Commit bdad5065 authored by fpletz's avatar fpletz 🚧

luftschleuse: production \o/

parent 5531b191
...@@ -2,11 +2,11 @@ ...@@ -2,11 +2,11 @@
"nodes": { "nodes": {
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1644229661, "lastModified": 1648297722,
"narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=", "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797", "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
"type": "github" "type": "github"
}, },
"original": { "original": {
...@@ -22,11 +22,11 @@ ...@@ -22,11 +22,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1647979468, "lastModified": 1648303888,
"narHash": "sha256-mavkG6rOyM5NPcb/hEmZQwRZaJeaa7XFfWTWf0TNCo0=", "narHash": "sha256-SEetW7ijelQtGQJXNGkLBYvyc9Xe1Ig4qfFPBuPrZe8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "48a1584d8ba427dd9d74e2b2b842c70a6dd9c4fa", "rev": "2f58d0a3de97f4c20efcc6ba00878acfd7b5665d",
"type": "github" "type": "github"
}, },
"original": { "original": {
...@@ -45,11 +45,11 @@ ...@@ -45,11 +45,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1646003582, "lastModified": 1648332461,
"narHash": "sha256-nAFjJCY0Puqa+kyKdKBbMyyOJHoqrU2JgOTrninNj0o=", "narHash": "sha256-FNS3a5lbFyvRm0KWm2LvAQhUH9KnW1DT+p3OeJOjBHY=",
"owner": "muccc", "owner": "muccc",
"repo": "luftschleuse2", "repo": "luftschleuse2",
"rev": "497be66fd4b6d5b55f237a70156d66d1008b041d", "rev": "9d343858345fa72babe872a89060248dec0dcad8",
"type": "github" "type": "github"
}, },
"original": { "original": {
...@@ -69,11 +69,11 @@ ...@@ -69,11 +69,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1647970947, "lastModified": 1647992073,
"narHash": "sha256-WjiXKTVorMVA0NegUwoQartN7MAzNrxuF3xs+QxAjNQ=", "narHash": "sha256-+OBxGGl3faw/45towpylZN19rz3wd3Mvabo50FhB5Fc=",
"ref": "master", "ref": "master",
"rev": "ede4e4fd69aa1dbd62cf3a227e235189340128c5", "rev": "957e4065a8db0e149db47282e8f22dc0968aee07",
"revCount": 20, "revCount": 21,
"type": "git", "type": "git",
"url": "https://gitlab.muc.ccc.de/muCCC/api" "url": "https://gitlab.muc.ccc.de/muCCC/api"
}, },
...@@ -120,11 +120,11 @@ ...@@ -120,11 +120,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1647447644, "lastModified": 1648141026,
"narHash": "sha256-Di7ZCXjQKEys+jxgl8Mp7a8nowRSeAbzH8c9QNYkw2k=", "narHash": "sha256-h8e3+5EZFbYHTMb0DN2ACuQTJBNHpqigvmEV1w2WIuE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "32f61571b486efc987baca553fb35df22532ba63", "rev": "feceb4d24f582817d8f6e737cd40af9e162dee05",
"type": "github" "type": "github"
}, },
"original": { "original": {
...@@ -136,11 +136,11 @@ ...@@ -136,11 +136,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1647800324, "lastModified": 1648069223,
"narHash": "sha256-rjwoxrk16zfrcO5Torh6CbAd5GHsHrXw+EwxOvh9AUI=", "narHash": "sha256-BXzQV8p/RR440EB9qY0ULYfTH0zSW1stjUCYeP4SF+E=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9bc841fec1c0e8b9772afa29f934d2c7ce57da8e", "rev": "1d08ea2bd83abef174fb43cbfb8a856b8ef2ce26",
"type": "github" "type": "github"
}, },
"original": { "original": {
......
...@@ -78,6 +78,7 @@ ...@@ -78,6 +78,7 @@
}; };
luftschleuse = { name, nodes, pkgs, ... }: { luftschleuse = { name, nodes, pkgs, ... }: {
deployment.targetHost = "luftschleuse.club.muc.ccc.de";
deployment.allowLocalDeployment = true; deployment.allowLocalDeployment = true;
nixpkgs.system = "aarch64-linux"; nixpkgs.system = "aarch64-linux";
imports = [ imports = [
......
...@@ -54,11 +54,19 @@ in ...@@ -54,11 +54,19 @@ in
firewall.trustedInterfaces = [ "wlan0" "eth0" ]; firewall.trustedInterfaces = [ "wlan0" "eth0" ];
}; };
systemd.network.links."30-eth0" = {
matchConfig.PermanentMACAddress = "b8:27:eb:02:53:2c";
linkConfig = {
MACAddress = "c4:93:00:11:0d:3d";
MACAddressPolicy = "none";
};
};
systemd.network.networks."40-wlan0" = { systemd.network.networks."40-wlan0" = {
linkConfig.RequiredForOnline = false; linkConfig.RequiredForOnline = false;
}; };
systemd.network.networks."40-eth0" = { systemd.network.networks."40-eth0" = {
linkConfig.RequiredForOnline = true; linkConfig.RequiredForOnline = true;
dhcpV4Config.ClientIdentifier = "mac";
}; };
environment.systemPackages = with pkgs; [ colmena lm_sensors ]; environment.systemPackages = with pkgs; [ colmena lm_sensors ];
...@@ -68,6 +76,7 @@ in ...@@ -68,6 +76,7 @@ in
services.openssh.extraConfig = lib.concatMapStrings (t: '' services.openssh.extraConfig = lib.concatMapStrings (t: ''
Match User ${t.user} Match User ${t.user}
DisableForwarding yes DisableForwarding yes
AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u /var/lib/authorized_keys/authorized_keys
ForceCommand ${pkgs.writeScript "${t.user}.sh" '' ForceCommand ${pkgs.writeScript "${t.user}.sh" ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
set -o errexit set -o errexit
...@@ -93,17 +102,23 @@ in ...@@ -93,17 +102,23 @@ in
users.open = { users.open = {
isNormalUser = true; isNormalUser = true;
group = "users"; group = "users";
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; openssh.authorizedKeys = {
keys = config.users.users.root.openssh.authorizedKeys.keys;
};
}; };
users.openfront = { users.openfront = {
isNormalUser = true; isNormalUser = true;
group = "users"; group = "users";
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; openssh.authorizedKeys = {
keys = config.users.users.root.openssh.authorizedKeys.keys;
};
}; };
users.close = { users.close = {
isNormalUser = true; isNormalUser = true;
group = "users"; group = "users";
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; openssh.authorizedKeys = {
keys = config.users.users.root.openssh.authorizedKeys.keys;
};
}; };
}; };
...@@ -193,9 +208,32 @@ in ...@@ -193,9 +208,32 @@ in
systemd.services.lockd = { systemd.services.lockd = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = with pkgs; [ hostapd ];
serviceConfig = {
Restart = "always";
ExecStart = "${pkgs.luftschleuse2-lockd}/bin/lockd /root/lockd.cfg";
};
};
systemd.services.update-authorized-keys = {
script = ''
${pkgs.curl}/bin/curl -s -o "$STATE_DIRECTORY/authorized_keys" --etag-save "$STATE_DIRECTORY/etag" --etag-compare "$STATE_DIRECTORY/etag" --header "PRIVATE-TOKEN: $(cat /root/gitlab-deploy-token)" "https://gitlab.muc.ccc.de/api/v4/projects/169/jobs/artifacts/master/raw/authorized_keys?job=authorized_keys"
'';
serviceConfig = {
Type = "oneshot";
StateDirectory = "authorized_keys";
};
};
systemd.timers.update-authorized-keys = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "minutely";
};
systemd.services.hostapd = {
serviceConfig = { serviceConfig = {
Restart = "always"; Restart = "always";
ExecStart = "${pkgs.luftschleuse2-lockd}/bin/lockd /etc/lockd.cfg"; RestartSec = "2s";
}; };
}; };
} }
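Review bot: `update-authorized-keys` overwrites the live key file in place with whatever curl returns, because the `curl -s -o "$STATE_DIRECTORY/authorized_keys"` call at the top of the last hunk has neither `--fail` nor a temporary file: an error body (e.g. a 401 once the deploy token expires) or an interrupted download replaces the previous good `authorized_keys`, which sshd reads for the `open`/`openfront`/`close` users via the `AuthorizedKeysFile … /var/lib/authorized_keys/authorized_keys` line added earlier in this file. Download to a temporary path with `--fail`, and rename it over the live file only when it is non-empty, so a failed or not-modified response leaves the keys sshd is currently using untouched; whether curl leaves an empty output file on a 304 depends on the curl version, so the size check rather than the exit status should guard the rename. The token is also handed to curl via `$(cat /root/gitlab-deploy-token)` on its command line, where it is readable through /proc by any local process for the duration of the request; `--header @/root/gitlab-deploy-token` (with the file holding the full `PRIVATE-TOKEN: …` line) keeps it out of argv. `-sS` instead of `-s` additionally gets the failure reason into the journal for the minutely timer.
```nix
systemd.services.update-authorized-keys = {
  script = ''
    tmp="$STATE_DIRECTORY/authorized_keys.tmp"
    ${pkgs.curl}/bin/curl -sS --fail -o "$tmp" \
      --etag-save "$STATE_DIRECTORY/etag" --etag-compare "$STATE_DIRECTORY/etag" \
      --header @/root/gitlab-deploy-token \
      "https://gitlab.muc.ccc.de/api/v4/projects/169/jobs/artifacts/master/raw/authorized_keys?job=authorized_keys"
    # A failed or not-modified response must never clobber the keys sshd is using.
    if [ -s "$tmp" ]; then
      mv -f "$tmp" "$STATE_DIRECTORY/authorized_keys"
    else
      rm -f "$tmp"
    fi
  '';
  # … unchanged: serviceConfig (Type, StateDirectory) …
};
```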
...@@ -5,7 +5,11 @@ ...@@ -5,7 +5,11 @@
networking.hostName = lib.mkDefault name; networking.hostName = lib.mkDefault name;
time.timeZone = "UTC"; time.timeZone = "UTC";
services.getty.helpLine = lib.mkForce ""; services.getty.helpLine = lib.mkForce ''
ip6: \6
ip4: \4
'';
# between mkOptionDefault and mkDefault (on in rpi flake) # between mkOptionDefault and mkDefault (on in rpi flake)
boot.kernelPackages = lib.mkOverride 1001 pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkOverride 1001 pkgs.linuxPackages_latest;
......