Skip to content

GitLab

Commit bdad5065 authored by fpletz's avatar fpletz 🚧
Browse files

luftschleuse: production \o/

parent 5531b191
Hide whitespace changes
Inline Side-by-side
flake.lock
View file @ bdad5065
......@@ -2,11 +2,11 @@
"nodes": {
"flake-utils": {
"locked": {
"lastModified": 1644229661,
"narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
"lastModified": 1648297722,
"narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
"rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
"type": "github"
},
"original": {
......@@ -22,11 +22,11 @@
]
},
"locked": {
"lastModified": 1647979468,
"narHash": "sha256-mavkG6rOyM5NPcb/hEmZQwRZaJeaa7XFfWTWf0TNCo0=",
"lastModified": 1648303888,
"narHash": "sha256-SEetW7ijelQtGQJXNGkLBYvyc9Xe1Ig4qfFPBuPrZe8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "48a1584d8ba427dd9d74e2b2b842c70a6dd9c4fa",
"rev": "2f58d0a3de97f4c20efcc6ba00878acfd7b5665d",
"type": "github"
},
"original": {
......@@ -45,11 +45,11 @@
]
},
"locked": {
"lastModified": 1646003582,
"narHash": "sha256-nAFjJCY0Puqa+kyKdKBbMyyOJHoqrU2JgOTrninNj0o=",
"lastModified": 1648332461,
"narHash": "sha256-FNS3a5lbFyvRm0KWm2LvAQhUH9KnW1DT+p3OeJOjBHY=",
"owner": "muccc",
"repo": "luftschleuse2",
"rev": "497be66fd4b6d5b55f237a70156d66d1008b041d",
"rev": "9d343858345fa72babe872a89060248dec0dcad8",
"type": "github"
},
"original": {
......@@ -69,11 +69,11 @@
]
},
"locked": {
"lastModified": 1647970947,
"narHash": "sha256-WjiXKTVorMVA0NegUwoQartN7MAzNrxuF3xs+QxAjNQ=",
"lastModified": 1647992073,
"narHash": "sha256-+OBxGGl3faw/45towpylZN19rz3wd3Mvabo50FhB5Fc=",
"ref": "master",
"rev": "ede4e4fd69aa1dbd62cf3a227e235189340128c5",
"revCount": 20,
"rev": "957e4065a8db0e149db47282e8f22dc0968aee07",
"revCount": 21,
"type": "git",
"url": "https://gitlab.muc.ccc.de/muCCC/api"
},
......@@ -120,11 +120,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1647447644,
"narHash": "sha256-Di7ZCXjQKEys+jxgl8Mp7a8nowRSeAbzH8c9QNYkw2k=",
"lastModified": 1648141026,
"narHash": "sha256-h8e3+5EZFbYHTMb0DN2ACuQTJBNHpqigvmEV1w2WIuE=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "32f61571b486efc987baca553fb35df22532ba63",
"rev": "feceb4d24f582817d8f6e737cd40af9e162dee05",
"type": "github"
},
"original": {
......@@ -136,11 +136,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1647800324,
"narHash": "sha256-rjwoxrk16zfrcO5Torh6CbAd5GHsHrXw+EwxOvh9AUI=",
"lastModified": 1648069223,
"narHash": "sha256-BXzQV8p/RR440EB9qY0ULYfTH0zSW1stjUCYeP4SF+E=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9bc841fec1c0e8b9772afa29f934d2c7ce57da8e",
"rev": "1d08ea2bd83abef174fb43cbfb8a856b8ef2ce26",
"type": "github"
},
"original": {
......
flake.nix
View file @ bdad5065
......@@ -78,6 +78,7 @@
};
luftschleuse = { name, nodes, pkgs, ... }: {
deployment.targetHost = "luftschleuse.club.muc.ccc.de";
deployment.allowLocalDeployment = true;
nixpkgs.system = "aarch64-linux";
imports = [
......
luftschleuse.nix
View file @ bdad5065
......@@ -54,11 +54,19 @@ in
firewall.trustedInterfaces = [ "wlan0" "eth0" ];
};
systemd.network.links."30-eth0" = {
matchConfig.PermanentMACAddress = "b8:27:eb:02:53:2c";
linkConfig = {
MACAddress = "c4:93:00:11:0d:3d";
MACAddressPolicy = "none";
};
};
systemd.network.networks."40-wlan0" = {
linkConfig.RequiredForOnline = false;
};
systemd.network.networks."40-eth0" = {
linkConfig.RequiredForOnline = true;
dhcpV4Config.ClientIdentifier = "mac";
};
environment.systemPackages = with pkgs; [ colmena lm_sensors ];
......@@ -68,6 +76,7 @@ in
services.openssh.extraConfig = lib.concatMapStrings (t: ''
Match User ${t.user}
DisableForwarding yes
AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u /var/lib/authorized_keys/authorized_keys
ForceCommand ${pkgs.writeScript "${t.user}.sh" ''
#!${pkgs.stdenv.shell}
set -o errexit
......@@ -93,17 +102,23 @@ in
users.open = {
isNormalUser = true;
group = "users";
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
openssh.authorizedKeys = {
keys = config.users.users.root.openssh.authorizedKeys.keys;
};
};
users.openfront = {
isNormalUser = true;
group = "users";
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
openssh.authorizedKeys = {
keys = config.users.users.root.openssh.authorizedKeys.keys;
};
};
users.close = {
isNormalUser = true;
group = "users";
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
openssh.authorizedKeys = {
keys = config.users.users.root.openssh.authorizedKeys.keys;
};
};
};
......@@ -193,9 +208,32 @@ in
systemd.services.lockd = {
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ hostapd ];
serviceConfig = {
Restart = "always";
ExecStart = "${pkgs.luftschleuse2-lockd}/bin/lockd /root/lockd.cfg";
};
};
systemd.services.update-authorized-keys = {
script = ''
${pkgs.curl}/bin/curl -s -o "$STATE_DIRECTORY/authorized_keys" --etag-save "$STATE_DIRECTORY/etag" --etag-compare "$STATE_DIRECTORY/etag" --header "PRIVATE-TOKEN: $(cat /root/gitlab-deploy-token)" "https://gitlab.muc.ccc.de/api/v4/projects/169/jobs/artifacts/master/raw/authorized_keys?job=authorized_keys"
'';
serviceConfig = {
Type = "oneshot";
StateDirectory = "authorized_keys";
};
};
systemd.timers.update-authorized-keys = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.services.hostapd = {
serviceConfig = {
Restart = "always";
ExecStart = "${pkgs.luftschleuse2-lockd}/bin/lockd /etc/lockd.cfg";
RestartSec = "2s";
};
};
}
modules/default.nix
View file @ bdad5065
......@@ -5,7 +5,11 @@
networking.hostName = lib.mkDefault name;
time.timeZone = "UTC";
services.getty.helpLine = lib.mkForce "";
services.getty.helpLine = lib.mkForce ''
ip6: \6
ip4: \4
'';
# between mkOptionDefault and mkDefault (on in rpi flake)
boot.kernelPackages = lib.mkOverride 1001 pkgs.linuxPackages_latest;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment