Klub-RZ/infrastructure
4
0
Fork 0
Code Issues 7 Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Klub-RZ:master
Branches Tags
Klub-RZ:master
Klub-RZ:serveur-photo
Klub-RZ:mrf-whitelist
Klub-RZ:deploy_dokuwiki
Klub-RZ:headscale
Klub-RZ:public-cof
Klub-RZ:rm-HackENS-keys
Klub-RZ:raito/add-remote-builders
Klub-RZ:remote-builder-01
..
compare: Klub-RZ:headscale
Branches Tags
Klub-RZ:master
Klub-RZ:serveur-photo
Klub-RZ:mrf-whitelist
Klub-RZ:deploy_dokuwiki
Klub-RZ:headscale
Klub-RZ:public-cof
Klub-RZ:rm-HackENS-keys
Klub-RZ:raito/add-remote-builders
Klub-RZ:remote-builder-01

13 commits
master ... headscale

Author SHA1 Message Date
Raito Bezarius
dcddd19fb4 core01(keycloak): remove useless file 2022-06-26 23:45:11 +02:00
Raito Bezarius
28c3ad2429 public-cof: upgrade to NC24 2022-06-26 23:45:11 +02:00
Raito Bezarius
3b1338043c public-cof: disable cryptpad 2022-06-26 23:45:11 +02:00
Raito Bezarius
2e09ceabf7 core01(keycloak): bump to nixos-unstable 2022-06-26 23:45:11 +02:00
Raito Bezarius
173cdedb7c core01(keycloak): bump to nixpkgs-unstable who has the patch 2022-06-26 23:45:11 +02:00
Raito Bezarius
deda24e3ae core01(keycloak): oops 2022-06-26 23:45:11 +02:00
Raito Bezarius
aa328045a7 core01(keycloak): try a zlib upstream patch 2022-06-26 23:45:11 +02:00
Raito Bezarius
6f52987d5f core01(keycloak): remove customizations 2022-06-26 23:45:11 +02:00
Raito Bezarius
4d5ea04099 nixpkgs: try 22.11 unreleased 2022-06-26 23:45:11 +02:00
Raito Bezarius
22996eddff nixpkgs: update to 22.05 release 2022-06-26 23:45:11 +02:00
Raito Bezarius
4df131d59b core01: update to 22.05-beta 2022-06-26 23:45:11 +02:00
Raito Bezarius
cce562ac9a core01: update to latest nixpkgs, fix up keycloak 2022-06-26 23:45:11 +02:00
Raito Bezarius
7fefcc0d54 core01: add headscale support 2022-06-26 23:45:11 +02:00
91 changed files with 528 additions and 1980 deletions
Show stats Expand all files Collapse all files

1
.envrc
View file

@ -1 +0,0 @@
use nix

1
.gitignore vendored
View file

@ -1,2 +1 @@
result result
.direnv

1
CONTRIBUTING.md
View file

@ -1 +0,0 @@
Maurice écoute les conventions de Ryan

3
README.md
View file

@ -5,8 +5,7 @@
Refer to wiki for details. Refer to wiki for details.
- `core-services-01` - `core-services-01`
- `public-cof` - `remote-builder-01`
- `remote-builder-01`: **discontinued**.
## How to deploy a machine? ## How to deploy a machine?

62
hive.nix
View file

@ -1,62 +0,0 @@
let
sources = import ./npins;
metadata = import ./meta;
lib = import (sources.nix-lib + "/src/trivial.nix");
mkNode = node: { name, nodes, ... }: {
# Import the base configuration for each node
imports = builtins.map (lib.mkRel ./machines/${node}) [
"_configuration.nix"
"_hardware-configuration.nix"
];
# Include default secrets
# dgn-secrets.sources = [ ./machines/${node}/secrets ];
# Deployment config is specified in meta.nodes.${node}.deployment
inherit (metadata.nodes.${node}) deployment;
# Set NIX_PATH to the patched version of nixpkgs
nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ];
# Use the stateVersion declared in the metadata
system.stateVersion = metadata.nodes.${node}.stateVersion;
};
mkNixpkgs = node:
let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in
(import sources.${version} { }).applyPatches {
name = "${version}-patched";
src = sources.${version};
patches = (import ./nix-patches).${version} or [ ];
};
mkNixpkgs' = node: import (mkNixpkgs node) { };
mkArgs = node:
let lib' = (mkNixpkgs' node).lib;
in {
lib = import sources.nix-lib {
lib = lib';
keysRoot = ./keys;
};
};
nodes = builtins.attrNames metadata.nodes;
in
{
meta = {
nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
specialArgs = { inherit sources; meta = metadata; };
nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
};
defaults = { ... }: {
# Import the default modules
imports = [ ./modules ];
};
} // (lib.mapSingleFuse mkNode nodes)

1
keys/hubrecht.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl

1
keys/sinavir.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o

35
krops.nix Normal file
View file

@ -0,0 +1,35 @@
let
krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; };
lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" { };
source = machine:
lib.evalSource [{
config.file = toString ./machines;
nixos-config.symlink = "config/${machine}/configuration.nix";
nixpkgs.git = {
clean.exclude = [ "/.version-suffix" ];
ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable
url = "https://github.com/NixOS/nixpkgs";
};
}];
mkTestConfig = hostname: {
name = "test-${hostname}";
value = pkgs.krops.writeTest "test-${hostname}" {
source = source hostname;
target = lib.mkTarget {
host = "localhost";
path = "/tmp/src";
};
force = true; # force create the sentinel file.
};
};
mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames);
mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" {
source = source hostname;
inherit target;
}; };
in {}
// mkDeploy "core-services-01" "root@10.1.1.20"
// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf"
// mkDeploy "public-cof" "root@beta.rz.ens.wtf"
// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ]

97
machines/core-services-01/configuration.nix Normal file
View file

@ -0,0 +1,97 @@
{ config, pkgs, lib, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./nur.nix
./rz.nix
./monitoring.nix
./programs.nix
./system.nix
./acme-ssl.nix
./dns.nix
./netboot-server.nix
./qemu.nix
./gitea.nix
./dokuwiki.nix
./nginx.nix
./keycloak.nix
./acme-dns.nix
./backups.nix
./headscale.nix
# ./dex.nix
./oauth2_proxy.nix
./secrets
./matterbridge.nix
# TODO push to gitea
# TODO ./gotify.nix
# TODO(Raito): ./backups.nix
# TODO(Raito): ./snmp.nix
# TODO(Raito): ./sflow.nix?
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ];
networking.hostName = "core-services-01";
networking.hostId = "64838310";
time.timeZone = "Europe/Paris";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
# Adieu, hackENS — networking.interfaces.ens18.useDHCP = true;
networking.interfaces.ens19.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
programs.mtr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
# List services that you want to enable:
services.zfs.autoScrub.enable = true;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keyFiles = [
./pubkeys/gdd.keys
./pubkeys/raito.keys
./pubkeys/mrf.keys
];
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
}

28
machines/core-services-01/dokuwiki.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, ... }:
let
my = config.my;
in
{
services.dokuwiki.sites."wiki.${my.subZone}" = {
enable = true;
acl = ''
* @ALL 1
* @admin 16
'';
};
/*
services.nginx = {
enable = true;
virtualHosts."wiki.${my.subZone}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "htttp://127.0.0.1:${toString port}";
};
};
};
*/
}

51
machines/core-services-01/fix-crc-computation.patch Normal file
View file

@ -0,0 +1,51 @@
From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Wed, 30 Mar 2022 11:14:53 -0700
Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
The previous releases of zlib were not sensitive to incorrect CRC
inputs with bits set above the low 32. This commit restores that
behavior, so that applications with such bugs will continue to
operate as before.
---
crc32.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crc32.c b/crc32.c
index a1bdce5c2..451887bc7 100644
--- a/crc32.c
+++ b/crc32.c
@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
#endif /* DYNAMIC_CRC_TABLE */
/* Pre-condition the CRC */
- crc ^= 0xffffffff;
+ crc = (~crc) & 0xffffffff;
/* Compute the CRC up to a word boundary. */
while (len && ((z_size_t)buf & 7) != 0) {
@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
#endif /* DYNAMIC_CRC_TABLE */
/* Pre-condition the CRC */
- crc ^= 0xffffffff;
+ crc = (~crc) & 0xffffffff;
#ifdef W
@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
#ifdef DYNAMIC_CRC_TABLE
once(&made, make_crc_table);
#endif /* DYNAMIC_CRC_TABLE */
- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
+ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
}
/* ========================================================================= */
@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
uLong crc2;
uLong op;
{
- return multmodp(op, crc1) ^ crc2;
+ return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
}

5
machines/core-services-01/gitea.nix
View file

@ -13,11 +13,8 @@ in
httpAddress = "127.0.0.1"; httpAddress = "127.0.0.1";
httpPort = port; httpPort = port;
database.type = "postgres"; database.type = "postgres";
disableRegistration = false;
settings = { settings = {
service.DISABLE_REGISTRATION = false;
log = {
level = "Warn";
};
openid = { openid = {
ENABLE_OPENID_SIGNUP = true; ENABLE_OPENID_SIGNUP = true;
}; };

0
machines/core-services-01/_hardware-configuration.nix → machines/core-services-01/hardware-configuration.nix
View file

7
machines/core-services-01/keycloak.nix
View file

@ -32,13 +32,6 @@ in
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
# For large authentication-authorization headers
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
'';
}; };
}; };
} }

2
machines/core-services-01/matterbridge.nix
View file

@ -28,7 +28,7 @@ let
startScript = pkgs.writeShellScriptBin "start" '' startScript = pkgs.writeShellScriptBin "start" ''
${manageSecrets ${manageSecrets
./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml" ./matterbridge.toml "$CREDENTIALS_DIRECTORY/secrets" "$RUNTIME_DIRECTORY/conf.toml"
[ "SECRET_MATTERMOST_KLUBRZ_WEBHOOK" "SECRET_MATTERMOST_DGNUM_WEBHOOK" ]}/bin/preStart [ "SECRET_MATTERMOST_WEBHOOK" ]}/bin/preStart
${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml ${pkgs.matterbridge}/bin/matterbridge -conf $RUNTIME_DIRECTORY/conf.toml
''; '';
in { in {

