feat: added a formatter and some instructions

This commit is contained in:
silver 2023-09-17 20:51:08 +01:00
parent 14ae0a9065
commit 7f3dc8946e
39 changed files with 1739 additions and 1348 deletions


@ -87,6 +87,13 @@ We should be updating ``nixpkgs`` at least once a semester, ideally to teh next
nix flake lock --update-input nixpkgs
```
### Formatting
Formatting helps keep everything nice and consistent.
```shell
nix fmt
```


@ -1,13 +1,17 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.skynet_acme;
in {
in {
imports = [];
options.skynet_acme = {
domains = lib.mkOption {
default = [ ];
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of domains to use for this server.


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.discord_bot;
in {
in {
imports = [
inputs.skynet_discord_bot.nixosModule."x86_64-linux"
];
@ -13,7 +17,6 @@
};
config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.discord_token.file = ../secrets/discord/token.age;


@ -1,5 +1,10 @@
{ lib, pkgs, config, nodes, ... }:
let
{
lib,
pkgs,
config,
nodes,
...
}: let
cfg = config.skynet_dns;
# reads that date to a string (will need to be fixed in 2038)
@ -11,7 +16,11 @@ let
filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A");
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
process_ptr_sub = record: {record=(builtins.substring 9 3 record.record); r_type="PTR"; value=record.value;};
process_ptr_sub = record: {
record = builtins.substring 9 3 record.record;
r_type = "PTR";
value = record.value;
};
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server;
@ -26,8 +35,7 @@ let
padString = text: length: fixedWidthString_post length " " text;
# like lib.strings.fixedWidthString but postfix
fixedWidthString_post = width: filler: str:
let
fixedWidthString_post = width: filler: str: let
strw = lib.stringLength str;
reqWidth = width - (lib.stringLength filler);
in
@ -36,13 +44,12 @@ let
then str
else (fixedWidthString_post reqWidth filler str) + filler;
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
get_config_file = (domain:
''$TTL 60 ; 1 minute
; hostmaster@${domain} is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. (
get_config_file = (
domain: ''
$TTL 60 ; 1 minute
; hostmaster@${domain} is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${current_date}
600 ; Refresh (10 minutes)
@ -51,53 +58,53 @@ let
3600 ; Minimum (1 hour)
)
@ NS ns1.${domain}.
@ NS ns2.${domain}.
@ NS ns1.${domain}.
@ NS ns2.${domain}.
; @ stands for teh root domain so teh A record below is where ${domain} points to
;@ A 193.1.99.76
;@ MX 5 ${domain}.
;@ A 193.1.99.76
;@ MX 5 ${domain}.
; can have multiple mailserves
@ MX 10 mail.${domain}.
; can have multiple mailserves
@ MX 10 mail.${domain}.
; ------------------------------------------
; Server Names (A Records)
; ------------------------------------------
${format_records sort_records_server 11}
; ------------------------------------------
; Server Names (A Records)
; ------------------------------------------
${format_records sort_records_server 11}
; ------------------------------------------
; A (non server names
; ------------------------------------------
${format_records sort_records_a 18}
; ------------------------------------------
; A (non server names
; ------------------------------------------
${format_records sort_records_a 18}
; ------------------------------------------
; CNAMES
; ------------------------------------------
${format_records sort_records_cname 31}
; ------------------------------------------
; CNAMES
; ------------------------------------------
${format_records sort_records_cname 31}
; ------------------------------------------
; TXT
; ------------------------------------------
${format_records (filter_records_type "TXT") 29}
; ------------------------------------------
; TXT
; ------------------------------------------
${format_records (filter_records_type "TXT") 29}
; ------------------------------------------
; SRV
; ------------------------------------------
${format_records sort_records_srv 17}
; ------------------------------------------
; SRV
; ------------------------------------------
${format_records sort_records_srv 17}
''
''
);
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
# config for our reverse dnspointers (not properly working)
get_config_file_rev = (domain:
''$ORIGIN 64-64.99.1.193.in-addr.arpa.
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
get_config_file_rev = (
domain: ''
$ORIGIN 64-64.99.1.193.in-addr.arpa.
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${current_date}
600 ; Refresh (10 minutes)
@ -106,21 +113,22 @@ $TTL 60 ; 1 minute
3600 ; Minimum (1 hour)
)
@ NS ns1.skynet.ie.
@ NS ns2.skynet.ie.
@ NS ns1.skynet.ie.
@ NS ns2.skynet.ie.
; ------------------------------------------
; PTR
; ------------------------------------------
${format_records sort_records_ptr 3}
''
; ------------------------------------------
; PTR
; ------------------------------------------
${format_records sort_records_ptr 3}
''
);
# domains we dont have proper ownship over, only here to ensure the logs dont get cluttered.
get_config_file_old_domains = (domain:
''$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
get_config_file_old_domains = (
domain: ''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${current_date}
600 ; Refresh (10 minutes)
@ -129,38 +137,37 @@ ${format_records sort_records_ptr 3}
3600 ; Minimum (1 hour)
)
@ NS ns1.skynet.ie.
@ NS ns2.skynet.ie.
@ NS ns1.skynet.ie.
@ NS ns2.skynet.ie.
''
''
);
# arrys of teh two nameservers
tmp1 = ["193.1.99.109"];
tmp2 = ["193.1.99.120"];
primaries = (if cfg.server.primary then
primaries = (
if cfg.server.primary
then
# primary servers have no primaries (ones they listen to)
[]
else
if builtins.elem cfg.server.ip tmp1 then
tmp2
else
tmp1
else if builtins.elem cfg.server.ip tmp1
then tmp2
else tmp1
);
secondaries = (if cfg.server.primary then
if builtins.elem cfg.server.ip tmp1 then
tmp2
else
tmp1
else
[]
secondaries = (
if cfg.server.primary
then
if builtins.elem cfg.server.ip tmp1
then tmp2
else tmp1
else []
);
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
create_cache_networks = (map (x: "193.1.99.${toString x}/32" ) (lib.lists.range 71 126) );
create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
# standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc_sub = domain: text: {
@ -175,27 +182,25 @@ ${format_records sort_records_ptr 3}
text = text;
};
};
# (text.owned "csn.ul.ie")
# (text.owned "csn.ul.ie")
# standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc = domain: type:
if type == "owned" then
create_entry_etc_sub domain (text.owned domain)
else if type == "reverse" then
create_entry_etc_sub domain (text.reverse domain)
else if type == "old" then
create_entry_etc_sub domain (text.old domain)
else
{};
if type == "owned"
then create_entry_etc_sub domain (text.owned domain)
else if type == "reverse"
then create_entry_etc_sub domain (text.reverse domain)
else if type == "old"
then create_entry_etc_sub domain (text.old domain)
else {};
create_entry_zone = (domain: extraConfig: {
create_entry_zone = domain: extraConfig: {
"${domain}" = {
extraConfig = ''
${extraConfig}
// for bumping the config
// ${current_date}
'';
${extraConfig}
// for bumping the config
// ${current_date}
'';
# really wish teh nixos config didnt use master/slave
master = cfg.server.primary;
masters = primaries;
@ -205,7 +210,7 @@ ${extraConfig}
file = "/etc/skynet/dns/${domain}";
# no leading whitespace for first line
};
});
};
text = {
owned = domain: get_config_file domain;
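Review bot: The comment `# no leading whitespace for first line` next to `file = "/etc/skynet/dns/${domain}"` now reads as stale, because the formatter moved the zone text off the opening `''` line (the `$TTL 60 ; 1 minute` lines in this file now start on their own line). Nix should drop a whitespace-only first line after `''` and strip the common indentation, so the generated zone still begins at `$TTL`, but that is no longer obvious from the source and zone files are runtime configuration. I would reword it to `# Nix drops the blank line after '' and strips common indentation, so the zone file still starts at "$TTL" with no leading whitespace`, and diff the files under /etc/skynet/dns before and after this commit to confirm. The `create_entry_zone` function starts before this hunk.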
@ -215,15 +220,14 @@ ${extraConfig}
extraConfig = {
owned =
if cfg.server.primary then
''
allow-update { key rfc2136key.skynet.ie.; };
if cfg.server.primary
then ''
allow-update { key rfc2136key.skynet.ie.; };
dnssec-policy default;
inline-signing yes;
''
else
"";
dnssec-policy default;
inline-signing yes;
''
else "";
# no extra config for reverse
reverse = "";
@ -232,30 +236,52 @@ inline-signing yes;
};
records = builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
let
lib.attrsets.mapAttrsToList (
key: value: let
details_server = value.config.skynet_dns.server;
details_records = value.config.skynet_dns.records;
in
if builtins.hasAttr "skynet_dns" value.config
then (
then
(
# got to handle habing a dns record for the dns serves themselves.
if details_server.enable
then (
then
(
if details_server.primary
then details_records ++ [ {record="ns1"; r_type="A"; value=details_server.ip; server=false;} ]
else details_records ++ [ {record="ns2"; r_type="A"; value=details_server.ip; server=false;} ]
then
details_records
++ [
{
record = "ns1";
r_type = "A";
value = details_server.ip;
server = false;
}
]
else
details_records
++ [
{
record = "ns2";
r_type = "A";
value = details_server.ip;
server = false;
}
]
)
else details_records
)
else []
) nodes
)
nodes
);
nameserver = if cfg.server.primary then "ns1" else "ns2";
nameserver =
if cfg.server.primary
then "ns1"
else "ns2";
in {
imports = [
../applications/firewall.nix
];
@ -284,7 +310,8 @@ in {
records = lib.mkOption {
description = "Records, sorted based on therir type";
type = with lib.types; listOf (submodule {
type = with lib.types;
listOf (submodule {
options = {
record = lib.mkOption {
type = str;
@ -303,12 +330,10 @@ in {
};
});
};
};
};
config = lib.mkIf cfg.server.enable {
# open the firewall for this
skynet_firewall.forward = [
"ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept"
@ -316,25 +341,20 @@ in {
];
services.bind.zones =
(create_entry_zone "csn.ul.ie" extraConfig.owned ) //
(create_entry_zone "skynet.ie" extraConfig.owned ) //
(create_entry_zone "ulcompsoc.ie" extraConfig.owned ) //
(create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse ) //
(create_entry_zone "conradcollins.net" extraConfig.old )//
(create_entry_zone "edelharty.net" extraConfig.old );
(create_entry_zone "csn.ul.ie" extraConfig.owned)
// (create_entry_zone "skynet.ie" extraConfig.owned)
// (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
// (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
// (create_entry_zone "conradcollins.net" extraConfig.old)
// (create_entry_zone "edelharty.net" extraConfig.old);
environment.etc =
(create_entry_etc "csn.ul.ie" "owned") //
(create_entry_etc "skynet.ie" "owned") //
(create_entry_etc "ulcompsoc.ie" "owned") //
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse") //
(create_entry_etc "conradcollins.net" "old") //
(create_entry_etc "edelharty.net" "old");
(create_entry_etc "csn.ul.ie" "owned")
// (create_entry_etc "skynet.ie" "owned")
// (create_entry_etc "ulcompsoc.ie" "owned")
// (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
// (create_entry_etc "conradcollins.net" "old")
// (create_entry_etc "edelharty.net" "old");
# secrets required
age.secrets.dns_dnskeys = {
@ -374,7 +394,8 @@ in {
"9.9.9.9"
];
cacheNetworks = [
cacheNetworks =
[
# this server itself
"127.0.0.0/24"
@ -390,7 +411,8 @@ in {
Now have a function for it
*/
] ++ create_cache_networks;
]
++ create_cache_networks;
};
# deletes teh journal files evey start so it no longer stalls out
@ -404,6 +426,5 @@ in {
createHome = true;
home = "/etc/skynet/dns";
};
};
}


@ -1,17 +1,21 @@
{ config, pkgs, lib, inputs, ...}: with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_email;
# create teh new strings
create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
create_filter_join = (x: concatStringsSep "" x);
create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = (groups: create_filter_join (create_filter_array groups) );
in {
create_filter = groups: create_filter_join (create_filter_array groups);
in {
imports = [
./dns.nix
./acme.nix
@ -85,7 +89,6 @@
default = "cn=admin,${cfg.ldap.base}";
description = lib.mdDoc "where to find users";
};
};
};
@ -104,30 +107,70 @@
# set up dns record for it
skynet_dns.records = [
# basic one
{record="mail"; r_type="A"; value=cfg.host.ip;}
{
record = "mail";
r_type = "A";
value = cfg.host.ip;
}
# TXT records, all tehse are inside escaped strings to allow using ""
# SPF record
{record="${cfg.domain}."; r_type="TXT"; value=''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';}
{
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
}
# DKIM keys
{record="mail._domainkey.skynet.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';}
{record="mail._domainkey.ulcompsoc.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';}
{
record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
# DMARC
{record="_dmarc.${cfg.domain}."; r_type="TXT"; value=''"v=DMARC1; p=none"'';}
{
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
value = ''"v=DMARC1; p=none"'';
}
# reverse pointer
{record=cfg.host.ip; r_type="PTR"; value="${cfg.sub}.${cfg.domain}.";}
{
record = cfg.host.ip;
r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}.";
}
# SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie
# https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406
# response should be:
# _imap._tcp SRV 0 1 143 imap.example.com.
{record="_imaps._tcp"; r_type="SRV"; value="0 1 993 ${cfg.sub}.${cfg.domain}.";}
{record="_imap._tcp"; r_type="SRV"; value="0 1 143 ${cfg.sub}.${cfg.domain}.";}
{record="_submissions._tcp"; r_type="SRV"; value="0 1 465 ${cfg.sub}.${cfg.domain}.";}
{record="_submission._tcp"; r_type="SRV"; value="0 1 587 ${cfg.sub}.${cfg.domain}.";}
{
record = "_imaps._tcp";
r_type = "SRV";
value = "0 1 993 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_imap._tcp";
r_type = "SRV";
value = "0 1 143 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submissions._tcp";
r_type = "SRV";
value = "0 1 465 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submission._tcp";
r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
}
];
# to provide the certs
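Review bot: The DMARC record `"v=DMARC1; p=none"` carries no `rua=` tag, so the monitoring-only policy it selects produces no aggregate reports and gives no visibility into who is spoofing the domain. With SPF already at `-all` and DKIM published, I would at least add a reporting address, e.g. `value = ''"v=DMARC1; p=none; rua=mailto:hostmaster@${cfg.domain}"'';`, and move to `p=quarantine` once the reports look clean. Note also that the two DKIM records are hard-coded to skynet.ie and ulcompsoc.ie while the SPF and DMARC entries are driven by `cfg.domain`, so another value of `cfg.domain` would publish SPF/DMARC but no DKIM key; whether that is intended is not visible here.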
@ -215,14 +258,11 @@
uidAttribute = "skMail";
mailAttribute = "skMail";
};
};
# feckin spammers
rejectRecipients = [
];
};
# tune the spam filter


@ -1,5 +1,9 @@
{lib, pkgs, config, ...}: {
{
lib,
pkgs,
config,
...
}: {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
options = {
skynet_firewall = {
@ -10,7 +14,7 @@
type = lib.types.bool;
};
forward = lib.mkOption {
default = [ ];
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of routes to forward
@ -28,7 +32,7 @@
ports = {
tcp = lib.mkOption {
default = [ ];
default = [];
type = lib.types.listOf lib.types.int;
description = ''
A list of TCP ports for the machiene running the firewall
@ -36,15 +40,13 @@
};
udp = lib.mkOption {
default = [ ];
default = [];
type = lib.types.listOf lib.types.int;
description = ''
A list of UDP ports for the machiene running the firewall
'';
};
};
};
};
};
@ -56,8 +58,7 @@
# fules for the firewall
# beware of EOL conversion.
networking.nftables.ruleset =
''
networking.nftables.ruleset = ''
# using https://oxcrag.net/2021/12/25/build-your-own-router-with-nftables-part-1/ as a guide
# Clear out any existing rules
@ -165,8 +166,5 @@
}
}
'';
};
}


@ -1,15 +1,18 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_games;
in {
in {
imports = [
./dns.nix
./games/minecraft.nix
];
options.services.skynet_games = {
enable = mkEnableOption "Skynet Games";
@ -39,14 +42,16 @@
default = "games";
};
};
};
config = mkIf cfg.enable {
skynet_dns.records = [
# need a base domain
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
# the minecraft servers
@ -62,7 +67,5 @@
sub = "minecraft.${cfg.domain.sub}";
};
};
};
}


@ -1,12 +1,16 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_games_minecraft;
# got tired of how long this is so I created a var for it.
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
in {
imports = [
../acme.nix
../dns.nix
@ -60,15 +64,35 @@
skynet_dns.records = [
# the minecraft (web) config server
{record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{
record = "config.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# our own minecraft hosts
{record="compsoc_classic.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{record="compsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{
record = "compsoc_classic.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "compsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# gsoc servers
{record="gsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{record="gsoc_abridged.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;}
{
record = "gsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "gsoc_abridged.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [
@ -77,7 +101,6 @@
];
services.nginx.virtualHosts = {
# https://config.minecraft.games.skynet.ie
"config.${short_domain}" = {
forceSSL = true;
@ -94,7 +117,6 @@
useACMEHost = "skynet";
locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/";
};
};
# arion is one way to use docker on nixos
@ -103,12 +125,11 @@
virtualisation.arion = {
backend = "docker";
projects = {
minecraft.settings.services = {
mc_proxy.service = {
image = "itzg/mc-router:1.18.0";
ports = [ "25565:25565/tcp" ];
expose = [ "25565" ];
ports = ["25565:25565/tcp"];
expose = ["25565"];
command = [
"--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003"
];
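Review bot: The mc-router `--mapping=` argument lists `gsoc.${short_domain}=mc_config:20002` twice. That is only harmless if mc-router tolerates duplicate hostnames, which nothing in the hunk shows, and the duplicate will silently shadow any later edit that points that name at a different backend. Drop the second copy so the line reads `"--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003"`. The `virtualisation.arion` attrset continues past the end of this hunk.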
@ -118,7 +139,7 @@
image = "registry.gitlab.com/crafty-controller/crafty-4:4.1.1";
environment = {
TZ="Etc/UTC";
TZ = "Etc/UTC";
};
volumes = [


@ -1,8 +1,12 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_gitlab;
in {
in {
imports = [
./acme.nix
./dns.nix
@ -52,9 +56,7 @@
default = "dc=skynet,dc=ie";
description = lib.mdDoc "The base address in the ldap server";
};
};
};
config = mkIf cfg.enable {
@ -102,9 +104,17 @@
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
# for gitlab pages
{record="*.pages.${cfg.domain.base}.${cfg.domain.tld}."; r_type="A"; value=cfg.host.ip;}
{
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
r_type = "A";
value = cfg.host.ip;
}
];
networking.firewall.allowedTCPPorts = [
@ -112,7 +122,7 @@
2222
];
services.openssh.ports = [ 22 2222 ];
services.openssh.ports = [22 2222];
services.nginx.virtualHosts = {
# main site
@ -163,7 +173,6 @@
auth-server = "https://gitlab.example.com";
*/
};
};
#smtp = {
# enable = true;
@ -200,7 +209,7 @@
name = "cn";
};
group_base= "ou=groups,${cfg.ldap.base}";
group_base = "ou=groups,${cfg.ldap.base}";
admin_group = "skynet-admins";
sync_ssh_keys = "sshPublicKey";


@ -1,10 +1,13 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_gitlab_runner;
in {
in {
imports = [
];
options.services.skynet_gitlab_runner = {
@ -53,7 +56,7 @@
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
virtualisation.docker.listenOptions = [ "/run/docker.sock" "127.0.0.1:2375" ];
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
services.gitlab-runner = {
enable = true;
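Review bot: `virtualisation.docker.listenOptions` keeps the daemon listening on `127.0.0.1:2375` with no TLS and no authentication, and the runners further down register against it with `--docker-host tcp://127.0.0.1:2375`. Anything that can reach the host loopback, which appears to include any local user and any CI job that gets host networking, then has root-equivalent control of the machine through the Docker API. If the Unix socket cannot be used because of the linked nixpkgs issue, I would at least record the exposure next to the line, `# plaintext Docker API on loopback: root-equivalent for any local process, never bind beyond 127.0.0.1`, and confirm that runner jobs cannot request host networking or otherwise reach 127.0.0.1 on the host. The `services.gitlab-runner` block continues past the end of this hunk.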
@ -68,7 +71,7 @@
runner_nix = {
cloneUrl = cfg.runner.gitlab;
description = "For Nix only";
registrationFlags = [ "--docker-host" "tcp://127.0.0.1:2375" ];
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_01_nix.path;
dockerImage = cfg.runner.docker.image;
@ -92,7 +95,7 @@
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3
${pkgs.nix}/bin/nix-channel --update nixpkgs
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
'';
environmentVariables = {
ENV = "/etc/profile";
@ -101,13 +104,13 @@
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = [ "nix" ];
tagList = ["nix"];
};
runner_general = {
cloneUrl = cfg.runner.gitlab;
description = "General Runner";
registrationFlags = [ "--docker-host" "tcp://127.0.0.1:2375" ];
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_02_general.path;
dockerImage = cfg.runner.docker.image;
};


@ -1,10 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.ldap_backend;
port_backend = "8087";
in {
in {
imports = [
../acme.nix
../dns.nix
@ -44,7 +48,6 @@
};
config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
@ -56,7 +59,11 @@
];
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
@ -64,9 +71,9 @@
useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:${port_backend}";
# extraConfig = ''
# add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";
# '';
# extraConfig = ''
# add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";
# '';
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
'';
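Review bot: The live `extraConfig` sends `add_header Access-Control-Allow-Origin "*";` while the commented-out lines directly above show the origin the author evidently intended, `https://account.${cfg.domain.base}.${cfg.domain.tld}`. A wildcard origin lets any page on the web read this backend's responses to cross-origin requests (browsers will still withhold cookies), which is wider than the commented-out configuration allowed; whether any endpoint returns data worth protecting that way is not visible here. Unless the backend is meant to be a public API, I would restore the specific origin and add `add_header Vary Origin;` if more than one origin is ever needed. The nginx virtualHost block continues past the end of this hunk.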
@ -99,7 +106,8 @@
];
lifetime = [];
banned = [];
restricted = [
restricted =
[
# usernames folks arent allowed to use
"contact"
"dnsadm"
@ -109,8 +117,8 @@
"pro"
"sysadmin"
"root"
] ++ [
]
++ [
# basis comes from https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444
# start off with compsoc stuff first
"competition_www"
@ -127,7 +135,8 @@
"test20203"
"tmp"
"webadm"
] ++ [
]
++ [
# clubs and socs (as far as I can tell
"aerosoc"
"aikido"
@ -170,7 +179,8 @@
"ulssc"
"ultennis"
"viking"
] ++ [
]
++ [
# remaining, most likely usernames
"_9thwonder"
"abc"
@ -405,9 +415,7 @@
"yvonne"
"zrahman"
];
};
};
};
}


@ -1,21 +1,26 @@
{ config, pkgs, lib, ... }:
with lib;
let
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_ldap_client;
# always ensure the admin group has access
create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x);
create_filter_check_admin = x:
if !(builtins.elem "skynet-admins" x)
then x ++ ["skynet-admins"]
else x;
# create teh new strings
create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");
create_filter_join = (x: concatStringsSep "" x);
create_filter_join = x: concatStringsSep "" x;
# thought you could escape racket?
create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) );
in {
create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x));
in {
# these are needed for teh program in question
imports = [];
@ -46,7 +51,6 @@
];
description = lib.mdDoc "Groups we want to allow access to the server";
};
};
config = mkIf cfg.enable {
@ -54,9 +58,16 @@
security.sudo.extraRules = [
# admin group has sudo access
{ groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
{
groups = ["skynet-admins-linux"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
# give users a home dir
security.pam.services.sshd.makeHomeDir = true;
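Review bot: The sudo rule grants `command = "ALL"` with `NOPASSWD` to `skynet-admins-linux`, a group whose membership is resolved from LDAP by the sssd configuration later in this file, which also serves SSH keys from the directory (`sshAuthorizedKeysIntegration = true`). A single leaked admin SSH key is therefore passwordless root on every host that imports this module, and anyone who can write group membership in the directory gets the same. I would remove the `options = ["NOPASSWD"];` line so the user's LDAP password is still required to escalate, or document why escalation is deliberately passwordless. The `config = mkIf cfg.enable` block continues past the end of this hunk.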
@ -77,41 +88,40 @@
sshAuthorizedKeysIntegration = true;
config = ''
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://${cfg.address}:636
ldap_uri = ldaps://${cfg.address}:636
ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}
ldap_group_nesting_level = 5
ldap_group_nesting_level = 5
cache_credentials = false
entry_cache_timeout = 1
cache_credentials = false
entry_cache_timeout = 1
ldap_user_member_of = skMemberOf
ldap_user_member_of = skMemberOf
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie
[nss]
# override_homedir = /home/%u
[nss]
# override_homedir = /home/%u
[pam]
[pam]
[sudo]
[sudo]
[autofs]
[autofs]
'';
};
};
}


@ -1,13 +1,16 @@
/*
Gonna use a priper nixos module for this
*/
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_ldap;
in {
in {
# these are needed for teh program in question
imports = [
../acme.nix
@ -16,7 +19,6 @@ Gonna use a priper nixos module for this
./backend.nix
];
options.services.skynet_ldap = {
# options that need to be passed in to make this work
@ -61,7 +63,6 @@ Gonna use a priper nixos module for this
};
config = mkIf cfg.enable {
# passthrough to the backend
services.ldap_backend = {
enable = true;
@ -82,7 +83,11 @@ Gonna use a priper nixos module for this
];
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
# firewall on teh computer itself
@ -111,25 +116,29 @@ Gonna use a priper nixos module for this
# using https://nixos.wiki/wiki/OpenLDAP for base config
systemd.services.openldap = {
wants = [ "acme-${cfg.domain.base}.service" ];
after = [ "acme-${cfg.domain.base}.service" ];
wants = ["acme-${cfg.domain.base}.service"];
after = ["acme-${cfg.domain.base}.service"];
};
users.groups.acme.members = [ "openldap" ];
users.groups.acme.members = ["openldap"];
services.openldap = {
# backup /var/lib/openldap/slapd.d
enable = true;
/* enable plain and secure connections */
urlList = [ "ldap:///" "ldaps:///" ];
/*
enable plain and secure connections
*/
urlList = ["ldap:///" "ldaps:///"];
settings = {
attrs = {
olcLogLevel = "conns config";
/* settings for acme ssl */
/*
settings for acme ssl
*/
olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem";
@ -154,66 +163,69 @@ Gonna use a priper nixos module for this
./skMemberOf.ldif
];
"cn=modules".attrs = {
objectClass = [ "olcModuleList" ];
objectClass = ["olcModuleList"];
cn = "modules";
olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"];
};
"olcDatabase={-1}frontend".attrs = {
objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ];
objectClass = ["olcDatabaseConfig" "olcFrontendConfig"];
olcPasswordHash = "{SSHA512}";
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = cfg.base;
/* your admin account, do not use writeText on a production system */
/*
your admin account, do not use writeText on a production system
*/
olcRootDN = "cn=admin,${cfg.base}";
olcRootPW.path = config.age.secrets.ldap_pw.path;
#olcOverlay = "memberof";
olcAccess = [
/* custom access rules for userPassword attributes */
''{0}to attrs=userPassword
/*
custom access rules for userPassword attributes
*/
'' {0}to attrs=userPassword
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by anonymous auth
by * none''
''{1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
'' {1}to attrs=mail,sshPublicKey,cn,sn,skDiscord
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by self write
by * read''
/* allow read on anything else */
''{2}to *
/*
allow read on anything else
*/
'' {2}to *
by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage
by * read''
];
};
# https://blog.oddbit.com/post/2013-07-22-generating-a-membero/
children = {
"olcOverlay=dynlist".attrs = {
objectClass = [ "olcOverlayConfig" "olcDynamicList" ];
objectClass = ["olcOverlayConfig" "olcDynamicList"];
olcOverlay = "dynlist";
olcDlAttrSet = "skPerson labeledURI skMemberOf";
};
"olcOverlay=memberof".attrs = {
objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ];
objectClass = ["olcOverlayConfig" "olcMemberOf" "olcConfig" "top"];
olcOverlay = "memberof";
olcMemberOfDangling = "ignore";
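Review bot: The ACL `{2}to * by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage` gives the API service account full write access to every entry, including group membership under `ou=groups`, and the client module elsewhere in this commit maps directory groups to sudo and SSH access. A compromise of the backend service or its bind credential is therefore effectively root on every client host; consider narrowing the `manage` grant to the subtrees and attributes the backend actually edits rather than `*`. Separately, the formatter changed these rules from `''{0}to` to `'' {0}to`; that leading space feeds into Nix's indentation stripping, so the generated slapd config should be diffed against the previous build before this is deployed. The `olcDatabase={1}mdb` attrset continues past the end of this hunk.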
@ -223,10 +235,7 @@ Gonna use a priper nixos module for this
olcMemberOfMemberOfAD = "memberOf";
};
};
};
};
};
};


@ -1,5 +1,4 @@
# using K900's one https://gitlab.com/K900/nix/-/blob/a69502b8bf39fd99a85342b2f7989fe5896a6ae0/applications/base/nginx.nix
{pkgs, ...}: {
services.nginx = {
enable = true;


@ -1,10 +1,14 @@
# nodes is all the nodes
{ lib, config, nodes, pkgs, ...}: with lib;
let
{
lib,
config,
nodes,
pkgs,
...
}:
with lib; let
cfg = config.services.skynet_backup;
# since they should all have the same config we can do this
base = {
paths = cfg.normal.backups;
@ -29,11 +33,12 @@
# then if the server is enabled,
# then pull relevant dtails
ownServers = builtins.listToAttrs (builtins.concatLists (
lib.attrsets.mapAttrsToList (key: value:
let
lib.attrsets.mapAttrsToList (
key: value: let
backup = value.config.services.skynet_backup;
in
if (
if
(
(builtins.hasAttr "skynet_backup" value.config.services)
&& backup.server.enable
&& backup.host.name != cfg.host.name
@ -42,7 +47,9 @@
then [
{
name = backup.host.name;
value = base // {
value =
base
// {
repositoryFile = "/etc/skynet/restic/${backup.host.name}";
backupPrepareCommand = ''
@ -62,20 +69,15 @@
sed -i "s/password/$line/g" ${backup.host.name}
'';
};
}
]
else [ ]
) nodes
else []
)
nodes
));
in {
in {
imports = [
];
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@ -88,7 +90,7 @@
# what folders to backup
normal = {
backups = lib.mkOption {
default = [ ];
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to backup.
@ -96,7 +98,7 @@
};
exclude = lib.mkOption {
default = [ ];
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to exclide .
@ -107,7 +109,7 @@
# append only data so space limited
secure = {
backups = lib.mkOption {
default = [ ];
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to backup.
@ -115,7 +117,7 @@
};
exclude = lib.mkOption {
default = [ ];
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of paths to exclide .
@ -146,10 +148,8 @@
default = false;
};
};
};
config = {
# these values are anabled for every client
@ -168,14 +168,15 @@
cfg.server.port
];
services.restic.backups = ownServers // {
services.restic.backups =
ownServers
// {
# merge teh two configs together
# backblaze = base // {
# # backupos for each server are stored in a folder under their name
# repository = "b2:NixOS-Main2:/${cfg.host.name}";
# #environmentFile = config.age.secrets.backblaze.path;
# };
# backblaze = base // {
# # backupos for each server are stored in a folder under their name
# repository = "b2:NixOS-Main2:/${cfg.host.name}";
# #environmentFile = config.age.secrets.backblaze.path;
# };
};
age.secrets.restic_pw = mkIf cfg.server.enable {
@ -187,13 +188,11 @@
group = "restic";
};
services.restic.server = mkIf cfg.server.enable{
services.restic.server = mkIf cfg.server.enable {
enable = true;
listenAddress = "${cfg.host.ip}:${toString cfg.server.port}";
appendOnly = cfg.server.appendOnly;
privateRepos = true;
};
};
}


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet;
in {
in {
imports = [
./acme.nix
./dns.nix
@ -29,9 +33,21 @@
skynet_dns.records = [
# means root domain, so skynet.ie
{record="@"; r_type="A"; value=cfg.host.ip;}
{record="2016"; r_type="CNAME"; value=cfg.host.name;}
{record="discord"; r_type="CNAME"; value=cfg.host.name;}
{
record = "@";
r_type = "A";
value = cfg.host.ip;
}
{
record = "2016";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "discord";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [80 443];


@ -1,9 +1,13 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet_users;
in {
in {
imports = [
./acme.nix
./dns.nix
@ -32,7 +36,6 @@
];
};
# Website config
skynet_acme.domains = [
"users.skynet.ie"
@ -40,14 +43,22 @@
];
skynet_dns.records = [
{record ="users"; r_type="CNAME"; value=cfg.host.name;}
{record="*.users"; r_type="CNAME"; value=cfg.host.name;}
{
record = "users";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "*.users";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [80 443];
# normally services cannot read home dirs
systemd.services.nginx.serviceConfig.ProtectHome="read-only";
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
services.nginx.virtualHosts = {
# main site


@ -1,9 +1,12 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.skynet_ulfm;
in {
in {
imports = [
./acme.nix
./dns.nix
@ -55,7 +58,11 @@
];
skynet_dns.records = [
{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}
{
record = cfg.domain.sub;
r_type = "CNAME";
value = cfg.host.name;
}
];
skynet_firewall.forward = [
@ -74,9 +81,9 @@
};
systemd.services.icecast = {
after = [ "network.target" ];
after = ["network.target"];
description = "Icecast Network Audio Streaming Server";
wantedBy = [ "multi-user.target" ];
wantedBy = ["multi-user.target"];
preStart = "mkdir -p /var/log/icecast && chown nobody:nogroup /var/log/icecast";
serviceConfig = {
@ -91,7 +98,5 @@
useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:8000";
};
};
}


@ -20,6 +20,29 @@
"type": "github"
}
},
"alejandra": {
"inputs": {
"fenix": "fenix",
"flakeCompat": "flakeCompat",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1660510326,
"narHash": "sha256-xFumnivtVwu5fFBOrTxrv6fv3geHKF04RGP23EsDVaI=",
"owner": "kamadorueda",
"repo": "alejandra",
"rev": "ef03f7ef74ec97fd91a016a51c9c9667fb315652",
"type": "github"
},
"original": {
"owner": "kamadorueda",
"ref": "3.0.0",
"repo": "alejandra",
"type": "github"
}
},
"arion": {
"inputs": {
"flake-parts": "flake-parts",
@ -78,6 +101,28 @@
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"alejandra",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1657607339,
"narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -133,6 +178,22 @@
"type": "github"
}
},
"flakeCompat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"haskell-flake": {
"locked": {
"lastModified": 1675296942,
@ -401,6 +462,7 @@
"root": {
"inputs": {
"agenix": "agenix",
"alejandra": "alejandra",
"arion": "arion",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_3",
@ -412,6 +474,23 @@
"skynet_website_2016": "skynet_website_2016"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1657557289,
"narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "caf23f29144b371035b864a1017dbc32573ad56d",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",


@ -1,5 +1,4 @@
{
description = "Deployment for skynet";
inputs = {
@ -10,6 +9,10 @@
flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix";
arion.url = "github:hercules-ci/arion";
alejandra = {
url = "github:kamadorueda/alejandra/3.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
# email
# simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
@ -27,10 +30,16 @@
nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
outputs = { self, nixpkgs, agenix, ... } @inputs:
let
outputs = {
self,
nixpkgs,
agenix,
alejandra,
...
} @ inputs: let
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
in {
formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux";
devShells.x86_64-linux.default = pkgs.mkShell {
name = "Skynet build env";
@ -39,7 +48,7 @@
pkgs.buildPackages.colmena
pkgs.buildPackages.nmap
];
buildInputs = [ agenix.packages.x86_64-linux.default ];
buildInputs = [agenix.packages.x86_64-linux.default];
shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"'';
};
@ -55,7 +64,7 @@
};
# installed for each machine
defaults = import ./machines/_base.nix ;
defaults = import ./machines/_base.nix;
# firewall machiene
agentjones = import ./machines/agentjones.nix;
@ -92,8 +101,6 @@
# Main skynet sites
earth = import ./machines/earth.nix;
};
};
}
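Review bot: The new `alejandra = { url = "github:kamadorueda/alejandra/3.0.0"; inputs.nixpkgs.follows = "nixpkgs"; };` input pulls a whole dependency chain into the lock just to obtain a formatter — the lockfile changes in this same commit show it adding `fenix`, a second `flakeCompat`, and a `nightly` checkout of `rust-analyzer` as transitive inputs, each of which is now something this deployment repo has to track and update. nixpkgs has packaged `alejandra` for some time, so if the pinned nixpkgs carries it, `formatter.x86_64-linux = pkgs.alejandra;` gives the same `nix fmt` behaviour with no extra inputs, and the `alejandra` entry in `inputs` and in the `outputs` argument set can be dropped. If the flake input is kept, be aware that `3.0.0` is a git tag rather than a commit and is mutable upstream; the `rev` recorded in `flake.lock` is what actually pins it, so that lock entry should only be refreshed deliberately.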


@ -1,6 +1,11 @@
{ pkgs, modulesPath, config, options, inputs, ... }:
{
pkgs,
modulesPath,
config,
options,
inputs,
...
}: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
@ -21,7 +26,7 @@
];
# flakes are essensial
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.experimental-features = ["nix-command" "flakes"];
system.stateVersion = "22.11";
@ -69,7 +74,7 @@
};
# time on vendetta is strangely out of sync
networking.timeServers = options.networking.timeServers.default ++ [ "ie.pool.ntp.org" ];
networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
services.ntp.enable = true;
# use teh above nameservers as the fallback dns


@ -1,22 +1,23 @@
/*
Name: https://matrix.fandom.com/wiki/Agent_Jones
Type: Physical
Hardware: PowerEdge r210
From: 2011 (?)
Role: Firewall
Notes: Used to have Agent Smith as a partner but it died (Ironically)
Name: https://matrix.fandom.com/wiki/Agent_Jones
Type: Physical
Hardware: PowerEdge r210
From: 2011 (?)
Role: Firewall
Notes: Used to have Agent Smith as a partner but it died (Ironically)
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "agentjones";
ip_pub = "193.1.99.72";
ip_priv = "193.1.99.125";
hostname = "${name}.skynet.ie";
in {
imports = [
./hardware/_base.nix
@ -29,12 +30,21 @@ in {
targetUser = "root";
# somehow ssh from runner to this fails
tags = [ "active-firewall" ];
tags = ["active-firewall"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -92,18 +102,20 @@ in {
# gonna have to get all the
forward = builtins.concatLists (
# using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list
lib.attrsets.mapAttrsToList (key: value:
lib.attrsets.mapAttrsToList (
key: value:
# make sure that anything running this firewall dosent count (recursion otherewise)
# firewall may want to open ports in itself but can deal with that later
if builtins.hasAttr "skynet_firewall" value.config
then (
then
(
if value.config.skynet_firewall.enable
then []
else value.config.skynet_firewall.forward
)
else []
) nodes
)
nodes
);
};
}


@ -1,21 +1,23 @@
/*
Name: https://hitchhikers.fandom.com/wiki/Earth
Why: Our home(page)
Type: VM
Hardware: -
From: 2023
Role: Webserver
Notes:
Name: https://hitchhikers.fandom.com/wiki/Earth
Why: Our home(page)
Type: VM
Hardware: -
From: 2023
Role: Webserver
Notes:
*/
{ pkgs, lib, nodes, inputs, ... }:
let
{
pkgs,
lib,
nodes,
inputs,
...
}: let
name = "earth";
ip_pub = "193.1.99.79";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/skynet.ie.nix
@ -26,13 +28,22 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active-core" ];
tags = ["active-core"];
};
# it has two network devices so two
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -48,5 +59,4 @@ in {
name = name;
};
};
}


@ -1,17 +1,20 @@
/*
Name: https://en.wikipedia.org/wiki/Galatea_(mythology)
Why: Created as a product of artistic expression
Type: VM
Hardware: -
From: 2023
Role: Icecast server for ULFM
Notes:
Name: https://en.wikipedia.org/wiki/Galatea_(mythology)
Why: Created as a product of artistic expression
Type: VM
Hardware: -
From: 2023
Role: Icecast server for ULFM
Notes:
*/
{ pkgs, lib, nodes, config, ... }:
let
{
pkgs,
lib,
nodes,
config,
...
}: let
# name of the server, sets teh hostname and record for it
name = "galatea";
ip_pub = "193.1.99.111";
@ -26,12 +29,21 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active" ];
tags = ["active"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {


@ -1,23 +1,24 @@
/*
Name: https://zim.fandom.com/wiki/GIR
Why: Gir used to have this role before, servers never die
Type: VM
Hardware: -
From: 2023
Role: Email Server
Notes:
Name: https://zim.fandom.com/wiki/GIR
Why: Gir used to have this role before, servers never die
Type: VM
Hardware: -
From: 2023
Role: Email Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "gir";
ip_pub = "193.1.99.76";
hostname = "${name}.skynet.ie";
#hostname = ip_pub;
in {
imports = [
../applications/email.nix
@ -28,13 +29,22 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active-core" ];
tags = ["active-core"];
};
# add this server to dns
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {


@ -1,23 +1,24 @@
/*
Name: https://half-life.fandom.com/wiki/GLaDOS
Why: Glados has a vast experence of testing and deploying.
Type: VM
Hardware: -
From: 2023
Role: Git server
Notes: Each user has roughly 20gb os storage
Name: https://half-life.fandom.com/wiki/GLaDOS
Why: Glados has a vast experence of testing and deploying.
Type: VM
Hardware: -
From: 2023
Role: Git server
Notes: Each user has roughly 20gb os storage
20 * 100 = 2000gb
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "glados";
ip_pub = "193.1.99.75";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/gitlab.nix
@ -28,13 +29,21 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active-gitlab" ];
tags = ["active-gitlab"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -51,5 +60,4 @@ in {
name = name;
};
};
}


@ -1,30 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e";
fileSystems."/" = {
device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/41AD-70AF";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/41AD-70AF";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f"; }
swapDevices = [
{device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -1,30 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743";
fileSystems."/" = {
device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8B03-4D11";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/8B03-4D11";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac"; }
swapDevices = [
{device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -1,30 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5";
fileSystems."/" = {
device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/76CE-C65E";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/76CE-C65E";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7"; }
swapDevices = [
{device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking


@ -1,5 +1,10 @@
{ config, options, lib, ... }: with lib;
let
{
config,
options,
lib,
...
}:
with lib; let
# get a list of interfaces
interfaces = attrNames config.networking.interfaces;
# check if an IP has been assigned
@ -13,5 +18,4 @@ in {
}
];
};
}


@ -1,23 +1,24 @@
/*
Name: https://en.wikipedia.org/wiki/KITT
Why: Kitt used to have this role before (as well as email and dns)
Type: VM
Hardware: -
From: 2023
Role: LDAP Server
Notes:
Name: https://en.wikipedia.org/wiki/KITT
Why: Kitt used to have this role before (as well as email and dns)
Type: VM
Hardware: -
From: 2023
Role: LDAP Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "kitt";
ip_pub = "193.1.99.74";
hostname = "${name}.skynet.ie";
#hostname = ip_pub;
in {
imports = [
../applications/ldap/server.nix
@ -29,13 +30,22 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active-core" ];
tags = ["active-core"];
};
# add this server to dns
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {


@ -1,29 +1,29 @@
/*
Name: https://williamgibson.fandom.com/wiki/Neuromancer_(AI)
Why: A sibling to Wintermute, stores and archives memories.
Type: VM
Hardware: -
From: 2023
Role: Backup Server
Notes:
Name: https://williamgibson.fandom.com/wiki/Neuromancer_(AI)
Why: A sibling to Wintermute, stores and archives memories.
Type: VM
Hardware: -
From: 2023
Role: Backup Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "neuromancer";
ip_pub = "193.1.99.80";
hostname = "${name}.skynet.ie";
in {
imports = [
./hardware/_base.nix
./hardware/RM007.nix
];
networking.hostName = name;
# this has to be defined for any physical servers
# vms are defined by teh vm host
@ -39,12 +39,21 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active-core" ];
tags = ["active-core"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -54,5 +63,4 @@ in {
name = name;
};
};
}


@ -1,22 +1,24 @@
/*
Name: https://en.wikipedia.org/wiki/Optimus_Prime
Why: Created to sell toys so this vm is for games
Type: VM
Hardware: -
From: 2023
Role: Game host
Notes:
Name: https://en.wikipedia.org/wiki/Optimus_Prime
Why: Created to sell toys so this vm is for games
Type: VM
Hardware: -
From: 2023
Role: Game host
Notes:
*/
{ pkgs, lib, nodes, arion, ... }:
let
{
pkgs,
lib,
nodes,
arion,
...
}: let
# name of the server, sets teh hostname and record for it
name = "optimus";
ip_pub = "193.1.99.112";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/games.nix
@ -27,12 +29,21 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active" ];
tags = ["active"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {


@ -1,24 +1,25 @@
/*
Name: https://en.wikipedia.org/wiki/Ash_(Alien)
Why: Infilitrate into the network
Type: VM
Hardware: -
From: 2023
Role: Wireguard (VPN) Server
Notes: Thius vpn is for admin use only, to give access to all the servers via ssh
Name: https://en.wikipedia.org/wiki/Ash_(Alien)
Why: Infilitrate into the network
Type: VM
Hardware: -
From: 2023
Role: Wireguard (VPN) Server
Notes: Thius vpn is for admin use only, to give access to all the servers via ssh
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "ash";
ip_pub = "193.1.99.75";
ip_priv = "172.20.20.5";
# hostname = "${name}.skynet.ie";
hostname = ip_pub;
in {
imports = [
# applications for this particular server
@ -48,7 +49,6 @@ in {
];
};
age.secrets.wireguard.file = ../secrets/wireguard.age;
networking = {
@ -74,12 +74,12 @@ in {
privateKeyFile = "/run/agenix/wireguard";
peers = [
{ # silver - Brendan
{
# silver - Brendan
publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ=";
allowedIPs = [ "172.20.21.2/32" ];
allowedIPs = ["172.20.21.2/32"];
}
];
};
};
@ -87,5 +87,4 @@ in {
# needed to generate keys
pkgs.wireguard-tools
];
}


@ -1,23 +1,25 @@
/*
Name: https://en.wikipedia.org/wiki/Skynet_(Terminator)
Why: Skynet is eternal
Type: VM
Hardware: -
From: 2023
Role: Webserver and member linux box
Notes: Does not host offical sites
Name: https://en.wikipedia.org/wiki/Skynet_(Terminator)
Why: Skynet is eternal
Type: VM
Hardware: -
From: 2023
Role: Webserver and member linux box
Notes: Does not host offical sites
*/
{ pkgs, lib, nodes, inputs, ... }:
let
{
pkgs,
lib,
nodes,
inputs,
...
}: let
name = "skynet";
# DMZ that ITD provided
ip_pub = "193.1.96.165";
ip_int = "193.1.99.81";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/skynet_users.nix
@ -29,12 +31,21 @@ in {
targetUser = "root";
# this one is manually deployed
tags = [ "active-ext" ];
tags = ["active-ext"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup.host = {


@ -1,17 +1,19 @@
/*
Name: https://masseffect.fandom.com/wiki/Vendetta
Why: Vendetta held troves of important data waiting for folks to request it.
Type: Physical
Hardware: PowerEdge r210
From: 2011 (?)
Role: DNS Server
Notes: Using the server that used to be called Earth
Name: https://masseffect.fandom.com/wiki/Vendetta
Why: Vendetta held troves of important data waiting for folks to request it.
Type: Physical
Hardware: PowerEdge r210
From: 2011 (?)
Role: DNS Server
Notes: Using the server that used to be called Earth
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "vendetta";
ip_pub = "193.1.99.120";
@ -27,7 +29,7 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active-dns" "dns" ];
tags = ["active-dns" "dns"];
};
networking = {
@ -61,10 +63,18 @@ in {
records = [
# vendetta IN A 193.1.99.120
{record=name; r_type="A"; value=ip_pub; server=true;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 120 IN PTR vendetta.skynet.ie.
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
};
}


@ -1,23 +1,24 @@
/*
Name: https://masseffect.fandom.com/wiki/Vigil
Why: Counterpart to Vendetta
Type: VM
Hardware: -
From: 2023
Role: DNS Server
Notes:
Name: https://masseffect.fandom.com/wiki/Vigil
Why: Counterpart to Vendetta
Type: VM
Hardware: -
From: 2023
Role: DNS Server
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
name = "vigil";
ip_pub = "193.1.99.109";
hostname = "${name}.skynet.ie";
in {
imports = [
];
deployment = {
@ -25,7 +26,7 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active-dns" "dns" ];
tags = ["active-dns" "dns"];
};
services.skynet_backup = {
@ -46,10 +47,18 @@ in {
# this server will have to have dns records
records = [
# vigil IN A 193.1.99.109
{record=name; r_type="A"; value=ip_pub; server=true;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 109 IN PTR vigil.skynet.ie.
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
};
}


@ -1,22 +1,23 @@
/*
Name: https://theportalwiki.com/wiki/Wheatley
Why: Whereever GLaDOS is Wheatly is not too far away
Type: VM
Hardware: -
From: 2023
Role: Gitlab Runner
Notes:
Name: https://theportalwiki.com/wiki/Wheatley
Why: Whereever GLaDOS is Wheatly is not too far away
Type: VM
Hardware: -
From: 2023
Role: Gitlab Runner
Notes:
*/
{ pkgs, lib, nodes, ... }:
let
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "wheatly";
ip_pub = "193.1.99.78";
hostname = "${name}.skynet.ie";
in {
imports = [
../applications/gitlab_runner.nix
@ -27,13 +28,21 @@ in {
targetPort = 22;
targetUser = "root";
tags = [ "active-gitlab" ];
tags = ["active-gitlab"];
};
skynet_dns.records = [
{record=name; r_type="A"; value=ip_pub; server=true;}
{record=ip_pub; r_type="PTR"; value=hostname;}
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
@ -47,5 +56,4 @@ in {
enable = true;
runner.name = "runner01";
};
}


@ -1,7 +1,7 @@
let
admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb";
thenobrainer ="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
users = [
admin
@ -57,7 +57,8 @@ let
gir
];
ldap = [
ldap =
[
kitt
]
++ gitlab
@ -72,7 +73,8 @@ let
];
# these need dns stuff
webservers = [
webservers =
[
# ULFM
galatea
# Games
@ -93,8 +95,7 @@ let
discord = [
kitt
];
in
{
in {
# nix run github:ryantm/agenix -- -e secret1.age
"dns_certs.secret.age".publicKeys = users ++ webservers;
@ -102,7 +103,6 @@ in
"stream_ulfm.age".publicKeys = users ++ [galatea];
"gitlab/pw.age".publicKeys = users ++ gitlab;
"gitlab/db_pw.age".publicKeys = users ++ gitlab;
"gitlab/secrets_db.age".publicKeys = users ++ gitlab;