feat: added a formatter and some instructions

This commit is contained in:
silver 2023-09-17 20:51:08 +01:00
parent 14ae0a9065
commit 7f3dc8946e
39 changed files with 1739 additions and 1348 deletions


@ -87,6 +87,13 @@ We should be updating ``nixpkgs`` at least once a semester, ideally to teh next
nix flake lock --update-input nixpkgs nix flake lock --update-input nixpkgs
``` ```
### Formatting
Formatting helps keep everything nice and consistent.
```shell
nix fmt
```


@ -1,13 +1,17 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
cfg = config.skynet_acme; lib,
in { ...
}:
with lib; let
cfg = config.skynet_acme;
in {
imports = []; imports = [];
options.skynet_acme = { options.skynet_acme = {
domains = lib.mkOption { domains = lib.mkOption {
default = [ ]; default = [];
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
A list of domains to use for this server. A list of domains to use for this server.


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
cfg = config.services.discord_bot; lib,
in { inputs,
...
}:
with lib; let
cfg = config.services.discord_bot;
in {
imports = [ imports = [
inputs.skynet_discord_bot.nixosModule."x86_64-linux" inputs.skynet_discord_bot.nixosModule."x86_64-linux"
]; ];
@ -13,26 +17,25 @@
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ]; #backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.discord_token.file = ../secrets/discord/token.age; age.secrets.discord_token.file = ../secrets/discord/token.age;
age.secrets.discord_ldap.file = ../secrets/discord/ldap.age; age.secrets.discord_ldap.file = ../secrets/discord/ldap.age;
age.secrets.discord_mail.file = ../secrets/email/details.age; age.secrets.discord_mail.file = ../secrets/email/details.age;
services.skynet_discord_bot = { services.skynet_discord_bot = {
enable = true; enable = true;
env = { env = {
discord = config.age.secrets.discord_token.path; discord = config.age.secrets.discord_token.path;
ldap = config.age.secrets.discord_ldap.path; ldap = config.age.secrets.discord_ldap.path;
mail = config.age.secrets.discord_mail.path; mail = config.age.secrets.discord_mail.path;
}; };
discord = { discord = {
server = "689189992417067052"; server = "689189992417067052";
role = { role = {
past = "689192357727436926"; past = "689192357727436926";
current = "1152702256702030035"; current = "1152702256702030035";
}; };
}; };


@ -1,24 +1,33 @@
{ lib, pkgs, config, nodes, ... }: {
let lib,
pkgs,
config,
nodes,
...
}: let
cfg = config.skynet_dns; cfg = config.skynet_dns;
# reads that date to a string (will need to be fixed in 2038) # reads that date to a string (will need to be fixed in 2038)
current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}"; current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}";
# gets a list of records that match this type # gets a list of records that match this type
filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records; filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records;
filter_records_server = builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type "A"); filter_records_server = builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type "A");
filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A"); filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A");
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x); process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
process_ptr_sub = record: {record=(builtins.substring 9 3 record.record); r_type="PTR"; value=record.value;}; process_ptr_sub = record: {
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip); record = builtins.substring 9 3 record.record;
r_type = "PTR";
value = record.value;
};
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server; sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server;
sort_records_a = builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) filter_records_a; sort_records_a = builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) filter_records_a;
sort_records_cname = builtins.sort (a: b: a.value < b.value) (filter_records_type "CNAME"); sort_records_cname = builtins.sort (a: b: a.value < b.value) (filter_records_type "CNAME");
sort_records_ptr = builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type "PTR")); sort_records_ptr = builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type "PTR"));
sort_records_srv = builtins.sort (a: b: a.record < b.record) (filter_records_type "SRV"); sort_records_srv = builtins.sort (a: b: a.record < b.record) (filter_records_type "SRV");
format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records; format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
@ -26,144 +35,142 @@ let
padString = text: length: fixedWidthString_post length " " text; padString = text: length: fixedWidthString_post length " " text;
# like lib.strings.fixedWidthString but postfix # like lib.strings.fixedWidthString but postfix
fixedWidthString_post = width: filler: str: fixedWidthString_post = width: filler: str: let
let strw = lib.stringLength str;
strw = lib.stringLength str; reqWidth = width - (lib.stringLength filler);
reqWidth = width - (lib.stringLength filler); in
in assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
if strw == width if strw == width
then str then str
else (fixedWidthString_post reqWidth filler str) + filler; else (fixedWidthString_post reqWidth filler str) + filler;
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
get_config_file = (domain: get_config_file = (
''$TTL 60 ; 1 minute domain: ''
; hostmaster@${domain} is an email address that recieves stuff related to dns $TTL 60 ; 1 minute
@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. ( ; hostmaster@${domain} is an email address that recieves stuff related to dns
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated @ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. (
${current_date} ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
600 ; Refresh (10 minutes) ${current_date}
300 ; Retry (5 minutes) 600 ; Refresh (10 minutes)
604800 ; Expire (1 week) 300 ; Retry (5 minutes)
3600 ; Minimum (1 hour) 604800 ; Expire (1 week)
) 3600 ; Minimum (1 hour)
)
@ NS ns1.${domain}. @ NS ns1.${domain}.
@ NS ns2.${domain}. @ NS ns2.${domain}.
; @ stands for teh root domain so teh A record below is where ${domain} points to ; @ stands for teh root domain so teh A record below is where ${domain} points to
;@ A 193.1.99.76 ;@ A 193.1.99.76
;@ MX 5 ${domain}. ;@ MX 5 ${domain}.
; can have multiple mailserves ; can have multiple mailserves
@ MX 10 mail.${domain}. @ MX 10 mail.${domain}.
; ------------------------------------------ ; ------------------------------------------
; Server Names (A Records) ; Server Names (A Records)
; ------------------------------------------ ; ------------------------------------------
${format_records sort_records_server 11} ${format_records sort_records_server 11}
; ------------------------------------------ ; ------------------------------------------
; A (non server names ; A (non server names
; ------------------------------------------ ; ------------------------------------------
${format_records sort_records_a 18} ${format_records sort_records_a 18}
; ------------------------------------------ ; ------------------------------------------
; CNAMES ; CNAMES
; ------------------------------------------ ; ------------------------------------------
${format_records sort_records_cname 31} ${format_records sort_records_cname 31}
; ------------------------------------------ ; ------------------------------------------
; TXT ; TXT
; ------------------------------------------ ; ------------------------------------------
${format_records (filter_records_type "TXT") 29} ${format_records (filter_records_type "TXT") 29}
; ------------------------------------------ ; ------------------------------------------
; SRV ; SRV
; ------------------------------------------ ; ------------------------------------------
${format_records sort_records_srv 17} ${format_records sort_records_srv 17}
'' ''
); );
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
# config for our reverse dnspointers (not properly working)
get_config_file_rev = (
domain: ''
$ORIGIN 64-64.99.1.193.in-addr.arpa.
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
3600 ; Minimum (1 hour)
)
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse @ NS ns1.skynet.ie.
# config for our reverse dnspointers (not properly working) @ NS ns2.skynet.ie.
get_config_file_rev = (domain:
''$ORIGIN 64-64.99.1.193.in-addr.arpa.
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
3600 ; Minimum (1 hour)
)
@ NS ns1.skynet.ie. ; ------------------------------------------
@ NS ns2.skynet.ie. ; PTR
; ------------------------------------------
${format_records sort_records_ptr 3}
''
);
; ------------------------------------------ # domains we dont have proper ownship over, only here to ensure the logs dont get cluttered.
; PTR get_config_file_old_domains = (
; ------------------------------------------ domain: ''
${format_records sort_records_ptr 3} $TTL 60 ; 1 minute
'' ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
); @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
3600 ; Minimum (1 hour)
)
# domains we dont have proper ownship over, only here to ensure the logs dont get cluttered. @ NS ns1.skynet.ie.
get_config_file_old_domains = (domain: @ NS ns2.skynet.ie.
''$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
3600 ; Minimum (1 hour)
)
@ NS ns1.skynet.ie. ''
@ NS ns2.skynet.ie. );
''
);
# arrys of teh two nameservers # arrys of teh two nameservers
tmp1 = ["193.1.99.109"]; tmp1 = ["193.1.99.109"];
tmp2 = ["193.1.99.120"]; tmp2 = ["193.1.99.120"];
primaries = (if cfg.server.primary then primaries = (
# primary servers have no primaries (ones they listen to) if cfg.server.primary
[] then
else # primary servers have no primaries (ones they listen to)
if builtins.elem cfg.server.ip tmp1 then []
tmp2 else if builtins.elem cfg.server.ip tmp1
else then tmp2
tmp1 else tmp1
); );
secondaries = (if cfg.server.primary then secondaries = (
if builtins.elem cfg.server.ip tmp1 then if cfg.server.primary
tmp2 then
else if builtins.elem cfg.server.ip tmp1
tmp1 then tmp2
else else tmp1
[] else []
); );
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router # small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
create_cache_networks = (map (x: "193.1.99.${toString x}/32" ) (lib.lists.range 71 126) ); create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
# standard function to create the etc file, pass in the text and domain and it makes it
# standard function to create the etc file, pass in the text and domain and it makes it create_entry_etc_sub = domain: text: {
create_entry_etc_sub = domain: text: {
# Creates /etc/skynet/dns/domain # Creates /etc/skynet/dns/domain
"skynet/dns/${domain}" = { "skynet/dns/${domain}" = {
user = "named"; user = "named";
@ -175,37 +182,35 @@ ${format_records sort_records_ptr 3}
text = text; text = text;
}; };
}; };
# (text.owned "csn.ul.ie") # (text.owned "csn.ul.ie")
# standard function to create the etc file, pass in the text and domain and it makes it # standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc = domain: type: create_entry_etc = domain: type:
if type == "owned" then if type == "owned"
create_entry_etc_sub domain (text.owned domain) then create_entry_etc_sub domain (text.owned domain)
else if type == "reverse" then else if type == "reverse"
create_entry_etc_sub domain (text.reverse domain) then create_entry_etc_sub domain (text.reverse domain)
else if type == "old" then else if type == "old"
create_entry_etc_sub domain (text.old domain) then create_entry_etc_sub domain (text.old domain)
else else {};
{};
create_entry_zone = (domain: extraConfig: { create_entry_zone = domain: extraConfig: {
"${domain}" = { "${domain}" = {
extraConfig = '' extraConfig = ''
${extraConfig} ${extraConfig}
// for bumping the config // for bumping the config
// ${current_date} // ${current_date}
''; '';
# really wish teh nixos config didnt use master/slave # really wish teh nixos config didnt use master/slave
master = cfg.server.primary; master = cfg.server.primary;
masters = primaries; masters = primaries;
slaves = secondaries; slaves = secondaries;
# need to write this to a file # need to write this to a file
# using the date in it so it will trigger a restart # using the date in it so it will trigger a restart
file = "/etc/skynet/dns/${domain}"; file = "/etc/skynet/dns/${domain}";
# no leading whitespace for first line # no leading whitespace for first line
}; };
}); };
text = { text = {
owned = domain: get_config_file domain; owned = domain: get_config_file domain;
@ -215,15 +220,14 @@ ${extraConfig}
extraConfig = { extraConfig = {
owned = owned =
if cfg.server.primary then if cfg.server.primary
'' then ''
allow-update { key rfc2136key.skynet.ie.; }; allow-update { key rfc2136key.skynet.ie.; };
dnssec-policy default; dnssec-policy default;
inline-signing yes; inline-signing yes;
'' ''
else else "";
"";
# no extra config for reverse # no extra config for reverse
reverse = ""; reverse = "";
@ -232,30 +236,52 @@ inline-signing yes;
}; };
records = builtins.concatLists ( records = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value: lib.attrsets.mapAttrsToList (
let key: value: let
details_server = value.config.skynet_dns.server; details_server = value.config.skynet_dns.server;
details_records = value.config.skynet_dns.records; details_records = value.config.skynet_dns.records;
in in
if builtins.hasAttr "skynet_dns" value.config if builtins.hasAttr "skynet_dns" value.config
then ( then
# got to handle habing a dns record for the dns serves themselves. (
if details_server.enable # got to handle habing a dns record for the dns serves themselves.
then ( if details_server.enable
if details_server.primary then
then details_records ++ [ {record="ns1"; r_type="A"; value=details_server.ip; server=false;} ] (
else details_records ++ [ {record="ns2"; r_type="A"; value=details_server.ip; server=false;} ] if details_server.primary
) then
else details_records details_records
) ++ [
else [] {
) nodes record = "ns1";
r_type = "A";
value = details_server.ip;
server = false;
}
]
else
details_records
++ [
{
record = "ns2";
r_type = "A";
value = details_server.ip;
server = false;
}
]
)
else details_records
)
else []
)
nodes
); );
nameserver = if cfg.server.primary then "ns1" else "ns2"; nameserver =
if cfg.server.primary
then "ns1"
else "ns2";
in { in {
imports = [ imports = [
../applications/firewall.nix ../applications/firewall.nix
]; ];
@ -284,31 +310,30 @@ in {
records = lib.mkOption { records = lib.mkOption {
description = "Records, sorted based on therir type"; description = "Records, sorted based on therir type";
type = with lib.types; listOf (submodule { type = with lib.types;
options = { listOf (submodule {
record = lib.mkOption { options = {
type = str; record = lib.mkOption {
type = str;
};
r_type = lib.mkOption {
type = enum ["A" "CNAME" "TXT" "PTR" "SRV"];
};
value = lib.mkOption {
type = str;
};
server = lib.mkOption {
description = "Core record for a server";
type = bool;
default = false;
};
}; };
r_type = lib.mkOption { });
type = enum ["A" "CNAME" "TXT" "PTR" "SRV"];
};
value = lib.mkOption {
type = str;
};
server = lib.mkOption {
description = "Core record for a server";
type = bool;
default = false;
};
};
});
}; };
}; };
}; };
config = lib.mkIf cfg.server.enable { config = lib.mkIf cfg.server.enable {
# open the firewall for this # open the firewall for this
skynet_firewall.forward = [ skynet_firewall.forward = [
"ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept" "ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept"
@ -316,25 +341,20 @@ in {
]; ];
services.bind.zones = services.bind.zones =
(create_entry_zone "csn.ul.ie" extraConfig.owned ) // (create_entry_zone "csn.ul.ie" extraConfig.owned)
(create_entry_zone "skynet.ie" extraConfig.owned ) // // (create_entry_zone "skynet.ie" extraConfig.owned)
(create_entry_zone "ulcompsoc.ie" extraConfig.owned ) // // (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
// (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
(create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse ) // // (create_entry_zone "conradcollins.net" extraConfig.old)
// (create_entry_zone "edelharty.net" extraConfig.old);
(create_entry_zone "conradcollins.net" extraConfig.old )//
(create_entry_zone "edelharty.net" extraConfig.old );
environment.etc = environment.etc =
(create_entry_etc "csn.ul.ie" "owned") // (create_entry_etc "csn.ul.ie" "owned")
(create_entry_etc "skynet.ie" "owned") // // (create_entry_etc "skynet.ie" "owned")
(create_entry_etc "ulcompsoc.ie" "owned") // // (create_entry_etc "ulcompsoc.ie" "owned")
// (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse") // // (create_entry_etc "conradcollins.net" "old")
// (create_entry_etc "edelharty.net" "old");
(create_entry_etc "conradcollins.net" "old") //
(create_entry_etc "edelharty.net" "old");
# secrets required # secrets required
age.secrets.dns_dnskeys = { age.secrets.dns_dnskeys = {
@ -374,23 +394,25 @@ in {
"9.9.9.9" "9.9.9.9"
]; ];
cacheNetworks = [ cacheNetworks =
# this server itself [
"127.0.0.0/24" # this server itself
"127.0.0.0/24"
# skynet server in the dmz # skynet server in the dmz
"193.1.96.165/32" "193.1.96.165/32"
# all of skynet can use this as a resolver # all of skynet can use this as a resolver
/* /*
Origianl idea, however all external traffic had the ip of the router Origianl idea, however all external traffic had the ip of the router
"193.1.99.64/26" "193.1.99.64/26"
So to fix this we need to allow smaller ranges? - Didnt work So to fix this we need to allow smaller ranges? - Didnt work
Fallback is explisitly listing each ip we have Fallback is explisitly listing each ip we have
Now have a function for it Now have a function for it
*/ */
] ++ create_cache_networks; ]
++ create_cache_networks;
}; };
# deletes teh journal files evey start so it no longer stalls out # deletes teh journal files evey start so it no longer stalls out
@ -404,6 +426,5 @@ in {
createHome = true; createHome = true;
home = "/etc/skynet/dns"; home = "/etc/skynet/dns";
}; };
}; };
} }
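Review bot: The SOA serial on the new side is still taken from `current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}"` (the first hunk of this section, also used for `; Serial` in all three zone templates and in `extraConfig`), and as far as I can tell that derivation's inputs never change, so once it is realised the same store path — and the same timestamp — is reused on every later evaluation until the store is garbage-collected or nixpkgs is bumped. That means editing records does not reliably advance the serial, and the secondaries listed in `slaves = secondaries;` may keep serving stale data because they see no serial increase; the `// ${current_date}` bump in `extraConfig` has the same weakness. One approach is to stop baking the serial at evaluation time: write a placeholder such as `@SERIAL@` into the zone text and substitute `$(date +%s)` into a writable copy in a `systemd.services.bind.preStart` step before named loads it, or otherwise derive the serial from something that changes with the zone contents. Unrelated but worth a comment: `get_config_file_rev` ignores its `domain` argument and hard-codes `$ORIGIN 64-64.99.1.193.in-addr.arpa.`, which is fine for one reverse zone but will silently produce a wrong file if a second reverse zone is ever added. The `let` binding that starts in the first hunk closes at `in {` in a later hunk, so the bindings are split across several hunks here.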


@ -1,17 +1,21 @@
{ config, pkgs, lib, inputs, ...}: with lib; {
let config,
cfg = config.services.skynet_email; pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_email;
# create teh new strings # create teh new strings
create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})"); create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
create_filter_join = (x: concatStringsSep "" x); create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = (groups: create_filter_join (create_filter_array groups) );
in {
# thought you could escape racket?
create_filter = groups: create_filter_join (create_filter_array groups);
in {
imports = [ imports = [
./dns.nix ./dns.nix
./acme.nix ./acme.nix
@ -85,7 +89,6 @@
default = "cn=admin,${cfg.ldap.base}"; default = "cn=admin,${cfg.ldap.base}";
description = lib.mdDoc "where to find users"; description = lib.mdDoc "where to find users";
}; };
}; };
}; };
@ -104,40 +107,80 @@
# set up dns record for it # set up dns record for it
skynet_dns.records = [ skynet_dns.records = [
# basic one # basic one
{record="mail"; r_type="A"; value=cfg.host.ip;} {
record = "mail";
r_type = "A";
value = cfg.host.ip;
}
# TXT records, all tehse are inside escaped strings to allow using "" # TXT records, all tehse are inside escaped strings to allow using ""
# SPF record # SPF record
{record="${cfg.domain}."; r_type="TXT"; value=''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';} {
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
}
# DKIM keys # DKIM keys
{record="mail._domainkey.skynet.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';} {
{record="mail._domainkey.ulcompsoc.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';} record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
# DMARC # DMARC
{record="_dmarc.${cfg.domain}."; r_type="TXT"; value=''"v=DMARC1; p=none"'';} {
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
value = ''"v=DMARC1; p=none"'';
}
# reverse pointer # reverse pointer
{record=cfg.host.ip; r_type="PTR"; value="${cfg.sub}.${cfg.domain}.";} {
record = cfg.host.ip;
r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}.";
}
# SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie # SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie
# https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406 # https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406
# response should be: # response should be:
# _imap._tcp SRV 0 1 143 imap.example.com. # _imap._tcp SRV 0 1 143 imap.example.com.
{record="_imaps._tcp"; r_type="SRV"; value="0 1 993 ${cfg.sub}.${cfg.domain}.";} {
{record="_imap._tcp"; r_type="SRV"; value="0 1 143 ${cfg.sub}.${cfg.domain}.";} record = "_imaps._tcp";
{record="_submissions._tcp"; r_type="SRV"; value="0 1 465 ${cfg.sub}.${cfg.domain}.";} r_type = "SRV";
{record="_submission._tcp"; r_type="SRV"; value="0 1 587 ${cfg.sub}.${cfg.domain}.";} value = "0 1 993 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_imap._tcp";
r_type = "SRV";
value = "0 1 143 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submissions._tcp";
r_type = "SRV";
value = "0 1 465 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submission._tcp";
r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
}
]; ];
# to provide the certs # to provide the certs
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${cfg.sub}.${cfg.domain}" = { "${cfg.sub}.${cfg.domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = "skynet"; useACMEHost = "skynet";
# override the inbuilt nginx config # override the inbuilt nginx config
enableACME = false; enableACME = false;
serverName = "${cfg.sub}.${cfg.domain}"; serverName = "${cfg.sub}.${cfg.domain}";
}; };
}; };
@ -145,11 +188,11 @@
users.groups.nginx = {}; users.groups.nginx = {};
users.groups.roundcube = {}; users.groups.roundcube = {};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
# this is the url of the vhost, not necessarily the same as the fqdn of # this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver # the mailserver
hostName = "${cfg.sub}.${cfg.domain}"; hostName = "${cfg.sub}.${cfg.domain}";
extraConfig = '' extraConfig = ''
# starttls needed for authentication, so the fqdn required to match # starttls needed for authentication, so the fqdn required to match
# the certificate # the certificate
$config['smtp_server'] = "ssl://${cfg.sub}.${cfg.domain}"; $config['smtp_server'] = "ssl://${cfg.sub}.${cfg.domain}";
@ -207,7 +250,7 @@
userAttrs = "quotaEmail=quota_rule=*:bytes=%$,=quota_rule2=Trash:storage=+100M"; userAttrs = "quotaEmail=quota_rule=*:bytes=%$,=quota_rule2=Trash:storage=+100M";
# accept emails in, but only allow access to paid up members # accept emails in, but only allow access to paid up members
passFilter = "(&(|${create_filter cfg.groups})(skMail=%u))"; passFilter = "(&(|${create_filter cfg.groups})(skMail=%u))";
}; };
postfix = { postfix = {
@ -215,14 +258,11 @@
uidAttribute = "skMail"; uidAttribute = "skMail";
mailAttribute = "skMail"; mailAttribute = "skMail";
}; };
}; };
# feckin spammers # feckin spammers
rejectRecipients = [ rejectRecipients = [
]; ];
}; };
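Review bot: The DMARC record in the `skynet_dns.records` list still publishes `value = ''"v=DMARC1; p=none"'';` with no `rua`/`ruf` tag, so it neither enforces anything nor delivers aggregate reports; combined with the `-all` SPF record and the published DKIM keys in the same list, this is the one piece of the mail-authentication setup that gives no protection against spoofing of `${cfg.domain}`. If `p=none` is deliberate for a monitoring period, at least add a report address so the data is collected, e.g. `value = ''"v=DMARC1; p=none; rua=mailto:postmaster@${cfg.domain}"'';` (using a mailbox that is actually read), and plan to move to `p=quarantine` once the reports look clean. Also note the DKIM TXT records hard-code `mail._domainkey.skynet.ie.` and `mail._domainkey.ulcompsoc.ie.` while the SPF and DMARC records are parameterised on `cfg.domain`, so a different `cfg.domain` would get SPF/DMARC but no DKIM selector — a short comment saying this is intentional would help the next maintainer. The enclosing `config = mkIf ...` block begins outside this hunk.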
# tune the spam filter # tune the spam filter


@ -1,5 +1,9 @@
{lib, pkgs, config, ...}: { {
lib,
pkgs,
config,
...
}: {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
options = { options = {
skynet_firewall = { skynet_firewall = {
@ -10,7 +14,7 @@
type = lib.types.bool; type = lib.types.bool;
}; };
forward = lib.mkOption { forward = lib.mkOption {
default = [ ]; default = [];
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
description = '' description = ''
A list of routes to forward A list of routes to forward
@ -19,16 +23,16 @@
own = { own = {
ip = lib.mkOption { ip = lib.mkOption {
default = "127.0.0.1"; default = "127.0.0.1";
type = lib.types.str; type = lib.types.str;
description = '' description = ''
IP of the firewall IP of the firewall
''; '';
}; };
ports = { ports = {
tcp = lib.mkOption { tcp = lib.mkOption {
default = [ ]; default = [];
type = lib.types.listOf lib.types.int; type = lib.types.listOf lib.types.int;
description = '' description = ''
A list of TCP ports for the machiene running the firewall A list of TCP ports for the machiene running the firewall
@ -36,15 +40,13 @@
}; };
udp = lib.mkOption { udp = lib.mkOption {
default = [ ]; default = [];
type = lib.types.listOf lib.types.int; type = lib.types.listOf lib.types.int;
description = '' description = ''
A list of UDP ports for the machiene running the firewall A list of UDP ports for the machiene running the firewall
''; '';
}; };
}; };
}; };
}; };
}; };
@ -56,8 +58,7 @@
# fules for the firewall # fules for the firewall
# beware of EOL conversion. # beware of EOL conversion.
networking.nftables.ruleset = networking.nftables.ruleset = ''
''
# using https://oxcrag.net/2021/12/25/build-your-own-router-with-nftables-part-1/ as a guide # using https://oxcrag.net/2021/12/25/build-your-own-router-with-nftables-part-1/ as a guide
# Clear out any existing rules # Clear out any existing rules
@ -164,9 +165,6 @@
} }
} }
''; '';
}; };
} }


@ -1,52 +1,57 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
cfg = config.services.skynet_games; lib,
in { ...
}:
with lib; let
cfg = config.services.skynet_games;
in {
imports = [ imports = [
./dns.nix ./dns.nix
./games/minecraft.nix ./games/minecraft.nix
]; ];
options.services.skynet_games = { options.services.skynet_games = {
enable = mkEnableOption "Skynet Games"; enable = mkEnableOption "Skynet Games";
host = { host = {
ip = mkOption { ip = mkOption {
type = types.str; type = types.str;
};
name = mkOption {
type = types.str;
};
}; };
domain = { name = mkOption {
tld = mkOption { type = types.str;
type = types.str; };
default = "ie"; };
};
base = mkOption { domain = {
type = types.str; tld = mkOption {
default = "skynet"; type = types.str;
}; default = "ie";
sub = mkOption {
type = types.str;
default = "games";
};
}; };
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = "games";
};
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
skynet_dns.records = [ skynet_dns.records = [
# need a base domain # need a base domain
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
# the minecraft servers # the minecraft servers
@ -62,7 +67,5 @@
sub = "minecraft.${cfg.domain.sub}"; sub = "minecraft.${cfg.domain.sub}";
}; };
}; };
}; };
} }


@ -1,12 +1,16 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
cfg = config.services.skynet_games_minecraft; lib,
inputs,
# got tired of how long this is so I created a var for it. ...
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; }:
in { with lib; let
cfg = config.services.skynet_games_minecraft;
# got tired of how long this is so I created a var for it.
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
imports = [ imports = [
../acme.nix ../acme.nix
../dns.nix ../dns.nix
@ -54,21 +58,41 @@
]; ];
skynet_acme.domains = [ skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
]; ];
skynet_dns.records = [ skynet_dns.records = [
# the minecraft (web) config server # the minecraft (web) config server
{record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} {
record = "config.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# our own minecraft hosts # our own minecraft hosts
{record="compsoc_classic.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} {
{record="compsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} record = "compsoc_classic.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "compsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# gsoc servers # gsoc servers
{record="gsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} {
{record="gsoc_abridged.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} record = "gsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "gsoc_abridged.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@ -77,7 +101,6 @@
]; ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
# https://config.minecraft.games.skynet.ie # https://config.minecraft.games.skynet.ie
"config.${short_domain}" = { "config.${short_domain}" = {
forceSSL = true; forceSSL = true;
@ -94,7 +117,6 @@
useACMEHost = "skynet"; useACMEHost = "skynet";
locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/"; locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/";
}; };
}; };
# arion is one way to use docker on nixos # arion is one way to use docker on nixos
@ -103,12 +125,11 @@
virtualisation.arion = { virtualisation.arion = {
backend = "docker"; backend = "docker";
projects = { projects = {
minecraft.settings.services = { minecraft.settings.services = {
mc_proxy.service = { mc_proxy.service = {
image = "itzg/mc-router:1.18.0"; image = "itzg/mc-router:1.18.0";
ports = [ "25565:25565/tcp" ]; ports = ["25565:25565/tcp"];
expose = [ "25565" ]; expose = ["25565"];
command = [ command = [
"--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003" "--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003"
]; ];
@ -118,7 +139,7 @@
image = "registry.gitlab.com/crafty-controller/crafty-4:4.1.1"; image = "registry.gitlab.com/crafty-controller/crafty-4:4.1.1";
environment = { environment = {
TZ="Etc/UTC"; TZ = "Etc/UTC";
}; };
volumes = [ volumes = [
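Review bot: The mc-router `--mapping` string in `mc_proxy.service.command` (the `@ -103,12 +125,11 @@` hunk) lists `gsoc.${short_domain}=mc_config:20002` twice; the duplicate is harmless only while both copies agree, so drop one so a later edit cannot leave two conflicting entries for the same hostname. Both containers are pinned by mutable tag only (`itzg/mc-router:1.18.0`, `registry.gitlab.com/crafty-controller/crafty-4:4.1.1`), and they front an internet-facing proxy on 25565 and an admin panel, so pin by digest as well, e.g. `image = "itzg/mc-router:1.18.0@sha256:<digest>";`, so a re-pushed tag cannot silently change what runs. The `volumes` list and the rest of the `mc_config` service continue outside the hunk.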


@ -1,8 +1,12 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
cfg = config.services.skynet_gitlab; lib,
in { ...
}:
with lib; let
cfg = config.services.skynet_gitlab;
in {
imports = [ imports = [
./acme.nix ./acme.nix
./dns.nix ./dns.nix
@ -52,9 +56,7 @@
default = "dc=skynet,dc=ie"; default = "dc=skynet,dc=ie";
description = lib.mdDoc "The base address in the ldap server"; description = lib.mdDoc "The base address in the ldap server";
}; };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -97,14 +99,22 @@
skynet_acme.domains = [ skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
# Lets Encrypt seems to have a 4 levels limit for certs # Lets Encrypt seems to have a 4 levels limit for certs
"*.pages.${cfg.domain.base}.${cfg.domain.tld}" "*.pages.${cfg.domain.base}.${cfg.domain.tld}"
]; ];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
# for gitlab pages # for gitlab pages
{record="*.pages.${cfg.domain.base}.${cfg.domain.tld}."; r_type="A"; value=cfg.host.ip;} {
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
r_type = "A";
value = cfg.host.ip;
}
]; ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@ -112,7 +122,7 @@
2222 2222
]; ];
services.openssh.ports = [ 22 2222 ]; services.openssh.ports = [22 2222];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
# main site # main site
@ -163,7 +173,6 @@
auth-server = "https://gitlab.example.com"; auth-server = "https://gitlab.example.com";
*/ */
}; };
}; };
#smtp = { #smtp = {
# enable = true; # enable = true;
@ -200,7 +209,7 @@
name = "cn"; name = "cn";
}; };
group_base= "ou=groups,${cfg.ldap.base}"; group_base = "ou=groups,${cfg.ldap.base}";
admin_group = "skynet-admins"; admin_group = "skynet-admins";
sync_ssh_keys = "sshPublicKey"; sync_ssh_keys = "sshPublicKey";


@ -1,10 +1,13 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
cfg = config.services.skynet_gitlab_runner; lib,
in { ...
}:
with lib; let
cfg = config.services.skynet_gitlab_runner;
in {
imports = [ imports = [
]; ];
options.services.skynet_gitlab_runner = { options.services.skynet_gitlab_runner = {
@ -44,7 +47,7 @@
config = mkIf cfg.enable { config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner. # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = [ environment.systemPackages = [
pkgs.gitlab-runner pkgs.gitlab-runner
]; ];
age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age; age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age;
@ -53,7 +56,7 @@
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1 boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128 # taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
virtualisation.docker.listenOptions = [ "/run/docker.sock" "127.0.0.1:2375" ]; virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
services.gitlab-runner = { services.gitlab-runner = {
enable = true; enable = true;
@ -68,7 +71,7 @@
runner_nix = { runner_nix = {
cloneUrl = cfg.runner.gitlab; cloneUrl = cfg.runner.gitlab;
description = "For Nix only"; description = "For Nix only";
registrationFlags = [ "--docker-host" "tcp://127.0.0.1:2375" ]; registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_01_nix.path; registrationConfigFile = config.age.secrets.runner_01_nix.path;
dockerImage = cfg.runner.docker.image; dockerImage = cfg.runner.docker.image;
@ -92,7 +95,7 @@
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3 ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3
${pkgs.nix}/bin/nix-channel --update nixpkgs ${pkgs.nix}/bin/nix-channel --update nixpkgs
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])} ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
''; '';
environmentVariables = { environmentVariables = {
ENV = "/etc/profile"; ENV = "/etc/profile";
@ -101,13 +104,13 @@
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
}; };
tagList = [ "nix" ]; tagList = ["nix"];
}; };
runner_general = { runner_general = {
cloneUrl = cfg.runner.gitlab; cloneUrl = cfg.runner.gitlab;
description = "General Runner"; description = "General Runner";
registrationFlags = [ "--docker-host" "tcp://127.0.0.1:2375" ]; registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_02_general.path; registrationConfigFile = config.age.secrets.runner_02_general.path;
dockerImage = cfg.runner.docker.image; dockerImage = cfg.runner.docker.image;
}; };
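Review bot: `virtualisation.docker.listenOptions` adds an unauthenticated, plaintext Docker API listener on `127.0.0.1:2375`, and both runners are registered with `--docker-host tcp://127.0.0.1:2375`; anything that can reach the host loopback — a local account, or a CI job that ends up with host networking — gets the equivalent of root on the runner host. The linked nixpkgs issue suggests this is a workaround for the runner service being unable to use the socket; if that is still the case, say so in the comment (`# TCP listener needed because the gitlab-runner unit cannot reach /run/docker.sock (nixpkgs#245365); never run untrusted jobs with host networking on this box`), otherwise prefer `registrationFlags = ["--docker-host" "unix:///run/docker.sock"];` and drop the TCP entry. The `preBuildScript` also pulls `nixos-unstable` unpinned on every job, so builds on the `nix` runner are not reproducible and depend on whatever the channel serves that day; consider pinning a revision or pointing it at the flake's own `nixpkgs` input.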


@ -1,10 +1,14 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
cfg = config.services.ldap_backend; lib,
port_backend = "8087"; inputs,
in { ...
}:
with lib; let
cfg = config.services.ldap_backend;
port_backend = "8087";
in {
imports = [ imports = [
../acme.nix ../acme.nix
../dns.nix ../dns.nix
@ -44,7 +48,6 @@
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ]; #backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.ldap_details.file = ../../secrets/ldap/details.age; age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
@ -56,7 +59,11 @@
]; ];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
@ -64,9 +71,9 @@
useACMEHost = "skynet"; useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:${port_backend}"; locations."/".proxyPass = "http://localhost:${port_backend}";
# extraConfig = '' # extraConfig = ''
# add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}"; # add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";
# ''; # '';
extraConfig = '' extraConfig = ''
add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Origin "*";
''; '';
@ -99,315 +106,316 @@
]; ];
lifetime = []; lifetime = [];
banned = []; banned = [];
restricted = [ restricted =
# usernames folks arent allowed to use [
"contact" # usernames folks arent allowed to use
"dnsadm" "contact"
"president" "dnsadm"
"treasurer" "president"
"secretary" "treasurer"
"pro" "secretary"
"sysadmin" "pro"
"root" "sysadmin"
"root"
] ++ [ ]
# basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444 ++ [
# start off with compsoc stuff first # basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444
"competition_www" # start off with compsoc stuff first
"demo1" "competition_www"
"demouser" "demo1"
"ftp" "demouser"
"lost+found" "ftp"
"postfix" "lost+found"
"skynews.old" "postfix"
"system_backup" "skynews.old"
"test" "system_backup"
"test12" "test"
"test20202" "test12"
"test20203" "test20202"
"tmp" "test20203"
"webadm" "tmp"
] ++ [ "webadm"
# clubs and socs (as far as I can tell ]
"aerosoc" ++ [
"aikido" # clubs and socs (as far as I can tell
"anfocal" "aerosoc"
"bics" "aikido"
"boarding" "anfocal"
"cns" "bics"
"dev" "boarding"
"filmsoc" "cns"
"gaa" "dev"
"german" "filmsoc"
"golfsoc" "gaa"
"handball" "german"
"hispanic" "golfsoc"
"history" "handball"
"hockey" "hispanic"
"home" "history"
"legosoc" "hockey"
"lifesave" "home"
"mens_gfc" "legosoc"
"musicsoc" "lifesave"
"pagansoc" "mens_gfc"
"peacesoc" "musicsoc"
"physics" "pagansoc"
"poker" "peacesoc"
"prolife" "physics"
"radio" "poker"
"ragweek" "prolife"
"sinnfein" "radio"
"soccer" "ragweek"
"ulbs" "sinnfein"
"ulcamogie" "soccer"
"ulcc" "ulbs"
"ulgaa" "ulcamogie"
"ulils" "ulcc"
"ulladiesfootball" "ulgaa"
"ullaughinsoc" "ulils"
"ulrfc" "ulladiesfootball"
"ulriders" "ullaughinsoc"
"ulssc" "ulrfc"
"ultennis" "ulriders"
"viking" "ulssc"
] ++ [ "ultennis"
# remaining, most likely usernames "viking"
"_9thwonder" ]
"abc" ++ [
"activate" # remaining, most likely usernames
"aiesec" "_9thwonder"
"air" "abc"
"aladdin" "activate"
"alaric" "aiesec"
"aldozzie" "air"
"allenli" "aladdin"
"amg" "alaric"
"amgl" "aldozzie"
"annette" "allenli"
"annlad" "amg"
"ards_backup" "amgl"
"arisquez" "annette"
"arthur" "annlad"
"austin" "ards_backup"
"beta" "arisquez"
"bh" "arthur"
"bigdave" "austin"
"bios" "beta"
"bizarroal" "bh"
"bmacaree" "bigdave"
"boardy" "bios"
"boddah" "bizarroal"
"bogus.anime.fakh" "bmacaree"
"bogus.bhudt.dacf" "boardy"
"bogus.citoge.baym" "boddah"
"bogus.electro.ba0a" "bogus.anime.fakh"
"bogus.fencing.baw5" "bogus.bhudt.dacf"
"bogus.harry.ba8f" "bogus.citoge.baym"
"bogus.hui.hong.baci" "bogus.electro.ba0a"
"bogus.ironman.baqib" "bogus.fencing.baw5"
"bogus.joe.bach" "bogus.harry.ba8f"
"bogus.kenny.bas6" "bogus.hui.hong.baci"
"bogus.kerswin.baybb" "bogus.ironman.baqib"
"bogus.kravmaga.ba0w" "bogus.joe.bach"
"bogus.methi.baq5" "bogus.kenny.bas6"
"bogus.nelsonmw.bauc" "bogus.kerswin.baybb"
"bogus.poshea.ba0m" "bogus.kravmaga.ba0w"
"bogus.redwolf.bawn" "bogus.methi.baq5"
"bogus.romanov.baat" "bogus.nelsonmw.bauc"
"bogus.ryan.bae-" "bogus.poshea.ba0m"
"bogus.rynnea.bask" "bogus.redwolf.bawn"
"bogus.sea.af" "bogus.romanov.baat"
"bogus.shane.c.ba8z" "bogus.ryan.bae-"
"bogus.t1000.baggb" "bogus.rynnea.bask"
"bogus.ullrugby.ba8p" "bogus.sea.af"
"brendan" "bogus.shane.c.ba8z"
"bubba" "bogus.t1000.baggb"
"c_material_removed" "bogus.ullrugby.ba8p"
"ca_worm" "brendan"
"cactus" "bubba"
"carticus" "c_material_removed"
"cathalc" "ca_worm"
"cathald-broken" "cactus"
"cdschedule" "carticus"
"celtic" "cathalc"
"christine" "cathald-broken"
"cian" "cdschedule"
"ciara" "celtic"
"ciaran" "christine"
"colin" "cian"
"cosmo" "ciara"
"counsel" "ciaran"
"creosote" "colin"
"crew" "cosmo"
"cues" "counsel"
"cur" "creosote"
"cwhelan" "crew"
"dac" "cues"
"daktulu" "cur"
"datacore" "cwhelan"
"davec" "dac"
"daverus" "daktulu"
"deano" "datacore"
"deccy" "davec"
"declanmu" "daverus"
"deiji" "deano"
"dermotmc" "deccy"
"derrick" "declanmu"
"deshocks" "deiji"
"diarmuid" "dermotmc"
"dippy" "derrick"
"djraptor" "deshocks"
"dmackey" "diarmuid"
"dmir" "dippy"
"dom" "djraptor"
"dom_mckay" "dmackey"
"donie" "dmir"
"donnacha" "dom"
"dos30" "dom_mckay"
"drazhar" "donie"
"duffman" "donnacha"
"eas" "dos30"
"electal" "drazhar"
"emc" "duffman"
"emilia" "eas"
"emma" "electal"
"emmag" "emc"
"ents" "emilia"
"envcom" "emma"
"eoinh95" "emmag"
"epgriffin" "ents"
"equest" "envcom"
"fiacc" "eoinh95"
"fint" "epgriffin"
"flanno" "equest"
"fmannix" "fiacc"
"foodcoop" "fint"
"gamenet" "flanno"
"ganainm" "fmannix"
"gar" "foodcoop"
"ger88" "gamenet"
"ghama" "ganainm"
"ging" "gar"
"goborobo" "ger88"
"gooner" "ghama"
"greekweek" "ging"
"hawking" "goborobo"
"hb" "gooner"
"homer" "greekweek"
"hoshi" "hawking"
"ian" "hb"
"ianrice" "homer"
"ilug" "hoshi"
"infinity" "ian"
"ingenuus" "ianrice"
"internat" "ilug"
"jamessy" "infinity"
"jamiebarry" "ingenuus"
"jbravo" "internat"
"jdonegan" "jamessy"
"joedredd" "jamiebarry"
"johann" "jbravo"
"jokill" "jdonegan"
"jsoccer" "joedredd"
"jules" "johann"
"kate" "jokill"
"katie" "jsoccer"
"kellyj" "jules"
"kiely" "kate"
"koo" "katie"
"l_d_ablo" "kellyj"
"lakes" "kiely"
"laura" "koo"
"lebowski" "l_d_ablo"
"liabraid" "lakes"
"lynn" "laura"
"mal" "lebowski"
"manuel" "liabraid"
"maraz" "lynn"
"marieke" "mal"
"marky" "manuel"
"mature" "maraz"
"mbyrne" "marieke"
"meanturtle" "marky"
"mickaful" "mature"
"mickasul" "mbyrne"
"mikado" "meanturtle"
"mikeh" "mickaful"
"mikkel" "mickasul"
"mixiezme" "mikado"
"mmc" "mikeh"
"molly" "mikkel"
"moochie" "mixiezme"
"moonser" "mmc"
"mopic" "molly"
"mp" "moochie"
"nastros" "moonser"
"neutrino" "mopic"
"new" "mp"
"nezzy" "nastros"
"nkdc" "neutrino"
"nmcenroy" "new"
"noelle" "nezzy"
"nugget" "nkdc"
"ob" "nmcenroy"
"omega" "noelle"
"oneillbeano" "nugget"
"pamela" "ob"
"peterj" "omega"
"photyl" "oneillbeano"
"plake" "pamela"
"pmcg1986" "peterj"
"pyro" "photyl"
"qubeat" "plake"
"rachel" "pmcg1986"
"rachelg" "pyro"
"ralmeida" "qubeat"
"raymond" "rachel"
"razzlero" "rachelg"
"red" "ralmeida"
"rmacm" "raymond"
"rmorrissey" "razzlero"
"robson" "red"
"selena" "rmacm"
"shark" "rmorrissey"
"shayscannell" "robson"
"shazlove" "selena"
"shelley" "shark"
"shelly" "shayscannell"
"silver.old" "shazlove"
"sirhc" "shelley"
"sithlord" "shelly"
"sk" "silver.old"
"sligoer" "sirhc"
"slowey" "sithlord"
"smallp" "sk"
"smurfy" "sligoer"
"sordfish" "slowey"
"soul98" "smallp"
"soular" "smurfy"
"st" "sordfish"
"stefanovich" "soul98"
"svp" "soular"
"szczerba" "st"
"tangsoodo" "stefanovich"
"tc" "svp"
"tenfor" "szczerba"
"teslacut" "tangsoodo"
"theematt" "tc"
"thomasl" "tenfor"
"tockman" "teslacut"
"ugm" "theematt"
"vanzan" "thomasl"
"volleyb" "tockman"
"warren" "ugm"
"weather" "vanzan"
"wiles" "volleyb"
"yvonne" "warren"
"zrahman" "weather"
]; "wiles"
"yvonne"
"zrahman"
];
}; };
}; };
}; };
} }
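Review bot: The nginx `extraConfig` for the backend virtual host (the `@ -64,9 +71,9 @@` hunk) sets `add_header Access-Control-Allow-Origin "*";`, while the version scoped to the account site is left commented out just above it; with the wildcard any web origin can read responses from the API's unauthenticated endpoints, and adding `Access-Control-Allow-Credentials` later would expose the authenticated ones too — the API itself is outside this hunk, so which endpoints that covers cannot be judged here. Restore the scoped form, `add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";` together with `add_header Vary Origin;`, and if a second origin is genuinely needed, allow it explicitly rather than falling back to `*`. Keep the header at server level as it is now: nginx does not inherit `add_header` into a `location` that sets headers of its own.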


@ -1,21 +1,26 @@
{ config, pkgs, lib, ... }: {
with lib; config,
let pkgs,
cfg = config.services.skynet_ldap_client; lib,
...
}:
with lib; let
cfg = config.services.skynet_ldap_client;
# always ensure the admin group has access # always ensure the admin group has access
create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x); create_filter_check_admin = x:
if !(builtins.elem "skynet-admins" x)
then x ++ ["skynet-admins"]
else x;
# create teh new strings # create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})"); create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
create_filter_join = (x: concatStringsSep "" x); create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) );
in {
# thought you could escape racket?
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
in {
# these are needed for teh program in question # these are needed for teh program in question
imports = []; imports = [];
@ -46,7 +51,6 @@
]; ];
description = lib.mdDoc "Groups we want to allow access to the server"; description = lib.mdDoc "Groups we want to allow access to the server";
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -54,10 +58,17 @@
security.sudo.extraRules = [ security.sudo.extraRules = [
# admin group has sudo access # admin group has sudo access
{ groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } {
groups = ["skynet-admins-linux"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
]; ];
# give users a home dir # give users a home dir
security.pam.services.sshd.makeHomeDir = true; security.pam.services.sshd.makeHomeDir = true;
@ -68,7 +79,7 @@
# tell users where tehy cna setup their ssh key # tell users where tehy cna setup their ssh key
banner = '' banner = ''
If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address} If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address}
''; '';
}; };
services.sssd = { services.sssd = {
@ -77,41 +88,40 @@
sshAuthorizedKeysIntegration = true; sshAuthorizedKeysIntegration = true;
config = '' config = ''
[domain/skynet.ie] [domain/skynet.ie]
id_provider = ldap id_provider = ldap
auth_provider = ldap auth_provider = ldap
sudo_provider = ldap sudo_provider = ldap
ldap_uri = ldaps://${cfg.address}:636 ldap_uri = ldaps://${cfg.address}:636
ldap_search_base = ${cfg.base} ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups}) ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base} ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base} ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_group_nesting_level = 5 ldap_group_nesting_level = 5
cache_credentials = false cache_credentials = false
entry_cache_timeout = 1 entry_cache_timeout = 1
ldap_user_member_of = skMemberOf ldap_user_member_of = skMemberOf
[sssd] [sssd]
config_file_version = 2 config_file_version = 2
services = nss, pam, sudo, ssh services = nss, pam, sudo, ssh
domains = skynet.ie domains = skynet.ie
[nss] [nss]
# override_homedir = /home/%u # override_homedir = /home/%u
[pam] [pam]
[sudo] [sudo]
[autofs] [autofs]
''; '';
}; };
}; };
} }
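Review bot: The `security.sudo.extraRules` entry grants `skynet-admins-linux` `ALL` with `NOPASSWD`, so a stolen or forwarded SSH key for any admin is root on every host importing this module with no further check; since `services = nss, pam, sudo, ssh` and `cache_credentials = false` are already configured, `sudo` could prompt for the LDAP password instead (`options = [];`), and if passwordless sudo is needed for automation that reason should be recorded in the comment above the rule. Separately, `create_filter_array` interpolates each entry of `cfg.groups` straight into the `ldap_user_search_base` filter without LDAP escaping; the names come from NixOS configuration rather than from users, so this is not an injection risk as written, but a one-line comment (`# group names are trusted config, not user input; no LDAP filter escaping applied`) would keep that assumption visible.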


@ -1,13 +1,16 @@
/* /*
Gonna use a priper nixos module for this Gonna use a priper nixos module for this
*/ */
{
{ config, pkgs, lib, inputs, ... }: config,
with lib; pkgs,
let lib,
cfg = config.services.skynet_ldap; inputs,
in { ...
}:
with lib; let
cfg = config.services.skynet_ldap;
in {
# these are needed for teh program in question # these are needed for teh program in question
imports = [ imports = [
../acme.nix ../acme.nix
@ -16,7 +19,6 @@ Gonna use a priper nixos module for this
./backend.nix ./backend.nix
]; ];
options.services.skynet_ldap = { options.services.skynet_ldap = {
# options that need to be passed in to make this work # options that need to be passed in to make this work
@ -61,7 +63,6 @@ Gonna use a priper nixos module for this
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# passthrough to the backend # passthrough to the backend
services.ldap_backend = { services.ldap_backend = {
enable = true; enable = true;
@ -82,7 +83,11 @@ Gonna use a priper nixos module for this
]; ];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
# firewall on teh computer itself # firewall on teh computer itself
@ -111,25 +116,29 @@ Gonna use a priper nixos module for this
# using https://nixos.wiki/wiki/OpenLDAP for base config # using https://nixos.wiki/wiki/OpenLDAP for base config
systemd.services.openldap = { systemd.services.openldap = {
wants = [ "acme-${cfg.domain.base}.service" ]; wants = ["acme-${cfg.domain.base}.service"];
after = [ "acme-${cfg.domain.base}.service" ]; after = ["acme-${cfg.domain.base}.service"];
}; };
users.groups.acme.members = [ "openldap" ]; users.groups.acme.members = ["openldap"];
services.openldap = { services.openldap = {
# backup /var/lib/openldap/slapd.d # backup /var/lib/openldap/slapd.d
enable = true; enable = true;
/* enable plain and secure connections */ /*
urlList = [ "ldap:///" "ldaps:///" ]; enable plain and secure connections
*/
urlList = ["ldap:///" "ldaps:///"];
settings = { settings = {
attrs = { attrs = {
olcLogLevel = "conns config"; olcLogLevel = "conns config";
/* settings for acme ssl */ /*
settings for acme ssl
*/
olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem"; olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem"; olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem"; olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
@ -154,67 +163,70 @@ Gonna use a priper nixos module for this
./skMemberOf.ldif ./skMemberOf.ldif
]; ];
"cn=modules".attrs = { "cn=modules".attrs = {
objectClass = [ "olcModuleList" ]; objectClass = ["olcModuleList"];
cn = "modules"; cn = "modules";
olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"]; olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
}; };
"olcDatabase={-1}frontend".attrs = { "olcDatabase={-1}frontend".attrs = {
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ]; objectClass = ["olcDatabaseConfig" "olcFrontendConfig"];
olcPasswordHash = "{SSHA512}"; olcPasswordHash = "{SSHA512}";
}; };
"olcDatabase={1}mdb" = { "olcDatabase={1}mdb" = {
attrs = { attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{1}mdb"; olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data"; olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = cfg.base; olcSuffix = cfg.base;
/* your admin account, do not use writeText on a production system */ /*
your admin account, do not use writeText on a production system
*/
olcRootDN = "cn=admin,${cfg.base}"; olcRootDN = "cn=admin,${cfg.base}";
olcRootPW.path = config.age.secrets.ldap_pw.path; olcRootPW.path = config.age.secrets.ldap_pw.path;
#olcOverlay = "memberof"; #olcOverlay = "memberof";
olcAccess = [ olcAccess = [
/* custom access rules for userPassword attributes */ /*
''{0}to attrs=userPassword custom access rules for userPassword attributes
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage */
by self write '' {0}to attrs=userPassword
by anonymous auth by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * none'' by self write
by anonymous auth
by * none''
''{1}to attrs=mail,sshPublicKey,cn,sn,skDiscord '' {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write by self write
by * read'' by * read''
/* allow read on anything else */ /*
''{2}to * allow read on anything else
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage */
by * read'' '' {2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read''
]; ];
}; };
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/ # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
children = { children = {
"olcOverlay=dynlist".attrs = { "olcOverlay=dynlist".attrs = {
objectClass = [ "olcOverlayConfig" "olcDynamicList" ]; objectClass = ["olcOverlayConfig" "olcDynamicList"];
olcOverlay = "dynlist"; olcOverlay = "dynlist";
olcDlAttrSet = "skPerson labeledURI skMemberOf"; olcDlAttrSet = "skPerson labeledURI skMemberOf";
}; };
"olcOverlay=memberof".attrs = { "olcOverlay=memberof".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ]; objectClass = ["olcOverlayConfig" "olcMemberOf" "olcConfig" "top"];
olcOverlay = "memberof"; olcOverlay = "memberof";
olcMemberOfDangling = "ignore"; olcMemberOfDangling = "ignore";
olcMemberOfRefInt = "TRUE"; olcMemberOfRefInt = "TRUE";
@ -223,10 +235,7 @@ Gonna use a priper nixos module for this
olcMemberOfMemberOfAD = "memberOf"; olcMemberOfMemberOfAD = "memberOf";
}; };
}; };
}; };
}; };
}; };
}; };
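Review bot: `urlList = ["ldap:///" "ldaps:///"]` keeps plaintext LDAP on 389 next to LDAPS, and nothing in the visible `settings.attrs` requires TLS for binds (no `olcSecurity`), so user binds (`by self write`, `by anonymous auth` in the `{0}` rule) and the `uid=ldap_api` bind can carry passwords in the clear if 389 is reachable; the firewall block is outside this hunk, so reachability beyond the host cannot be judged here. Either drop `"ldap:///"` or add `olcSecurity = "tls=1";` under `attrs` so cleartext binds are refused. The `{1}` rule also grants `by * read` on `mail`, `sshPublicKey` and `skDiscord`, so an anonymous bind can enumerate every member's e-mail and Discord ID; the client module in this commit appears to bind anonymously, so tightening this to `by users read` means giving sssd a read-only bind DN first. `olcLogLevel = "conns config"` logs every connection, which is useful while debugging but noisy and PII-bearing in production.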


@ -1,5 +1,4 @@
# using K900's one https://gitlab.com/K900/nix/-/blob/a69502b8bf39fd99a85342b2f7989fe5896a6ae0/applications/base/nginx.nix # using K900's one https://gitlab.com/K900/nix/-/blob/a69502b8bf39fd99a85342b2f7989fe5896a6ae0/applications/base/nginx.nix
{pkgs, ...}: { {pkgs, ...}: {
services.nginx = { services.nginx = {
enable = true; enable = true;


@ -1,154 +1,154 @@
# nodes is all the nodes # nodes is all the nodes
{ lib, config, nodes, pkgs, ...}: with lib; {
let lib,
cfg = config.services.skynet_backup; config,
nodes,
pkgs,
...
}:
with lib; let
cfg = config.services.skynet_backup;
# since they should all have the same config we can do this
base = {
paths = cfg.normal.backups;
exclude = cfg.normal.exclude;
initialize = true;
passwordFile = config.age.secrets.restic.path;
# since they should all have the same config we can do this pruneOpts = [
base = { #"--keep-within 0y2m0d0h"
paths = cfg.normal.backups; #"--keep-monthly 2"
exclude = cfg.normal.exclude; ];
initialize = true;
passwordFile = config.age.secrets.restic.path;
pruneOpts = [ timerConfig = {
#"--keep-within 0y2m0d0h" OnCalendar = "daily";
#"--keep-monthly 2" Persistent = true;
]; RandomizedDelaySec = "5h";
timerConfig = {
OnCalendar = "daily";
Persistent = true;
RandomizedDelaySec = "5h";
};
}; };
};
# takes nodes, # takes nodes,
# for each check if iut has teh abckup attribute, # for each check if iut has teh abckup attribute,
# then if the server is enabled, # then if the server is enabled,
# then pull relevant dtails # then pull relevant dtails
ownServers = builtins.listToAttrs (builtins.concatLists ( ownServers = builtins.listToAttrs (builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value: lib.attrsets.mapAttrsToList (
let key: value: let
backup = value.config.services.skynet_backup; backup = value.config.services.skynet_backup;
in in
if ( if
(builtins.hasAttr "skynet_backup" value.config.services) (
&& backup.server.enable (builtins.hasAttr "skynet_backup" value.config.services)
&& backup.host.name != cfg.host.name && backup.server.enable
&& !backup.server.appendOnly && backup.host.name != cfg.host.name
) && !backup.server.appendOnly
)
then [ then [
{ {
name = backup.host.name; name = backup.host.name;
value = base // { value =
repositoryFile = "/etc/skynet/restic/${backup.host.name}"; base
// {
repositoryFile = "/etc/skynet/restic/${backup.host.name}";
backupPrepareCommand = '' backupPrepareCommand = ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
set -euo pipefail set -euo pipefail
baseDir="/etc/skynet/restic" baseDir="/etc/skynet/restic"
mkdir -p $baseDir mkdir -p $baseDir
cd $baseDir cd $baseDir
echo -n "rest:http://root:password@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name} echo -n "rest:http://root:password@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name}
# read in teh password # read in teh password
#PW = `cat ${config.age.secrets.restic.path}` #PW = `cat ${config.age.secrets.restic.path}`
line=$(head -n 1 ${config.age.secrets.restic.path}) line=$(head -n 1 ${config.age.secrets.restic.path})
sed -i "s/password/$line/g" ${backup.host.name} sed -i "s/password/$line/g" ${backup.host.name}
''; '';
};
};
} }
] ]
else [ ] else []
) nodes )
)); nodes
));
in {
imports = [
];
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
# https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix
# will eb enabled on every server
options.services.skynet_backup = {
# backup is enabled by default
# enable = mkEnableOption "Skynet backup";
# what folders to backup
in { normal = {
backups = lib.mkOption {
imports = [ default = [];
type = lib.types.listOf lib.types.str;
]; description = ''
A list of paths to backup.
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base '';
# https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix
# will eb enabled on every server
options.services.skynet_backup = {
# backup is enabled by default
# enable = mkEnableOption "Skynet backup";
# what folders to backup
normal = {
backups = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to backup.
'';
};
exclude = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to exclide .
'';
};
}; };
# append only data so space limited exclude = lib.mkOption {
secure = { default = [];
backups = lib.mkOption { type = lib.types.listOf lib.types.str;
default = [ ]; description = ''
type = lib.types.listOf lib.types.str; A list of paths to exclide .
description = '' '';
A list of paths to backup.
'';
};
exclude = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to exclide .
'';
};
}; };
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
server = {
enable = mkEnableOption "Skynet backup Server";
port = mkOption {
type = types.port;
default = 8765;
};
appendOnly = mkOption {
type = types.bool;
default = false;
};
};
}; };
# append only data so space limited
secure = {
backups = lib.mkOption {
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to backup.
'';
};
exclude = lib.mkOption {
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to exclide .
'';
};
};
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
server = {
enable = mkEnableOption "Skynet backup Server";
port = mkOption {
type = types.port;
default = 8765;
};
appendOnly = mkOption {
type = types.bool;
default = false;
};
};
};
config = { config = {
# these values are anabled for every client # these values are anabled for every client
@ -162,21 +162,22 @@
# nix-shell -p apacheHttpd # nix-shell -p apacheHttpd
# htpasswd -nbB "" "password" | cut -d: -f2 # htpasswd -nbB "" "password" | cut -d: -f2
age.secrets.restic.file = ../secrets/backup/restic.age; age.secrets.restic.file = ../secrets/backup/restic.age;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
cfg.server.port cfg.server.port
]; ];
services.restic.backups = ownServers // { services.restic.backups =
# merge teh two configs together ownServers
# backblaze = base // { // {
# # backupos for each server are stored in a folder under their name # merge teh two configs together
# repository = "b2:NixOS-Main2:/${cfg.host.name}"; # backblaze = base // {
# #environmentFile = config.age.secrets.backblaze.path; # # backupos for each server are stored in a folder under their name
# }; # repository = "b2:NixOS-Main2:/${cfg.host.name}";
# #environmentFile = config.age.secrets.backblaze.path;
}; # };
};
age.secrets.restic_pw = mkIf cfg.server.enable { age.secrets.restic_pw = mkIf cfg.server.enable {
file = ../secrets/backup/restic_pw.age; file = ../secrets/backup/restic_pw.age;
@ -187,13 +188,11 @@
group = "restic"; group = "restic";
}; };
services.restic.server = mkIf cfg.server.enable{ services.restic.server = mkIf cfg.server.enable {
enable = true; enable = true;
listenAddress = "${cfg.host.ip}:${toString cfg.server.port}"; listenAddress = "${cfg.host.ip}:${toString cfg.server.port}";
appendOnly = cfg.server.appendOnly; appendOnly = cfg.server.appendOnly;
privateRepos = true; privateRepos = true;
}; };
}; };
} }


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
cfg = config.services.skynet; lib,
in { inputs,
...
}:
with lib; let
cfg = config.services.skynet;
in {
imports = [ imports = [
./acme.nix ./acme.nix
./dns.nix ./dns.nix
@ -29,9 +33,21 @@
skynet_dns.records = [ skynet_dns.records = [
# means root domain, so skynet.ie # means root domain, so skynet.ie
{record="@"; r_type="A"; value=cfg.host.ip;} {
{record="2016"; r_type="CNAME"; value=cfg.host.name;} record = "@";
{record="discord"; r_type="CNAME"; value=cfg.host.name;} r_type = "A";
value = cfg.host.ip;
}
{
record = "2016";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "discord";
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443];


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }: {
with lib; config,
let pkgs,
cfg = config.services.skynet_users; lib,
in { inputs,
...
}:
with lib; let
cfg = config.services.skynet_users;
in {
imports = [ imports = [
./acme.nix ./acme.nix
./dns.nix ./dns.nix
@ -32,22 +36,29 @@
]; ];
}; };
# Website config # Website config
skynet_acme.domains = [ skynet_acme.domains = [
"users.skynet.ie" "users.skynet.ie"
"*.users.skynet.ie" "*.users.skynet.ie"
]; ];
skynet_dns.records = [ skynet_dns.records = [
{record ="users"; r_type="CNAME"; value=cfg.host.name;} {
{record="*.users"; r_type="CNAME"; value=cfg.host.name;} record = "users";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "*.users";
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443];
# normally services cannot read home dirs # normally services cannot read home dirs
systemd.services.nginx.serviceConfig.ProtectHome="read-only"; systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
# main site # main site


@ -1,9 +1,12 @@
{ config, lib, pkgs, ... }: {
with lib; config,
let lib,
cfg = config.services.skynet_ulfm; pkgs,
in { ...
}:
with lib; let
cfg = config.services.skynet_ulfm;
in {
imports = [ imports = [
./acme.nix ./acme.nix
./dns.nix ./dns.nix
@ -12,34 +15,34 @@
]; ];
options.services.skynet_ulfm = { options.services.skynet_ulfm = {
enable = mkEnableOption "ULFM service"; enable = mkEnableOption "ULFM service";
host = { host = {
ip = mkOption { ip = mkOption {
type = types.str; type = types.str;
}; };
name = mkOption { name = mkOption {
type = types.str; type = types.str;
}; };
}; };
domain = { domain = {
tld = mkOption { tld = mkOption {
type = types.str; type = types.str;
default = "ie"; default = "ie";
}; };
base = mkOption { base = mkOption {
type = types.str; type = types.str;
default = "skynet"; default = "skynet";
}; };
sub = mkOption { sub = mkOption {
type = types.str; type = types.str;
default = "ulfm"; default = "ulfm";
}; };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -55,7 +58,11 @@
]; ];
skynet_dns.records = [ skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} {
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
]; ];
skynet_firewall.forward = [ skynet_firewall.forward = [
@ -74,9 +81,9 @@
}; };
systemd.services.icecast = { systemd.services.icecast = {
after = [ "network.target" ]; after = ["network.target"];
description = "Icecast Network Audio Streaming Server"; description = "Icecast Network Audio Streaming Server";
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
preStart = "mkdir -p /var/log/icecast && chown nobody:nogroup /var/log/icecast"; preStart = "mkdir -p /var/log/icecast && chown nobody:nogroup /var/log/icecast";
serviceConfig = { serviceConfig = {
@ -91,7 +98,5 @@
useACMEHost = "skynet"; useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:8000"; locations."/".proxyPass = "http://localhost:8000";
}; };
}; };
} }


@ -20,6 +20,29 @@
"type": "github" "type": "github"
} }
}, },
"alejandra": {
"inputs": {
"fenix": "fenix",
"flakeCompat": "flakeCompat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1660510326,
"narHash": "sha256-xFumnivtVwu5fFBOrTxrv6fv3geHKF04RGP23EsDVaI=",
"owner": "kamadorueda",
"repo": "alejandra",
"rev": "ef03f7ef74ec97fd91a016a51c9c9667fb315652",
"type": "github"
},
"original": {
"owner": "kamadorueda",
"ref": "3.0.0",
"repo": "alejandra",
"type": "github"
}
},
"arion": { "arion": {
"inputs": { "inputs": {
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
@ -78,6 +101,28 @@
"type": "github" "type": "github"
} }
}, },
"fenix": {
"inputs": {
"nixpkgs": [
"alejandra",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1657607339,
"narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -133,6 +178,22 @@
"type": "github" "type": "github"
} }
}, },
"flakeCompat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"haskell-flake": { "haskell-flake": {
"locked": { "locked": {
"lastModified": 1675296942, "lastModified": 1675296942,
@ -401,6 +462,7 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"alejandra": "alejandra",
"arion": "arion", "arion": "arion",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
@ -412,6 +474,23 @@
"skynet_website_2016": "skynet_website_2016" "skynet_website_2016": "skynet_website_2016"
} }
}, },
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1657557289,
"narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "caf23f29144b371035b864a1017dbc32573ad56d",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"simple-nixos-mailserver": { "simple-nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",


@ -1,5 +1,4 @@
{ {
description = "Deployment for skynet"; description = "Deployment for skynet";
inputs = { inputs = {
@ -10,13 +9,17 @@
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
arion.url = "github:hercules-ci/arion"; arion.url = "github:hercules-ci/arion";
alejandra = {
url = "github:kamadorueda/alejandra/3.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
# email # email
# simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; # simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
# account.skynet.ie # account.skynet.ie
skynet_ldap_backend.url = "gitlab:compsoc1%2Fskynet%2Fldap/backend?host=gitlab.skynet.ie"; skynet_ldap_backend.url = "gitlab:compsoc1%2Fskynet%2Fldap/backend?host=gitlab.skynet.ie";
skynet_ldap_frontend.url = "gitlab:compsoc1%2Fskynet%2Fldap/frontend?host=gitlab.skynet.ie"; skynet_ldap_frontend.url = "gitlab:compsoc1%2Fskynet%2Fldap/frontend?host=gitlab.skynet.ie";
skynet_website.url = "gitlab:compsoc1%2Fskynet%2Fwebsite/2023?host=gitlab.skynet.ie"; skynet_website.url = "gitlab:compsoc1%2Fskynet%2Fwebsite/2023?host=gitlab.skynet.ie";
@ -27,19 +30,25 @@
nixConfig.bash-prompt-suffix = "[Skynet Dev] "; nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
outputs = { self, nixpkgs, agenix, ... } @inputs: outputs = {
let self,
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs; nixpkgs,
in { agenix,
alejandra,
...
} @ inputs: let
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
in {
formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux";
devShells.x86_64-linux.default = pkgs.mkShell { devShells.x86_64-linux.default = pkgs.mkShell {
name = "Skynet build env"; name = "Skynet build env";
nativeBuildInputs = [ nativeBuildInputs = [
pkgs.buildPackages.git pkgs.buildPackages.git
pkgs.buildPackages.colmena pkgs.buildPackages.colmena
pkgs.buildPackages.nmap pkgs.buildPackages.nmap
]; ];
buildInputs = [ agenix.packages.x86_64-linux.default ]; buildInputs = [agenix.packages.x86_64-linux.default];
shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"''; shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"'';
}; };
@ -55,7 +64,7 @@
}; };
# installed for each machine # installed for each machine
defaults = import ./machines/_base.nix ; defaults = import ./machines/_base.nix;
# firewall machiene # firewall machiene
agentjones = import ./machines/agentjones.nix; agentjones = import ./machines/agentjones.nix;
@ -92,8 +101,6 @@
# Main skynet sites # Main skynet sites
earth = import ./machines/earth.nix; earth = import ./machines/earth.nix;
}; };
}; };
} }
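Review bot: The new `alejandra` input at `url = "github:kamadorueda/alejandra/3.0.0";` is pinned by a git tag, and tags are mutable references; the only thing that fixes the code actually fetched is the `rev` recorded in flake.lock (the lock section in this commit records `ef03f7ef74ec97fd91a016a51c9c9667fb315652` for it, and shows the input transitively pulling in `fenix` and a `rust-analyzer` nightly). That is fine as long as flake.lock stays committed and is only refreshed deliberately, but a reader of flake.nix alone cannot tell that, so either append `?rev=ef03f7ef74ec97fd91a016a51c9c9667fb315652` to the URL or add `# pinned by flake.lock; bump deliberately, it also drags in fenix + a rust-analyzer nightly` above it. The `inputs.nixpkgs.follows = "nixpkgs";` line is the right call and keeps a second nixpkgs out of the closure. Separately, `formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux";` uses the older flake output name; if the pinned revision also exposes `packages.x86_64-linux.default`, prefer that since `defaultPackage` is deprecated in the flake schema (confirm against the pinned alejandra before switching).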


@ -1,6 +1,11 @@
{ pkgs, modulesPath, config, options, inputs, ... }:
{ {
pkgs,
modulesPath,
config,
options,
inputs,
...
}: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")
@ -21,7 +26,7 @@
]; ];
# flakes are essensial # flakes are essensial
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = ["nix-command" "flakes"];
system.stateVersion = "22.11"; system.stateVersion = "22.11";
@ -69,7 +74,7 @@
}; };
# time on vendetta is strangely out of sync # time on vendetta is strangely out of sync
networking.timeServers = options.networking.timeServers.default ++ [ "ie.pool.ntp.org" ]; networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
services.ntp.enable = true; services.ntp.enable = true;
# use teh above nameservers as the fallback dns # use teh above nameservers as the fallback dns


@ -1,22 +1,23 @@
/* /*
Name: https://matrix.fandom.com/wiki/Agent_Jones Name: https://matrix.fandom.com/wiki/Agent_Jones
Type: Physical Type: Physical
Hardware: PowerEdge r210 Hardware: PowerEdge r210
From: 2011 (?) From: 2011 (?)
Role: Firewall Role: Firewall
Notes: Used to have Agent Smith as a partner but it died (Ironically) Notes: Used to have Agent Smith as a partner but it died (Ironically)
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "agentjones"; name = "agentjones";
ip_pub = "193.1.99.72"; ip_pub = "193.1.99.72";
ip_priv = "193.1.99.125"; ip_priv = "193.1.99.125";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
./hardware/_base.nix ./hardware/_base.nix
@ -29,12 +30,21 @@ in {
targetUser = "root"; targetUser = "root";
# somehow ssh from runner to this fails # somehow ssh from runner to this fails
tags = [ "active-firewall" ]; tags = ["active-firewall"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -92,18 +102,20 @@ in {
# gonna have to get all the # gonna have to get all the
forward = builtins.concatLists ( forward = builtins.concatLists (
# using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list
lib.attrsets.mapAttrsToList (key: value: lib.attrsets.mapAttrsToList (
key: value:
# make sure that anything running this firewall dosent count (recursion otherewise) # make sure that anything running this firewall dosent count (recursion otherewise)
# firewall may want to open ports in itself but can deal with that later # firewall may want to open ports in itself but can deal with that later
if builtins.hasAttr "skynet_firewall" value.config if builtins.hasAttr "skynet_firewall" value.config
then ( then
if value.config.skynet_firewall.enable (
then [] if value.config.skynet_firewall.enable
else value.config.skynet_firewall.forward then []
) else value.config.skynet_firewall.forward
else [] )
) nodes else []
)
nodes
); );
}; };
} }


@ -1,21 +1,23 @@
/* /*
Name: https://hitchhikers.fandom.com/wiki/Earth Name: https://hitchhikers.fandom.com/wiki/Earth
Why: Our home(page) Why: Our home(page)
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Webserver Role: Webserver
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, inputs, ... }: pkgs,
let lib,
name = "earth"; nodes,
ip_pub = "193.1.99.79"; inputs,
hostname = "${name}.skynet.ie"; ...
}: let
name = "earth";
ip_pub = "193.1.99.79";
hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/skynet.ie.nix ../applications/skynet.ie.nix
@ -26,13 +28,22 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active-core" ]; tags = ["active-core"];
}; };
# it has two network devices so two # it has two network devices so two
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -48,5 +59,4 @@ in {
name = name; name = name;
}; };
}; };
} }


@ -1,21 +1,24 @@
/* /*
Name: https://en.wikipedia.org/wiki/Galatea_(mythology) Name: https://en.wikipedia.org/wiki/Galatea_(mythology)
Why: Created as a product of artistic expression Why: Created as a product of artistic expression
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Icecast server for ULFM Role: Icecast server for ULFM
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, config, ... }: pkgs,
let lib,
nodes,
config,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "galatea"; name = "galatea";
ip_pub = "193.1.99.111"; ip_pub = "193.1.99.111";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/ulfm.nix ../applications/ulfm.nix
@ -26,12 +29,21 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active" ]; tags = ["active"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {


@ -1,23 +1,24 @@
/* /*
Name: https://zim.fandom.com/wiki/GIR Name: https://zim.fandom.com/wiki/GIR
Why: Gir used to have this role before, servers never die Why: Gir used to have this role before, servers never die
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Email Server Role: Email Server
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "gir"; name = "gir";
ip_pub = "193.1.99.76"; ip_pub = "193.1.99.76";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
#hostname = ip_pub; #hostname = ip_pub;
in { in {
imports = [ imports = [
../applications/email.nix ../applications/email.nix
@ -28,13 +29,22 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active-core" ]; tags = ["active-core"];
}; };
# add this server to dns # add this server to dns
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {


@ -1,23 +1,24 @@
/* /*
Name: https://half-life.fandom.com/wiki/GLaDOS Name: https://half-life.fandom.com/wiki/GLaDOS
Why: Glados has a vast experence of testing and deploying. Why: Glados has a vast experence of testing and deploying.
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Git server Role: Git server
Notes: Each user has roughly 20gb os storage Notes: Each user has roughly 20gb os storage
20 * 100 = 2000gb 20 * 100 = 2000gb
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "glados"; name = "glados";
ip_pub = "193.1.99.75"; ip_pub = "193.1.99.75";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/gitlab.nix ../applications/gitlab.nix
@ -28,13 +29,21 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active-gitlab" ]; tags = ["active-gitlab"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -51,5 +60,4 @@ in {
name = name; name = name;
}; };
}; };
} }


@ -1,31 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e"; device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/41AD-70AF"; device = "/dev/disk/by-uuid/41AD-70AF";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f"; } {device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,31 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743"; device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/8B03-4D11"; device = "/dev/disk/by-uuid/8B03-4D11";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac"; } {device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,31 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5"; device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/76CE-C65E"; device = "/dev/disk/by-uuid/76CE-C65E";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7"; } {device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,5 +1,10 @@
{ config, options, lib, ... }: with lib; {
let config,
options,
lib,
...
}:
with lib; let
# get a list of interfaces # get a list of interfaces
interfaces = attrNames config.networking.interfaces; interfaces = attrNames config.networking.interfaces;
# check if an IP has been assigned # check if an IP has been assigned
@ -13,5 +18,4 @@ in {
} }
]; ];
}; };
} }


@ -1,23 +1,24 @@
/* /*
Name: https://en.wikipedia.org/wiki/KITT Name: https://en.wikipedia.org/wiki/KITT
Why: Kitt used to have this role before (as well as email and dns) Why: Kitt used to have this role before (as well as email and dns)
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: LDAP Server Role: LDAP Server
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "kitt"; name = "kitt";
ip_pub = "193.1.99.74"; ip_pub = "193.1.99.74";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
#hostname = ip_pub; #hostname = ip_pub;
in { in {
imports = [ imports = [
../applications/ldap/server.nix ../applications/ldap/server.nix
@ -29,13 +30,22 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active-core" ]; tags = ["active-core"];
}; };
# add this server to dns # add this server to dns
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {


@ -1,29 +1,29 @@
/* /*
Name: https://williamgibson.fandom.com/wiki/Neuromancer_(AI) Name: https://williamgibson.fandom.com/wiki/Neuromancer_(AI)
Why: A sibling to Wintermute, stores and archives memories. Why: A sibling to Wintermute, stores and archives memories.
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Backup Server Role: Backup Server
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "neuromancer"; name = "neuromancer";
ip_pub = "193.1.99.80"; ip_pub = "193.1.99.80";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
./hardware/_base.nix ./hardware/_base.nix
./hardware/RM007.nix ./hardware/RM007.nix
]; ];
networking.hostName = name; networking.hostName = name;
# this has to be defined for any physical servers # this has to be defined for any physical servers
# vms are defined by teh vm host # vms are defined by teh vm host
@ -39,12 +39,21 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active-core" ]; tags = ["active-core"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -54,5 +63,4 @@ in {
name = name; name = name;
}; };
}; };
} }


@ -1,22 +1,24 @@
/* /*
Name: https://en.wikipedia.org/wiki/Optimus_Prime Name: https://en.wikipedia.org/wiki/Optimus_Prime
Why: Created to sell toys so this vm is for games Why: Created to sell toys so this vm is for games
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Game host Role: Game host
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, arion, ... }: pkgs,
let lib,
nodes,
arion,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "optimus"; name = "optimus";
ip_pub = "193.1.99.112"; ip_pub = "193.1.99.112";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/games.nix ../applications/games.nix
@ -27,12 +29,21 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active" ]; tags = ["active"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {


@ -1,24 +1,25 @@
/* /*
Name: https://en.wikipedia.org/wiki/Ash_(Alien) Name: https://en.wikipedia.org/wiki/Ash_(Alien)
Why: Infilitrate into the network Why: Infilitrate into the network
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Wireguard (VPN) Server Role: Wireguard (VPN) Server
Notes: Thius vpn is for admin use only, to give access to all the servers via ssh Notes: Thius vpn is for admin use only, to give access to all the servers via ssh
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "ash"; name = "ash";
ip_pub = "193.1.99.75"; ip_pub = "193.1.99.75";
ip_priv = "172.20.20.5"; ip_priv = "172.20.20.5";
# hostname = "${name}.skynet.ie"; # hostname = "${name}.skynet.ie";
hostname = ip_pub; hostname = ip_pub;
in { in {
imports = [ imports = [
# applications for this particular server # applications for this particular server
@ -48,7 +49,6 @@ in {
]; ];
}; };
age.secrets.wireguard.file = ../secrets/wireguard.age; age.secrets.wireguard.file = ../secrets/wireguard.age;
networking = { networking = {
@ -74,12 +74,12 @@ in {
privateKeyFile = "/run/agenix/wireguard"; privateKeyFile = "/run/agenix/wireguard";
peers = [ peers = [
{ # silver - Brendan {
# silver - Brendan
publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ="; publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ=";
allowedIPs = [ "172.20.21.2/32" ]; allowedIPs = ["172.20.21.2/32"];
} }
]; ];
}; };
}; };
@ -87,5 +87,4 @@ in {
# needed to generate keys # needed to generate keys
pkgs.wireguard-tools pkgs.wireguard-tools
]; ];
} }


@ -1,23 +1,25 @@
/* /*
Name: https://en.wikipedia.org/wiki/Skynet_(Terminator) Name: https://en.wikipedia.org/wiki/Skynet_(Terminator)
Why: Skynet is eternal Why: Skynet is eternal
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Webserver and member linux box Role: Webserver and member linux box
Notes: Does not host offical sites Notes: Does not host offical sites
*/ */
{
{ pkgs, lib, nodes, inputs, ... }: pkgs,
let lib,
name = "skynet"; nodes,
inputs,
...
}: let
name = "skynet";
# DMZ that ITD provided # DMZ that ITD provided
ip_pub = "193.1.96.165"; ip_pub = "193.1.96.165";
ip_int = "193.1.99.81"; ip_int = "193.1.99.81";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/skynet_users.nix ../applications/skynet_users.nix
@ -29,12 +31,21 @@ in {
targetUser = "root"; targetUser = "root";
# this one is manually deployed # this one is manually deployed
tags = [ "active-ext" ]; tags = ["active-ext"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup.host = { services.skynet_backup.host = {


@ -1,21 +1,23 @@
/* /*
Name: https://masseffect.fandom.com/wiki/Vendetta Name: https://masseffect.fandom.com/wiki/Vendetta
Why: Vendetta held troves of important data waiting for folks to request it. Why: Vendetta held troves of important data waiting for folks to request it.
Type: Physical Type: Physical
Hardware: PowerEdge r210 Hardware: PowerEdge r210
From: 2011 (?) From: 2011 (?)
Role: DNS Server Role: DNS Server
Notes: Using the server that used to be called Earth Notes: Using the server that used to be called Earth
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "vendetta"; name = "vendetta";
ip_pub = "193.1.99.120"; ip_pub = "193.1.99.120";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
./hardware/_base.nix ./hardware/_base.nix
@ -27,7 +29,7 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active-dns" "dns" ]; tags = ["active-dns" "dns"];
}; };
networking = { networking = {
@ -61,10 +63,18 @@ in {
records = [ records = [
# vendetta IN A 193.1.99.120 # vendetta IN A 193.1.99.120
{record=name; r_type="A"; value=ip_pub; server=true;} {
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 120 IN PTR vendetta.skynet.ie. # 120 IN PTR vendetta.skynet.ie.
{record=ip_pub; r_type="PTR"; value=hostname;} {
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
}; };
} }


@ -1,23 +1,24 @@
/* /*
Name: https://masseffect.fandom.com/wiki/Vigil Name: https://masseffect.fandom.com/wiki/Vigil
Why: Counterpart to Vendetta Why: Counterpart to Vendetta
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: DNS Server Role: DNS Server
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
name = "vigil"; nodes,
ip_pub = "193.1.99.109"; ...
hostname = "${name}.skynet.ie"; }: let
name = "vigil";
ip_pub = "193.1.99.109";
hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
]; ];
deployment = { deployment = {
@ -25,7 +26,7 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active-dns" "dns" ]; tags = ["active-dns" "dns"];
}; };
services.skynet_backup = { services.skynet_backup = {
@ -46,10 +47,18 @@ in {
# this server will have to have dns records # this server will have to have dns records
records = [ records = [
# vigil IN A 193.1.99.109 # vigil IN A 193.1.99.109
{record=name; r_type="A"; value=ip_pub; server=true;} {
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 109 IN PTR vigil.skynet.ie. # 109 IN PTR vigil.skynet.ie.
{record=ip_pub; r_type="PTR"; value=hostname;} {
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
}; };
} }


@ -1,22 +1,23 @@
/* /*
Name: https://theportalwiki.com/wiki/Wheatley Name: https://theportalwiki.com/wiki/Wheatley
Why: Whereever GLaDOS is Wheatly is not too far away Why: Whereever GLaDOS is Wheatly is not too far away
Type: VM Type: VM
Hardware: - Hardware: -
From: 2023 From: 2023
Role: Gitlab Runner Role: Gitlab Runner
Notes: Notes:
*/ */
{
{ pkgs, lib, nodes, ... }: pkgs,
let lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it # name of the server, sets teh hostname and record for it
name = "wheatly"; name = "wheatly";
ip_pub = "193.1.99.78"; ip_pub = "193.1.99.78";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
in { in {
imports = [ imports = [
../applications/gitlab_runner.nix ../applications/gitlab_runner.nix
@ -27,13 +28,21 @@ in {
targetPort = 22; targetPort = 22;
targetUser = "root"; targetUser = "root";
tags = [ "active-gitlab" ]; tags = ["active-gitlab"];
}; };
skynet_dns.records = [ skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;} {
{record=ip_pub; r_type="PTR"; value=hostname;} record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
]; ];
services.skynet_backup = { services.skynet_backup = {
@ -47,5 +56,4 @@ in {
enable = true; enable = true;
runner.name = "runner01"; runner.name = "runner01";
}; };
} }


@ -1,7 +1,7 @@
let let
admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"; admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"; silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb";
thenobrainer ="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"; thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
users = [ users = [
admin admin
@ -57,11 +57,12 @@ let
gir gir
]; ];
ldap = [ ldap =
kitt [
] kitt
++ gitlab ]
++ email; ++ gitlab
++ email;
gitlab = [ gitlab = [
glados glados
@ -72,19 +73,20 @@ let
]; ];
# these need dns stuff # these need dns stuff
webservers = [ webservers =
# ULFM [
galatea # ULFM
# Games galatea
optimus # Games
# skynet is a webserver for users optimus
skynet # skynet is a webserver for users
# our offical server skynet
earth # our offical server
] earth
# ldap servers are web facing ]
++ ldap # ldap servers are web facing
++ gitlab; ++ ldap
++ gitlab;
restic = [ restic = [
neuromancer neuromancer
@ -93,8 +95,7 @@ let
discord = [ discord = [
kitt kitt
]; ];
in in {
{
# nix run github:ryantm/agenix -- -e secret1.age # nix run github:ryantm/agenix -- -e secret1.age
"dns_certs.secret.age".publicKeys = users ++ webservers; "dns_certs.secret.age".publicKeys = users ++ webservers;
@ -102,7 +103,6 @@ in
"stream_ulfm.age".publicKeys = users ++ [galatea]; "stream_ulfm.age".publicKeys = users ++ [galatea];
"gitlab/pw.age".publicKeys = users ++ gitlab; "gitlab/pw.age".publicKeys = users ++ gitlab;
"gitlab/db_pw.age".publicKeys = users ++ gitlab; "gitlab/db_pw.age".publicKeys = users ++ gitlab;
"gitlab/secrets_db.age".publicKeys = users ++ gitlab; "gitlab/secrets_db.age".publicKeys = users ++ gitlab;