21
machines/core-services-01/matterbridge.toml
View file

@ -7,16 +7,11 @@
PrefixMessagesWithNick=true PrefixMessagesWithNick=true
RemoteNickFormat="<{NICK}> " RemoteNickFormat="<{NICK}> "
[mattermost] [mattermost]
[mattermost.merle_klubrz] [mattermost.merle]
WebhookURL="SECRET_MATTERMOST_KLUBRZ_WEBHOOK" WebhookURL="SECRET_MATTERMOST_WEBHOOK"
WebhookBindAddress="0.0.0.0:52187" WebhookBindAddress="0.0.0.0:52187"
PrefixMessagesWithNick=false PrefixMessagesWithNick=false
RemoteNickFormat="{NICK}" RemoteNickFormat="{NICK}"
[mattermost.merle_dgnum]
WebhookURL="SECRET_MATTERMOST_DGNUM_WEBHOOK"
WebhookBindAddress="0.0.0.0:52188"
PrefixMessagesWithNick=false
RemoteNickFormat="{NICK}"
[[gateway]] [[gateway]]
name="réseau" name="réseau"
enable=true enable=true
@ -24,15 +19,5 @@ enable=true
account="irc.ulminfo" account="irc.ulminfo"
channel="#réseau" channel="#réseau"
[[gateway.inout]] [[gateway.inout]]
account="mattermost.merle_klubrz" account="mattermost.merle"
channel="town-square"
[[gateway]]
name="dgnum"
enable=true
[[gateway.inout]]
account="irc.ulminfo"
channel="#dgnum"
[[gateway.inout]]
account="mattermost.merle_dgnum"
channel="town-square" channel="town-square"

68
machines/core-services-01/monitoring.nix
View file

@ -34,21 +34,7 @@ let
}; };
in in
{ {
services.netdata = { services.netdata.enable = true;
enable = true;
#package = pkgs.netdata.overrideAttrs (old: {
# version = "1.36.0-185-nightly";
# src = pkgs.fetchFromGitHub {
# owner = "netdata";
# repo = "netdata";
# rev = "284d5450ec938b667db9985aca6d3cd02b96487f";
# sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc=";
# fetchSubmodules = true;
# };
#});
};
systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1";
# Allow WireGuard VPN # Allow WireGuard VPN
networking.firewall.allowedUDPPorts = [ 51820 ]; networking.firewall.allowedUDPPorts = [ 51820 ];
@ -73,23 +59,20 @@ in
]; ];
}; };
systemd.services.netdata.restartTriggers = map (v: config.environment.etc."netdata/${v}.conf".source) [
"netdata"
"stream"
"health_alarm_notify"
];
environment.etc."netdata/netdata.conf" = lib.mkForce { environment.etc."netdata/netdata.conf" = lib.mkForce {
user = "netdata"; user = "netdata";
group = "netdata"; group = "netdata";
mode = "0600"; mode = "0600";
text = '' text = ''
[db] [global]
mode = dbengine page cache size = 32
storage tiers = 3 dbengine multihost disk space = 23058
update every = 1
dbengine multihost disk space MB = 23000
dbengine page cache size MB = 384
dbengine tier 1 update every iterations = 60
dbengine tier 1 multihost disk space MB = 10000
dbengine tier 1 page cache size MB = 384
dbengine tier 2 update every iterations = 3600
dbengine tier 2 multihost disk space MB = 5000
dbengine tier 2 page cache size MB = 384
''; '';
}; };
@ -118,7 +101,7 @@ in
mode = "0600"; mode = "0600";
text = '' text = ''
# External tools # External tools
nc="${pkgs.nmap}/bin/nc --ssl" nc="${pkgs.netcat}/bin/nc"
# IRC configuration # IRC configuration
SEND_IRC="YES" SEND_IRC="YES"
@ -132,25 +115,18 @@ in
services.oauth2_proxy = { services.oauth2_proxy = {
enable = true; enable = true;
keyFile = config.age.secrets.oauth2ProxyKeyFile.path; keyFile = config.age.secrets.oauth2ProxyKeyFile.path;
provider = "keycloak-oidc"; provider = "keycloak";
email.domains = [ "*" ]; email.domains = [ "*" ];
cookie = {
name = "_oauth2_proxy_ensrz";
domain = ".rz.ens.wtf";
};
setXauthrequest = true; setXauthrequest = true;
scope = "openid"; scope = "profile";
loginURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/auth";
redeemURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/token";
profileURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo";
validateURL = "https://auth.${my.subZone}/auth/realms/${realm}/protocol/openid-connect/userinfo";
redirectURL = "https://monitoring.${my.subZone}/oauth2/callback"; redirectURL = "https://monitoring.${my.subZone}/oauth2/callback";
reverseProxy = true; reverseProxy = true;
passHostHeader = true; passHostHeader = true;
extraConfig = {
whitelist-domain = [ ".rz.ens.wtf" ];
oidc-issuer-url = "https://auth.${my.subZone}/auth/realms/${realm}";
# insecure-oidc-allow-unverified-email = true;
show-debug-on-error = true;
};
nginx = { nginx = {
virtualHosts = [ "monitoring.${my.subZone}" ]; virtualHosts = [ "monitoring.${my.subZone}" ];
}; };
@ -163,15 +139,7 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/".proxyPass = "http://localhost:19999";
proxyPass = "http://localhost:19999";
extraConfig = ''
# For large authentication-authorization headers
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
'';
};
}; };
}; };

20
machines/core-services-01/my.nix
View file

@ -99,4 +99,24 @@ in
example = [ "10.1.0.0/22" ]; example = [ "10.1.0.0/22" ];
}; };
}; };
config = {
# Default IPv4 exit route
networking.defaultGateway = {
address = "";
interface = "ens18";
};
networking.interfaces.ens20 = {
ipv4.addresses = map mkAddress cfg.ipv4InternalFull;
};
networking.interfaces.ens19 = {
ipv6.addresses = map mkAddress (cfg.ipv6.standardFull ++ [ cfg.ipv6.acmeFull ]);
};
networking.interfaces.ens18 = {
ipv4.addresses = map mkAddress cfg.ipv4Full;
};
};
} }

4
machines/core-services-01/netboot-server.nix
View file

@ -13,8 +13,8 @@ let
# Enable sshd wich gets disabled by netboot-minimal.nix # Enable sshd wich gets disabled by netboot-minimal.nix
systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ]; systemd.services.sshd.wantedBy = mkOverride 0 [ "multi-user.target" ];
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../pubkeys/gdd.keys ./pubkeys/gdd.keys
../pubkeys/raito.keys ./pubkeys/raito.keys
]; ];
programs.mosh.enable = true; programs.mosh.enable = true;

43
machines/core-services-01/network.nix
View file

@ -1,43 +0,0 @@
{ config, ... }:
let
inherit (config) my;
in
{
networking.useNetworkd = true;
systemd.network.networks = {
"10-ens18" = {
name = "ens18";
address = my.ipv4Full;
DHCP = "ipv4";
};
"10-ens19" = {
name = "ens19";
address = with my.ipv6; standardFull ++ [ acmeFull ];
networkConfig.IPv6AcceptRA = true;
ipv6AcceptRAConfig = {
UseOnLinkPrefix = false;
UseAutonomousPrefix = false;
};
};
"10-ens20" = {
name = "ens20";
address = my.ipv4InternalFull;
DHCP = "ipv4";
dhcpV4Config.RouteMetric = 2048;
routes = [
{
routeConfig = {
Destination = "10.0.0.0/8";
};
}
];
};
};
}

0
keys/gdd.keys → machines/core-services-01/pubkeys/gdd.keys
View file

0
keys/hackens-milieu.keys → machines/core-services-01/pubkeys/hackens-milieu.keys
View file

0
keys/mrf.keys → machines/core-services-01/pubkeys/mrf.keys
View file

0
keys/raito.keys → machines/core-services-01/pubkeys/raito.keys
View file

2
machines/core-services-01/secrets/default.nix
View file

@ -5,6 +5,4 @@
age.secrets.droneKeyFile.file = ./droneKeyFile.age; age.secrets.droneKeyFile.file = ./droneKeyFile.age;
age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age; age.secrets.dexGiteaClientSecret.file = ./dexGiteaClientSecret.age;
age.secrets.matterbridge.file = ./matterbridge.age; age.secrets.matterbridge.file = ./matterbridge.age;
age.secrets.snipeItAppKey.file = ./snipeItAppKey.age;
age.secrets.snipeItOidcClientSecret.file = ./snipeItOidcClientSecret.age;
} }

BIN
machines/core-services-01/secrets/dexGiteaClientSecret.age
View file

Binary file not shown.

BIN
machines/core-services-01/secrets/droneKeyFile.age
View file

Binary file not shown.

52
machines/core-services-01/secrets/keycloakDatabasePasswordFile.age
View file

@ -1,30 +1,26 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 lHr4YQ S/Kuy8PdLoLLRDvlDDyuDaGXGb0RMBJKo9XyHK2I0Bg
VFjemRE9hOc/fEol+2OAjM6d/5QLPeeo0ytdgcwa8Zs
-> ssh-ed25519 h6AgbA ParmcGdbVHdvihrEuV+nLBLDnTwKR+zoxc/O0LdrUhA
L1kL6sr4ak1DTTaui9k6tpPJ1p86bKAoOcPwCJu7vr0
-> ssh-ed25519 Wu8JLQ hTPuIn+IogmX6U16p3EQ/9C/L+X7dZaQaBrEAdq4twM
QhnuGbpuqpFFujNlXSDUDMEGHK875Sr5hHX/q2ShkhU
-> ssh-ed25519 cvTB5g P8av9KTsR9ccIRPz0TABQF3EfeO+cyn+Od+shxeatEk
GnExLTBOicvRs7neFPL/GLxE6hqpdqNV8P4nWRbMjKU
-> ssh-ed25519 /vwQcQ WE0fxso39H7ZyYwJ8eNnmrLgf0xL5AdpHZ1mrvbiPyQ
y4GjFZuYtiGg6cY8ZTOKHbYjjFJoFI5W4IF7np/OB/8
-> ssh-ed25519 reTIKw LxM4ihcAb5u6rKqtrOUZ7/4XXoMVbf/HHhby/i9Xbn4
O8KkO/99T2lBttsADSTJE/18ljFrUjrJWhK7peehei8
-> ssh-ed25519 85WiGg +GtCSdOR7TTwu+zTvwOoRhOE0iLwB7JuFaZkP8cP+Fk
0GCjcBgOPeynvAUDmEioWPJMhZWGchKKukGGXHCBEUU
-> ssh-rsa krWCLQ -> ssh-rsa krWCLQ
2Ak0HJ0WoUuCQkjBPjRgrFQmHSBP7Lzhwp8JZ22lSDLO4OzGLuyGnmI6f+x3mhSM bSk43qTcHFgrS7AeXTzUbx5FO/1YrLuRlm58lcXpTTKcRMZWKmFbPTVNdIvkT4xt
UP4X4fz98ygYaPTKHzgs+ALgoe0ZOzIRcrBYKyAmI92iuVk8QJrGBaFsi2e/quur B6HW0OqV/Ks1pbeJUCPRdLwYHYULEC4quRGlgeToXoUQ8zCvcPT6uikpK0Hzne7e
oRaQybPXCqbGeaFhLY74RHmtbby5zzbQnw8f5DRKn3oFDYgCUMOKdTPI3vsUDd6t WI5MLdS3vvAPljlSSaPN8gb3yiPgA2IPrHjqIsMNkotGFjUQ/oIyJ8YcDsSfGE2T
dLmFCWEhGFMwI9bve7bVeu2yKMWpOIIsVgkabSy9EQ0gEUwoXkrGNpc+QqqR2qbJ Z8+TOj4ZNxPda2hX7mL2x2dJmmQW5FkOVtSpSyvwpkOqPOi6b5vZaWu/GtXzGEhD
qaLok3zO+giVKrzl6+/Z/tzHQ66mUTIZAD7HmRFMqBRBqo2heCtviGyu7NPXhb/T SD6SALiqmWkCHb8n588XDqKj8Lj/741R24f8IM8qW9cBz4QClh3Bnrl4gendsUCp
vTVzgL7fsrkaYd59O7BCSg PkQPjniidi/aF6sHhfrSNg
-> ssh-ed25519 85WiGg UgubbGKRmcFV5N/Vyo/HEBtGG0GOvZS5dSDnYoWzeSk -> |#4-grease y%'e^I RB nBNinf \dob
N2CZ/ZJJLRTdwBDCVNrXGp8ic0T7ZHx+DfPcXLeEvXQ L2HkuH7S3KtuQN9AWLBL99nJPxVw
-> ssh-ed25519 reTIKw zl6eZh6NG2Y21AElt+Ag7gzDmtzXP0h1RjhVzaiHUg0 --- +QOdyAz8FR0RecYvvkzxv2IzJ9yt89/xePALK3l7sjs
PJU/i8Za/JwrCLXcH0vtG8CDxv3MDHCzEYiNIhperC4 ¥&,ÙN—pJ<70>î~ê ƅߘ*,؆5:i W}Žÿm"„Q¦-FJm
-> ssh-ed25519 /vwQcQ RS4rv5dnajCSAdcFj96HOcMBHySk5yBrmepNdlOcsWg
M+dCeQCP3rl4oT8IrkParBnaaTfUNbWpgvbLou/qSp0
-> ssh-ed25519 cvTB5g ZR5ayyiP10Dec6Tg2HYcl5q0dkLSvOgRxeeVxC1Plj8
aiY/6wY4rmB75NRzcbFPKu7nTLKZhgqOuqAZm+9UnTs
-> ssh-ed25519 Wu8JLQ 4nFItVARcWbkkuyaUcgdesLSOmiomY0Ht2LxXX1/L0A
dK2/4X6OFbn4Y3gVK5zKRV3KySiCHzGnGewhZmqETrE
-> ssh-ed25519 vXYJfA k1ANIqwNaMjipiCobpBWMlhbCyudoy7vpuajDK7mLiQ
uudD1Bk1+EWmL3o7VH6YSbv1WRCw6tsDV0HoQ/zwXwg
-> ssh-ed25519 h6AgbA EvhvmT6dx3HAqioaFvT5u94cTk8okjhGgzyxXZF8LyE
R/xTeW/rJEl50kG8e0n3NOGpX9XI13Ftq7ULYNHVaCM
-> ssh-ed25519 lHr4YQ WyG8hEoGZuNvroTdmC8RST7l/Tu7UUXgeG3AfLA0p2o
qk7YeUkrOsRbqnYXFXZAkiOaW6rvKnSaZGSiBw30b5E
-> V9T>@4JS-grease @h!7BAa9
nPtMdfgbktgg20WlJBrQlhTDMI8/i31JEDnZjF4u7RidDSJ5lxzH8zI+411CQ+K5
exQ
--- YY6c8/qxiWxaK31KW+3QP6240bmnDJZ9EXrG7dnyJcE
NÝÖ|JýÎ
Z·ù…ZŠÔ6ÿÝ#kyHš—ô;ú<>Í ì

BIN
machines/core-services-01/secrets/matterbridge.age
View file

Binary file not shown.

50
machines/core-services-01/secrets/oauth2ProxyKeyFile.age
View file

@ -1,28 +1,26 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 lHr4YQ f3xLHRyIx6oPATsv5yBq+pWpDkwJ2xt3axevMNjIUgA
RK2bLPZ1dwDExqbQ1Mft2Z9xGHpxSTDuTv0AgplnFzw
-> ssh-ed25519 h6AgbA fPy5Lv6ZcYB9xDyeHNTueRKTvvC6OyCrkHzF85dmhh8
VzMkn6iaC+gwDXkaCzh7ILTdWMBqUYvYmrQPbiB+82k
-> ssh-ed25519 Wu8JLQ BSn5p0Wuv8CuiHJ6AdLuBLOst/2/mK1fs+zmgYao6kg
m/NfBqLzcyTad8UbiDSMI3EmcHWccpgV/wRKKeSO6bQ
-> ssh-ed25519 cvTB5g GP3EP+t8uJFKGAKBwwO7CmXa3JGTFePTANSINPdQuAA
DoGUKpuZTQ36hM4B7eqwbfGGKM+pxsYtoL5UjEeVdD0
-> ssh-ed25519 /vwQcQ K8J9qbUjPPhuYZ4/2rGZWX4Fb60WZACwmFPGXUT9Yjw
N6lTZVDVxTfZTSagaOi4dbVzylljwGWAd06GbeVloRY
-> ssh-ed25519 reTIKw +7n56fmzzYOkArtH0Zeh26zHlE/lWz1gqyoCZEMMRDA
E6/dLGVaryFfqf+7DmwKghtGmtUUGpMFFwaZc3OvJ/c
-> ssh-ed25519 85WiGg aHBishjeSTuv/TYVcZQzALC8DHPbYHf9dj+igMnkkn4
HwmPoIqV3Y/34Azf892K9nGJ1hh2KWAh3IzLiGVKeOs
-> ssh-rsa krWCLQ -> ssh-rsa krWCLQ
U2lxIvw7gRCjMGutUFyq+qGiCIFlbsPdbfzqy7b27d17aSjXds3WwMPUQajHMGXl A2IHEB1lR/eHwOM1adPnvYZUmJ9Gf8ADZvOpzHmxVC54VP5EZLnzpcdzIKlM4qOe
tmM/gDCOV8aY+EkM8nQIKdSGNZPwWHlqFyBpH7b18xTT+sWLBZnKcQqVzdF5n1yH vYs7PdGJ56iGd3JS2khyc5oCc/NEYu85i4eyK8Y8JMqSFyYVNpH5rVY1IuHhIwW4
s6LjbcstDiCy3h20hfOjoi+qvK8AGbWnLueDI4g/BWCLBUmAC6zPX04GFAstzg8e biLSvPhKejtcjGkJZGebm2yA3TuhS5peZRUBh2v0sf+PjblsULrpupSRYAs1IndZ
b8wcTCsaeVJkEVvI9caJsFpoxKttbjWUOb2jOzquyi1vIc50vWBNLlulzf0Cd523 1/Brrub4BfFihZh/uCN1iq+lWxUG5K1AR4UhrX7s/qq21sIP+hlhsTzwj5WoeSPV
niyjvtEyVRmHjTqs2D97DLuKEE0U8x1ecI7FUwyDQWFj4RmmoKm7TOvGva+alol/ rrYzi7E1v8nP6YsP965PjNFq5yJYKRZdw/QosmElRF4Ar3PP+fROFLfA45LmQpLh
mclOlWBaMuji0SWwR4GQyQ z2P/QZKQ7BaANqtz1ryIZQ
-> ssh-ed25519 85WiGg oTAqEjy2kEYw0EEDFzmv3EYWY3gKNDGsWbztSN6DG3o -> :N*xgmZ-grease S 6b.gme t1.-?(l6
+Q5hzzJVgdtFiNtbC37n9tZsNK+onqp4P0myPLpGU0g JJi5KPF7Y07dJexK5CNlZVeYnM+DaRUqYjChAQO041COvkfVF1CvwLTYZAsZbw
-> ssh-ed25519 reTIKw SOCoiYn2OZ0WbtgQFsJE6m5lbeat36SVF8Om6NHha1I --- RKQ3nSQxdSjoVBEtg4TrEL30ooOTpyZAXT5TcOM4qWE
BLsO5DrNci2ShXI3wBb6u6Advjc7sOCXEBd6mSawkEs zƦ6®JRURâhòé/ &©5ßcKGˆ•%¢”ö¶hñp£I;á—ƒÆü.ñÓÔÆNQ”q"hÙq|†¡7n¨C9Íâ´2/Ó"ɳ…ËÏÀ&uKŸÊªñm€CBùÈ-åYÜÌ«jTkk ‡K±íÈÛ‹]}´Ë¤iÞƒF}ÙŸÞ- §©·82N}ÈœÒé¢(Ÿ—ëJÍAÈ×Ýd_ŠHÑi0Tò"Ë8±}QÏ$Šæç
-> ssh-ed25519 /vwQcQ zXWEMSbRm2mI4KoMj2tbqP26LTAcxeyLUv5b/UzTaiY
HMOyH5OV0XmQsLOtzIsHf3UFYKUoEswt1a6JOu/gl8w
-> ssh-ed25519 cvTB5g 1HPXsPtGaCCHPHEXQKVNLRGXb28S3hXUAyT26No80gE
NwPkRoRdd2juOWHyJV2aNwVQzGvwpf29mKtcyKSUHKc
-> ssh-ed25519 Wu8JLQ tio1Sb9rHwAvoDRH783Ts9S+mS2MWnsqw/L4/To1lgc
Tfx0a/UKGiiMsp8rkhbaLpsS4JJIgMeWCDRZ1CxWSHc
-> ssh-ed25519 vXYJfA GnXJG4bbDQxls3yLVd22CHmrrkAZYQNbXcpr0iH/8HY
uyr6VTHwfU7FjA29IJM9EP37K+QyiWIrG6CUpWyi4o0
-> ssh-ed25519 h6AgbA p/FApRwDrQNMdSPYV2U+CyGqdYZG+enC/TJ+Ht5RtCE
T6e2S9gZVi24ayGzKGHL19Ezv//f/0+BUAnkCf6g8No
-> ssh-ed25519 lHr4YQ JQXWGrVi8YLfI0DWfdyuxKPGVa+SvHIm95YGzsyvdho
yvQpw/1GuVOqBBFwflDXvcIhuw0ABqqwByJH/VPRICg
-> J9VGuOkA-grease
--- aKOWgh7PjxocWWeImr1UYJhhFMlzDJXvP+Jfbrl3Zzc
7T0。<EFBFBD>Hョ48<EFBFBD>ntjlァ<EFBFBD>}Jィウロ_<EFBE9B>霸Mw%<25><><1D>=サ<>ナ[+nbeH`ム惣Me\ァ<>U7德モオL截 フヤ2スヨo]靃c、蓄榕ァ2テC5Mツトy<EFBE84>オクオミbi6咄卆2~<7E>裴シ<08>:<>BFh1Bク'lmト`冉イ<E58689>Kvsy%コテ<EFBDBA>!ャ2~$\<5C>^<5E>

