Skynet/nixos
6
1
Fork 0
Code Issues 43 Pull requests 1 Projects Releases Packages Wiki Activity Actions

feat: added a formatter and some instructions

Browse source
This commit is contained in:
silver 2023-09-17 20:51:08 +01:00
parent 14ae0a9065
commit 7f3dc8946e
39 changed files with 1739 additions and 1348 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
README.md
View file

@ -87,6 +87,13 @@ We should be updating ``nixpkgs`` at least once a semester, ideally to teh next
nix flake lock --update-input nixpkgs nix flake lock --update-input nixpkgs
``` ```
### Formatting
Formatting helps keep everything nice and consistent.
```shell
nix fmt
```

10
applications/acme.nix
View file

@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
lib,
...
}:
with lib; let
cfg = config.skynet_acme; cfg = config.skynet_acme;
in { in {
imports = []; imports = [];

13
applications/discord.nix
View file

@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.discord_bot; cfg = config.services.discord_bot;
in { in {
imports = [ imports = [
inputs.skynet_discord_bot.nixosModule."x86_64-linux" inputs.skynet_discord_bot.nixosModule."x86_64-linux"
]; ];
@ -13,7 +17,6 @@
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ]; #backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.discord_token.file = ../secrets/discord/token.age; age.secrets.discord_token.file = ../secrets/discord/token.age;

175
applications/dns.nix
View file

@ -1,5 +1,10 @@
{ lib, pkgs, config, nodes, ... }: {
let lib,
pkgs,
config,
nodes,
...
}: let
cfg = config.skynet_dns; cfg = config.skynet_dns;
# reads that date to a string (will need to be fixed in 2038) # reads that date to a string (will need to be fixed in 2038)
@ -11,7 +16,11 @@ let
filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A"); filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A");
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x); process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
process_ptr_sub = record: {record=(builtins.substring 9 3 record.record); r_type="PTR"; value=record.value;}; process_ptr_sub = record: {
record = builtins.substring 9 3 record.record;
r_type = "PTR";
value = record.value;
};
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip); ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server; sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server;
@ -26,8 +35,7 @@ let
padString = text: length: fixedWidthString_post length " " text; padString = text: length: fixedWidthString_post length " " text;
# like lib.strings.fixedWidthString but postfix # like lib.strings.fixedWidthString but postfix
fixedWidthString_post = width: filler: str: fixedWidthString_post = width: filler: str: let
let
strw = lib.stringLength str; strw = lib.stringLength str;
reqWidth = width - (lib.stringLength filler); reqWidth = width - (lib.stringLength filler);
in in
@ -36,11 +44,10 @@ let
then str then str
else (fixedWidthString_post reqWidth filler str) + filler; else (fixedWidthString_post reqWidth filler str) + filler;
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
get_config_file = (domain: get_config_file = (
''$TTL 60 ; 1 minute domain: ''
$TTL 60 ; 1 minute
; hostmaster@${domain} is an email address that recieves stuff related to dns ; hostmaster@${domain} is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. ( @ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
@ -90,11 +97,11 @@ ${format_records sort_records_srv 17}
'' ''
); );
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
# config for our reverse dnspointers (not properly working) # config for our reverse dnspointers (not properly working)
get_config_file_rev = (domain: get_config_file_rev = (
''$ORIGIN 64-64.99.1.193.in-addr.arpa. domain: ''
$ORIGIN 64-64.99.1.193.in-addr.arpa.
$TTL 60 ; 1 minute $TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. ( @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
@ -117,8 +124,9 @@ ${format_records sort_records_ptr 3}
); );
# domains we dont have proper ownship over, only here to ensure the logs dont get cluttered. # domains we dont have proper ownship over, only here to ensure the logs dont get cluttered.
get_config_file_old_domains = (domain: get_config_file_old_domains = (
''$TTL 60 ; 1 minute domain: ''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. ( @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
@ -139,28 +147,27 @@ ${format_records sort_records_ptr 3}
tmp1 = ["193.1.99.109"]; tmp1 = ["193.1.99.109"];
tmp2 = ["193.1.99.120"]; tmp2 = ["193.1.99.120"];
primaries = (if cfg.server.primary then primaries = (
if cfg.server.primary
then
# primary servers have no primaries (ones they listen to) # primary servers have no primaries (ones they listen to)
[] []
else else if builtins.elem cfg.server.ip tmp1
if builtins.elem cfg.server.ip tmp1 then then tmp2
tmp2 else tmp1
else
tmp1
); );
secondaries = (if cfg.server.primary then secondaries = (
if builtins.elem cfg.server.ip tmp1 then if cfg.server.primary
tmp2 then
else if builtins.elem cfg.server.ip tmp1
tmp1 then tmp2
else else tmp1
[] else []
); );
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router # small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
create_cache_networks = (map (x: "193.1.99.${toString x}/32" ) (lib.lists.range 71 126) ); create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
# standard function to create the etc file, pass in the text and domain and it makes it # standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc_sub = domain: text: { create_entry_etc_sub = domain: text: {
@ -177,19 +184,17 @@ ${format_records sort_records_ptr 3}
}; };
# (text.owned "csn.ul.ie") # (text.owned "csn.ul.ie")
# standard function to create the etc file, pass in the text and domain and it makes it # standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc = domain: type: create_entry_etc = domain: type:
if type == "owned" then if type == "owned"
create_entry_etc_sub domain (text.owned domain) then create_entry_etc_sub domain (text.owned domain)
else if type == "reverse" then else if type == "reverse"
create_entry_etc_sub domain (text.reverse domain) then create_entry_etc_sub domain (text.reverse domain)
else if type == "old" then else if type == "old"
create_entry_etc_sub domain (text.old domain) then create_entry_etc_sub domain (text.old domain)
else else {};
{};
create_entry_zone = (domain: extraConfig: { create_entry_zone = domain: extraConfig: {
"${domain}" = { "${domain}" = {
extraConfig = '' extraConfig = ''
${extraConfig} ${extraConfig}
@ -205,7 +210,7 @@ ${extraConfig}
file = "/etc/skynet/dns/${domain}"; file = "/etc/skynet/dns/${domain}";
# no leading whitespace for first line # no leading whitespace for first line
}; };
}); };
text = { text = {
owned = domain: get_config_file domain; owned = domain: get_config_file domain;
@ -215,15 +220,14 @@ ${extraConfig}
extraConfig = { extraConfig = {
owned = owned =
if cfg.server.primary then if cfg.server.primary
'' then ''
allow-update { key rfc2136key.skynet.ie.; }; allow-update { key rfc2136key.skynet.ie.; };
dnssec-policy default; dnssec-policy default;
inline-signing yes; inline-signing yes;
'' ''
else else "";
"";
# no extra config for reverse # no extra config for reverse
reverse = ""; reverse = "";
@ -232,30 +236,52 @@ inline-signing yes;
}; };
records = builtins.concatLists ( records = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value: lib.attrsets.mapAttrsToList (
let key: value: let
details_server = value.config.skynet_dns.server; details_server = value.config.skynet_dns.server;
details_records = value.config.skynet_dns.records; details_records = value.config.skynet_dns.records;
in in
if builtins.hasAttr "skynet_dns" value.config if builtins.hasAttr "skynet_dns" value.config
then ( then
(
# got to handle habing a dns record for the dns serves themselves. # got to handle habing a dns record for the dns serves themselves.
