feat: added a formatter and some instructions

silver 2023-09-17 20:51:08 +01:00
parent 14ae0a9065
commit 7f3dc8946e
39 changed files with 1739 additions and 1348 deletions


@ -87,6 +87,13 @@ We should be updating ``nixpkgs`` at least once a semester, ideally to teh next
nix flake lock --update-input nixpkgs
```
### Formatting
Formatting helps keep everything nice and consistent.
```shell
nix fmt
```


@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.skynet_acme;
in {
imports = [];


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.discord_bot;
in {
imports = [
inputs.skynet_discord_bot.nixosModule."x86_64-linux"
];
@ -13,7 +17,6 @@
};
config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.discord_token.file = ../secrets/discord/token.age;


@ -1,5 +1,10 @@
{ lib, pkgs, config, nodes, ... }:
let
{
lib,
pkgs,
config,
nodes,
...
}: let
cfg = config.skynet_dns;
# reads that date to a string (will need to be fixed in 2038)
@ -11,7 +16,11 @@ let
filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A");
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
process_ptr_sub = record: {record=(builtins.substring 9 3 record.record); r_type="PTR"; value=record.value;};
process_ptr_sub = record: {
record = builtins.substring 9 3 record.record;
r_type = "PTR";
value = record.value;
};
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server;
@ -26,8 +35,7 @@ let
padString = text: length: fixedWidthString_post length " " text;
# like lib.strings.fixedWidthString but postfix
fixedWidthString_post = width: filler: str:
let
fixedWidthString_post = width: filler: str: let
strw = lib.stringLength str;
reqWidth = width - (lib.stringLength filler);
in
@ -36,11 +44,10 @@ let
then str
else (fixedWidthString_post reqWidth filler str) + filler;
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
get_config_file = (domain:
''$TTL 60 ; 1 minute
get_config_file = (
domain: ''
$TTL 60 ; 1 minute
; hostmaster@${domain} is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
@ -90,11 +97,11 @@ ${format_records sort_records_srv 17}
''
);
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
# config for our reverse dnspointers (not properly working)
get_config_file_rev = (domain:
''$ORIGIN 64-64.99.1.193.in-addr.arpa.
get_config_file_rev = (
domain: ''
$ORIGIN 64-64.99.1.193.in-addr.arpa.
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
@ -117,8 +124,9 @@ ${format_records sort_records_ptr 3}
);
# domains we dont have proper ownship over, only here to ensure the logs dont get cluttered.
get_config_file_old_domains = (domain:
''$TTL 60 ; 1 minute
get_config_file_old_domains = (
domain: ''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
@ -139,28 +147,27 @@ ${format_records sort_records_ptr 3}
tmp1 = ["193.1.99.109"];
tmp2 = ["193.1.99.120"];
primaries = (if cfg.server.primary then
primaries = (
if cfg.server.primary
then
# primary servers have no primaries (ones they listen to)
[]
else
if builtins.elem cfg.server.ip tmp1 then
tmp2
else
tmp1
else if builtins.elem cfg.server.ip tmp1
then tmp2
else tmp1
);
secondaries = (if cfg.server.primary then
if builtins.elem cfg.server.ip tmp1 then
tmp2
else
tmp1
else
[]
secondaries = (
if cfg.server.primary
then
if builtins.elem cfg.server.ip tmp1
then tmp2
else tmp1
else []
);
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
create_cache_networks = (map (x: "193.1.99.${toString x}/32" ) (lib.lists.range 71 126) );
create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
# standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc_sub = domain: text: {
@ -177,19 +184,17 @@ ${format_records sort_records_ptr 3}
};
# (text.owned "csn.ul.ie")
# standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc = domain: type:
if type == "owned" then
create_entry_etc_sub domain (text.owned domain)
else if type == "reverse" then
create_entry_etc_sub domain (text.reverse domain)
else if type == "old" then
create_entry_etc_sub domain (text.old domain)
else
{};
if type == "owned"
then create_entry_etc_sub domain (text.owned domain)
else if type == "reverse"
then create_entry_etc_sub domain (text.reverse domain)
else if type == "old"
then create_entry_etc_sub domain (text.old domain)
else {};
create_entry_zone = (domain: extraConfig: {
create_entry_zone = domain: extraConfig: {
"${domain}" = {
extraConfig = ''
${extraConfig}
@ -205,7 +210,7 @@ ${extraConfig}
file = "/etc/skynet/dns/${domain}";
# no leading whitespace for first line
};
});
};
text = {
owned = domain: get_config_file domain;
@ -215,15 +220,14 @@ ${extraConfig}
extraConfig = {
owned =
if cfg.server.primary then
''
if cfg.server.primary
then ''
allow-update { key rfc2136key.skynet.ie.; };
dnssec-policy default;
inline-signing yes;
''
else
"";
else "";
# no extra config for reverse
reverse = "";
@ -232,30 +236,52 @@ inline-signing yes;
};
records = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
let
lib.attrsets.mapAttrsToList (
key: value: let
details_server = value.config.skynet_dns.server;
details_records = value.config.skynet_dns.records;
in
if builtins.hasAttr "skynet_dns" value.config
then (
then
(
# got to handle habing a dns record for the dns serves themselves.
if details_server.enable
then (
then
(
if details_server.primary
then details_records ++ [ {record="ns1"; r_type="A"; value=details_server.ip; server=false;} ]
else details_records ++ [ {record="ns2"; r_type="A"; value=details_server.ip; server=false;} ]
then
details_records
++ [
{
record = "ns1";
r_type = "A";
value = details_server.ip;
server = false;
}
]
else
details_records
++ [
{
record = "ns2";
r_type = "A";
value = details_server.ip;
server = false;
}
]
)
else details_records
)
else []
) nodes
)
nodes
);
nameserver = if cfg.server.primary then "ns1" else "ns2";
nameserver =
if cfg.server.primary
then "ns1"
else "ns2";
in {
imports = [
../applications/firewall.nix
];
@ -284,7 +310,8 @@ in {
records = lib.mkOption {
description = "Records, sorted based on therir type";
type = with lib.types; listOf (submodule {
type = with lib.types;
listOf (submodule {
options = {
record = lib.mkOption {
type = str;
@ -303,12 +330,10 @@ in {
};
});
};
};
};
config = lib.mkIf cfg.server.enable {
# open the firewall for this
skynet_firewall.forward = [
"ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept"
@ -316,25 +341,20 @@ in {
];
services.bind.zones =
(create_entry_zone "csn.ul.ie" extraConfig.owned ) //
(create_entry_zone "skynet.ie" extraConfig.owned ) //
(create_entry_zone "ulcompsoc.ie" extraConfig.owned ) //
(create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse ) //
(create_entry_zone "conradcollins.net" extraConfig.old )//
(create_entry_zone "edelharty.net" extraConfig.old );
(create_entry_zone "csn.ul.ie" extraConfig.owned)
// (create_entry_zone "skynet.ie" extraConfig.owned)
// (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
// (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
// (create_entry_zone "conradcollins.net" extraConfig.old)
// (create_entry_zone "edelharty.net" extraConfig.old);
environment.etc =
(create_entry_etc "csn.ul.ie" "owned") //
(create_entry_etc "skynet.ie" "owned") //
(create_entry_etc "ulcompsoc.ie" "owned") //
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse") //
(create_entry_etc "conradcollins.net" "old") //
(create_entry_etc "edelharty.net" "old");
(create_entry_etc "csn.ul.ie" "owned")
// (create_entry_etc "skynet.ie" "owned")
// (create_entry_etc "ulcompsoc.ie" "owned")
// (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
// (create_entry_etc "conradcollins.net" "old")
// (create_entry_etc "edelharty.net" "old");
# secrets required
age.secrets.dns_dnskeys = {
@ -374,7 +394,8 @@ in {
"9.9.9.9"
];
cacheNetworks = [
cacheNetworks =
[
# this server itself
"127.0.0.0/24"
@ -390,7 +411,8 @@ in {
Now have a function for it
*/
] ++ create_cache_networks;
]
++ create_cache_networks;
};
# deletes teh journal files evey start so it no longer stalls out
@ -404,6 +426,5 @@ in {
createHome = true;
home = "/etc/skynet/dns";
};
};
}
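Review bot: `process_ptr_sub` and `ip_ptr_to_int` in the `@ -11,7 +16,11 @@` hunk both depend on `builtins.substring 9 3`, which only yields the host octet because every address in this tree starts with the nine-character prefix `193.1.99.`; an address from any other range would silently produce a wrong PTR label rather than an error, and nothing near the definitions says so. A comment above the pair would make the assumption explicit, e.g. `# assumes 193.1.99.x (9-char prefix): keeps only the last octet, matching the 64-64.99.1.193.in-addr.arpa reverse zone`. Taking the last dotted field instead, `lib.last (lib.splitString "." record.record)`, drops the fixed offset without changing the result for the current addresses.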


@ -1,17 +1,21 @@
{ config, pkgs, lib, inputs, ...}: with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_email;
# create teh new strings
create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
create_filter_join = (x: concatStringsSep "" x);
create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = (groups: create_filter_join (create_filter_array groups) );
create_filter = groups: create_filter_join (create_filter_array groups);
in {
imports = [
./dns.nix
./acme.nix
@ -85,7 +89,6 @@
default = "cn=admin,${cfg.ldap.base}";
description = lib.mdDoc "where to find users";
};
};
};
@ -104,30 +107,70 @@
# set up dns record for it
skynet_dns.records = [
# basic one
{record="mail"; r_type="A"; value=cfg.host.ip;}
{
record = "mail";
r_type = "A";
value = cfg.host.ip;
}
# TXT records, all tehse are inside escaped strings to allow using ""
# SPF record
{record="${cfg.domain}."; r_type="TXT"; value=''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';}
{
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
}
# DKIM keys
{record="mail._domainkey.skynet.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';}
{record="mail._domainkey.ulcompsoc.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';}
{
record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
# DMARC
{record="_dmarc.${cfg.domain}."; r_type="TXT"; value=''"v=DMARC1; p=none"'';}
{
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
value = ''"v=DMARC1; p=none"'';
}
# reverse pointer
{record=cfg.host.ip; r_type="PTR"; value="${cfg.sub}.${cfg.domain}.";}
{
record = cfg.host.ip;
r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}.";
}
# SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie
# https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406
# response should be:
# _imap._tcp SRV 0 1 143 imap.example.com.
{record="_imaps._tcp"; r_type="SRV"; value="0 1 993 ${cfg.sub}.${cfg.domain}.";}
{record="_imap._tcp"; r_type="SRV"; value="0 1 143 ${cfg.sub}.${cfg.domain}.";}
{record="_submissions._tcp"; r_type="SRV"; value="0 1 465 ${cfg.sub}.${cfg.domain}.";}
{record="_submission._tcp"; r_type="SRV"; value="0 1 587 ${cfg.sub}.${cfg.domain}.";}
{
record = "_imaps._tcp";
r_type = "SRV";
value = "0 1 993 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_imap._tcp";
r_type = "SRV";
value = "0 1 143 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submissions._tcp";
r_type = "SRV";
value = "0 1 465 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submission._tcp";
r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
}
];
# to provide the certs
@ -215,14 +258,11 @@
uidAttribute = "skMail";
mailAttribute = "skMail";
};
};
# feckin spammers
rejectRecipients = [
];
};
# tune the spam filter
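Review bot: The DMARC record in the `@ -104,30 +107,70 @@` hunk publishes `p=none` with no `rua=` tag, so receivers neither quarantine mail for `${cfg.domain}` that fails SPF/DKIM alignment nor send aggregate reports back, which leaves the record with no protective or observational effect. Given SPF is already at `-all` and DKIM is published for both domains, a monitoring phase would at least want a report address, `value = ''"v=DMARC1; p=none; rua=mailto:<REPORT-MAILBOX>"'';` (placeholder mailbox), with a later move to `p=quarantine` once the reports show aligned mail only. A comment above the record stating that `p=none` is a deliberate first stage would also stop it being read as the final policy, e.g. `# DMARC: monitoring only for now; tighten to quarantine once reports confirm alignment`.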


@ -1,5 +1,9 @@
{lib, pkgs, config, ...}: {
{
lib,
pkgs,
config,
...
}: {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
options = {
skynet_firewall = {
@ -42,9 +46,7 @@
A list of UDP ports for the machiene running the firewall
'';
};
};
};
};
};
@ -56,8 +58,7 @@
# fules for the firewall
# beware of EOL conversion.
networking.nftables.ruleset =
''
networking.nftables.ruleset = ''
# using https://oxcrag.net/2021/12/25/build-your-own-router-with-nftables-part-1/ as a guide
# Clear out any existing rules
@ -165,8 +166,5 @@
}
}
'';
};
}


@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_games;
in {
imports = [
@ -9,7 +13,6 @@
./games/minecraft.nix
];
options.services.skynet_games = {
enable = mkEnableOption "Skynet Games";
@ -39,14 +42,16 @@
default = "games";
};
};
};
config = mkIf cfg.enable {
skynet_dns.records = [
# need a base domain
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
# the minecraft servers
@ -62,7 +67,5 @@
sub = "minecraft.${cfg.domain.sub}";
};
};
};
}


@ -1,12 +1,16 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_games_minecraft;
# got tired of how long this is so I created a var for it.
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
imports = [
../acme.nix
../dns.nix
@ -60,15 +64,35 @@
skynet_dns.records = [
# the minecraft (web) config server
{record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{
record = "config.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# our own minecraft hosts
{record="compsoc_classic.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{record="compsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{
record = "compsoc_classic.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "compsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# gsoc servers
{record="gsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{record="gsoc_abridged.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{
record = "gsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "gsoc_abridged.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [
@ -77,7 +101,6 @@
];
services.nginx.virtualHosts = {
# https://config.minecraft.games.skynet.ie
"config.${short_domain}" = {
forceSSL = true;
@ -94,7 +117,6 @@
useACMEHost = "skynet";
locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/";
};
};
# arion is one way to use docker on nixos
@ -103,7 +125,6 @@
virtualisation.arion = {
backend = "docker";
projects = {
minecraft.settings.services = {
mc_proxy.service = {
image = "itzg/mc-router:1.18.0";


@ -1,6 +1,10 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_gitlab;
in {
imports = [
@ -52,9 +56,7 @@
default = "dc=skynet,dc=ie";
description = lib.mdDoc "The base address in the ldap server";
};
};
};
config = mkIf cfg.enable {
@ -102,9 +104,17 @@
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
# for gitlab pages
{record="*.pages.${cfg.domain.base}.${cfg.domain.tld}."; r_type="A"; value=cfg.host.ip;}
{
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
r_type = "A";
value = cfg.host.ip;
}
];
networking.firewall.allowedTCPPorts = [
@ -163,7 +173,6 @@
auth-server = "https://gitlab.example.com";
*/
};
};
#smtp = {
# enable = true;


@ -1,10 +1,13 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_gitlab_runner;
in {
imports = [
];
options.services.skynet_gitlab_runner = {


@ -1,10 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.ldap_backend;
port_backend = "8087";
in {
imports = [
../acme.nix
../dns.nix
@ -44,7 +48,6 @@
};
config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
@ -56,7 +59,11 @@
];
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
@ -99,7 +106,8 @@
];
lifetime = [];
banned = [];
restricted = [
restricted =
[
# usernames folks arent allowed to use
"contact"
"dnsadm"
@ -109,8 +117,8 @@
"pro"
"sysadmin"
"root"
] ++ [
]
++ [
# basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444
# start off with compsoc stuff first
"competition_www"
@ -127,7 +135,8 @@
"test20203"
"tmp"
"webadm"
] ++ [
]
++ [
# clubs and socs (as far as I can tell
"aerosoc"
"aikido"
@ -170,7 +179,8 @@
"ulssc"
"ultennis"
"viking"
] ++ [
]
++ [
# remaining, most likely usernames
"_9thwonder"
"abc"
@ -405,9 +415,7 @@
"yvonne"
"zrahman"
];
};
};
};
}


@ -1,21 +1,26 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_ldap_client;
# always ensure the admin group has access
create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x);
create_filter_check_admin = x:
if !(builtins.elem "skynet-admins" x)
then x ++ ["skynet-admins"]
else x;
# create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
create_filter_join = (x: concatStringsSep "" x);
create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) );
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
in {
# these are needed for teh program in question
imports = [];
@ -46,7 +51,6 @@
];
description = lib.mdDoc "Groups we want to allow access to the server";
};
};
config = mkIf cfg.enable {
@ -54,9 +58,16 @@
security.sudo.extraRules = [
# admin group has sudo access
{ groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
{
groups = ["skynet-admins-linux"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
# give users a home dir
security.pam.services.sshd.makeHomeDir = true;
@ -112,6 +123,5 @@ domains = skynet.ie
[autofs]
'';
};
};
}
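Review bot: The sudo rule in the `@ -54,9 +58,16 @@` hunk grants `ALL` with `NOPASSWD` to every member of `skynet-admins-linux`, and on a host whose users and groups appear to come from the directory (the `create_filter_check_admin` helper and the sssd-style `domains = skynet.ie` / `[autofs]` context suggest they do) that makes group membership in LDAP equivalent to passwordless root on every client, so the directory's write-access rules are the real boundary for this rule. That is a defensible choice for an admin group but it should be written down where the rule lives, e.g. `# NOPASSWD root for the admin group: membership is managed in LDAP, so whoever can edit that group can become root here`. If a password prompt is acceptable for interactive use, dropping `options = ["NOPASSWD"];` narrows the exposure without changing who is allowed.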


@ -1,13 +1,16 @@
/*
Gonna use a priper nixos module for this
*/
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_ldap;
in {
# these are needed for teh program in question
imports = [
../acme.nix
@ -16,7 +19,6 @@ Gonna use a priper nixos module for this
./backend.nix
];
options.services.skynet_ldap = {
# options that need to be passed in to make this work
@ -61,7 +63,6 @@ Gonna use a priper nixos module for this
};
config = mkIf cfg.enable {
# passthrough to the backend
services.ldap_backend = {
enable = true;
@ -82,7 +83,11 @@ Gonna use a priper nixos module for this
];
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
# firewall on teh computer itself
@ -122,14 +127,18 @@ Gonna use a priper nixos module for this
enable = true;
/* enable plain and secure connections */
/*
enable plain and secure connections
*/
urlList = ["ldap:///" "ldaps:///"];
settings = {
attrs = {
olcLogLevel = "conns config";
/* settings for acme ssl */
/*
settings for acme ssl
*/
olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
@ -154,7 +163,6 @@ Gonna use a priper nixos module for this
./skMemberOf.ldif
];
"cn=modules".attrs = {
objectClass = ["olcModuleList"];
cn = "modules";
@ -176,14 +184,18 @@ Gonna use a priper nixos module for this
olcSuffix = cfg.base;
/* your admin account, do not use writeText on a production system */
/*
your admin account, do not use writeText on a production system
*/
olcRootDN = "cn=admin,${cfg.base}";
olcRootPW.path = config.age.secrets.ldap_pw.path;
#olcOverlay = "memberof";
olcAccess = [
/* custom access rules for userPassword attributes */
/*
custom access rules for userPassword attributes
*/
'' {0}to attrs=userPassword
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
@ -195,13 +207,13 @@ Gonna use a priper nixos module for this
by self write
by * read''
/* allow read on anything else */
/*
allow read on anything else
*/
'' {2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read''
];
};
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
@ -223,10 +235,7 @@ Gonna use a priper nixos module for this
olcMemberOfMemberOfAD = "memberOf";
};
};
};
};
};
};
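Review bot: The final access rule in the `@ -195,13 +207,13 @@` hunk, `{2}to * ... by * read`, lets any bind, including an anonymous one over the plain `ldap:///` listener in the `@ -122,14 +127,18 @@` hunk, read every attribute not covered by the earlier rules, which means the user and group tree is readable without credentials. The `olcAccess` list starts before this hunk, so rule `{1}` and the tail of rule `{0}` are not visible here. If clients always bind as a service account (the `ldap_api` DN is present in every rule), `by users read` in place of `by * read` would keep them working while closing unauthenticated reads; if anonymous read is intended, a comment such as `# anonymous read is deliberate: <reason>` would stop it being tightened by accident.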


@ -1,5 +1,4 @@
# using K900's one https://gitlab.com/K900/nix/-/blob/a69502b8bf39fd99a85342b2f7989fe5896a6ae0/applications/base/nginx.nix
{pkgs, ...}: {
services.nginx = {
enable = true;


@ -1,10 +1,14 @@
# nodes is all the nodes
{ lib, config, nodes, pkgs, ...}: with lib;
let
{
lib,
config,
nodes,
pkgs,
...
}:
with lib; let
cfg = config.services.skynet_backup;
# since they should all have the same config we can do this
base = {
paths = cfg.normal.backups;
@ -29,11 +33,12 @@
# then if the server is enabled,
# then pull relevant dtails
ownServers = builtins.listToAttrs (builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
let
lib.attrsets.mapAttrsToList (
key: value: let
backup = value.config.services.skynet_backup;
in
if (
if
(
(builtins.hasAttr "skynet_backup" value.config.services)
&& backup.server.enable
&& backup.host.name != cfg.host.name
@ -42,7 +47,9 @@
then [
{
name = backup.host.name;
value = base // {
value =
base
// {
repositoryFile = "/etc/skynet/restic/${backup.host.name}";
backupPrepareCommand = ''
@ -62,20 +69,15 @@
sed -i "s/password/$line/g" ${backup.host.name}
'';
};
}
]
else []
) nodes
)
nodes
));
in {
imports = [
];
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@ -146,10 +148,8 @@
default = false;
};
};
};
config = {
# these values are anabled for every client
@ -168,14 +168,15 @@
cfg.server.port
];
services.restic.backups = ownServers // {
services.restic.backups =
ownServers
// {
# merge teh two configs together
# backblaze = base // {
# # backupos for each server are stored in a folder under their name
# repository = "b2:NixOS-Main2:/${cfg.host.name}";
# #environmentFile = config.age.secrets.backblaze.path;
# };
};
age.secrets.restic_pw = mkIf cfg.server.enable {
@ -193,7 +194,5 @@
appendOnly = cfg.server.appendOnly;
privateRepos = true;
};
};
}
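Review bot: `sed -i "s/password/$line/g" ${backup.host.name}` in the `@ -62,20 +69,15 @@` hunk expands the repository secret into sed's argument list, where it is visible to other local users through the process table for as long as sed runs, and a value containing `/` or `&` would also break or corrupt the substitution. The enclosing `backupPrepareCommand` begins before this hunk, so where `$line` is read from and how `/etc/skynet/restic/${backup.host.name}` is permissioned are not visible here. Passing the value to the rewriting tool through the environment or a file rather than the command line, and escaping sed's metacharacters, would address both; failing that, a comment above the line, e.g. `# secret briefly visible in argv of sed; acceptable only on single-admin hosts`, should record the trade-off.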


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet;
in {
imports = [
./acme.nix
./dns.nix
@ -29,9 +33,21 @@
skynet_dns.records = [
# means root domain, so skynet.ie
{record="@"; r_type="A"; value=cfg.host.ip;}
{record="2016"; r_type="CNAME"; value=cfg.host.name;}
{record="discord"; r_type="CNAME"; value=cfg.host.name;}
{
record = "@";
r_type = "A";
value = cfg.host.ip;
}
{
record = "2016";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "discord";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [80 443];


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_users;
in {
imports = [
./acme.nix
./dns.nix
@ -32,7 +36,6 @@
];
};
# Website config
skynet_acme.domains = [
"users.skynet.ie"
@ -40,8 +43,16 @@
];
skynet_dns.records = [
{record ="users"; r_type="CNAME"; value=cfg.host.name;}
{record="*.users"; r_type="CNAME"; value=cfg.host.name;}
{
record = "users";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "*.users";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [80 443];


@ -1,9 +1,12 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.skynet_ulfm;
in {
imports = [
./acme.nix
./dns.nix
@ -55,7 +58,11 @@
];
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
skynet_firewall.forward = [
@ -91,7 +98,5 @@
useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:8000";
};
};
}


@ -20,6 +20,29 @@
"type": "github"
}
},
"alejandra": {
"inputs": {
"fenix": "fenix",
"flakeCompat": "flakeCompat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1660510326,
"narHash": "sha256-xFumnivtVwu5fFBOrTxrv6fv3geHKF04RGP23EsDVaI=",
"owner": "kamadorueda",
"repo": "alejandra",
"rev": "ef03f7ef74ec97fd91a016a51c9c9667fb315652",
"type": "github"
},
"original": {
"owner": "kamadorueda",
"ref": "3.0.0",
"repo": "alejandra",
"type": "github"
}
},
"arion": {
"inputs": {
"flake-parts": "flake-parts",
@ -78,6 +101,28 @@
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"alejandra",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1657607339,
"narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -133,6 +178,22 @@
"type": "github"
}
},
"flakeCompat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"haskell-flake": {
"locked": {
"lastModified": 1675296942,
@ -401,6 +462,7 @@
"root": {
"inputs": {
"agenix": "agenix",
"alejandra": "alejandra",
"arion": "arion",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3",
@ -412,6 +474,23 @@
"skynet_website_2016": "skynet_website_2016"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1657557289,
"narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "caf23f29144b371035b864a1017dbc32573ad56d",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",


@ -1,5 +1,4 @@
{
description = "Deployment for skynet";
inputs = {
@ -10,6 +9,10 @@
flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix";
arion.url = "github:hercules-ci/arion";
alejandra = {
url = "github:kamadorueda/alejandra/3.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
# email
# simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
@ -27,10 +30,16 @@
nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
outputs = { self, nixpkgs, agenix, ... } @inputs:
let
outputs = {
self,
nixpkgs,
agenix,
alejandra,
...
} @ inputs: let
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
in {
formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux";
devShells.x86_64-linux.default = pkgs.mkShell {
name = "Skynet build env";
@ -92,8 +101,6 @@
# Main skynet sites
earth = import ./machines/earth.nix;
};
};
}
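Review bot: The `alejandra` input added in the `@ -10,6 +9,10 @@` hunk pulls three further flake inputs into the lock (`fenix`, `flakeCompat` and a `rust-analyzer-src` pinned to the `nightly` ref) for what is only a formatter, which widens the set of upstreams this deployment's lock trusts. nixpkgs has shipped the formatter for some time, so `formatter.x86_64-linux = pkgs.alejandra;` in the `outputs` hunk would give the same `nix fmt` without a new input or the extra lock entries. If the pinned `3.0.0` tag is deliberate, a one-line comment on the input saying why it is not taken from nixpkgs would keep the next maintainer from swapping it out.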


@ -1,6 +1,11 @@
{ pkgs, modulesPath, config, options, inputs, ... }:
{
pkgs,
modulesPath,
config,
options,
inputs,
...
}: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")


@ -6,17 +6,18 @@
From: 2011 (?)
Role: Firewall
Notes: Used to have Agent Smith as a partner but it died (Ironically)
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "agentjones";
ip_pub = "193.1.99.72";
ip_priv = "193.1.99.125";
hostname = "${name}.skynet.ie";
in {
imports = [
./hardware/_base.nix
@ -33,8 +34,17 @@ in {
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -92,18 +102,20 @@ in {
# gonna have to get all the
forward = builtins.concatLists (
# using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list
lib.attrsets.mapAttrsToList (key: value:
lib.attrsets.mapAttrsToList (
key: value:
# make sure that anything running this firewall dosent count (recursion otherewise)
# firewall may want to open ports in itself but can deal with that later
if builtins.hasAttr "skynet_firewall" value.config
then (
then
(
if value.config.skynet_firewall.enable
then []
else value.config.skynet_firewall.forward
)
else []
) nodes
)
nodes
);
};
}


@ -7,15 +7,17 @@
From: 2023
Role: Webserver
Notes:
*/
{ pkgs, lib, nodes, inputs, ... }:
let
{
pkgs,
lib,
nodes,
inputs,
...
}: let
name = "earth";
ip_pub = "193.1.99.79";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/skynet.ie.nix
@ -31,8 +33,17 @@ in {
# it has two network devices so two
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -48,5 +59,4 @@ in {
name = name;
};
};
}


@ -7,11 +7,14 @@
From: 2023
Role: Icecast server for ULFM
Notes:
*/
{ pkgs, lib, nodes, config, ... }:
let
{
pkgs,
lib,
nodes,
config,
...
}: let
# name of the server, sets teh hostname and record for it
name = "galatea";
ip_pub = "193.1.99.111";
@ -30,8 +33,17 @@ in {
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {


@ -7,17 +7,18 @@
From: 2023
Role: Email Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "gir";
ip_pub = "193.1.99.76";
hostname = "${name}.skynet.ie";
#hostname = ip_pub;
in {
imports = [
../applications/email.nix
@ -33,8 +34,17 @@ in {
# add this server to dns
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {


@ -8,16 +8,17 @@
Role: Git server
Notes: Each user has roughly 20gb os storage
20 * 100 = 2000gb
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "glados";
ip_pub = "193.1.99.75";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/gitlab.nix
@ -31,10 +32,18 @@ in {
tags = ["active-gitlab"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -51,5 +60,4 @@ in {
name = name;
};
};
}
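Review bot: `ip_pub = "193.1.99.75";` on glados is the same address that the ash (wireguard) host further down this commit declares as its own `ip_pub`. Glados registers an A record and a PTR for that address here, and ash sets `hostname = ip_pub`, so if both values are genuine the generated zone would carry two hosts on .75; if not, one of them looks like a copy-paste leftover from the other host file. Worth confirming against the actual allocation before the records are regenerated. The enclosing `in { … }` attribute set begins outside the hunk.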


@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
@ -13,18 +17,18 @@
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e";
fileSystems."/" = {
device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/41AD-70AF";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/41AD-70AF";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f"; }
swapDevices = [
{device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
@ -13,18 +17,18 @@
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743";
fileSystems."/" = {
device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8B03-4D11";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/8B03-4D11";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac"; }
swapDevices = [
{device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -1,11 +1,15 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"];
@ -13,18 +17,18 @@
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5";
fileSystems."/" = {
device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/76CE-C65E";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/76CE-C65E";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7"; }
swapDevices = [
{device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -1,5 +1,10 @@
{ config, options, lib, ... }: with lib;
let
{
config,
options,
lib,
...
}:
with lib; let
# get a list of interfaces
interfaces = attrNames config.networking.interfaces;
# check if an IP has been assigned
@ -13,5 +18,4 @@ in {
}
];
};
}


@ -7,17 +7,18 @@
From: 2023
Role: LDAP Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "kitt";
ip_pub = "193.1.99.74";
hostname = "${name}.skynet.ie";
#hostname = ip_pub;
in {
imports = [
../applications/ldap/server.nix
@ -34,8 +35,17 @@ in {
# add this server to dns
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {


@ -7,23 +7,23 @@
From: 2023
Role: Backup Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "neuromancer";
ip_pub = "193.1.99.80";
hostname = "${name}.skynet.ie";
in {
imports = [
./hardware/_base.nix
./hardware/RM007.nix
];
networking.hostName = name;
# this has to be defined for any physical servers
# vms are defined by teh vm host
@ -43,8 +43,17 @@ in {
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -54,5 +63,4 @@ in {
name = name;
};
};
}


@ -7,16 +7,18 @@
From: 2023
Role: Game host
Notes:
*/
{ pkgs, lib, nodes, arion, ... }:
let
{
pkgs,
lib,
nodes,
arion,
...
}: let
# name of the server, sets teh hostname and record for it
name = "optimus";
ip_pub = "193.1.99.112";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/games.nix
@ -31,8 +33,17 @@ in {
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {


@ -7,18 +7,19 @@
From: 2023
Role: Wireguard (VPN) Server
Notes: Thius vpn is for admin use only, to give access to all the servers via ssh
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "ash";
ip_pub = "193.1.99.75";
ip_priv = "172.20.20.5";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
in {
imports = [
# applications for this particular server
@ -48,7 +49,6 @@ in {
];
};
age.secrets.wireguard.file = ../secrets/wireguard.age;
networking = {
@ -74,12 +74,12 @@ in {
privateKeyFile = "/run/agenix/wireguard";
peers = [
{ # silver - Brendan
{
# silver - Brendan
publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ=";
allowedIPs = ["172.20.21.2/32"];
}
];
};
};
@ -87,5 +87,4 @@ in {
# needed to generate keys
pkgs.wireguard-tools
];
}


@ -7,17 +7,19 @@
From: 2023
Role: Webserver and member linux box
Notes: Does not host offical sites
*/
{ pkgs, lib, nodes, inputs, ... }:
let
{
pkgs,
lib,
nodes,
inputs,
...
}: let
name = "skynet";
# DMZ that ITD provided
ip_pub = "193.1.96.165";
ip_int = "193.1.99.81";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/skynet_users.nix
@ -33,8 +35,17 @@ in {
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup.host = {
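Review bot: The PTR entry `record = ip_pub;` keys the reverse record on the DMZ address `193.1.96.165`, while every other host on this page registers its PTR under an address inside `193.1.99.0/24`. If the dns module derives the reverse-zone entry from a fixed position in the address string rather than from the full network prefix, this record would be filed as `165` in the 193.1.99 reverse zone and resolve to the wrong host; it is worth checking whether the PTR should instead use `ip_int` (which is in that /24) or whether the module handles a second reverse zone. The A record above it is unaffected either way. The enclosing `in { … }` attribute set begins outside the hunk.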


@ -7,11 +7,13 @@
From: 2011 (?)
Role: DNS Server
Notes: Using the server that used to be called Earth
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "vendetta";
ip_pub = "193.1.99.120";
@ -61,10 +63,18 @@ in {
records = [
# vendetta IN A 193.1.99.120
{record=name; r_type="A"; value=ip_pub; server=true;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 120 IN PTR vendetta.skynet.ie.
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
};
}


@ -7,17 +7,18 @@
From: 2023
Role: DNS Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
name = "vigil";
ip_pub = "193.1.99.109";
hostname = "${name}.skynet.ie";
in {
imports = [
];
deployment = {
@ -46,10 +47,18 @@ in {
# this server will have to have dns records
records = [
# vigil IN A 193.1.99.109
{record=name; r_type="A"; value=ip_pub; server=true;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 109 IN PTR vigil.skynet.ie.
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
};
}


@ -7,16 +7,17 @@
From: 2023
Role: Gitlab Runner
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "wheatly";
ip_pub = "193.1.99.78";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/gitlab_runner.nix
@ -30,10 +31,18 @@ in {
tags = ["active-gitlab"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -47,5 +56,4 @@ in {
enable = true;
runner.name = "runner01";
};
}


@ -57,7 +57,8 @@ let
gir
];
ldap = [
ldap =
[
kitt
]
++ gitlab
@ -72,7 +73,8 @@ let
];
# these need dns stuff
webservers = [
webservers =
[
# ULFM
galatea
# Games
@ -93,8 +95,7 @@ let
discord = [
kitt
];
in
{
in {
# nix run github:ryantm/agenix -- -e secret1.age
"dns_certs.secret.age".publicKeys = users ++ webservers;
@ -102,7 +103,6 @@ in
"stream_ulfm.age".publicKeys = users ++ [galatea];
"gitlab/pw.age".publicKeys = users ++ gitlab;
"gitlab/db_pw.age".publicKeys = users ++ gitlab;
"gitlab/secrets_db.age".publicKeys = users ++ gitlab;