6
machines/core-services-01/secrets/secrets.nix
View file

@ -1,8 +1,8 @@
let let
pkgs = import <nixpkgs> {}; pkgs = import <nixpkgs> {};
lib = pkgs.lib; lib = pkgs.lib;
readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht") ++ (readPubkeys "mrf"); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "mrf");
core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU"; core-services-01 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILrnZxP4OUGDzd1uykMghzFNLH0Fg42hH+0qxif6O6oU";
systems = [ core-services-01 ]; systems = [ core-services-01 ];
in in
@ -12,7 +12,5 @@ in
"droneKeyFile.age".publicKeys = superadmins ++ systems; "droneKeyFile.age".publicKeys = superadmins ++ systems;
"dexGiteaClientSecret.age".publicKeys = superadmins ++ systems; "dexGiteaClientSecret.age".publicKeys = superadmins ++ systems;
"matterbridge.age".publicKeys = superadmins ++ systems; "matterbridge.age".publicKeys = superadmins ++ systems;
"snipeItAppKey.age".publicKeys = superadmins ++ systems;
"snipeItOidcClientSecret.age".publicKeys = superadmins ++ systems;
} }

28
machines/core-services-01/secrets/snipeItAppKey.age
View file

@ -1,28 +0,0 @@
age-encryption.org/v1
-> ssh-rsa krWCLQ
gBB9yfHVs4Zgm30rbXOkQNZjOuQVFt9Mos4gBoM09M2psLLxWzsoQopWVcvbV+sY
oZAThV5F2E+RbOP2e9+o5P+rxCcJa8aAXovtmH2BZvr87jNi8tebH1l0Gjn0I85C
B+vv2/m1KCzisCR3p6yaqBiqyETacWRCuILVxKbpnKfVX5ymb//9U0tRbz3BIFH1
i3bAD8j8H4V/5SC5RmYwVeBhdGqEaNX0Qehh8AhDkxoqMT3Xeie93eIK6tyAZuyO
oQezqkUmozq+uvo6PHZvY/auTYb17QTY0s0xf30NnQoqwtVXnyu6xPx+qlj+M99Q
Y/s8SFF+STLrAgK9MN0i8Q
-> ssh-ed25519 85WiGg zkLuTpJaBr8T0XjuC9i9NTxYUPhix9nLlShohTtgmyA
QwdgD0ihIpJF8D54x2Lg+6CE2yV9nLBZ1oOf/iwUKi4
-> ssh-ed25519 reTIKw wB2xC902eZiPXXU9n+oQSocx6J9h5IK0jU4GqmB1XUI
awLSPDqOAOM2g7Wrg6uCMeDRVljl2cdZ40gHDON4DCU
-> ssh-ed25519 /vwQcQ adFZcuzNWIhLFDhF+FjfnMGTpijt4IKO266M8xpZTHs
WR3ig0R6ZgtYLxhN7bm5SNJ3klYvEkMlLeuC/GBxi0U
-> ssh-ed25519 cvTB5g 8Gl7qbc7VZvkjjHesgfgdvtsCntNCxyUU3hwXMaIJUA
uEJwhJJa87+EjpTE/+3jPnNtgFTHNZkah78URULI1nM
-> ssh-ed25519 Wu8JLQ buWP/UWAYd7nAAdIqJjkKq2q3Kcj/TtTm9MacGkoMh4
g9ngALRdWC96t7FLES79gKQNK34WbKHqdw4OCryGx74
-> ssh-ed25519 vXYJfA KT8pRDwADkV4ySKY6HejWKp57aQUWpor7x67x1Sc3wM
th+47fUL5KOak1tEeHslVg9KSxw5DPIO6T/UtfEK6kY
-> ssh-ed25519 h6AgbA 8kWKdngdG4RbvQHnkHpygz1fhzMXpGafXltQNa64mAU
hZZTmthndfMdMZiaW0bLxfiySzFgnKmd6t4u1PxLG9s
-> ssh-ed25519 lHr4YQ JBCRJtCaEH/Dp2em66/ckqFva6JpyeUAHJidVysAsmw
SGyzp26GIo+D4VQdzJZEBUZYvAhc/SZy6rdd6HXOawY
-> 1-grease
niVrY0FwL41sfeE9fB6hg+z0LWMXwce194f+IIL/F8JMIfTnFB0CRAn1OGQ
--- pMIf8bANx+QsRTqnWxPmnJm6DVMmJBEO+emeOdLeeec
.Aîç±z¢JQ[å)s!´ö´­2m õ¤<bÛ\yÝ^7"J¢k<C2A2>Æ_Õ<½Œéoñ¿{ÿ÷»e­¢ïø© Û8×:˜O%

30
machines/core-services-01/secrets/snipeItOidcClientSecret.age
View file

@ -1,30 +0,0 @@
age-encryption.org/v1
-> ssh-rsa krWCLQ
LCJxUzS4Be2QQABzubSP5M9Ridg3Srytbb6+SLITgnRqb0fT5XkG7z4ae2lLMVxT
zJxrZX1crlg/nyibZychMwZDqNofGGKX/zSKyF6u42hqjAtaDneg6jB/T690sSpD
LcuTHUcPLw53bww4amLU5FmFcnGWMHTjmXj6oQ5lks3t3KO9izA+gDJO5kFIYgQa
Z0kMrlH21m2TdyGW7Er72qAlT0euwCKlWGGc1NAaSWyu/2gimTHJ4p+KCOpi1D7/
cIxMEtXHUoS/vtINi1lZypETVZf9C3xfqZGCnu1xTpFcF8pBLskI/Uz4cxQGLAk3
xd5fKuNVBnLc0Ku+oFR3zA
-> ssh-ed25519 85WiGg N5HOphuKLUksJTA29E/KHZAdyvTelqq0Lai3KtsGNi0
6PilN36eZH8KYzQwqeLPX3wuiW4THuFef+ttoJh0BUo
-> ssh-ed25519 reTIKw epotGRShr91lRc2IKDkgfaDd4EhkDtF1jayFv/YW5nE
mMFKyzH1q8ZsUXfLnqFfHT88iz/i4WXVVuWqe3z9vx4
-> ssh-ed25519 /vwQcQ DvVlWcbAA/xPTgDtpMmSyC2wxrnOM4H/dC1Vhh5Rmhg
JCq1yS057vqOFKZL11YhC4/rxYIRGAUI0y97Uch4tS4
-> ssh-ed25519 cvTB5g EQ/YM5UYYp3+fS+6u+CwZxUn8Sm8vdqj5xHQf0U0MGc
mVhpObNYWSrAlh8kfADzGnhOw9O2r07v2RJH7DZhFkg
-> ssh-ed25519 Wu8JLQ k91dq2XwhgvE2Y75KAJWzFlPLXv+8+kTvH7sELmsViw
gpnxsNgbeuCYBYUt8j3mGm10rOGAoN9NDYVbObE2zXc
-> ssh-ed25519 vXYJfA fOpqzkovWF/hLUrsjrDwFUsKG3Pa7LQQ2QTiYWT4Ux0
AM1EdbC+Sg37PZzXf6vsmeXSMMjXRVQT3mq000cmPw8
-> ssh-ed25519 h6AgbA LWhZtBUJXu15GEIwSyKraXkaO8CO7/TuLSxsnbagQTk
1/It/vtykYe2NzG4r2J53yW+ZS2rgtUVNv8hlWYQnwY
-> ssh-ed25519 lHr4YQ zEMhvSZsUOiM+XEpuTljfKE1MqyxqxuL0yuKTj6E1Vc
J/pYqeaTK9NLIhSKeB0CFSFNLkVeV2C5enKVIRy5+Po
-> #Oj-grease fdq ltL1r ohAHn[aU QF%DKt
G2xXhW58AunOBXwtl1mD/DqdsHRoyjMvVl310MPWNFSSmLhG/UG7pQf3GUNsfThQ
lCvckvUfcYRen/hrEFhtyg
--- zwJ1Ma9A8rDbUQLAFpDNLs+2Iv6RQvEGlDFj9HVDRRg
;>qg4ü*¬ÄbŽˆ~G+x8ÃÞü
Œ,¦5õç!ãŠöž•ê4ñŸÀ¼:Ö<C396>\­g¬Ê‡î<E280A1>ßÐo

