add nixbus with wip muccc-api

ea768664 · fpletz · 5fc96a3b · ea768664 · ea768664 · ea768664
Commit ea768664 authored Jan 15, 2022 by fpletz 🚧
--- a/briafzentrum.nix
+++ b/briafzentrum.nix
@@ -27,8 +27,6 @@ with lib;
  nix.maxJobs = 3;
  nix.buildCores = 2;

-  services.openssh.enable = true;
-
  users.extraUsers.root = {
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs/VM56N9OsG/hK7LEwheHwptClBNPdBl/tIW8URWyQPsE0dN2FYAERsHom3I3IvAS3phfhYtLOwrQ+MqEt7u5f/E3CgdfvEFRER12arxlT/q3gSh5rUdq508fTjkUNmJr6Vul+BCZ7VeESa2yvvTesFqvdVP9NtpGbAusX/JCrXwQciygJ0hDuMdLFW8MmRzljDoBsyjz18MDaMzsGQddQuE+3uAzJ1NXZpNh+M+C6eLNe+QJQMb9VTPGB3Pc0cU0GWyXYpWTVkpJqJVe180ldMU9x2c2sBBcRM3N/UDn2MF3XQi3TdGO93AIcUHNCLmUvIdqz+DPdKzCt3c3HvHh fpletz@lolnovo"
@@ -388,7 +386,4 @@ with lib;
      ''}"
    '';
  };
-
-  security.acme.email = "fpletz@muc.ccc.de";
-  security.acme.acceptTerms = true;
 }
--- a/flake.lock
+++ b/flake.lock
 {
  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1638122382,
+        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "muccc-api": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1642276612,
+        "narHash": "sha256-TLhIlWptDWnX6Vok0tCS3d3YOWugbPSWzKJiqQgeVps=",
+        "ref": "master",
+        "rev": "a135d5a89d2e2baf83937bed709120775a2eacb1",
+        "revCount": 16,
+        "type": "git",
+        "url": "https://gitlab.muc.ccc.de/fpletz/muccc-api"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://gitlab.muc.ccc.de/fpletz/muccc-api"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1641870998,
@@ -18,6 +54,7 @@
    },
    "root": {
      "inputs": {
+        "muccc-api": "muccc-api",
        "nixpkgs": "nixpkgs",
        "utils": "utils"
      }

--- a/flake.nix
+++ b/flake.nix
@@ -4,9 +4,11 @@
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
    utils.url = "github:numtide/flake-utils";
+    muccc-api.url = "git+https://gitlab.muc.ccc.de/fpletz/muccc-api";
+    muccc-api.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, utils, ... }: let
+  outputs = { self, nixpkgs, utils, muccc-api, ... }: let
    supportedSystems = utils.lib.defaultSystems;
  in utils.lib.eachSystem supportedSystems (system: let
    pkgs = import nixpkgs { inherit system; };
@@ -20,31 +22,46 @@
      meta.nixpkgs = import nixpkgs { };

      defaults = { name, pkgs, lib, ... }: {
-        deployment.targetHost = "${name}.muc.ccc.de";
+        deployment.targetHost = lib.mkDefault "${name}.muc.ccc.de";
        networking.hostName = lib.mkDefault name;
        time.timeZone = "UTC";
        boot.kernelPackages = pkgs.linuxPackages_latest;
+        boot.tmpOnTmpfs = true;
        environment.systemPackages = with pkgs; [
          wget curl htop iftop tmux
        ];
        programs.bash.enableCompletion = true;
        programs.vim.defaultEditor = true;
+        programs.zsh.enable = true;
+        programs.mtr.enable = true;
        services.openssh.enable = true;
        services.fail2ban.enable = true;
        zramSwap.enable = true;
        nixpkgs.system = "x86_64-linux";
+        nixpkgs.overlays = [ muccc-api.overlay ];

        # include git rev of this repo/flake into the nixos-version
        system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
-        # set nixpkgs flake of the target to the nixpkgs verion of the deployment
+        # set nixpkgs on the target to the nixpkgs version of the deployment
        nix.registry.nixpkgs.flake = nixpkgs;
        nix.nixPath = lib.mkForce [ "nixpkgs=${nixpkgs}" "nixos-config=/dontuse" ];
+
+        security.acme.email = "fpletz@muc.ccc.de";
+        security.acme.acceptTerms = true;
      };

      briafzentrum = { name, nodes, pkgs, ... }: {
        imports = [
-           "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
-           ./briafzentrum.nix
+          "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+          ./briafzentrum.nix
+        ];
+      };
+
+      nixbus = { name, nodes, pkgs, ... }: {
+        deployment.targetHost = "83.133.178.67"; # "${name}.club.muc.ccc.de";
+        imports = [
+          "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+          ./nixbus.nix
        ];
      };
    };