if details_server.enable if details_server.enable
then ( then
(
if details_server.primary if details_server.primary
then details_records ++ [ {record="ns1"; r_type="A"; value=details_server.ip; server=false;} ] then
else details_records ++ [ {record="ns2"; r_type="A"; value=details_server.ip; server=false;} ] details_records
++ [
{
record = "ns1";
r_type = "A";
value = details_server.ip;
server = false;
}
]
else
details_records
++ [
{
record = "ns2";
r_type = "A";
value = details_server.ip;
server = false;
}
]
) )
else details_records else details_records
) )
else [] else []
) nodes )
nodes
); );
nameserver = if cfg.server.primary then "ns1" else "ns2"; nameserver =
if cfg.server.primary
then "ns1"
else "ns2";
in { in {
imports = [ imports = [
../applications/firewall.nix ../applications/firewall.nix
]; ];
@ -284,7 +310,8 @@ in {
records = lib.mkOption { records = lib.mkOption {
description = "Records, sorted based on therir type"; description = "Records, sorted based on therir type";
type = with lib.types; listOf (submodule { type = with lib.types;
listOf (submodule {
options = { options = {
record = lib.mkOption { record = lib.mkOption {
type = str; type = str;
@ -303,12 +330,10 @@ in {
}; };
}); });
}; };
}; };
}; };
config = lib.mkIf cfg.server.enable { config = lib.mkIf cfg.server.enable {
# open the firewall for this # open the firewall for this
skynet_firewall.forward = [ skynet_firewall.forward = [
"ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept" "ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept"
@ -316,25 +341,20 @@ in {
]; ];
services.bind.zones = services.bind.zones =
(create_entry_zone "csn.ul.ie" extraConfig.owned ) // (create_entry_zone "csn.ul.ie" extraConfig.owned)
(create_entry_zone "skynet.ie" extraConfig.owned ) // // (create_entry_zone "skynet.ie" extraConfig.owned)
(create_entry_zone "ulcompsoc.ie" extraConfig.owned ) // // (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
// (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
(create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse ) // // (create_entry_zone "conradcollins.net" extraConfig.old)
// (create_entry_zone "edelharty.net" extraConfig.old);
(create_entry_zone "conradcollins.net" extraConfig.old )//
(create_entry_zone "edelharty.net" extraConfig.old );
environment.etc = environment.etc =
(create_entry_etc "csn.ul.ie" "owned") // (create_entry_etc "csn.ul.ie" "owned")
(create_entry_etc "skynet.ie" "owned") // // (create_entry_etc "skynet.ie" "owned")
(create_entry_etc "ulcompsoc.ie" "owned") // // (create_entry_etc "ulcompsoc.ie" "owned")
// (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse") // // (create_entry_etc "conradcollins.net" "old")
// (create_entry_etc "edelharty.net" "old");
(create_entry_etc "conradcollins.net" "old") //
(create_entry_etc "edelharty.net" "old");
# secrets required # secrets required
age.secrets.dns_dnskeys = { age.secrets.dns_dnskeys = {
@ -374,7 +394,8 @@ in {
"9.9.9.9" "9.9.9.9"
]; ];
cacheNetworks = [ cacheNetworks =
[
# this server itself # this server itself
"127.0.0.0/24" "127.0.0.0/24"
@ -390,7 +411,8 @@ in {
Now have a function for it Now have a function for it
*/ */
] ++ create_cache_networks; ]
++ create_cache_networks;
}; };
# deletes teh journal files evey start so it no longer stalls out # deletes teh journal files evey start so it no longer stalls out
@ -404,6 +426,5 @@ in {
createHome = true; createHome = true;
home = "/etc/skynet/dns"; home = "/etc/skynet/dns";
}; };
}; };
} }

80
applications/email.nix
View file

@ -1,17 +1,21 @@
{ config, pkgs, lib, inputs, ...}: with lib; {
let config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_email; cfg = config.services.skynet_email;
# create teh new strings # create teh new strings
create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})"); create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
create_filter_join = (x: concatStringsSep "" x); create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket? # thought you could escape racket?
