Commit ea768664 authored by fpletz's avatar fpletz 🚧

add nixbus with wip muccc-api

parent 5fc96a3b
...@@ -27,8 +27,6 @@ with lib; ...@@ -27,8 +27,6 @@ with lib;
nix.maxJobs = 3; nix.maxJobs = 3;
nix.buildCores = 2; nix.buildCores = 2;
services.openssh.enable = true;
users.extraUsers.root = { users.extraUsers.root = {
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs/VM56N9OsG/hK7LEwheHwptClBNPdBl/tIW8URWyQPsE0dN2FYAERsHom3I3IvAS3phfhYtLOwrQ+MqEt7u5f/E3CgdfvEFRER12arxlT/q3gSh5rUdq508fTjkUNmJr6Vul+BCZ7VeESa2yvvTesFqvdVP9NtpGbAusX/JCrXwQciygJ0hDuMdLFW8MmRzljDoBsyjz18MDaMzsGQddQuE+3uAzJ1NXZpNh+M+C6eLNe+QJQMb9VTPGB3Pc0cU0GWyXYpWTVkpJqJVe180ldMU9x2c2sBBcRM3N/UDn2MF3XQi3TdGO93AIcUHNCLmUvIdqz+DPdKzCt3c3HvHh fpletz@lolnovo" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs/VM56N9OsG/hK7LEwheHwptClBNPdBl/tIW8URWyQPsE0dN2FYAERsHom3I3IvAS3phfhYtLOwrQ+MqEt7u5f/E3CgdfvEFRER12arxlT/q3gSh5rUdq508fTjkUNmJr6Vul+BCZ7VeESa2yvvTesFqvdVP9NtpGbAusX/JCrXwQciygJ0hDuMdLFW8MmRzljDoBsyjz18MDaMzsGQddQuE+3uAzJ1NXZpNh+M+C6eLNe+QJQMb9VTPGB3Pc0cU0GWyXYpWTVkpJqJVe180ldMU9x2c2sBBcRM3N/UDn2MF3XQi3TdGO93AIcUHNCLmUvIdqz+DPdKzCt3c3HvHh fpletz@lolnovo"
...@@ -388,7 +386,4 @@ with lib; ...@@ -388,7 +386,4 @@ with lib;
''}" ''}"
''; '';
}; };
security.acme.email = "fpletz@muc.ccc.de";
security.acme.acceptTerms = true;
} }
{ {
"nodes": { "nodes": {
"flake-utils": {
"locked": {
"lastModified": 1638122382,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"muccc-api": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1642276612,
"narHash": "sha256-TLhIlWptDWnX6Vok0tCS3d3YOWugbPSWzKJiqQgeVps=",
"ref": "master",
"rev": "a135d5a89d2e2baf83937bed709120775a2eacb1",
"revCount": 16,
"type": "git",
"url": "https://gitlab.muc.ccc.de/fpletz/muccc-api"
},
"original": {
"type": "git",
"url": "https://gitlab.muc.ccc.de/fpletz/muccc-api"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1641870998, "lastModified": 1641870998,
...@@ -18,6 +54,7 @@ ...@@ -18,6 +54,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"muccc-api": "muccc-api",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"utils": "utils" "utils": "utils"
} }
...@@ -4,9 +4,11 @@ ...@@ -4,9 +4,11 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
utils.url = "github:numtide/flake-utils"; utils.url = "github:numtide/flake-utils";
muccc-api.url = "git+https://gitlab.muc.ccc.de/fpletz/muccc-api";
muccc-api.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { self, nixpkgs, utils, ... }: let outputs = { self, nixpkgs, utils, muccc-api, ... }: let
supportedSystems = utils.lib.defaultSystems; supportedSystems = utils.lib.defaultSystems;
in utils.lib.eachSystem supportedSystems (system: let in utils.lib.eachSystem supportedSystems (system: let
pkgs = import nixpkgs { inherit system; }; pkgs = import nixpkgs { inherit system; };
...@@ -20,31 +22,46 @@ ...@@ -20,31 +22,46 @@
meta.nixpkgs = import nixpkgs { }; meta.nixpkgs = import nixpkgs { };
defaults = { name, pkgs, lib, ... }: { defaults = { name, pkgs, lib, ... }: {
deployment.targetHost = "${name}.muc.ccc.de"; deployment.targetHost = lib.mkDefault "${name}.muc.ccc.de";
networking.hostName = lib.mkDefault name; networking.hostName = lib.mkDefault name;
time.timeZone = "UTC"; time.timeZone = "UTC";
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
boot.tmpOnTmpfs = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget curl htop iftop tmux wget curl htop iftop tmux
]; ];
programs.bash.enableCompletion = true; programs.bash.enableCompletion = true;
programs.vim.defaultEditor = true; programs.vim.defaultEditor = true;
programs.zsh.enable = true;
programs.mtr.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.fail2ban.enable = true; services.fail2ban.enable = true;
zramSwap.enable = true; zramSwap.enable = true;
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";
nixpkgs.overlays = [ muccc-api.overlay ];
# include git rev of this repo/flake into the nixos-version # include git rev of this repo/flake into the nixos-version
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
# set nixpkgs flake of the target to the nixpkgs verion of the deployment # set nixpkgs on the target to the nixpkgs version of the deployment
nix.registry.nixpkgs.flake = nixpkgs; nix.registry.nixpkgs.flake = nixpkgs;
nix.nixPath = lib.mkForce [ "nixpkgs=${nixpkgs}" "nixos-config=/dontuse" ]; nix.nixPath = lib.mkForce [ "nixpkgs=${nixpkgs}" "nixos-config=/dontuse" ];
security.acme.email = "fpletz@muc.ccc.de";
security.acme.acceptTerms = true;
}; };
briafzentrum = { name, nodes, pkgs, ... }: { briafzentrum = { name, nodes, pkgs, ... }: {
imports = [ imports = [
"${nixpkgs}/nixos/modules/profiles/qemu-guest.nix" "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
./briafzentrum.nix ./briafzentrum.nix
];
};
nixbus = { name, nodes, pkgs, ... }: {
deployment.targetHost = "83.133.178.67"; # "${name}.club.muc.ccc.de";
imports = [
"${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
./nixbus.nix
]; ];
}; };
}; };
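Review bot: The nixbus node pins `deployment.targetHost = "83.133.178.67";` with the intended name left in a trailing comment and no explanation, so the next reader cannot tell whether this is a temporary workaround or a permanent choice; the comment should say why the name is not usable yet (presumably the `nixbus.club.muc.ccc.de` record does not exist at deploy time) and when to switch back, e.g. `# TODO: use "${name}.club.muc.ccc.de" once the DNS record is in place`. The change to `lib.mkDefault` on the shared `deployment.targetHost` in `defaults` is what makes this per-node override take effect, which is worth a one-line comment there as well. Note that the `muccc-api` input URL carries no ref or rev; the checkout is pinned only through flake.lock, so anyone changing that input has to re-lock rather than edit the URL. The enclosing `outputs` let-block starts and ends outside these hunks.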
{ pkgs, ... }:
{
imports = [ ./nixbus/user.nix ];
boot = {
loader.grub = {
device = "/dev/vda";
splashImage = null;
};
supportedFilesystems = [
"xfs"
];
kernelParams = [ "console=ttyS0" "console=tty0" ];
};
fileSystems = {
"/" = {
device = "/dev/vda2";
fsType = "xfs";
options = [
"noatime"
"nodiratime"
"logbufs=8"
];
};
};
swapDevices = [
{ device = "/dev/vda3"; }
];
nix = {
buildCores = 2;
maxJobs = 5;
};
networking = {
hostName = "nixbus";
domain = "club.muc.ccc.de";
hostId = "14e4f63f";
usePredictableInterfaceNames = false;
extraHosts = ''
# host
2001:7f0:3003:beef::67 nixbus.club.muc.ccc.de nixbus
83.133.178.67 nixbus.club.muc.ccc.de nixbus
'';
firewall = {
enable = true;
allowPing = true;
checkReversePath = true;
allowedTCPPorts = [
22
80
443
#11000
#11001
#34197
#46631
#5984
];
};
useDHCP = false;
interfaces = {
"eth0" = {
ipv6.addresses = [
{ address = "2001:7f0:3003:beef::67"; prefixLength = 64; }
];
ipv4.addresses = [
{ address = "83.133.178.67"; prefixLength = 26; }
];
};
"eth0.2396" = {
ipv6.addresses = [
{ address = "2001:7f0:3003:235e::98"; prefixLength = 64; }
];
# ip4 = [
# { address = "83.133.179.98"; prefixLength = 27; }
# ];
};
"eth0.2428" = {
ipv6.addresses = [
{ address = "2001:7f0:3003:235f::130"; prefixLength = 64; }
];
# ip4 = [
# { address = "83.133.179.130"; prefixLength = 25; }
# ];
};
};
vlans = {
"eth0.2396" = {
id = 2396;
interface = "eth0";
};
"eth0.2428" = {
id = 2428;
interface = "eth0";
};
};
nameservers = [
"2001:7f0:3003:beef::65"
"83.133.178.65"
];
defaultGateway6 = "2001:7f0:3003:beef::65";
defaultGateway = "83.133.178.65";
localCommands = ''
#${pkgs.iproute}/bin/ip -6 rule add from 2001:7f0:3003:235e::/64 table 2
#${pkgs.iproute}/bin/ip -6 route add table 2 2001:7f0:3003:235e::/64 dev eth0.2396
#${pkgs.iproute}/bin/ip -6 route add table 2 default via 2001:7f0:3003:235e::97 dev eth0.2396
#${pkgs.iproute}/bin/ip -4 rule add from 83.133.179.96/27 table 2
#${pkgs.iproute}/bin/ip -4 route add table 2 83.133.179.96/27 dev eth0.2396
#${pkgs.iproute}/bin/ip -4 route add table 2 default via 83.133.179.97 dev eth0.2396
#${pkgs.iproute}/bin/ip -6 rule add from 2001:7f0:3003:235f::/64 table 3
#${pkgs.iproute}/bin/ip -6 route add table 3 2001:7f0:3003:235f::/64 dev eth0.2428
#${pkgs.iproute}/bin/ip -6 route add table 3 default via 2001:7f0:3003:235f::129 dev eth0.2428
#${pkgs.iproute}/bin/ip -4 rule add from 83.133.179.128/25 table 3
#${pkgs.iproute}/bin/ip -4 route add table 3 83.133.179.128/25 dev eth0.2428
#${pkgs.iproute}/bin/ip -4 route add table 3 default via 83.133.179.129 dev eth0.2428
'';
};
# MuCCC API
services.nginx = {
enable = true;
virtualHosts."nixbus.club.muc.ccc.de" = {
enableACME = true;
addSSL = true;
locations."/".extraConfig = "return 204;";
locations."/spaceapi.json".proxyPass = "http://[::1]:8020";
locations."/schleuse.json".proxyPass = "http://[::1]:8020";
};
};
systemd.services.muccc-api = {
wantedBy = [ "multi-user.target" ];
description = "MuCCC API";
serviceConfig = {
ExecStart = "${pkgs.muccc-api}/bin/muccc-api";
DynamicUser = true;
PrivateTmp = true;
};
};
}
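Review bot: The `muccc-api` unit has no `Restart` policy, so a crash of the API leaves nginx proxying `/spaceapi.json` and `/schleuse.json` to a dead backend until someone intervenes; add `Restart = "on-failure";` to `serviceConfig`. The nginx `proxyPass = "http://[::1]:8020"` also encodes an assumption about where the API listens that nothing in the unit states, so a comment such as `# muccc-api is expected to listen on [::1]:8020 (see services.nginx above)` next to `ExecStart` would keep the two in sync. `PrivateTmp = true` is already implied by `DynamicUser = true` and can be dropped, or kept with a comment saying it is deliberate. The commented-out ports in `allowedTCPPorts` and the commented-out policy-routing commands in `localCommands` should either be deleted or get a note saying why they are retained.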
{ config, pkgs, ... }:
{
users = {
mutableUsers = false;
extraUsers = {
root = {
subUidRanges = [ { count = 65536; startUid = 100000; } ];
subGidRanges = [ { count = 65536; startGid = 100000; } ];
};
argv = {
uid = 1000;
group = "users";
home = "/home/argv";
createHome = true;
isNormalUser = true;
description = "argv";
extraGroups = [
"wheel"
];
shell = "${pkgs.zsh}/bin/zsh";
};
fpletz = {
uid = 1001;
group = "users";
home = "/home/fpletz";
createHome = true;
isNormalUser = true;
description = "fpletz";
extraGroups = [
"wheel"
];
shell = "${pkgs.zsh}/bin/zsh";
};
alice = {
uid = 1002;
group = "users";
home = "/home/alice";
createHome = true;
isNormalUser = true;
description = "alice";
extraGroups = [
"wheel"
];
shell = "${pkgs.zsh}/bin/zsh";
};
};
users.root = {
hashedPassword = "$6$7zZRFBRJu$g2speYth4OYO0cJMpG5mZA6ACAB9TZSnsu8h6Oe4sM/Am6doJAABzzPXNl5zDvONnyP9eR39JgKNjHblHgE3z0";
};
users.argv = {
hashedPassword = "$6$8FeyDBiQpP$BgUBmSEWi1F/Fyg5dbE3o8/Ca8w5E5pImPWJLln3U300gwDcpmeYksQjS.4HnBCSwU6xWiktFRFFwTIoeyHzq.";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdjwnVKIRqf4PP5GQLmqEy3FoVcN6DqPGJlLinCMaiA argv@sheld0r"
];
};
users.fpletz = {
hashedPassword = "$6$yiNdYNjs7$oguasC/f8AUbXt0vEGwuhcx3rEja9r5yIs1lKb1md/3y//W1rX7cWqWInMmXaLFFIUNHt.G1rhzMleKJ6SYa30";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCs/VM56N9OsG/hK7LEwheHwptClBNPdBl/tIW8URWyQPsE0dN2FYAERsHom3I3IvAS3phfhYtLOwrQ+MqEt7u5f/E3CgdfvEFRER12arxlT/q3gSh5rUdq508fTjkUNmJr6Vul+BCZ7VeESa2yvvTesFqvdVP9NtpGbAusX/JCrXwQciygJ0hDuMdLFW8MmRzljDoBsyjz18MDaMzsGQddQuE+3uAzJ1NXZpNh+M+C6eLNe+QJQMb9VTPGB3Pc0cU0GWyXYpWTVkpJqJVe180ldMU9x2c2sBBcRM3N/UDn2MF3XQi3TdGO93AIcUHNCLmUvIdqz+DPdKzCt3c3HvHh fpletz@lolnovo"
];
};
users.alice = {
hashedPassword = "$6$x0H0hv4/D$sVU7UFZJB2IB2OfJZmA0VcRI3WqjxDrS4sfEfv1Pnf14lVkKIzqm147VQL8mPtPzRYaPqcHjGx20hQkDyQu8G1";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIEY+j1gTRzOZU2QyeTQ4zgrf0ihJtCpAXzTpvJWH4O/ alice@ai"
];
};
};
}
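Review bot: Each account's `hashedPassword` is committed to the repository in this new file, and because the value is part of the evaluated configuration it is also copied into the world-readable Nix store on the target; with `mutableUsers = false` these hashes are the only credential source, so they deserve the same handling as any other secret. The usual mitigation is `passwordFile = "<path-to-secret-on-target>";` (an out-of-store file provisioned separately) in place of `hashedPassword`, keeping only the public `openssh.authorizedKeys.keys` in git. As a point of style, each user is defined twice — basic attributes under the deprecated `extraUsers` alias and credentials under `users.<name>` — and merging both halves into one `users.users.<name>` attribute set would make it obvious at a glance which accounts have `wheel` access and which have password logins. All three non-root users are in `wheel`, which is worth a short comment stating that this is intended.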