--- a/nixbus.nix
+++ b/nixbus.nix
+{ pkgs, ... }:
+
+{
+  imports = [ ./nixbus/user.nix ];
+
+  boot = {
+    loader.grub = {
+      device = "/dev/vda";
+      splashImage = null;
+    };
+    supportedFilesystems = [
+      "xfs"
+    ];
+    kernelParams = [ "console=ttyS0" "console=tty0" ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/vda2";
+      fsType = "xfs";
+      options = [
+        "noatime"
+        "nodiratime"
+        "logbufs=8"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/vda3"; }
+  ]; 
+
+  nix = {
+    buildCores = 2;
+    maxJobs = 5;
+  };
+ 
+  networking = {
+    hostName = "nixbus";
+    domain = "club.muc.ccc.de";
+    hostId = "14e4f63f";
+    usePredictableInterfaceNames = false;
+    extraHosts = ''
+      # host
+      2001:7f0:3003:beef::67 nixbus.club.muc.ccc.de nixbus 
+      83.133.178.67 nixbus.club.muc.ccc.de nixbus
+    '';
+    firewall = {
+      enable = true;
+      allowPing = true;
+      checkReversePath = true;
+      allowedTCPPorts = [
+        22
+        80
+        443
+        #11000
+        #11001
+        #34197
+        #46631
+        #5984
+      ];
+    };
+    useDHCP = false;
+    interfaces = {
+      "eth0" = {
+        ipv6.addresses = [
+          { address = "2001:7f0:3003:beef::67"; prefixLength = 64; }
+        ];
+        ipv4.addresses = [ 
+          { address = "83.133.178.67"; prefixLength = 26; }
+        ];
+      };
+      "eth0.2396" = {
+        ipv6.addresses = [
+          { address = "2001:7f0:3003:235e::98"; prefixLength = 64; }
+        ];
+#        ip4 = [ 
+#          { address = "83.133.179.98"; prefixLength = 27; }
+#        ];
+      };
+      "eth0.2428" = {
+        ipv6.addresses = [
+          { address = "2001:7f0:3003:235f::130"; prefixLength = 64; }
+        ];
+#        ip4 = [ 
+#          { address = "83.133.179.130"; prefixLength = 25; }
+#        ];
+      };
+    };
+    vlans = {
+      "eth0.2396" = {
+        id = 2396;
+        interface = "eth0";
+      };
+      "eth0.2428" = {
+        id = 2428;
+        interface = "eth0";
+      };
+    };
+    nameservers = [
+      "2001:7f0:3003:beef::65"
+      "83.133.178.65"
+    ];
+    defaultGateway6 = "2001:7f0:3003:beef::65";
+    defaultGateway = "83.133.178.65";
+    localCommands = ''
+      #${pkgs.iproute}/bin/ip -6 rule add from 2001:7f0:3003:235e::/64 table 2
+      #${pkgs.iproute}/bin/ip -6 route add table 2 2001:7f0:3003:235e::/64 dev eth0.2396
+      #${pkgs.iproute}/bin/ip -6 route add table 2 default via 2001:7f0:3003:235e::97 dev eth0.2396
+      #${pkgs.iproute}/bin/ip -4 rule add from 83.133.179.96/27 table 2
+      #${pkgs.iproute}/bin/ip -4 route add table 2 83.133.179.96/27 dev eth0.2396 
+      #${pkgs.iproute}/bin/ip -4 route add table 2 default via 83.133.179.97 dev eth0.2396
+      #${pkgs.iproute}/bin/ip -6 rule add from 2001:7f0:3003:235f::/64 table 3
+      #${pkgs.iproute}/bin/ip -6 route add table 3 2001:7f0:3003:235f::/64 dev eth0.2428
+      #${pkgs.iproute}/bin/ip -6 route add table 3 default via 2001:7f0:3003:235f::129 dev eth0.2428
+      #${pkgs.iproute}/bin/ip -4 rule add from 83.133.179.128/25 table 3
+      #${pkgs.iproute}/bin/ip -4 route add table 3 83.133.179.128/25 dev eth0.2428