create_filter = (groups: create_filter_join (create_filter_array groups) ); create_filter = groups: create_filter_join (create_filter_array groups);
in { in {
imports = [ imports = [
./dns.nix ./dns.nix
./acme.nix ./acme.nix
@ -85,7 +89,6 @@
default = "cn=admin,${cfg.ldap.base}"; default = "cn=admin,${cfg.ldap.base}";
description = lib.mdDoc "where to find users"; description = lib.mdDoc "where to find users";
}; };
}; };
}; };
@ -104,30 +107,70 @@
# set up dns record for it # set up dns record for it
skynet_dns.records = [ skynet_dns.records = [
# basic one # basic one
{record="mail"; r_type="A"; value=cfg.host.ip;} {
record = "mail";
r_type = "A";
value = cfg.host.ip;
}
# TXT records, all tehse are inside escaped strings to allow using "" # TXT records, all tehse are inside escaped strings to allow using ""
# SPF record # SPF record
{record="${cfg.domain}."; r_type="TXT"; value=''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';} {
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
}
# DKIM keys # DKIM keys
{record="mail._domainkey.skynet.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';} {
{record="mail._domainkey.ulcompsoc.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';} record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
# DMARC # DMARC
{record="_dmarc.${cfg.domain}."; r_type="TXT"; value=''"v=DMARC1; p=none"'';} {
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
value = ''"v=DMARC1; p=none"'';
}
# reverse pointer # reverse pointer
{record=cfg.host.ip; r_type="PTR"; value="${cfg.sub}.${cfg.domain}.";} {
record = cfg.host.ip;
r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}.";
}
# SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie # SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie
# https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406 # https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406
# response should be: # response should be:
# _imap._tcp SRV 0 1 143 imap.example.com. # _imap._tcp SRV 0 1 143 imap.example.com.
{record="_imaps._tcp"; r_type="SRV"; value="0 1 993 ${cfg.sub}.${cfg.domain}.";} {
{record="_imap._tcp"; r_type="SRV"; value="0 1 143 ${cfg.sub}.${cfg.domain}.";} record = "_imaps._tcp";
{record="_submissions._tcp"; r_type="SRV"; value="0 1 465 ${cfg.sub}.${cfg.domain}.";} r_type = "SRV";
{record="_submission._tcp"; r_type="SRV"; value="0 1 587 ${cfg.sub}.${cfg.domain}.";} value = "0 1 993 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_imap._tcp";
r_type = "SRV";
value = "0 1 143 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submissions._tcp";
r_type = "SRV";
value = "0 1 465 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submission._tcp";
r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
}
]; ];
# to provide the certs # to provide the certs
@ -215,14 +258,11 @@
uidAttribute = "skMail"; uidAttribute = "skMail";
mailAttribute = "skMail"; mailAttribute = "skMail";
}; };
}; };
# feckin spammers # feckin spammers
rejectRecipients = [ rejectRecipients = [
]; ];
}; };
# tune the spam filter # tune the spam filter

16
applications/firewall.nix
View file

@ -1,5 +1,9 @@
{lib, pkgs, config, ...}: { {
lib,
pkgs,
config,
...
}: {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
options = { options = {
skynet_firewall = { skynet_firewall = {
@ -42,9 +46,7 @@
A list of UDP ports for the machiene running the firewall A list of UDP ports for the machiene running the firewall
''; '';
}; };
}; };
}; };
}; };
}; };
@ -56,8 +58,7 @@
# fules for the firewall # fules for the firewall
# beware of EOL conversion. # beware of EOL conversion.
networking.nftables.ruleset = networking.nftables.ruleset = ''
''
# using https://oxcrag.net/2021/12/25/build-your-own-router-with-nftables-part-1/ as a guide # using https://oxcrag.net/2021/12/25/build-your-own-router-with-nftables-part-1/ as a guide
# Clear out any existing rules # Clear out any existing rules
@ -165,8 +166,5 @@
} }
} }
''; '';
}; };
} }

21
applications/games.nix
View file

@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_games; cfg = config.services.skynet_games;
in { in {
imports = [ imports = [
@ -9,7 +13,6 @@
./games/minecraft.nix ./games/minecraft.nix
]; ];
options.services.skynet_games = { options.services.skynet_games = {
enable = mkEnableOption "Skynet Games"; enable = mkEnableOption "Skynet Games";
@ -39,14 +42,16 @@
default = "games"; default = "games";
}; };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
skynet_dns.records = [ skynet_dns.records = [
# need a base domain # need a base domain
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
# the minecraft servers # the minecraft servers
@ -62,7 +67,5 @@
sub = "minecraft.${cfg.domain.sub}"; sub = "minecraft.${cfg.domain.sub}";
}; };
}; };
}; };
} }

45
applications/games/minecraft.nix
View file

@ -1,12 +1,16 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_games_minecraft; cfg = config.services.skynet_games_minecraft;