34
machines/core-services-01/snipe-it.nix
View file

@ -1,34 +0,0 @@
{ pkgs, config, ... }:
{
age.secrets.snipeItAppKey = {
owner = config.services.snipe-it.user;
group = config.services.snipe-it.group;
};
age.secrets.snipeItOidcClientSecret = {
owner = config.services.snipe-it.user;
group = config.services.snipe-it.group;
};
services.snipe-it = {
enable = true;
hostName = "inventory.rz.ens.wtf";
database.createLocally = true;
appKeyFile = config.age.secrets.snipeItAppKey.path;
nginx = {
enableACME = true;
forceSSL = true;
};
config = {
AUTH_METHOD = "oidc";
OIDC_NAME = "Keycloak";
OIDC_DISPLAY_NAME_CLAIMS = "name";
OIDC_CLIENT_ID = "snipe-it";
OIDC_CLIENT_SECRET = { _secret = config.age.secrets.snipeItOidcClientSecret.path; };
OIDC_ISSUER = "https://auth.rz.ens.wtf/auth/realms/ClubReseau";
OIDC_ISSUER_DISCOVER = true;
};
};
}

45
machines/core-services-01/subZone.nix
View file

@ -3,16 +3,15 @@
with dns.lib.combinators; with dns.lib.combinators;
let let
my = config.my; my = config.my;
web01 = {
CNAME = ["web01.dmi01.infra.dgnum.eu."];
};
public-cof-ips = { public-cof-ips = {
A = [ "45.13.104.27" ]; A = [ "45.13.104.27" ];
AAAA = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ]; AAAA = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5" ];
}; };
delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; }; delegateACMEDNSChallenge = acme: { _acme-challenge.CNAME = [ acme ]; };
mkProxyRecord = AAAA: { inherit AAAA; A = [ "45.13.104.29" ]; }; remoteBuilders = {
nix01 = [ "2001:470:1f13:187:1e07:c670:3958:f8f1" ];
};
dualstack = { dualstack = {
A = my.ipv4; A = my.ipv4;
AAAA = my.ipv6.standard; AAAA = my.ipv6.standard;
@ -22,7 +21,7 @@ dualstack // {
SOA = { SOA = {
nameServer = "ns1.${my.subZone}."; nameServer = "ns1.${my.subZone}.";
adminEmail = my.email; adminEmail = my.email;
serial = 2023122101; # Y M D Version serial = 2021111400; # Y M D Version
}; };
NS = [ NS = [
@ -32,21 +31,17 @@ dualstack // {
CAA = letsEncrypt my.email; CAA = letsEncrypt my.email;
subdomains = { subdomains = {
git = web01; git = dualstack;
drone = dualstack; drone = dualstack;
wiki = dualstack;
monitoring = dualstack; monitoring = dualstack;
auth = dualstack; auth = dualstack;
push = dualstack; push = dualstack;
tailscale = dualstack;
core01 = dualstack; core01 = dualstack;
ns1 = dualstack; ns1 = dualstack;
# Non-beta service builders.subdomains = lib.mapAttrs (n: AAAA: { inherit AAAA; }) remoteBuilders;
# Outline
notion = web01;
# S3 API
s3 = web01;
# CDN API
cdn = web01;
gdd = { gdd = {
NS = [ "ns1.gdd.${my.subZone}." ]; NS = [ "ns1.gdd.${my.subZone}." ];
@ -62,22 +57,19 @@ dualstack // {
beta = public-cof-ips // { beta = public-cof-ips // {
subdomains = { subdomains = {
traque = mkProxyRecord [ "2001:470:1f13:187:f053:94ff:fe46:9664" ]; nuage = public-cof-ips;
nuage = web01; minecraft = public-cof-ips;
todo = web01; factorio = public-cof-ips;
minecraft = web01; home = public-cof-ips;
factorio = web01; pads = public-cof-ips // {
home = web01;
pads = web01 // {
subdomains = { subdomains = {
api = web01; api = public-cof-ips;
files = web01; files = public-cof-ips;
sandbox = web01; sandbox = public-cof-ips;
}; };
}; };
docs = web01; docs = public-cof-ips;
jurisprudens = web01; jurisprudens = public-cof-ips;
rstudio = web01;
}; };
}; };
@ -86,7 +78,6 @@ dualstack // {
# Routers # Routers
router01.A = [ "10.1.1.1" ]; router01.A = [ "10.1.1.1" ];
router02.A = [ "10.1.1.1" ]; router02.A = [ "10.1.1.1" ];
router03.A = [ "10.1.1.120" ];
# Hypervisors # Hypervisors
pve01 = { pve01 = {

2
machines/core-services-01/system.nix
View file

@ -8,7 +8,7 @@
# Auto GC and store optimizations # Auto GC and store optimizations
nix = { nix = {
settings.trusted-users = [ "root" "gab" ]; trustedUsers = [ "root" "gab" ];
gc = { gc = {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";

19
machines/core-services-01/tunnels.nix
View file

@ -1,19 +0,0 @@
{ ... }: {
networking.wireguard.interfaces.wgalpha = {
privateKeyFile = "/etc/secrets/wireguard/wgalpha";
listenPort = 9999;
ips = [
"fdee:a536:13fa:53ab::2/128"
];
peers = [
{
publicKey = "yAdQRTHn9Yko2r24j8tlxWBz0nYzHRxryPFq8t44Xw4=";
allowedIPs = [ "fdee:a536:13fa:53ab::1/128" ];
}
];
};
networking.firewall.allowedUDPPorts = [ 9999 ];
}

1
machines/pubkeys/hubrecht.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl

1
machines/pubkeys/remote-builders.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key

1
machines/pubkeys/sinavir.keys
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o

2
machines/public-cof/acme.nix
View file

@ -1,5 +1,5 @@
{ ... }: { ... }:
{ {
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "club-reseau@lists.ens.psl.eu"; security.acme.email = "club-reseau@lists.ens.psl.eu";
} }

16
machines/public-cof/_configuration.nix → machines/public-cof/configuration.nix
View file

@ -3,32 +3,26 @@
{ {
imports = imports =
[ [
./hardware-configuration.nix
./programs.nix ./programs.nix
./system.nix ./system.nix
./acme.nix ./acme.nix
./networking.nix ./networking.nix
./monitoring.nix ./monitoring.nix
./garage.nix
./nextcloud.nix ./nextcloud.nix
./outline.nix
./lychee.nix
./minecraft.nix ./minecraft.nix
# ./rstudio-server
./nur.nix ./nur.nix
# ./factorio.nix # TODO # ./factorio.nix # TODO
./nginx.nix ./nginx.nix
# ./cryptpad.nix # ./cryptpad.nix
./hedgedoc.nix ./hedgedoc.nix
# ./kanboard.nix
./secrets ./secrets
./v6proxy
# TODO monitoring # TODO monitoring
]; ];
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server" "minecraft-server"
"factorio-headless" "factorio-headless"
"outline"
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@ -48,5 +42,13 @@
enableSSHSupport = true; enableSSHSupport = true;
}; };
# Enable the OpenSSH daemon.
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keyFiles = [
./pubkeys/gdd.keys
./pubkeys/raito.keys
./pubkeys/mrf.keys
];
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} }

47
machines/public-cof/garage.nix
View file

@ -1,47 +0,0 @@
{ pkgs, ... }:
{
security.acme.certs."cdn.rz.ens.wtf" = {
dnsProvider = "acme-dns";
credentialsFile = pkgs.writeText "acme-dns-env" ''
ACME_DNS_API_BASE=https://acme.rz.ens.wtf
ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json
'';
extraDomainNames = [ "*.cdn.rz.ens.wtf" ];
group = "nginx";
};
services.nginx.virtualHosts."s3.rz.ens.wtf" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://[::1]:3900";
};
services.nginx.virtualHosts."cdn.rz.ens.wtf" = {
serverAliases = [ "*.cdn.rz.ens.wtf" ];
useACMEHost = "cdn.rz.ens.wtf";
forceSSL = true;
locations."/".proxyPass = "http://[::1]:3902";
};
services.garage = {
enable = true;
package = pkgs.garage_0_8;
settings = {
replication_mode = "none";
compression_level = 7;
rpc_bind_addr = "10.1.1.21:3901";
rpc_public_addr = "10.1.1.21:3901";
rpc_secret = "76c2746530a4a27d188530a6bbf6c4613ccb8d8f129863d8c21462b84d5b998f";
s3_api = {
s3_region = "ens";
api_bind_addr = "[::]:3900";
root_domain = ".s3.rz.ens.wtf";
};
s3_web = {
bind_addr = "[::]:3902";
root_domain = ".cdn.rz.ens.wtf";
index = "index.html";
};
};
};
}

