClass = ["olcOverlayConfig" "olcDynamicList"]; + olcOverlay = "dynlist"; olcDlAttrSet = "skPerson labeledURI skMemberOf"; }; "olcOverlay=memberof".attrs = { - objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ]; - olcOverlay = "memberof"; + objectClass = ["olcOverlayConfig" "olcMemberOf" "olcConfig" "top"]; + olcOverlay = "memberof"; olcMemberOfDangling = "ignore"; olcMemberOfRefInt = "TRUE"; @@ -223,10 +235,7 @@ Gonna use a priper nixos module for this olcMemberOfMemberOfAD = "memberOf"; }; }; - - }; - }; }; }; diff --git a/applications/nginx.nix b/applications/nginx.nix index d2524fc..254de6c 100644 --- a/applications/nginx.nix +++ b/applications/nginx.nix @@ -1,5 +1,4 @@ # using K900's one https://gitlab.com/K900/nix/-/blob/a69502b8bf39fd99a85342b2f7989fe5896a6ae0/applications/base/nginx.nix - {pkgs, ...}: { services.nginx = { enable = true; diff --git a/applications/restic.nix b/applications/restic.nix index 1598acb..4ccf611 100644 --- a/applications/restic.nix +++ b/applications/restic.nix 
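Review bot: The rewritten `olcAccess` rules in the `@@ -154,67 +163,70 @@` hunk keep `by * read` as the final clause of `{1}` and `{2}`, which grants anonymous read of mail, sshPublicKey, cn, sn, skDiscord and every attribute not named in `{0}`; together with `urlList = ["ldap:///" "ldaps:///"]` in the `@@ -111,25 +116,29 @@` hunk, anyone the host firewall lets reach port 389 can read the directory in clear text. This looks intentional — the sssd config in client.nix binds without a DN — but the comment `allow read on anything else` does not say so. Suggest `/* anonymous read is relied on by the sssd clients (client.nix binds without a DN); tighten to "by users read" once a bind DN is provisioned */` on `{2}`, and either dropping `ldap:///` or documenting which firewall rule protects the plaintext listener.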
@@ -1,154 +1,154 @@ - # nodes is all the nodes -{ lib, config, nodes, pkgs, ...}: with lib; - let - cfg = config.services.skynet_backup; +{ + lib, + config, + nodes, + pkgs, + ... +}: +with lib; let + cfg = config.services.skynet_backup; + # since they should all have the same config we can do this + base = { + paths = cfg.normal.backups; + exclude = cfg.normal.exclude; + initialize = true; + passwordFile = config.age.secrets.restic.path; - # since they should all have the same config we can do this - base = { - paths = cfg.normal.backups; - exclude = cfg.normal.exclude; - initialize = true; - passwordFile = config.age.secrets.restic.path; + pruneOpts = [ + #"--keep-within 0y2m0d0h" + #"--keep-monthly 2" + ]; - pruneOpts = [ - #"--keep-within 0y2m0d0h" - #"--keep-monthly 2" - ]; - - timerConfig = { - OnCalendar = "daily"; - Persistent = true; - RandomizedDelaySec = "5h"; - }; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + RandomizedDelaySec = "5h"; }; + }; - # takes nodes, - # for each check if iut has teh abckup attribute, - # then if the server is enabled, - # then pull relevant dtails - ownServers = builtins.listToAttrs (builtins.concatLists ( - lib.attrsets.mapAttrsToList (key: value: - let - backup = value.config.services.skynet_backup; - in - if ( - (builtins.hasAttr "skynet_backup" value.config.services) - && backup.server.enable - && backup.host.name != cfg.host.name - && !backup.server.appendOnly - ) + # takes nodes, + # for each check if iut has teh abckup attribute, + # then if the server is enabled, + # then pull relevant dtails + ownServers = builtins.listToAttrs (builtins.concatLists ( + lib.attrsets.mapAttrsToList ( + key: value: let + backup = value.config.services.skynet_backup; + in + if + ( + (builtins.hasAttr "skynet_backup" value.config.services) + && backup.server.enable + && backup.host.name != cfg.host.name + && !backup.server.appendOnly + ) then [ { name = backup.host.name; - value = base // { - repositoryFile = 
"/etc/skynet/restic/${backup.host.name}"; + value = + base + // { + repositoryFile = "/etc/skynet/restic/${backup.host.name}"; - backupPrepareCommand = '' - #!${pkgs.stdenv.shell} - set -euo pipefail + backupPrepareCommand = '' + #!${pkgs.stdenv.shell} + set -euo pipefail - baseDir="/etc/skynet/restic" + baseDir="/etc/skynet/restic" - mkdir -p $baseDir - cd $baseDir + mkdir -p $baseDir + cd $baseDir - echo -n "rest:http://root:password@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name} + echo -n "rest:http://root:password@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name} - # read in teh password - #PW = `cat ${config.age.secrets.restic.path}` - line=$(head -n 1 ${config.age.secrets.restic.path}) + # read in teh password + #PW = `cat ${config.age.secrets.restic.path}` + line=$(head -n 1 ${config.age.secrets.restic.path}) - sed -i "s/password/$line/g" ${backup.host.name} - ''; - - }; + sed -i "s/password/$line/g" ${backup.host.name} + ''; + }; } ] - else [ ] - ) nodes - )); + else [] + ) + nodes + )); +in { + imports = [ + ]; + # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base + # https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix + # will eb enabled on every server + options.services.skynet_backup = { + # backup is enabled by default + # enable = mkEnableOption "Skynet backup"; - - in { - - imports = [ - - ]; - - # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base - # https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix - # will eb enabled on every server - options.services.skynet_backup = { - # backup is enabled by default - # enable = mkEnableOption "Skynet backup"; - - # what folders to backup - normal = { - backups = lib.mkOption { 
- default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - A list of paths to backup. - ''; - }; - - exclude = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - A list of paths to exclide . - ''; - }; + # what folders to backup + normal = { + backups = lib.mkOption { + default = []; + type = lib.types.listOf lib.types.str; + description = '' + A list of paths to backup. + ''; }; - # append only data so space limited - secure = { - backups = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - A list of paths to backup. - ''; - }; - - exclude = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - A list of paths to exclide . - ''; - }; + exclude = lib.mkOption { + default = []; + type = lib.types.listOf lib.types.str; + description = '' + A list of paths to exclide . + ''; }; - - host = { - ip = mkOption { - type = types.str; - }; - - name = mkOption { - type = types.str; - }; - }; - - server = { - enable = mkEnableOption "Skynet backup Server"; - - port = mkOption { - type = types.port; - default = 8765; - }; - - appendOnly = mkOption { - type = types.bool; - default = false; - }; - }; - }; + # append only data so space limited + secure = { + backups = lib.mkOption { + default = []; + type = lib.types.listOf lib.types.str; + description = '' + A list of paths to backup. + ''; + }; + + exclude = lib.mkOption { + default = []; + type = lib.types.listOf lib.types.str; + description = '' + A list of paths to exclide . + ''; + }; + }; + + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + + server = { + enable = mkEnableOption "Skynet backup Server"; + + port = mkOption { + type = types.port; + default = 8765; + }; + + appendOnly = mkOption { + type = types.bool; + default = false; + }; + }; + }; config = { # these values are anabled for every client 
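Review bot: `backupPrepareCommand` in the restic.nix `@@ -1,154 +1,154 @@` hunk writes `rest:http://root:password@...` and then splices the credential in with `sed -i "s/password/$line/g"`; a secret containing `/`, `&` or `\` breaks or corrupts the substitution, and the literal token `password` is replaced wherever it occurs in the file, not just in the userinfo. Writing the URL directly avoids both problems: keep `line=$(head -n 1 ${config.age.secrets.restic.path})` and replace the `echo`/`sed` pair with `printf '%s' "rest:http://root:$line@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name}` (characters such as `@` or `:` in the secret would still need percent-encoding). The file is created under `/etc/skynet/restic` with the default umask, so add `umask 077` before the `mkdir -p` so other local users cannot read the credential, and the comment should state that the `http://` scheme sends it in clear text to the backup host.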
@@ -162,21 +162,22 @@ # nix-shell -p apacheHttpd # htpasswd -nbB "" "password" | cut -d: -f2 - age.secrets.restic.file = ../secrets/backup/restic.age; + age.secrets.restic.file = ../secrets/backup/restic.age; networking.firewall.allowedTCPPorts = [ cfg.server.port ]; - services.restic.backups = ownServers // { - # merge teh two configs together -# backblaze = base // { -# # backupos for each server are stored in a folder under their name -# repository = "b2:NixOS-Main2:/${cfg.host.name}"; -# #environmentFile = config.age.secrets.backblaze.path; -# }; - - }; + services.restic.backups = + ownServers + // { + # merge teh two configs together + # backblaze = base // { + # # backupos for each server are stored in a folder under their name + # repository = "b2:NixOS-Main2:/${cfg.host.name}"; + # #environmentFile = config.age.secrets.backblaze.path; + # }; + }; age.secrets.restic_pw = mkIf cfg.server.enable { file = ../secrets/backup/restic_pw.age; @@ -187,13 +188,11 @@ group = "restic"; }; - services.restic.server = mkIf cfg.server.enable{ + services.restic.server = mkIf cfg.server.enable { enable = true; listenAddress = "${cfg.host.ip}:${toString cfg.server.port}"; appendOnly = cfg.server.appendOnly; privateRepos = true; }; - - }; } diff --git a/applications/skynet.ie.nix b/applications/skynet.ie.nix index 190366c..0e8e878 100644 --- a/applications/skynet.ie.nix +++ b/applications/skynet.ie.nix @@ -1,9 +1,13 @@ -{ config, pkgs, lib, inputs, ... }: - with lib; - let - cfg = config.services.skynet; - in { - +{ + config, + pkgs, + lib, + inputs, + ... +}: +with lib; let + cfg = config.services.skynet; +in { imports = [ ./acme.nix ./dns.nix 
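Review bot: `networking.firewall.allowedTCPPorts = [cfg.server.port]` in the `@@ -162,21 +162,22 @@` hunk is unconditional, while `services.restic.server` in the `@@ -187,13 +188,11 @@` hunk is wrapped in `mkIf cfg.server.enable`; since the options comment says this module `will eb enabled on every server`, every client opens TCP 8765 with nothing listening, and anything later bound to that port is reachable by default. Gate it the same way: `networking.firewall.allowedTCPPorts = mkIf cfg.server.enable [cfg.server.port];`. The REST server in that hunk also listens on `${cfg.host.ip}` over plain HTTP; `privateRepos = true` confines each user to its own repo but does not protect the basic-auth credential in transit, which is worth a comment next to `listenAddress`.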
@@ -29,9 +33,21 @@ skynet_dns.records = [ # means root domain, so skynet.ie - {record="@"; r_type="A"; value=cfg.host.ip;} - {record="2016"; r_type="CNAME"; value=cfg.host.name;} - {record="discord"; r_type="CNAME"; value=cfg.host.name;} + { + record = "@"; + r_type = "A"; + value = cfg.host.ip; + } + { + record = "2016"; + r_type = "CNAME"; + value = cfg.host.name; + } + { + record = "discord"; + r_type = "CNAME"; + value = cfg.host.name; + } ]; networking.firewall.allowedTCPPorts = [80 443]; @@ -63,4 +79,4 @@ }; }; }; -} \ No newline at end of file +} diff --git a/applications/skynet_users.nix b/applications/skynet_users.nix index 8fa1058..194f53f 100644 --- a/applications/skynet_users.nix +++ b/applications/skynet_users.nix @@ -1,9 +1,13 @@ -{ config, pkgs, lib, inputs, ... }: - with lib; - let - cfg = config.services.skynet_users; - in { - +{ + config, + pkgs, + lib, + inputs, + ... +}: +with lib; let + cfg = config.services.skynet_users; +in { imports = [ ./acme.nix ./dns.nix @@ -32,22 +36,29 @@ ]; }; - # Website config skynet_acme.domains = [ - "users.skynet.ie" + "users.skynet.ie" "*.users.skynet.ie" ]; skynet_dns.records = [ - {record ="users"; r_type="CNAME"; value=cfg.host.name;} - {record="*.users"; r_type="CNAME"; value=cfg.host.name;} + { + record = "users"; + r_type = "CNAME"; + value = cfg.host.name; + } + { + record = "*.users"; + r_type = "CNAME"; + value = cfg.host.name; + } ]; networking.firewall.allowedTCPPorts = [80 443]; # normally services cannot read home dirs - systemd.services.nginx.serviceConfig.ProtectHome="read-only"; + systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; services.nginx.virtualHosts = { # main site @@ -69,4 +80,4 @@ }; }; }; -} \ No newline at end of file +} diff --git a/applications/ulfm.nix b/applications/ulfm.nix index f970e0d..9280084 100644 --- a/applications/ulfm.nix +++ b/applications/ulfm.nix 
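Review bot: `systemd.services.nginx.serviceConfig.ProtectHome = "read-only"` in the skynet_users.nix `@@ -32,22 +36,29 @@` hunk gives nginx read access to all of /home (and /root, /run/user), not only the directories served under `*.users.skynet.ie`; the comment `normally services cannot read home dirs` explains the mechanism but not the scope being granted. If only a per-user web directory is meant to be served, `ProtectHome = true` plus `BindReadOnlyPaths` on that directory would keep the rest of users' files (dotfiles, keys) out of nginx's view. At minimum extend the comment to `# ProtectHome=read-only exposes every home dir, including dotfiles, to nginx; user sites are served from <per-user web dir> — confirm path`. The virtualHosts block that actually serves the user content is outside this hunk.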
@@ -1,9 +1,12 @@ -{ config, lib, pkgs, ... }: - with lib; - let - cfg = config.services.skynet_ulfm; - in { - +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.services.skynet_ulfm; +in { imports = [ ./acme.nix ./dns.nix @@ -12,34 +15,34 @@ ]; options.services.skynet_ulfm = { - enable = mkEnableOption "ULFM service"; + enable = mkEnableOption "ULFM service"; - host = { - ip = mkOption { - type = types.str; - }; + host = { + ip = mkOption { + type = types.str; + }; - name = mkOption { - type = types.str; - }; - }; + name = mkOption { + type = types.str; + }; + }; - domain = { - tld = mkOption { - type = types.str; - default = "ie"; - }; + domain = { + tld = mkOption { + type = types.str; + default = "ie"; + }; - base = mkOption { - type = types.str; - default = "skynet"; - }; + base = mkOption { + type = types.str; + default = "skynet"; + }; - sub = mkOption { - type = types.str; - default = "ulfm"; - }; - }; + sub = mkOption { + type = types.str; + default = "ulfm"; + }; + }; }; config = mkIf cfg.enable { @@ -55,7 +58,11 @@ ]; skynet_dns.records = [ - {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} + { + record = cfg.domain.sub; + r_type = "CNAME"; + value = cfg.host.name; + } ]; skynet_firewall.forward = [ @@ -74,9 +81,9 @@ }; systemd.services.icecast = { - after = [ "network.target" ]; + after = ["network.target"]; description = "Icecast Network Audio Streaming Server"; - wantedBy = [ "multi-user.target" ]; + wantedBy = ["multi-user.target"]; preStart = "mkdir -p /var/log/icecast && chown nobody:nogroup /var/log/icecast"; serviceConfig = { @@ -91,7 +98,5 @@ useACMEHost = "skynet"; locations."/".proxyPass = "http://localhost:8000"; }; - }; - -} \ No newline at end of file +} diff --git a/flake.lock b/flake.lock index 469db8f..d348048 100644 --- a/flake.lock +++ b/flake.lock 
@@ -20,6 +20,29 @@
 "type": "github"
 }
 },
+ "alejandra": {
+ "inputs": {
+ "fenix": "fenix",
+ "flakeCompat": "flakeCompat",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1660510326,
+ "narHash": "sha256-xFumnivtVwu5fFBOrTxrv6fv3geHKF04RGP23EsDVaI=",
+ "owner": "kamadorueda",
+ "repo": "alejandra",
+ "rev": "ef03f7ef74ec97fd91a016a51c9c9667fb315652",
+ "type": "github"
+ },
+ "original": {
+ "owner": "kamadorueda",
+ "ref": "3.0.0",
+ "repo": "alejandra",
+ "type": "github"
+ }
+ },
 "arion": {
 "inputs": {
 "flake-parts": "flake-parts",
@@ -78,6 +101,28 @@
 "type": "github"
 }
 },
+ "fenix": {
+ "inputs": {
+ "nixpkgs": [
+ "alejandra",
+ "nixpkgs"
+ ],
+ "rust-analyzer-src": "rust-analyzer-src"
+ },
+ "locked": {
+ "lastModified": 1657607339,
+ "narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=",
+ "owner": "nix-community",
+ "repo": "fenix",
+ "rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "fenix",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -133,6 +178,22 @@
 "type": "github"
 }
 },
+ "flakeCompat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1650374568,
+ "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "haskell-flake": {
 "locked": {
 "lastModified": 1675296942,
@@ -401,6 +462,7 @@
 "root": {
 "inputs": {
 "agenix": "agenix",
+ "alejandra": "alejandra",
 "arion": "arion",
 "flake-utils": "flake-utils",
 "nixpkgs": "nixpkgs_3",
@@ -412,6 +474,23 @@ "skynet_website_2016": "skynet_website_2016" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1657557289, + "narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "caf23f29144b371035b864a1017dbc32573ad56d", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "simple-nixos-mailserver": { "inputs": { "blobs": "blobs", diff --git a/flake.nix b/flake.nix index 447efb5..be197da 100644 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,4 @@ { - description = "Deployment for skynet"; inputs = { @@ -10,13 +9,17 @@ flake-utils.url = "github:numtide/flake-utils"; agenix.url = "github:ryantm/agenix"; arion.url = "github:hercules-ci/arion"; + alejandra = { + url = "github:kamadorueda/alejandra/3.0.0"; + inputs.nixpkgs.follows = "nixpkgs"; + }; # email # simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; # account.skynet.ie - skynet_ldap_backend.url = "gitlab:compsoc1%2Fskynet%2Fldap/backend?host=gitlab.skynet.ie"; + skynet_ldap_backend.url = "gitlab:compsoc1%2Fskynet%2Fldap/backend?host=gitlab.skynet.ie"; skynet_ldap_frontend.url = "gitlab:compsoc1%2Fskynet%2Fldap/frontend?host=gitlab.skynet.ie"; skynet_website.url = "gitlab:compsoc1%2Fskynet%2Fwebsite/2023?host=gitlab.skynet.ie"; 
@@ -27,19 +30,25 @@
 nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
- outputs = { self, nixpkgs, agenix, ... } @inputs:
- let
- pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
- in {
+ outputs = {
+ self,
+ nixpkgs,
+ agenix,
+ alejandra,
+ ...
+ } @ inputs: let
+ pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
+ in {
+ formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux";
 devShells.x86_64-linux.default = pkgs.mkShell {
 name = "Skynet build env";
 nativeBuildInputs = [
- pkgs.buildPackages.git
- pkgs.buildPackages.colmena
- pkgs.buildPackages.nmap
+ pkgs.buildPackages.git
+ pkgs.buildPackages.colmena
+ pkgs.buildPackages.nmap
 ];
- buildInputs = [ agenix.packages.x86_64-linux.default ];
+ buildInputs = [agenix.packages.x86_64-linux.default];
 shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"'';
 };
@@ -55,7 +64,7 @@
 };
 # installed for each machine
- defaults = import ./machines/_base.nix ;
+ defaults = import ./machines/_base.nix;
 # firewall machiene
 agentjones = import ./machines/agentjones.nix;
@@ -92,8 +101,6 @@
 # Main skynet sites
 earth = import ./machines/earth.nix;
-
 };
 };
-
 }
diff --git a/machines/_base.nix b/machines/_base.nix
index 2a14cfc..d3425a6 100644
--- a/machines/_base.nix
+++ b/machines/_base.nix
@@ -1,6 +1,11 @@
-{ pkgs, modulesPath, config, options, inputs, ... }:
-
 {
+ pkgs,
+ modulesPath,
+ config,
+ options,
+ inputs,
+ ...
+}: {
 imports = [
 (modulesPath + "/virtualisation/proxmox-lxc.nix")
@@ -21,7 +26,7 @@
 ];
 # flakes are essensial
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.settings.experimental-features = ["nix-command" "flakes"];
 system.stateVersion = "22.11";
@@ -69,7 +74,7 @@
 };
 # time on vendetta is strangely out of sync
- networking.timeServers = options.networking.timeServers.default ++ [ "ie.pool.ntp.org" ];
+ networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
 services.ntp.enable = true;
 # use teh above nameservers as the fallback dns
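Review bot: `formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux";` sources the formatter from a separately pinned third-party flake, and the flake.lock hunks in this commit show that input also pulls `fenix` and a `rust-analyzer` input tracked at ref `nightly` into the lock — three more upstreams to review and keep updated for a tool that only formats Nix. The locked revs and narHashes do pin those transitive inputs, so this is about maintenance and trust surface rather than an immediate reproducibility defect. nixpkgs has shipped alejandra for some time, so unless the pinned nixpkgs predates it, `formatter.x86_64-linux = pkgs.alejandra;` would give the same `nix fmt` behaviour without the extra inputs, and the `alejandra` entry added in the inputs hunk above plus the `alejandra` argument in the outputs pattern could then be dropped. If the 3.0.0 pin is wanted for reasons not stated here, a one-line comment above the `alejandra = {` input saying why would save the next reader from asking.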
diff --git a/machines/agentjones.nix b/machines/agentjones.nix index cde9245..3276335 100644 --- a/machines/agentjones.nix +++ b/machines/agentjones.nix @@ -1,22 +1,23 @@ /* - Name: https://matrix.fandom.com/wiki/Agent_Jones - Type: Physical - Hardware: PowerEdge r210 - From: 2011 (?) - Role: Firewall - Notes: Used to have Agent Smith as a partner but it died (Ironically) - +Name: https://matrix.fandom.com/wiki/Agent_Jones +Type: Physical +Hardware: PowerEdge r210 +From: 2011 (?) +Role: Firewall +Notes: Used to have Agent Smith as a partner but it died (Ironically) */ - -{ pkgs, lib, nodes, ... }: -let +{ + pkgs, + lib, + nodes, + ... +}: let # name of the server, sets teh hostname and record for it - name = "agentjones"; - ip_pub = "193.1.99.72"; - ip_priv = "193.1.99.125"; - hostname = "${name}.skynet.ie"; - + name = "agentjones"; + ip_pub = "193.1.99.72"; + ip_priv = "193.1.99.125"; + hostname = "${name}.skynet.ie"; in { imports = [ ./hardware/_base.nix @@ -29,12 +30,21 @@ in { targetUser = "root"; # somehow ssh from runner to this fails - tags = [ "active-firewall" ]; + tags = ["active-firewall"]; }; skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { 
@@ -92,18 +102,20 @@ in { # gonna have to get all the forward = builtins.concatLists ( # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list - lib.attrsets.mapAttrsToList (key: value: + lib.attrsets.mapAttrsToList ( + key: value: # make sure that anything running this firewall dosent count (recursion otherewise) # firewall may want to open ports in itself but can deal with that later - if builtins.hasAttr "skynet_firewall" value.config - then ( - if value.config.skynet_firewall.enable - then [] - else value.config.skynet_firewall.forward - ) - else [] - ) nodes + if builtins.hasAttr "skynet_firewall" value.config + then + ( + if value.config.skynet_firewall.enable + then [] + else value.config.skynet_firewall.forward + ) + else [] + ) + nodes ); }; - } diff --git a/machines/earth.nix b/machines/earth.nix index f2eee16..577a772 100644 --- a/machines/earth.nix +++ b/machines/earth.nix @@ -1,21 +1,23 @@ /* - Name: https://hitchhikers.fandom.com/wiki/Earth - Why: Our home(page) - Type: VM - Hardware: - - From: 2023 - Role: Webserver - Notes: - +Name: https://hitchhikers.fandom.com/wiki/Earth +Why: Our home(page) +Type: VM +Hardware: - +From: 2023 +Role: Webserver +Notes: */ - -{ pkgs, lib, nodes, inputs, ... }: -let - name = "earth"; - ip_pub = "193.1.99.79"; - hostname = "${name}.skynet.ie"; - +{ + pkgs, + lib, + nodes, + inputs, + ... +}: let + name = "earth"; + ip_pub = "193.1.99.79"; + hostname = "${name}.skynet.ie"; in { imports = [ ../applications/skynet.ie.nix @@ -26,13 +28,22 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active-core" ]; + tags = ["active-core"]; }; # it has two network devices so two skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { 
@@ -48,5 +59,4 @@ in { name = name; }; }; - -} \ No newline at end of file +} diff --git a/machines/galatea.nix b/machines/galatea.nix index 4989e78..6500e7f 100644 --- a/machines/galatea.nix +++ b/machines/galatea.nix @@ -1,21 +1,24 @@ /* - Name: https://en.wikipedia.org/wiki/Galatea_(mythology) - Why: Created as a product of artistic expression - Type: VM - Hardware: - - From: 2023 - Role: Icecast server for ULFM - Notes: - +Name: https://en.wikipedia.org/wiki/Galatea_(mythology) +Why: Created as a product of artistic expression +Type: VM +Hardware: - +From: 2023 +Role: Icecast server for ULFM +Notes: */ - -{ pkgs, lib, nodes, config, ... }: -let +{ + pkgs, + lib, + nodes, + config, + ... +}: let # name of the server, sets teh hostname and record for it - name = "galatea"; - ip_pub = "193.1.99.111"; - hostname = "${name}.skynet.ie"; + name = "galatea"; + ip_pub = "193.1.99.111"; + hostname = "${name}.skynet.ie"; in { imports = [ ../applications/ulfm.nix @@ -26,12 +29,21 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active" ]; + tags = ["active"]; }; skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { diff --git a/machines/gir.nix b/machines/gir.nix index 2e16a39..a30ecb6 100644 --- a/machines/gir.nix +++ b/machines/gir.nix @@ -1,23 +1,24 @@ /* - Name: https://zim.fandom.com/wiki/GIR - Why: Gir used to have this role before, servers never die - Type: VM - Hardware: - - 
From: 2023 - Role: Email Server - Notes: - +Name: https://zim.fandom.com/wiki/GIR +Why: Gir used to have this role before, servers never die +Type: VM +Hardware: - +From: 2023 +Role: Email Server +Notes: */ - -{ pkgs, lib, nodes, ... }: -let +{ + pkgs, + lib, + nodes, + ... +}: let # name of the server, sets teh hostname and record for it - name = "gir"; - ip_pub = "193.1.99.76"; - hostname = "${name}.skynet.ie"; + name = "gir"; + ip_pub = "193.1.99.76"; + hostname = "${name}.skynet.ie"; #hostname = ip_pub; - in { imports = [ ../applications/email.nix @@ -28,13 +29,22 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active-core" ]; + tags = ["active-core"]; }; # add this server to dns skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { diff --git a/machines/glados.nix b/machines/glados.nix index fc2ec0e..bf63cd5 100644 --- a/machines/glados.nix +++ b/machines/glados.nix @@ -1,23 +1,24 @@ /* - Name: https://half-life.fandom.com/wiki/GLaDOS - Why: Glados has a vast experence of testing and deploying. - Type: VM - Hardware: - - From: 2023 - Role: Git server - Notes: Each user has roughly 20gb os storage - 20 * 100 = 2000gb - +Name: https://half-life.fandom.com/wiki/GLaDOS +Why: Glados has a vast experence of testing and deploying. +Type: VM +Hardware: - +From: 2023 +Role: Git server +Notes: Each user has roughly 20gb os storage + 20 * 100 = 2000gb */ - -{ pkgs, lib, nodes, ... }: -let +{ + pkgs, + lib, + nodes, + ... +}: let # name of the server, sets teh hostname and record for it - name = "glados"; - ip_pub = "193.1.99.75"; - hostname = "${name}.skynet.ie"; - + name = "glados"; + ip_pub = "193.1.99.75"; + hostname = "${name}.skynet.ie"; in { imports = [ ../applications/gitlab.nix 
@@ -28,13 +29,21 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active-gitlab" ]; + tags = ["active-gitlab"]; }; - skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { @@ -51,5 +60,4 @@ in { name = name; }; }; - -} \ No newline at end of file +} diff --git a/machines/hardware/RM001.nix b/machines/hardware/RM001.nix index c5880d2..6e756a7 100644 --- a/machines/hardware/RM001.nix +++ b/machines/hardware/RM001.nix 
@@ -1,31 +1,35 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; - fileSystems."/" = - { device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/41AD-70AF"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/41AD-70AF"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f"; } - ]; + swapDevices = [ + {device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f";} + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/machines/hardware/RM002.nix b/machines/hardware/RM002.nix index 06f4ad2..01336bd 100644 --- a/machines/hardware/RM002.nix +++ b/machines/hardware/RM002.nix 
@@ -1,31 +1,35 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; - fileSystems."/" = - { device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/8B03-4D11"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/8B03-4D11"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac"; } - ]; + swapDevices = [ + {device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac";} + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/machines/hardware/RM007.nix b/machines/hardware/RM007.nix index 02ecb10..3888e34 100644 --- a/machines/hardware/RM007.nix +++ b/machines/hardware/RM007.nix 
@@ -1,31 +1,35 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; - fileSystems."/" = - { device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/76CE-C65E"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/76CE-C65E"; + fsType = "vfat"; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7"; } - ]; + swapDevices = [ + {device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7";} + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/machines/hardware/_base.nix b/machines/hardware/_base.nix index ed7ec20..ae8b77f 100644 --- a/machines/hardware/_base.nix +++ b/machines/hardware/_base.nix @@ -1,5 +1,10 @@ -{ config, options, lib, ... }: with lib; -let +{ + config, + options, + lib, + ... +}: +with lib; let # get a list of interfaces interfaces = attrNames config.networking.interfaces; # check if an IP has been assigned 
@@ -13,5 +18,4 @@ in { } ]; }; - -} \ No newline at end of file +} diff --git a/machines/kitt.nix b/machines/kitt.nix index 5858f9a..aa7efcd 100644 --- a/machines/kitt.nix +++ b/machines/kitt.nix @@ -1,23 +1,24 @@ /* - Name: https://en.wikipedia.org/wiki/KITT - Why: Kitt used to have this role before (as well as email and dns) - Type: VM - Hardware: - - From: 2023 - Role: LDAP Server - Notes: - +Name: https://en.wikipedia.org/wiki/KITT +Why: Kitt used to have this role before (as well as email and dns) +Type: VM +Hardware: - +From: 2023 +Role: LDAP Server +Notes: */ - -{ pkgs, lib, nodes, ... }: -let +{ + pkgs, + lib, + nodes, + ... +}: let # name of the server, sets teh hostname and record for it - name = "kitt"; - ip_pub = "193.1.99.74"; - hostname = "${name}.skynet.ie"; + name = "kitt"; + ip_pub = "193.1.99.74"; + hostname = "${name}.skynet.ie"; #hostname = ip_pub; - in { imports = [ ../applications/ldap/server.nix @@ -29,13 +30,22 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active-core" ]; + tags = ["active-core"]; }; # add this server to dns skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { diff --git a/machines/neuromancer.nix b/machines/neuromancer.nix index db3ad3e..59521bd 100644 --- a/machines/neuromancer.nix +++ b/machines/neuromancer.nix @@ -1,29 +1,29 @@ /* - Name: https://williamgibson.fandom.com/wiki/Neuromancer_(AI) - Why: A sibling to Wintermute, stores and archives memories. - Type: VM - Hardware: - - 
From: 2023 - Role: Backup Server - Notes: - +Name: https://williamgibson.fandom.com/wiki/Neuromancer_(AI) +Why: A sibling to Wintermute, stores and archives memories. +Type: VM +Hardware: - +From: 2023 +Role: Backup Server +Notes: */ - -{ pkgs, lib, nodes, ... }: -let +{ + pkgs, + lib, + nodes, + ... +}: let # name of the server, sets teh hostname and record for it - name = "neuromancer"; - ip_pub = "193.1.99.80"; - hostname = "${name}.skynet.ie"; - + name = "neuromancer"; + ip_pub = "193.1.99.80"; + hostname = "${name}.skynet.ie"; in { imports = [ ./hardware/_base.nix ./hardware/RM007.nix ]; - networking.hostName = name; # this has to be defined for any physical servers # vms are defined by teh vm host @@ -39,12 +39,21 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active-core" ]; + tags = ["active-core"]; }; skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { @@ -54,5 +63,4 @@ in { name = name; }; }; - -} \ No newline at end of file +} diff --git a/machines/optimus.nix b/machines/optimus.nix index 10d36c4..9a3e598 100644 --- a/machines/optimus.nix +++ b/machines/optimus.nix @@ -1,22 +1,24 @@ /* - Name: https://en.wikipedia.org/wiki/Optimus_Prime - Why: Created to sell toys so this vm is for games - Type: VM - Hardware: - - 
From: 2023 - Role: Game host - Notes: - +Name: https://en.wikipedia.org/wiki/Optimus_Prime +Why: Created to sell toys so this vm is for games +Type: VM +Hardware: - +From: 2023 +Role: Game host +Notes: */ - -{ pkgs, lib, nodes, arion, ... }: -let +{ + pkgs, + lib, + nodes, + arion, + ... +}: let # name of the server, sets teh hostname and record for it - name = "optimus"; - ip_pub = "193.1.99.112"; - hostname = "${name}.skynet.ie"; - + name = "optimus"; + ip_pub = "193.1.99.112"; + hostname = "${name}.skynet.ie"; in { imports = [ ../applications/games.nix @@ -27,12 +29,21 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active" ]; + tags = ["active"]; }; skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { @@ -49,4 +60,4 @@ in { name = name; }; }; -} \ No newline at end of file +} diff --git a/machines/retired/ash.nix b/machines/retired/ash.nix index 5c0b2cb..bbb04e5 100644 --- a/machines/retired/ash.nix +++ b/machines/retired/ash.nix @@ -1,24 +1,25 @@ /* - Name: https://en.wikipedia.org/wiki/Ash_(Alien) - Why: Infilitrate into the network - Type: VM - Hardware: - - 
From: 2023 - Role: Wireguard (VPN) Server - Notes: Thius vpn is for admin use only, to give access to all the servers via ssh - +Name: https://en.wikipedia.org/wiki/Ash_(Alien) +Why: Infilitrate into the network +Type: VM +Hardware: - +From: 2023 +Role: Wireguard (VPN) Server +Notes: Thius vpn is for admin use only, to give access to all the servers via ssh */ - -{ pkgs, lib, nodes, ... }: -let +{ + pkgs, + lib, + nodes, + ... +}: let # name of the server, sets teh hostname and record for it - name = "ash"; - ip_pub = "193.1.99.75"; - ip_priv = "172.20.20.5"; + name = "ash"; + ip_pub = "193.1.99.75"; + ip_priv = "172.20.20.5"; # hostname = "${name}.skynet.ie"; - hostname = ip_pub; - + hostname = ip_pub; in { imports = [ # applications for this particular server @@ -48,7 +49,6 @@ in { ]; }; - age.secrets.wireguard.file = ../secrets/wireguard.age; networking = { @@ -74,12 +74,12 @@ in { privateKeyFile = "/run/agenix/wireguard"; peers = [ - { # silver - Brendan + { + # silver - Brendan publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ="; - allowedIPs = [ "172.20.21.2/32" ]; + allowedIPs = ["172.20.21.2/32"]; } ]; - }; }; @@ -87,5 +87,4 @@ in { # needed to generate keys pkgs.wireguard-tools ]; - } diff --git a/machines/skynet.nix b/machines/skynet.nix index bc018df..db34510 100644 --- a/machines/skynet.nix +++ b/machines/skynet.nix @@ -1,23 +1,25 @@ /* - Name: https://en.wikipedia.org/wiki/Skynet_(Terminator) - Why: Skynet is eternal - Type: VM - Hardware: - - 
From: 2023 - Role: Webserver and member linux box - Notes: Does not host offical sites - +Name: https://en.wikipedia.org/wiki/Skynet_(Terminator) +Why: Skynet is eternal +Type: VM +Hardware: - +From: 2023 +Role: Webserver and member linux box +Notes: Does not host offical sites */ - -{ pkgs, lib, nodes, inputs, ... }: -let - name = "skynet"; +{ + pkgs, + lib, + nodes, + inputs, + ... +}: let + name = "skynet"; # DMZ that ITD provided - ip_pub = "193.1.96.165"; - ip_int = "193.1.99.81"; - hostname = "${name}.skynet.ie"; - + ip_pub = "193.1.96.165"; + ip_int = "193.1.99.81"; + hostname = "${name}.skynet.ie"; in { imports = [ ../applications/skynet_users.nix @@ -29,12 +31,21 @@ in { targetUser = "root"; # this one is manually deployed - tags = [ "active-ext" ]; + tags = ["active-ext"]; }; skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup.host = { @@ -83,4 +94,4 @@ in { name = name; }; }; -} \ No newline at end of file +} diff --git a/machines/vendetta.nix b/machines/vendetta.nix index 0f87579..c1ddcb5 100644 --- a/machines/vendetta.nix +++ b/machines/vendetta.nix @@ -1,21 +1,23 @@ /* - Name: https://masseffect.fandom.com/wiki/Vendetta - Why: Vendetta held troves of important data waiting for folks to request it. - Type: Physical - Hardware: PowerEdge r210 - 
From: 2011 (?) - Role: DNS Server - Notes: Using the server that used to be called Earth - +Name: https://masseffect.fandom.com/wiki/Vendetta +Why: Vendetta held troves of important data waiting for folks to request it. +Type: Physical +Hardware: PowerEdge r210 +From: 2011 (?) +Role: DNS Server +Notes: Using the server that used to be called Earth */ - -{ pkgs, lib, nodes, ... }: -let +{ + pkgs, + lib, + nodes, + ... +}: let # name of the server, sets teh hostname and record for it - name = "vendetta"; - ip_pub = "193.1.99.120"; - hostname = "${name}.skynet.ie"; + name = "vendetta"; + ip_pub = "193.1.99.120"; + hostname = "${name}.skynet.ie"; in { imports = [ ./hardware/_base.nix @@ -27,7 +29,7 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active-dns" "dns" ]; + tags = ["active-dns" "dns"]; }; networking = { @@ -61,10 +63,18 @@ in { records = [ # vendetta IN A 193.1.99.120 - {record=name; r_type="A"; value=ip_pub; server=true;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } # 120 IN PTR vendetta.skynet.ie. - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; }; - } diff --git a/machines/vigil.nix b/machines/vigil.nix index 8a73e42..4d5c9dd 100644 --- a/machines/vigil.nix +++ b/machines/vigil.nix @@ -1,23 +1,24 @@ /* - Name: https://masseffect.fandom.com/wiki/Vigil - Why: Counterpart to Vendetta - Type: VM - Hardware: - - From: 2023 - Role: DNS Server - Notes: - +Name: https://masseffect.fandom.com/wiki/Vigil +Why: Counterpart to Vendetta +Type: VM +Hardware: - +From: 2023 +Role: DNS Server +Notes: */ - -{ pkgs, lib, nodes, ... }: -let - name = "vigil"; - ip_pub = "193.1.99.109"; - hostname = "${name}.skynet.ie"; +{ + pkgs, + lib, + nodes, + ... +}: let + name = "vigil"; + ip_pub = "193.1.99.109"; + hostname = "${name}.skynet.ie"; in { imports = [ - ]; deployment = { 
@@ -25,7 +26,7 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active-dns" "dns" ]; + tags = ["active-dns" "dns"]; }; services.skynet_backup = { @@ -46,10 +47,18 @@ in { # this server will have to have dns records records = [ # vigil IN A 193.1.99.109 - {record=name; r_type="A"; value=ip_pub; server=true;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } # 109 IN PTR vigil.skynet.ie. - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; }; - } diff --git a/machines/wheatly.nix b/machines/wheatly.nix index 69f556c..a787be0 100644 --- a/machines/wheatly.nix +++ b/machines/wheatly.nix @@ -1,22 +1,23 @@ /* - Name: https://theportalwiki.com/wiki/Wheatley - Why: Whereever GLaDOS is Wheatly is not too far away - Type: VM - Hardware: - - From: 2023 - Role: Gitlab Runner - Notes: - +Name: https://theportalwiki.com/wiki/Wheatley +Why: Whereever GLaDOS is Wheatly is not too far away +Type: VM +Hardware: - +From: 2023 +Role: Gitlab Runner +Notes: */ - -{ pkgs, lib, nodes, ... }: -let +{ + pkgs, + lib, + nodes, + ... +}: let # name of the server, sets teh hostname and record for it - name = "wheatly"; - ip_pub = "193.1.99.78"; - hostname = "${name}.skynet.ie"; - + name = "wheatly"; + ip_pub = "193.1.99.78"; + hostname = "${name}.skynet.ie"; in { imports = [ ../applications/gitlab_runner.nix @@ -27,13 +28,21 @@ in { targetPort = 22; targetUser = "root"; - tags = [ "active-gitlab" ]; + tags = ["active-gitlab"]; }; - skynet_dns.records = [ - {record=name; r_type="A"; value=ip_pub; server=true;} - {record=ip_pub; r_type="PTR"; value=hostname;} + { + record = name; + r_type = "A"; + value = ip_pub; + server = true; + } + { + record = ip_pub; + r_type = "PTR"; + value = hostname; + } ]; services.skynet_backup = { @@ -47,5 +56,4 @@ in { enable = true; runner.name = "runner01"; }; - -} \ No newline at end of file +} 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f2b09cf..cfc8c12 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,7 +1,7 @@ let admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"; silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"; - thenobrainer ="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"; + thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"; users = [ admin @@ -57,11 +57,12 @@ let gir ]; - ldap = [ - kitt - ] - ++ gitlab - ++ email; + ldap = + [ + kitt + ] + ++ gitlab + ++ email; gitlab = [ glados @@ -72,19 +73,20 @@ let ]; # these need dns stuff - webservers = [ - # ULFM - galatea - # Games - optimus - # skynet is a webserver for users - skynet - # our offical server - earth - ] - # ldap servers are web facing - ++ ldap - ++ gitlab; + webservers = + [ + # ULFM + galatea + # Games + optimus + # skynet is a webserver for users + skynet + # our offical server + earth + ] + # ldap servers are web facing + ++ ldap + ++ gitlab; restic = [ neuromancer @@ -93,8 +95,7 @@ let discord = [ kitt ]; -in -{ +in { # nix run github:ryantm/agenix -- -e secret1.age "dns_certs.secret.age".publicKeys = users ++ webservers; @@ -102,7 +103,6 @@ in "stream_ulfm.age".publicKeys = users ++ [galatea]; - "gitlab/pw.age".publicKeys = users ++ gitlab; "gitlab/db_pw.age".publicKeys = users ++ gitlab; "gitlab/secrets_db.age".publicKeys = users ++ gitlab; @@ -129,4 +129,4 @@ in # email stuff "email/details.age".publicKeys = users ++ ldap ++ discord; -} \ No newline at end of file +}