# got tired of how long this is so I created a var for it. # got tired of how long this is so I created a var for it.
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in { in {
imports = [ imports = [
../acme.nix ../acme.nix
../dns.nix ../dns.nix
@ -60,15 +64,35 @@
skynet_dns.records = [ skynet_dns.records = [
# the minecraft (web) config server # the minecraft (web) config server
{record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} {
record = "config.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# our own minecraft hosts # our own minecraft hosts
{record="compsoc_classic.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} {
{record="compsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} record = "compsoc_classic.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "compsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# gsoc servers # gsoc servers
{record="gsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} {
{record="gsoc_abridged.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} record = "gsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "gsoc_abridged.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@ -77,7 +101,6 @@
]; ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
# https://config.minecraft.games.skynet.ie # https://config.minecraft.games.skynet.ie
"config.${short_domain}" = { "config.${short_domain}" = {
forceSSL = true; forceSSL = true;
@ -94,7 +117,6 @@
useACMEHost = "skynet"; useACMEHost = "skynet";
locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/"; locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/";
}; };
}; };
# arion is one way to use docker on nixos # arion is one way to use docker on nixos
@ -103,7 +125,6 @@
virtualisation.arion = { virtualisation.arion = {
backend = "docker"; backend = "docker";
projects = { projects = {
minecraft.settings.services = { minecraft.settings.services = {
mc_proxy.service = { mc_proxy.service = {
image = "itzg/mc-router:1.18.0"; image = "itzg/mc-router:1.18.0";

25
applications/gitlab.nix
View file

@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_gitlab; cfg = config.services.skynet_gitlab;
in { in {
imports = [ imports = [
@ -52,9 +56,7 @@
default = "dc=skynet,dc=ie"; default = "dc=skynet,dc=ie";
description = lib.mdDoc "The base address in the ldap server"; description = lib.mdDoc "The base address in the ldap server";
}; };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -102,9 +104,17 @@
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
# for gitlab pages # for gitlab pages
{record="*.pages.${cfg.domain.base}.${cfg.domain.tld}."; r_type="A"; value=cfg.host.ip;} {
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
r_type = "A";
value = cfg.host.ip;
}
]; ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@ -163,7 +173,6 @@
auth-server = "https://gitlab.example.com"; auth-server = "https://gitlab.example.com";
*/ */
}; };
}; };
#smtp = { #smtp = {
# enable = true; # enable = true;

11
applications/gitlab_runner.nix
View file

@ -1,10 +1,13 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_gitlab_runner; cfg = config.services.skynet_gitlab_runner;
in { in {
imports = [ imports = [
]; ];
options.services.skynet_gitlab_runner = { options.services.skynet_gitlab_runner = {

34
applications/ldap/backend.nix
View file

@ -1,10 +1,14 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.ldap_backend; cfg = config.services.ldap_backend;
port_backend = "8087"; port_backend = "8087";
in { in {
imports = [ imports = [
../acme.nix ../acme.nix
../dns.nix ../dns.nix
@ -44,7 +48,6 @@
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ]; #backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.ldap_details.file = ../../secrets/ldap/details.age; age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
@ -56,7 +59,11 @@
]; ];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
@ -99,7 +106,8 @@
]; ];
lifetime = []; lifetime = [];
banned = []; banned = [];
restricted = [ restricted =
[
# usernames folks arent allowed to use # usernames folks arent allowed to use
"contact" "contact"
"dnsadm" "dnsadm"
@ -109,8 +117,8 @@
"pro" "pro"
"sysadmin" "sysadmin"
"root" "root"
]
] ++ [ ++ [
# basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444 # basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444
# start off with compsoc stuff first # start off with compsoc stuff first
"competition_www" "competition_www"
@ -127,7 +135,8 @@
"test20203" "test20203"
"tmp" "tmp"
"webadm" "webadm"
] ++ [ ]
++ [
# clubs and socs (as far as I can tell # clubs and socs (as far as I can tell
"aerosoc" "aerosoc"
"aikido" "aikido"
@ -170,7 +179,8 @@
"ulssc" "ulssc"
"ultennis" "ultennis"
"viking" "viking"
] ++ [ ]
++ [
# remaining, most likely usernames # remaining, most likely usernames
"_9thwonder" "_9thwonder"
"abc" "abc"
@ -405,9 +415,7 @@
"yvonne" "yvonne"
"zrahman" "zrahman"
]; ];
}; };
}; };
}; };
} }

34
applications/ldap/client.nix
View file

@ -1,21 +1,26 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_ldap_client; cfg = config.services.skynet_ldap_client;
# always ensure the admin group has access # always ensure the admin group has access
create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x); create_filter_check_admin = x:
if !(builtins.elem "skynet-admins" x)
then x ++ ["skynet-admins"]
else x;
# create teh new strings # create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})"); create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
create_filter_join = (x: concatStringsSep "" x); create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket? # thought you could escape racket?
create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) ); create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
in { in {
# these are needed for teh program in question # these are needed for teh program in question
imports = []; imports = [];
@ -46,7 +51,6 @@
]; ];
description = lib.mdDoc "Groups we want to allow access to the server"; description = lib.mdDoc "Groups we want to allow access to the server";
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -54,9 +58,16 @@
security.sudo.extraRules = [ security.sudo.extraRules = [
# admin group has sudo access # admin group has sudo access
{ groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } {
groups = ["skynet-admins-linux"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
]; ];
# give users a home dir # give users a home dir
security.pam.services.sshd.makeHomeDir = true; security.pam.services.sshd.makeHomeDir = true;
@ -112,6 +123,5 @@ domains = skynet.ie
[autofs] [autofs]
''; '';
}; };
}; };
} }

47
applications/ldap/server.nix
View file

@ -1,13 +1,16 @@
/* /*
Gonna use a priper nixos module for this Gonna use a priper nixos module for this
*/ */
{
{ config, pkgs, lib, inputs, ... }: config,
with lib; pkgs,
let lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_ldap; cfg = config.services.skynet_ldap;
in { in {
# these are needed for teh program in question # these are needed for teh program in question
imports = [ imports = [
../acme.nix ../acme.nix
@ -16,7 +19,6 @@ Gonna use a priper nixos module for this
./backend.nix ./backend.nix
]; ];
options.services.skynet_ldap = { options.services.skynet_ldap = {
# options that need to be passed in to make this work # options that need to be passed in to make this work
@ -61,7 +63,6 @@ Gonna use a priper nixos module for this