+      #${pkgs.iproute}/bin/ip -4 route add table 3 default via 83.133.179.129 dev eth0.2428
+    '';
+  };
+
+  # MuCCC API
+  services.nginx = {
+    enable = true;
+    virtualHosts."nixbus.club.muc.ccc.de" = {
+      enableACME = true;
+      addSSL = true;
+      locations."/".extraConfig = "return 204;";
+      locations."/spaceapi.json".proxyPass = "http://[::1]:8020";
+      locations."/schleuse.json".proxyPass = "http://[::1]:8020";
+    };
+  };
+
+  systemd.services.muccc-api = {
+    wantedBy = [ "multi-user.target" ];
+    description = "MuCCC API";
+    serviceConfig = {
+      ExecStart = "${pkgs.muccc-api}/bin/muccc-api";
+      DynamicUser = true;
+      PrivateTmp = true;
+    };
+  };
+}
--- a/nixbus/user.nix
+++ b/nixbus/user.nix
+{ config, pkgs, ... }:
+
+{
+  users = {
+    mutableUsers = false;
+    extraUsers = {
+
+      root = {
+        subUidRanges = [ { count = 65536; startUid = 100000; } ];
+        subGidRanges = [ { count = 65536; startGid = 100000; } ];
+      };
+
+      argv = {
+        uid = 1000;
+        group = "users";
+        home = "/home/argv";
+        createHome = true;
+        isNormalUser = true;
+        description = "argv";
+        extraGroups = [
+          "wheel"
+        ];
+        shell = "${pkgs.zsh}/bin/zsh";
+      };
+
+      fpletz = {
+        uid = 1001;
+        group = "users";
+        home = "/home/fpletz";
+        createHome = true;
+        isNormalUser = true;
+        description = "fpletz";
+        extraGroups = [
+          "wheel"
+        ];
+        shell = "${pkgs.zsh}/bin/zsh";
+      };
+
+      alice = {
+        uid = 1002;
+        group = "users";
+        home = "/home/alice";
+        createHome = true;
+        isNormalUser = true;
+        description = "alice";
+        extraGroups = [
+          "wheel"
+        ];
+        shell = "${pkgs.zsh}/bin/zsh";
+      };
+    };
+
+    users.root = {
+      hashedPassword = "$6$7zZRFBRJu$g2speYth4OYO0cJMpG5mZA6ACAB9TZSnsu8h6Oe4sM/Am6doJAABzzPXNl5zDvONnyP9eR39JgKNjHblHgE3z0";
+    };
+
+    users.argv = {
+      hashedPassword = "$6$8FeyDBiQpP$BgUBmSEWi1F/Fyg5dbE3o8/Ca8w5E5pImPWJLln3U300gwDcpmeYksQjS.4HnBCSwU6xWiktFRFFwTIoeyHzq.";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdjwnVKIRqf4PP5GQLmqEy3FoVcN6DqPGJlLinCMaiA argv@sheld0r"
+      ];
+    };
+
+    users.fpletz = {
+      hashedPassword = "$6$yiNdYNjs7$oguasC/f8AUbXt0vEGwuhcx3rEja9r5yIs1lKb1md/3y//W1rX7cWqWInMmXaLFFIUNHt.G1rhzMleKJ6SYa30";
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs/VM56N9OsG/hK7LEwheHwptClBNPdBl/tIW8URWyQPsE0dN2FYAERsHom3I3IvAS3phfhYtLOwrQ+MqEt7u5f/E3CgdfvEFRER12arxlT/q3gSh5rUdq508fTjkUNmJr6Vul+BCZ7VeESa2yvvTesFqvdVP9NtpGbAusX/JCrXwQciygJ0hDuMdLFW8MmRzljDoBsyjz18MDaMzsGQddQuE+3uAzJ1NXZpNh+M+C6eLNe+QJQMb9VTPGB3Pc0cU0GWyXYpWTVkpJqJVe180ldMU9x2c2sBBcRM3N/UDn2MF3XQi3TdGO93AIcUHNCLmUvIdqz+DPdKzCt3c3HvHh fpletz@lolnovo"
+      ];
+    };
+
+    users.alice = {
+      hashedPassword = "$6$x0H0hv4/D$sVU7UFZJB2IB2OfJZmA0VcRI3WqjxDrS4sfEfv1Pnf14lVkKIzqm147VQL8mPtPzRYaPqcHjGx20hQkDyQu8G1";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIEY+j1gTRzOZU2QyeTQ4zgrf0ihJtCpAXzTpvJWH4O/ alice@ai"
+      ];
+    };
+  };
+}