0
machines/public-cof/_hardware-configuration.nix → machines/public-cof/hardware-configuration.nix
View file

8
machines/public-cof/hedgedoc.nix
View file

@ -5,11 +5,11 @@ in
{ {
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
settings = { configuration = {
protocolUseSSL = true; protocolUseSSL = true;
# scp =; # TODO # scp =; # TODO
domain = "docs.beta.rz.ens.wtf"; domain = "docs.beta.rz.ens.wtf";
host = "127.0.0.1"; host = "localhost";
port = port; port = port;
db = { db = {
dialect = "sqlite"; dialect = "sqlite";
@ -25,11 +25,13 @@ in
enableACME = true; enableACME = true;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [ 433 80 ];
} }

281
machines/public-cof/kanboard-config.php
View file

@ -1,281 +0,0 @@
<?php
/*******************************************************************/
/* Rename this file to config.php if you want to change the values */
/* */
/* Make sure all paths are absolute by using __DIR__ where needed */
/*******************************************************************/
// Require the secret file
require('@secretsPath@');
// Data folder (must be writeable by the web server user and absolute)
define('DATA_DIR', '/var/lib/kanboard/data');
// Enable/Disable debug
define('DEBUG', false);
// Available log drivers: syslog, stderr, stdout, system or file
define('LOG_DRIVER', 'file');
// Log filename if the log driver is "file"
define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');
// Plugins directory
define('PLUGINS_DIR', '@pluginsDirectory@');
// Plugins directory URL
define('PLUGIN_API_URL', 'https://kanboard.org/plugins.json');
// Enable/Disable plugin installer (Disabled by default for security reasons)
// There is no code review or any approval process to submit a plugin.
// This is up to the Kanboard instance owner to validate if a plugin is legit.
define('PLUGIN_INSTALLER', false);
// Available cache drivers are "file" and "memory"
define('CACHE_DRIVER', 'memory');
// Cache folder to use if cache driver is "file" (must be writeable by the web server user)
define('CACHE_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'cache');
// Folder for uploaded files (must be writeable by the web server user)
define('FILES_DIR', DATA_DIR.DIRECTORY_SEPARATOR.'files');
// Enable/disable email configuration from the user interface
define('MAIL_CONFIGURATION', true);
// E-mail address used for the "From" header (notifications)
define('MAIL_FROM', 'todo@dgnum.eu');
// E-mail address used for the "Bcc" header to send a copy of all notifications
define('MAIL_BCC', '');
// Mail transport available: "smtp", "sendmail", "mail" (PHP mail function), "postmark", "mailgun", "sendgrid"
define('MAIL_TRANSPORT', 'smtp');
// SMTP configuration to use when the "smtp" transport is chosen
define('MAIL_SMTP_HOSTNAME', 'kurisu.lahfa.xyz');
define('MAIL_SMTP_PORT', 587);
define('MAIL_SMTP_USERNAME', 'todo@dgnum.eu');
define('MAIL_SMTP_HELO_NAME', null); // valid: null (default), or FQDN
define('MAIL_SMTP_ENCRYPTION', "tls"); // Valid values are null (not a string "null"), "ssl" or "tls"
// Sendmail command to use when the transport is "sendmail"
define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs');
// Run automatically database migrations
// If set to false, you will have to run manually the SQL migrations from the CLI during the next Kanboard upgrade
// Do not run the migrations from multiple processes at the same time (example: web page + background worker)
define('DB_RUN_MIGRATIONS', true);
// Database driver: sqlite, mysql or postgres (sqlite by default)
define('DB_DRIVER', 'sqlite');
// Mysql/Postgres username
define('DB_USERNAME', 'root');
// Mysql/Postgres password
define('DB_PASSWORD', '');
// Mysql/Postgres hostname
define('DB_HOSTNAME', 'localhost');
// Mysql/Postgres database name
define('DB_NAME', 'kanboard');
// Mysql/Postgres custom port (null = default port)
define('DB_PORT', null);
// Mysql SSL key
define('DB_SSL_KEY', null);
// Mysql SSL certificate
define('DB_SSL_CERT', null);
// Mysql SSL CA
define('DB_SSL_CA', null);
// Mysql SSL server verification, set to false if you don't want the Mysql driver to validate the certificate CN
define('DB_VERIFY_SERVER_CERT', null);
// Timeout value for PDO attribute
define('DB_TIMEOUT', null);
// Enable LDAP authentication (false by default)
define('LDAP_AUTH', false);
// LDAP server protocol, hostname and port URL (ldap[s]://hostname:port)
define('LDAP_SERVER', '');
// By default, require certificate to be verified for ldaps:// style URL. Set to false to skip the verification
define('LDAP_SSL_VERIFY', true);
// Enable LDAP START_TLS
define('LDAP_START_TLS', false);
// By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
// Set to true if you want to preserve the case
define('LDAP_USERNAME_CASE_SENSITIVE', false);
// LDAP bind type: "anonymous", "user" or "proxy"
define('LDAP_BIND_TYPE', 'anonymous');
// LDAP username to use with proxy mode
// LDAP username pattern to use with user mode
define('LDAP_USERNAME', null);
// LDAP password to use for proxy mode
define('LDAP_PASSWORD', null);
// LDAP DN for users
// Example for ActiveDirectory: CN=Users,DC=kanboard,DC=local
// Example for OpenLDAP: ou=People,dc=example,dc=com
define('LDAP_USER_BASE_DN', '');
// LDAP pattern to use when searching for a user account
// Example for ActiveDirectory: '(&(objectClass=user)(sAMAccountName=%s))'
// Example for OpenLDAP: 'uid=%s'
define('LDAP_USER_FILTER', '');
// LDAP attribute for username
// Example for ActiveDirectory: 'sAMAccountName'
// Example for OpenLDAP: 'uid'
define('LDAP_USER_ATTRIBUTE_USERNAME', 'uid');
// LDAP attribute for user full name
// Example for ActiveDirectory: 'displayname'
// Example for OpenLDAP: 'cn'
define('LDAP_USER_ATTRIBUTE_FULLNAME', 'cn');
// LDAP attribute for user email
define('LDAP_USER_ATTRIBUTE_EMAIL', 'mail');
// LDAP attribute to find groups in user profile
define('LDAP_USER_ATTRIBUTE_GROUPS', 'memberof');
// LDAP attribute for user avatar image: thumbnailPhoto or jpegPhoto
define('LDAP_USER_ATTRIBUTE_PHOTO', '');
// LDAP attribute for user language, example: 'preferredlanguage'
// Put an empty string to disable language sync
define('LDAP_USER_ATTRIBUTE_LANGUAGE', '');
// Automatically create a user profile when a user authenticates via LDAP.
// If set to false, only LDAP users can log in for whom a Kanboard profile already exists.
define('LDAP_USER_CREATION', true);
// Set new user as Manager
define('LDAP_USER_DEFAULT_ROLE_MANAGER', false);
// LDAP DN for administrators
// Example: CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local
define('LDAP_GROUP_ADMIN_DN', '');
// LDAP DN for managers
// Example: CN=Kanboard Managers,CN=Users,DC=kanboard,DC=local
define('LDAP_GROUP_MANAGER_DN', '');
// Enable LDAP group provider for project permissions
// The end-user will be able to browse LDAP groups from the user interface and allow access to specified projects
define('LDAP_GROUP_PROVIDER', false);
// LDAP Base DN for groups
define('LDAP_GROUP_BASE_DN', '');
// LDAP group filter
// Example for ActiveDirectory: (&(objectClass=group)(sAMAccountName=%s*))
define('LDAP_GROUP_FILTER', '');
// LDAP user group filter
// If this filter is configured, Kanboard will search user groups in LDAP_GROUP_BASE_DN with this filter
// Example for OpenLDAP: (&(objectClass=posixGroup)(memberUid=%s))
define('LDAP_GROUP_USER_FILTER', '');
// LDAP attribute for the user in the group filter
// 'username' or 'dn'
define('LDAP_GROUP_USER_ATTRIBUTE', 'username');
// LDAP attribute for the group name
define('LDAP_GROUP_ATTRIBUTE_NAME', 'cn');
// Enable/Disable groups synchronization when external authentication is used.
define('LDAP_GROUP_SYNC', false);
// Enable/disable the reverse proxy authentication
define('REVERSE_PROXY_AUTH', false);
// Header name to use for the username
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
// Username of the admin, by default blank
define('REVERSE_PROXY_DEFAULT_ADMIN', '');
// Header name to use for the username
define('REVERSE_PROXY_EMAIL_HEADER', 'REMOTE_EMAIL');
// Default domain to use for setting the email address
define('REVERSE_PROXY_DEFAULT_DOMAIN', '');
// Enable/disable remember me authentication
define('REMEMBER_ME_AUTH', true);
// Enable or disable "Strict-Transport-Security" HTTP header
define('ENABLE_HSTS', true);
// Enable or disable "X-Frame-Options: DENY" HTTP header
define('ENABLE_XFRAME', true);
// Escape html inside markdown text
define('MARKDOWN_ESCAPE_HTML', true);
// API alternative authentication header, the default is HTTP Basic Authentication defined in RFC2617
define('API_AUTHENTICATION_HEADER', '');
// Enable/disable url rewrite
define('ENABLE_URL_REWRITE', false);
// Hide login form, useful if all your users use Google/Github/ReverseProxy authentication
define('HIDE_LOGIN_FORM', false);
// Disabling logout (useful for external SSO authentication)
define('DISABLE_LOGOUT', false);
// Enable captcha after 3 authentication failure
define('BRUTEFORCE_CAPTCHA', 3);
// Lock the account after 6 authentication failure
define('BRUTEFORCE_LOCKDOWN', 6);
// Lock account duration in minute
define('BRUTEFORCE_LOCKDOWN_DURATION', 15);
// Session duration in second (0 = until the browser is closed)
// See http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
define('SESSION_DURATION', 0);
// Session handler: db or php
define('SESSION_HANDLER', 'db');
// HTTP client proxy
define('HTTP_PROXY_HOSTNAME', '');
define('HTTP_PROXY_PORT', '3128');
define('HTTP_PROXY_USERNAME', '');
define('HTTP_PROXY_PASSWORD', '');
define('HTTP_PROXY_EXCLUDE', 'localhost');
// Set to false to allow self-signed certificates
define('HTTP_VERIFY_SSL_CERTIFICATE', true);
// TOTP (2FA) issuer name
define('TOTP_ISSUER', 'Kanboard (DGNum)');
// Comma separated list of fields to not synchronize when using external authentication providers
define('EXTERNAL_AUTH_EXCLUDE_FIELDS', 'username');
// Enable or disable displaying group-memberships in userlist (true by default)
define('SHOW_GROUP_MEMBERSHIPS_IN_USERLIST', true);
// Limit number of groups to display in userlist (The full list of group-memberships is always shown, ...
// ... when hovering the mouse over the group-icon of a given user!)
// If set to 0 ALL group-memberships will be listed (7 by default)
define('SHOW_GROUP_MEMBERSHIPS_IN_USERLIST_WITH_LIMIT', 7);