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# passthrough to the backend # passthrough to the backend
services.ldap_backend = { services.ldap_backend = {
enable = true; enable = true;
@ -82,7 +83,11 @@ Gonna use a priper nixos module for this
]; ];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
# firewall on teh computer itself # firewall on teh computer itself
@ -122,14 +127,18 @@ Gonna use a priper nixos module for this
enable = true; enable = true;
/* enable plain and secure connections */ /*
enable plain and secure connections
*/
urlList = ["ldap:///" "ldaps:///"]; urlList = ["ldap:///" "ldaps:///"];
settings = { settings = {
attrs = { attrs = {
olcLogLevel = "conns config"; olcLogLevel = "conns config";
/* settings for acme ssl */ /*
settings for acme ssl
*/
olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem"; olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem"; olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem"; olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
@ -154,7 +163,6 @@ Gonna use a priper nixos module for this
./skMemberOf.ldif ./skMemberOf.ldif
]; ];
"cn=modules".attrs = { "cn=modules".attrs = {
objectClass = ["olcModuleList"]; objectClass = ["olcModuleList"];
cn = "modules"; cn = "modules";
@ -176,14 +184,18 @@ Gonna use a priper nixos module for this
olcSuffix = cfg.base; olcSuffix = cfg.base;
/* your admin account, do not use writeText on a production system */ /*
your admin account, do not use writeText on a production system
*/
olcRootDN = "cn=admin,${cfg.base}"; olcRootDN = "cn=admin,${cfg.base}";
olcRootPW.path = config.age.secrets.ldap_pw.path; olcRootPW.path = config.age.secrets.ldap_pw.path;
#olcOverlay = "memberof"; #olcOverlay = "memberof";
olcAccess = [ olcAccess = [
/* custom access rules for userPassword attributes */ /*
custom access rules for userPassword attributes
*/
'' {0}to attrs=userPassword '' {0}to attrs=userPassword
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write by self write
@ -195,13 +207,13 @@ Gonna use a priper nixos module for this
by self write by self write
by * read'' by * read''
/* allow read on anything else */ /*
allow read on anything else
*/
'' {2}to * '' {2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read'' by * read''
]; ];
}; };
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/ # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
@ -223,10 +235,7 @@ Gonna use a priper nixos module for this
olcMemberOfMemberOfAD = "memberOf"; olcMemberOfMemberOfAD = "memberOf";
}; };
}; };
}; };
}; };
}; };
}; };

1
applications/nginx.nix
View file

@ -1,5 +1,4 @@
# using K900's one https://gitlab.com/K900/nix/-/blob/a69502b8bf39fd99a85342b2f7989fe5896a6ae0/applications/base/nginx.nix # using K900's one https://gitlab.com/K900/nix/-/blob/a69502b8bf39fd99a85342b2f7989fe5896a6ae0/applications/base/nginx.nix
{pkgs, ...}: { {pkgs, ...}: {
services.nginx = { services.nginx = {
enable = true; enable = true;

41
applications/restic.nix
View file

@ -1,10 +1,14 @@
# nodes is all the nodes # nodes is all the nodes
{ lib, config, nodes, pkgs, ...}: with lib; {
let lib,
config,
nodes,
pkgs,
...
}:
with lib; let
cfg = config.services.skynet_backup; cfg = config.services.skynet_backup;
# since they should all have the same config we can do this # since they should all have the same config we can do this
base = { base = {
paths = cfg.normal.backups; paths = cfg.normal.backups;
@ -29,11 +33,12 @@
# then if the server is enabled, # then if the server is enabled,
# then pull relevant dtails # then pull relevant dtails
ownServers = builtins.listToAttrs (builtins.concatLists ( ownServers = builtins.listToAttrs (builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value: lib.attrsets.mapAttrsToList (
let key: value: let
backup = value.config.services.skynet_backup; backup = value.config.services.skynet_backup;
in in
if ( if
(
(builtins.hasAttr "skynet_backup" value.config.services) (builtins.hasAttr "skynet_backup" value.config.services)
&& backup.server.enable && backup.server.enable
&& backup.host.name != cfg.host.name && backup.host.name != cfg.host.name
@ -42,7 +47,9 @@
then [ then [
{ {
name = backup.host.name; name = backup.host.name;
value = base // { value =
base
// {
repositoryFile = "/etc/skynet/restic/${backup.host.name}"; repositoryFile = "/etc/skynet/restic/${backup.host.name}";
backupPrepareCommand = '' backupPrepareCommand = ''
@ -62,20 +69,15 @@
sed -i "s/password/$line/g" ${backup.host.name} sed -i "s/password/$line/g" ${backup.host.name}
''; '';
}; };
} }
] ]
else [] else []
) nodes )
nodes
)); ));
in { in {
imports = [ imports = [
]; ];
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@ -146,10 +148,8 @@
default = false; default = false;
}; };
}; };
}; };
config = { config = {
# these values are anabled for every client # these values are anabled for every client
@ -168,14 +168,15 @@
cfg.server.port cfg.server.port
]; ];
services.restic.backups = ownServers // { services.restic.backups =
ownServers
// {
# merge teh two configs together # merge teh two configs together
# backblaze = base // { # backblaze = base // {
# # backupos for each server are stored in a folder under their name # # backupos for each server are stored in a folder under their name
# repository = "b2:NixOS-Main2:/${cfg.host.name}"; # repository = "b2:NixOS-Main2:/${cfg.host.name}";
# #environmentFile = config.age.secrets.backblaze.path; # #environmentFile = config.age.secrets.backblaze.path;
# }; # };
}; };
age.secrets.restic_pw = mkIf cfg.server.enable { age.secrets.restic_pw = mkIf cfg.server.enable {
@ -193,7 +194,5 @@
appendOnly = cfg.server.appendOnly; appendOnly = cfg.server.appendOnly;
privateRepos = true; privateRepos = true;
}; };
}; };
} }

30
applications/skynet.ie.nix
View file

@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet; cfg = config.services.skynet;
in { in {
imports = [ imports = [
./acme.nix ./acme.nix
./dns.nix ./dns.nix
@ -29,9 +33,21 @@
skynet_dns.records = [ skynet_dns.records = [
# means root domain, so skynet.ie # means root domain, so skynet.ie
{record="@"; r_type="A"; value=cfg.host.ip;} {
{record="2016"; r_type="CNAME"; value=cfg.host.name;} record = "@";
{record="discord"; r_type="CNAME"; value=cfg.host.name;} r_type = "A";
value = cfg.host.ip;
}
{
record = "2016";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "discord";
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443];

25
applications/skynet_users.nix
View file

@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_users; cfg = config.services.skynet_users;
in { in {
imports = [ imports = [
./acme.nix ./acme.nix
./dns.nix ./dns.nix
@ -32,7 +36,6 @@
]; ];
}; };
# Website config # Website config
skynet_acme.domains = [ skynet_acme.domains = [
"users.skynet.ie" "users.skynet.ie"
@ -40,8 +43,16 @@
]; ];
skynet_dns.records = [ skynet_dns.records = [
{record ="users"; r_type="CNAME"; value=cfg.host.name;} {
{record="*.users"; r_type="CNAME"; value=cfg.host.name;} record = "users";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "*.users";
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443];

19
applications/ulfm.nix
View file

@ -1,9 +1,12 @@
{ config, lib, pkgs, ... }: {
with lib; config,
let lib,
pkgs,
...