85
machines/public-cof/kanboard.nix
View file

@ -1,85 +0,0 @@
{ pkgs, lib, config, ... }:
let
mkKanboardPlugin = { name, url, hash ? null }: pkgs.fetchzip {
inherit name url;
sha256 = if hash == null then lib.fakeHash else hash;
};
plugins = map mkKanboardPlugin [
{ name = "Milestone"; url = "https://github.com/oliviermaridat/kanboard-milestone-plugin/releases/download/1.1.2/Milestone-1.1.2.zip"; hash = "sha256-NrkMvk/5NdVokKQTYoZajdNEt5athjEzXVgrSHBdQ4w="; }
{ name = "MarkdownPlus"; url = "https://github.com/creecros/MarkdownPlus/releases/download/1.1.0/MarkdownPlus-1.1.0.zip"; hash = "sha256-BMzEaj47NnLvatEgUbKeibiWf9G+B4EFlVYhDNqk+y4="; }
{ name = "MetaMagik"; url = "https://github.com/creecros/MetaMagik/releases/download/1.5.1/MetaMagik-1.5.1.zip"; hash = "sha256-8y8+YvS5MAzRt4VVECQK0vQk6oA4Jbxn+2jWQ8nP3gU="; }
{ name = "OAuth2"; url = "https://github.com/kanboard/plugin-oauth2/releases/download/v1.0.2/OAuth2-1.0.2.zip"; hash = "sha256-L0df8bwPCxHjVOCNiVp+dqVsqJ0CEuJbHzwv5sYprIU="; }
{ name = "HighlightCodeSyntax"; url = "https://github.com/kenlog/HighlightCodeSyntax/releases/download/v1.0.3/HighlightCodeSyntax-v1.0.3.zip"; hash = "sha256-c4bV1gGVNUjHOJKBI6QxsV72mAzcEgjqv8r62ebpPdU="; }
{ name = "Group_assign"; url = "https://github.com/creecros/Group_assign/releases/download/1.7.12/Group_assign-1.7.12.zip"; hash = "sha256-ijI8nIIqsK8Pr1iEfCBUeUD3dlsIfmkOP0xC39JkIAs="; }
];
pluginsDirectory = pkgs.linkFarmFromDrvs "kanboard-plugins" plugins;
secretsPath = config.age.secrets.kanboard-secrets.path;
kanboardConfig = pkgs.substituteAll {
name = "kanboard-config.php";
src = ./kanboard-config.php;
inherit secretsPath;
inherit pluginsDirectory;
};
package = pkgs.kanboard.overrideAttrs (old: {
installPhase = ''
${(old.installPhase or "")}
runHook postInstall
'';
postInstall = ''
${pkgs.xorg.lndir}/bin/lndir ${pluginsDirectory} $out/share/kanboard/plugins
'';
});
in
{
environment.systemPackages = [
];
services.phpfpm.pools.kanboard = {
user = "kanboard";
group = "kanboard";
settings = {
"listen.group" = "nginx";
"pm" = "static";
"pm.max_children" = 4;
};
};
users.users.kanboard = {
isSystemUser = true;
group = "kanboard";
};
users.groups.kanboard = {};
services.nginx = {
enable = true;
virtualHosts."todo.beta.rz.ens.wtf" = {
enableACME = true;
forceSSL = true;
root = pkgs.buildEnv {
name = "kanboard-configured";
paths = [
(pkgs.runCommand "kanboard-over" {meta.priority = 0;} ''
mkdir -p $out
for f in index.php jsonrpc.php ; do
echo "<?php require('$out/config.php');" > $out/$f
tail -n+2 ${package}/share/kanboard/$f \
| sed 's^__DIR__^"${package}/share/kanboard"^' >> $out/$f
done
ln -s /var/lib/kanboard $out/data
ln -s ${pluginsDirectory} $out/plugins
ln -s ${kanboardConfig} $out/config.php
'')
{ outPath = "${package}/share/kanboard"; meta.priority = 10; }
];
};
locations = {
"/".index = "index.php";
"~ \\.php$" = {
tryFiles = "$uri =404";
extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket};
'';
};
};
};
};
}

17
machines/public-cof/lychee.nix
View file

@ -1,17 +0,0 @@
{ config, pkgs, ... }: {
services.lychee = {
enable = true;
package = pkgs.rz.lychee-gallery;
forceSSL = true;
enableACME = true;
website = "photos.ens.wtf";
settings.APP_URL = "https://${config.services.lychee.website}";
};
services.phpfpm.pools."photos.ens.wtf".settings = {
pm = "dynamic";
"pm.max_children" = 10;
"pm.start_servers" = 3;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
};
}

15
machines/public-cof/minecraft.nix
View file

@ -2,9 +2,9 @@
let let
papermc = { papermc = {
ram = 4; # In GB ram = 4; # In GB
version = "1.19.2"; version = "1.18.2";
build = 200; build = 270;
sha256 = "sha256-fhQ1Kukp0MDF0312y/DR3wS9wKXY2aKUyU5f64ELylM="; sha256 = "M3/z7lgHVDG+WqxPvyrxvfobEvkkPf90bDoN/Dq+VZY=";
}; };
port = 25565; port = 25565;
rconPort = 25575; rconPort = 25575;
@ -42,15 +42,6 @@ in
Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905"; Sup3Legacy = "575ecb9f-bf28-46cb-bc50-cb6bb340c905";
Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d"; Pollux3737 = "ffa65818-b022-4830-aa90-7f3211c8ee3d";
CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849"; CiterinRemy = "2f6a0c0a-4c0e-4e6c-beb4-237600fba849";
clem197 = "7461bfdf-4dca-44c2-b035-b49d5740dfc5";
Clashis = "499fdd85-bbcb-446f-9611-8b6bb9bf6965";
skidijo = "6a72a1f4-7448-4fb7-a252-b6d5ceff2d43";
Tifendyll = "5dc1acf3-b214-4607-a3bd-924665e07c67";
OknShield = "ef12e9cd-121f-4b39-886e-89b5b4bc5f4f";
Allygon = "964a2ee3-3a0d-49c1-b8e9-60b5e69976d3";
CheesyBiggy = "574daaed-ce9a-4b33-a3af-055e39bc32dc";
H3raklio = "576969d4-94e7-49db-ba7e-e9e57ff5a75e";
thejohncrafter = "d3959974-3a05-4ab2-8acb-d8817c140d84";
}; };
serverProperties = { serverProperties = {

65
machines/public-cof/networking.nix
View file

@ -1,38 +1,41 @@
{ lib, ... }: { lib, ... }:
let mkAddress = addr: let
{ splitted = lib.splitString "/" addr;
elemAt = builtins.elemAt splitted;
in
{ address = (elemAt 0); prefixLength = lib.toInt (elemAt 1); };
in {
networking = { networking = {
hostName = "public-cof"; hostName = "public-cof";
useNetworkd = true; # Default IPv4 exit route
defaultGateway = {
address = "";
interface = "ens20";
};
localCommands = "ip route add default dev ens20 metric 10";
firewall = { enable = true; allowedTCPPorts = [ 22 ]; }; useDHCP = false;
interfaces.ens18 = {
useDHCP = true;
ipv6.addresses = [{
address = "2001:470:1f13:187:c08e:feff:fe4d:f5f5";
prefixLength = 64;
}];
};
interfaces.ens19 = {
useDHCP = false;
ipv4.addresses = [{
address = "10.1.1.21";
prefixLength = 22;
}];
};
interfaces.ens20 = {
ipv4.addresses = map mkAddress [ "45.13.104.27/32" ];
};
firewall.allowedTCPPorts = [ 22 ];
firewall.enable = true;
}; };
systemd.network.networks = {
"10-ens18" = {
name = "ens18";
address = [ "2001:470:1f13:187:c08e:feff:fe4d:f5f5/64" ];
DHCP = "ipv4";
dhcpV4Config.RouteMetric = 10;
};
"10-ens19" = {
name = "ens19";
address = [ "10.1.1.21/22" ];
DHCP = "ipv4";
};
"10-ens20" = {
name = "ens20";
address = [ "45.13.104.27/32" "45.13.104.29/32" ];
DHCP = "ipv4";
};
};
services.nginx.defaultListenAddresses = [ "[::0]" "45.13.104.27" ];
} }