}:
with lib; let
cfg = config.services.skynet_ulfm; cfg = config.services.skynet_ulfm;
in { in {
imports = [ imports = [
./acme.nix ./acme.nix
./dns.nix ./dns.nix
@ -55,7 +58,11 @@
]; ];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
skynet_firewall.forward = [ skynet_firewall.forward = [
@ -91,7 +98,5 @@
useACMEHost = "skynet"; useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:8000"; locations."/".proxyPass = "http://localhost:8000";
}; };
}; };
} }

79
flake.lock
View file

@ -20,6 +20,29 @@
"type": "github" "type": "github"
} }
}, },
"alejandra": {
"inputs": {
"fenix": "fenix",
"flakeCompat": "flakeCompat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1660510326,
"narHash": "sha256-xFumnivtVwu5fFBOrTxrv6fv3geHKF04RGP23EsDVaI=",
"owner": "kamadorueda",
"repo": "alejandra",
"rev": "ef03f7ef74ec97fd91a016a51c9c9667fb315652",
"type": "github"
},
"original": {
"owner": "kamadorueda",
"ref": "3.0.0",
"repo": "alejandra",
"type": "github"
}
},
"arion": { "arion": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
@ -78,6 +101,28 @@
"type": "github" "type": "github"
} }
}, },
"fenix": {
"inputs": {
"nixpkgs": [
"alejandra",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1657607339,
"narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -133,6 +178,22 @@
"type": "github" "type": "github"
} }
}, },
"flakeCompat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"haskell-flake": { "haskell-flake": {
"locked": { "locked": {
"lastModified": 1675296942, "lastModified": 1675296942,
@ -401,6 +462,7 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"alejandra": "alejandra",
"arion": "arion", "arion": "arion",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
@ -412,6 +474,23 @@
"skynet_website_2016": "skynet_website_2016" "skynet_website_2016": "skynet_website_2016"
} }
}, },
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1657557289,
"narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "caf23f29144b371035b864a1017dbc32573ad56d",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"simple-nixos-mailserver": { "simple-nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",

17
flake.nix
View file

@ -1,5 +1,4 @@
{ {
description = "Deployment for skynet"; description = "Deployment for skynet";
inputs = { inputs = {
@ -10,6 +9,10 @@
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
arion.url = "github:hercules-ci/arion"; arion.url = "github:hercules-ci/arion";
alejandra = {
url = "github:kamadorueda/alejandra/3.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
# email # email
# simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; # simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
@ -27,10 +30,16 @@
nixConfig.bash-prompt-suffix = "[Skynet Dev] "; nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
outputs = { self, nixpkgs, agenix, ... } @inputs: outputs = {
let self,
nixpkgs,
agenix,
alejandra,
...
} @ inputs: let
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs; pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
in { in {
formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux";
devShells.x86_64-linux.default = pkgs.mkShell { devShells.x86_64-linux.default = pkgs.mkShell {
name = "Skynet build env"; name = "Skynet build env";
@ -92,8 +101,6 @@
# Main skynet sites # Main skynet sites
earth = import ./machines/earth.nix; earth = import ./machines/earth.nix;
}; };
}; };
} }

9
machines/_base.nix
View file

@ -1,6 +1,11 @@
{ pkgs, modulesPath, config, options, inputs, ... }:
{ {
pkgs,
modulesPath,
config,
options,
inputs,
...
}: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")

34
machines/agentjones.nix
View file

@ -6,17 +6,18 @@
From: 2011 (?) From: 2011 (?)
Role: Firewall Role: Firewall
Notes: Used to have Agent Smith as a partner but it died (Ironically) Notes: Used to have Agent Smith as a partner but it died (Ironically)
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "agentjones"; name = "agentjones";
ip_pub = "193.1.99.72"; ip_pub = "193.1.99.72";
ip_priv = "193.1.99.125"; ip_priv = "193.1.99.125";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
./hardware/_base.nix ./hardware/_base.nix
@ -33,8 +34,17 @@ in {
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -92,18 +102,20 @@ in {
# gonna have to get all the # gonna have to get all the
forward = builtins.concatLists ( forward = builtins.concatLists (
# using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list
lib.attrsets.mapAttrsToList (key: value: lib.attrsets.mapAttrsToList (
key: value:
# make sure that anything running this firewall dosent count (recursion otherewise) # make sure that anything running this firewall dosent count (recursion otherewise)
# firewall may want to open ports in itself but can deal with that later # firewall may want to open ports in itself but can deal with that later
if builtins.hasAttr "skynet_firewall" value.config if builtins.hasAttr "skynet_firewall" value.config
then ( then
(
if value.config.skynet_firewall.enable if value.config.skynet_firewall.enable
then [] then []
else value.config.skynet_firewall.forward else value.config.skynet_firewall.forward
) )
else [] else []
) nodes )
nodes
); );
}; };
} }

26
machines/earth.nix
View file

@ -7,15 +7,17 @@
From: 2023 From: 2023
Role: Webserver Role: Webserver
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, inputs, ... }: pkgs,
let lib,
nodes,
inputs,
...
}: let
name = "earth"; name = "earth";
ip_pub = "193.1.99.79"; ip_pub = "193.1.99.79";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/skynet.ie.nix ../applications/skynet.ie.nix
@ -31,8 +33,17 @@ in {
# it has two network devices so two # it has two network devices so two
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -48,5 +59,4 @@ in {
name = name; name = name;
}; };
}; };
} }

24
machines/galatea.nix
View file

@ -7,11 +7,14 @@
From: 2023 From: 2023
Role: Icecast server for ULFM Role: Icecast server for ULFM
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, config, ... }: pkgs,
let lib,
nodes,
config,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "galatea"; name = "galatea";
ip_pub = "193.1.99.111"; ip_pub = "193.1.99.111";
@ -30,8 +33,17 @@ in {
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {

24
machines/gir.nix
View file

@ -7,17 +7,18 @@
From: 2023 From: 2023
Role: Email Server Role: Email Server
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "gir"; name = "gir";
ip_pub = "193.1.99.76"; ip_pub = "193.1.99.76";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
#hostname = ip_pub; #hostname = ip_pub;
in { in {
imports = [ imports = [
../applications/email.nix ../applications/email.nix
@ -33,8 +34,17 @@ in {
# add this server to dns # add this server to dns
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {

26
machines/glados.nix
View file

@ -8,16 +8,17 @@
Role: Git server Role: Git server
Notes: Each user has roughly 20gb os storage Notes: Each user has roughly 20gb os storage
20 * 100 = 2000gb 20 * 100 = 2000gb
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "glados"; name = "glados";
ip_pub = "193.1.99.75"; ip_pub = "193.1.99.75";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/gitlab.nix ../applications/gitlab.nix
@ -31,10 +32,18 @@ in {
tags = ["active-gitlab"]; tags = ["active-gitlab"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -51,5 +60,4 @@ in {
name = name; name = name;
}; };
}; };
} }

24
machines/hardware/RM001.nix
View file

@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"]; boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
@ -13,18 +17,18 @@
boot.kernelModules = []; boot.kernelModules = [];
boot.extraModulePackages = []; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e"; device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/41AD-70AF"; device = "/dev/disk/by-uuid/41AD-70AF";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f"; } {device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

24
machines/hardware/RM002.nix
View file

@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
@ -13,18 +17,18 @@
boot.kernelModules = []; boot.kernelModules = [];
boot.extraModulePackages = []; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743"; device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/8B03-4D11"; device = "/dev/disk/by-uuid/8B03-4D11";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac"; } {device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

24
machines/hardware/RM007.nix
View file

@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"]; boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"];
@ -13,18 +17,18 @@
boot.kernelModules = []; boot.kernelModules = [];
boot.extraModulePackages = []; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5"; device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/76CE-C65E"; device = "/dev/disk/by-uuid/76CE-C65E";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7"; } {device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

10
machines/hardware/_base.nix
View file

@ -1,5 +1,10 @@
{ config, options, lib, ... }: with lib; {
let config,
options,
lib,
...
}:
with lib; let
# get a list of interfaces # get a list of interfaces
interfaces = attrNames config.networking.interfaces; interfaces = attrNames config.networking.interfaces;
# check if an IP has been assigned # check if an IP has been assigned
@ -13,5 +18,4 @@ in {
} }
]; ];
}; };
} }

24
machines/kitt.nix
View file

@ -7,17 +7,18 @@
From: 2023 From: 2023
Role: LDAP Server Role: LDAP Server
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "kitt"; name = "kitt";
ip_pub = "193.1.99.74"; ip_pub = "193.1.99.74";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
#hostname = ip_pub; #hostname = ip_pub;
in { in {
imports = [ imports = [
../applications/ldap/server.nix ../applications/ldap/server.nix
@ -34,8 +35,17 @@ in {
# add this server to dns # add this server to dns
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {

26
machines/neuromancer.nix
View file

@ -7,23 +7,23 @@
From: 2023 From: 2023
Role: Backup Server Role: Backup Server
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "neuromancer"; name = "neuromancer";
ip_pub = "193.1.99.80"; ip_pub = "193.1.99.80";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
./hardware/_base.nix ./hardware/_base.nix
./hardware/RM007.nix ./hardware/RM007.nix
]; ];
networking.hostName = name; networking.hostName = name;
# this has to be defined for any physical servers # this has to be defined for any physical servers
# vms are defined by teh vm host # vms are defined by teh vm host
@ -43,8 +43,17 @@ in {
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -54,5 +63,4 @@ in {
name = name; name = name;
}; };
}; };
} }

25
machines/optimus.nix
View file

@ -7,16 +7,18 @@
From: 2023 From: 2023
Role: Game host Role: Game host
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, arion, ... }: pkgs,
let lib,
nodes,
arion,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "optimus"; name = "optimus";
ip_pub = "193.1.99.112"; ip_pub = "193.1.99.112";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/games.nix ../applications/games.nix
@ -31,8 +33,17 @@ in {
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {

17
machines/retired/ash.nix
View file

@ -7,18 +7,19 @@
From: 2023 From: 2023
Role: Wireguard (VPN) Server Role: Wireguard (VPN) Server
Notes: Thius vpn is for admin use only, to give access to all the servers via ssh Notes: Thius vpn is for admin use only, to give access to all the servers via ssh
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "ash"; name = "ash";
ip_pub = "193.1.99.75"; ip_pub = "193.1.99.75";
ip_priv = "172.20.20.5"; ip_priv = "172.20.20.5";
# hostname = "${name}.skynet.ie"; # hostname = "${name}.skynet.ie";
hostname = ip_pub; hostname = ip_pub;
in { in {
imports = [ imports = [
# applications for this particular server # applications for this particular server
@ -48,7 +49,6 @@ in {
]; ];
}; };
age.secrets.wireguard.file = ../secrets/wireguard.age; age.secrets.wireguard.file = ../secrets/wireguard.age;
networking = { networking = {
@ -74,12 +74,12 @@ in {
privateKeyFile = "/run/agenix/wireguard"; privateKeyFile = "/run/agenix/wireguard";
peers = [ peers = [
{ # silver - Brendan {
# silver - Brendan
publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ="; publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ=";
allowedIPs = ["172.20.21.2/32"]; allowedIPs = ["172.20.21.2/32"];
} }
]; ];
}; };
}; };
@ -87,5 +87,4 @@ in {
# needed to generate keys # needed to generate keys
pkgs.wireguard-tools pkgs.wireguard-tools
]; ];
} }

25
machines/skynet.nix
View file

@ -7,17 +7,19 @@
From: 2023 From: 2023
Role: Webserver and member linux box Role: Webserver and member linux box
Notes: Does not host offical sites Notes: Does not host offical sites
*/ */
{
{ pkgs, lib, nodes, inputs, ... }: pkgs,
let lib,
nodes,
inputs,
...
}: let
name = "skynet"; name = "skynet";
# DMZ that ITD provided # DMZ that ITD provided
ip_pub = "193.1.96.165"; ip_pub = "193.1.96.165";
ip_int = "193.1.99.81"; ip_int = "193.1.99.81";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/skynet_users.nix ../applications/skynet_users.nix
@ -33,8 +35,17 @@ in {
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup.host = { services.skynet_backup.host = {

24
machines/vendetta.nix
View file

@ -7,11 +7,13 @@
From: 2011 (?) From: 2011 (?)
Role: DNS Server Role: DNS Server
Notes: Using the server that used to be called Earth Notes: Using the server that used to be called Earth
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "vendetta"; name = "vendetta";
ip_pub = "193.1.99.120"; ip_pub = "193.1.99.120";
@ -61,10 +63,18 @@ in {
records = [ records = [
# vendetta IN A 193.1.99.120 # vendetta IN A 193.1.99.120
{record=name; r_type="A"; value=ip_pub; server=true;} {
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 120 IN PTR vendetta.skynet.ie. # 120 IN PTR vendetta.skynet.ie.
{record=ip_pub; r_type="PTR"; value=hostname;} {
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
}; };
} }

25
machines/vigil.nix
View file

@ -7,17 +7,18 @@
From: 2023 From: 2023
Role: DNS Server Role: DNS Server
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
name = "vigil"; name = "vigil";
ip_pub = "193.1.99.109"; ip_pub = "193.1.99.109";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
]; ];
deployment = { deployment = {
@ -46,10 +47,18 @@ in {
# this server will have to have dns records # this server will have to have dns records
records = [ records = [
# vigil IN A 193.1.99.109 # vigil IN A 193.1.99.109
{record=name; r_type="A"; value=ip_pub; server=true;} {
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 109 IN PTR vigil.skynet.ie. # 109 IN PTR vigil.skynet.ie.
{record=ip_pub; r_type="PTR"; value=hostname;} {
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
}; };
} }

26
machines/wheatly.nix
View file

@ -7,16 +7,17 @@
From: 2023 From: 2023
Role: Gitlab Runner Role: Gitlab Runner
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "wheatly"; name = "wheatly";
ip_pub = "193.1.99.78"; ip_pub = "193.1.99.78";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/gitlab_runner.nix ../applications/gitlab_runner.nix
@ -30,10 +31,18 @@ in {
tags = ["active-gitlab"]; tags = ["active-gitlab"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -47,5 +56,4 @@ in {
enable = true; enable = true;
runner.name = "runner01"; runner.name = "runner01";
}; };
} }

10
secrets/secrets.nix
View file

@ -57,7 +57,8 @@ let
gir gir
]; ];
ldap = [ ldap =
[
kitt kitt
] ]
++ gitlab ++ gitlab
@ -72,7 +73,8 @@ let
]; ];
# these need dns stuff # these need dns stuff
webservers = [ webservers =
[
# ULFM # ULFM
galatea galatea
# Games # Games
@ -93,8 +95,7 @@ let
discord = [ discord = [
kitt kitt
]; ];
in in {
{
# nix run github:ryantm/agenix -- -e secret1.age # nix run github:ryantm/agenix -- -e secret1.age
"dns_certs.secret.age".publicKeys = users ++ webservers; "dns_certs.secret.age".publicKeys = users ++ webservers;
@ -102,7 +103,6 @@ in
"stream_ulfm.age".publicKeys = users ++ [galatea]; "stream_ulfm.age".publicKeys = users ++ [galatea];
"gitlab/pw.age".publicKeys = users ++ gitlab; "gitlab/pw.age".publicKeys = users ++ gitlab;
"gitlab/db_pw.age".publicKeys = users ++ gitlab; "gitlab/db_pw.age".publicKeys = users ++ gitlab;
"gitlab/secrets_db.age".publicKeys = users ++ gitlab; "gitlab/secrets_db.age".publicKeys = users ++ gitlab;