2
machines/public-cof/nextcloud.nix
View file

@ -5,7 +5,7 @@
hostName = "nuage.beta.rz.ens.wtf"; hostName = "nuage.beta.rz.ens.wtf";
https = true; https = true;
package = pkgs.nextcloud26; package = pkgs.nextcloud23;
config = { config = {
overwriteProtocol = "https"; overwriteProtocol = "https";

17
machines/public-cof/nginx.nix
View file

@ -29,15 +29,14 @@ in
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts = { virtualHosts = {
# FIXME: factorize and remove it, it has been superseded by eleves.ens.fr/calendrier "home.beta.rz.ens.wtf" = {
# "home.beta.rz.ens.wtf" = { serverAliases = [ "beta.rz.ens.wtf" ];
# serverAliases = [ "beta.rz.ens.wtf" ]; default = true;
# default = true; forceSSL = true;
# forceSSL = true; enableACME = true;
# enableACME = true; root = "/var/public-cof/home";
# root = "/var/public-cof/home"; locations = builtins.listToAttrs (map mkCloudLocation clouds);
# locations = builtins.listToAttrs (map mkCloudLocation clouds); };
# };
}; };
}; };

14
machines/public-cof/nix/sources.json
View file

@ -14,7 +14,7 @@
"klubrz-nur": { "klubrz-nur": {
"branch": "main", "branch": "main",
"repo": "https://git.rz.ens.wtf/Klub-RZ/nur", "repo": "https://git.rz.ens.wtf/Klub-RZ/nur",
"rev": "bb95bbed09ccb2ae5ab5a8e02537c4c28c46d27e", "rev": "98911e21fd58f00440dc8a5bd6568f2a349338bd",
"type": "git" "type": "git"
}, },
"niv": { "niv": {
@ -29,18 +29,6 @@
"url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz", "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixexprs": {
"branch": "master",
"description": "All my Nix expressions",
"homepage": null,
"owner": "RaitoBezarius",
"repo": "nixexprs",
"rev": "5fd6966844be775a272e932375d7982275ba2300",
"sha256": "1l5zgdgqbn7apw2ngqzid0sqrklx0rnj8sjid4ykx9156kdqjan5",
"type": "tarball",
"url": "https://github.com/RaitoBezarius/nixexprs/archive/5fd6966844be775a272e932375d7982275ba2300.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"raito-nur": { "raito-nur": {
"branch": "master", "branch": "master",
"description": "All my Nix expressions", "description": "All my Nix expressions",

22
machines/public-cof/nix/sources.nix
View file

@ -31,28 +31,8 @@ let
if spec ? branch then "refs/heads/${spec.branch}" else if spec ? branch then "refs/heads/${spec.branch}" else
if spec ? tag then "refs/tags/${spec.tag}" else if spec ? tag then "refs/tags/${spec.tag}" else
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
submodules = if spec ? submodules then spec.submodules else false;
submoduleArg =
let
nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
emptyArgWithWarning =
if submodules == true
then
builtins.trace
(
"The niv input \"${name}\" uses submodules "
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
+ "does not support them"
)
{}
else {};
in
if nixSupportsSubmodules
then { inherit submodules; }
else emptyArgWithWarning;
in in
builtins.fetchGit builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
fetch_local = spec: spec.path; fetch_local = spec: spec.path;

5
machines/public-cof/nur.nix
View file

@ -3,17 +3,14 @@ let
nivSources = import ./nix/sources.nix; nivSources = import ./nix/sources.nix;
rz-src = nivSources.klubrz-nur; rz-src = nivSources.klubrz-nur;
rz-no-pkgs = (import nivSources.klubrz-nur {}); rz-no-pkgs = (import nivSources.klubrz-nur {});
raitobezarius-src = nivSources.nixexprs;
raitobezarius-no-pkgs = (import raitobezarius-src {});
in in
{ {
nixpkgs.config.packageOverrides = { nixpkgs.config.packageOverrides = {
rz = import rz-src { inherit pkgs; }; # rz = import rz-src { inherit pkgs; };
}; };
imports = [ imports = [
"${nivSources.agenix}/modules/age.nix" "${nivSources.agenix}/modules/age.nix"
raitobezarius-no-pkgs.modules.sniproxy
] ++ lib.attrValues rz-no-pkgs.modules; ] ++ lib.attrValues rz-no-pkgs.modules;
nixpkgs.overlays = []; nixpkgs.overlays = [];

31
machines/public-cof/outline.nix
View file

@ -1,31 +0,0 @@
{ pkgs, lib, config, ... }:
{
services.nginx.virtualHosts."notion.rz.ens.wtf" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3000";
proxyWebsockets = true;
};
};
services.outline = {
enable = true;
publicUrl = "https://notion.rz.ens.wtf";
defaultLanguage = "fr_FR";
storage = {
accessKey = "GK8b32d276b2eafb999a53188a";
secretKeyFile = config.age.secrets.outlineS3Secrets.path;
uploadBucketUrl = "https://s3.rz.ens.wtf";
uploadBucketName = "outline";
region = "ens";
};
oidcAuthentication = {
userinfoUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/userinfo";
tokenUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/token";
authUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/auth";
clientSecretFile = config.age.secrets.outline-oidc-client-secret.path;
displayName = "Club réseau";
clientId = "outline";
};
};
}

0
machines/pubkeys/gdd.keys → machines/public-cof/pubkeys/gdd.keys
View file

0
machines/pubkeys/mrf.keys → machines/public-cof/pubkeys/mrf.keys
View file

0
machines/pubkeys/raito.keys → machines/public-cof/pubkeys/raito.keys
View file

34
machines/public-cof/rstudio-server/default.nix
View file

@ -1,34 +0,0 @@
{ pkgs, ... }:
let
port = 19000;
in
{
services.rstudio-server = {
enable = true;
rserverExtraConfig = ''
www-port = ${toString port}
'';
package = pkgs.rstudioServerWrapper.override {
packages = with pkgs.rPackages; [
ggplot2
rmarkdown
dplyr
];
};
};
users.users.ruser = {
isNormalUser = true;
hashedPassword = "$6$pTXXVh8NfE.M8VPc$q0fFh3Y7Y0DauLCcZLgJzFciq1wkjoHmO61XpOrZLH3a1M32ZzOMbjx2XMm2QxrUncbx6hGerY/lD8rQ8InS4.";
};
services.nginx.virtualHosts."rstudio.beta.rz.ens.wtf" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true;
};
};
}

18
machines/public-cof/secrets/default.nix
View file

@ -10,22 +10,4 @@
group = "nextcloud"; group = "nextcloud";
file = ./nextcloudDatabasePasswordFile.age; file = ./nextcloudDatabasePasswordFile.age;
}; };
age.secrets.kanboard-secrets = {
owner = "kanboard";
group = "kanboard";
file = ./kanboard-secrets.age;
};
age.secrets.outlineS3Secrets = {
owner = "outline";
group = "outline";
file = ./outlineS3Secrets.age;
};
age.secrets.outline-oidc-client-secret = {
owner = "outline";
group = "outline";
file = ./outline-oidc-client-secret.age;
};
} }

25
machines/public-cof/secrets/kanboard-secrets.age
View file

@ -1,25 +0,0 @@
age-encryption.org/v1
-> ssh-rsa krWCLQ
jsay8IXK6RjVULRqpfvgHOr8H3ALxQyJ3BQIkmSfRrLlJXDbYWUKBCztXc7whfb/
XTc3Sa5bybIXXX3wLzYmxCYjUa1CoHgIb1UWAhM3KyTJ4XSw7pVti29VM5p74+ex
tJeb44hXlkD7V7C2yYp6CcBH1IgnvEL8ulVopkis/TBQtWi6QaGJBPX2yxEJ3QDh
uAn5czrrDenBZRsIYTaKrlbgCM/Oeh4mDFSaFKIqfX2g7ClbsC1ejF3PvbsXN6il
pk2YSZ/F5ivNBkvWFmQrNJyLjkcIrxoFvzcXOTk8yM9iu4BFlPbX7NcAMrHpbSIR
3ew59I0cGkbzRAtLI9p97w
-> ssh-ed25519 85WiGg XQK2huU0kqkKbVYf6SJFqcumOL8zDPfOuGwNy78dJm4
aP8CNgS1/wfv2RB7nXZqYnZaXDORk9I5lPZy87FVmRY
-> ssh-ed25519 reTIKw jZ57SfMYyOr9P9eNK/Q2CMAWtYtfjyV/MaTVnqEHxkU
ycPo/pwC9CtYWAcrclo1b26+mPU4Z6pCPecGPMmL3ag
-> ssh-ed25519 /vwQcQ v5bvHTvld6WErGt+Vp0mivpFH5srQPHkbPd0Nk3IDy0
27+ZreTwyaxtb5vrRpD/2C2MUT9onRcX4Yr7KHnTGOo
-> ssh-ed25519 cvTB5g gKxECDYMSja0FTqteAk39iMDsNIM+ox31sIvnY2ityk
pkUZgDWdAzuGCvuRhOE8oeazIRw+kpPhnkksF2zTjxA
-> ssh-ed25519 Wu8JLQ lMgIKw3Qzg/Lw6UtpPZWDrE0WBc71meaprrnmARqDDM
FN/S9xo22u4kMWqrPD3KmfLbDq8L0TxtfDUSBLVq+Tk
-> ssh-ed25519 xbfJnw emSflhzdsItaXULjPXre8jlnXxJuXFAaoLWGVAAej1I
4OS68AuzPr+zwp9Bqb4lYGJHjPwPMSXuprw7+8agOyU
-> Wd-grease
pdSa/JP70fd6VvSgpIJQAk8ZiZfKo8l7UpVwBib59SB9IRNVZdSbHINFUzuIozGu
Z7dyg+x6QQ
--- TjceHicjeIIKz0f7R5u7nLrCtb39MmS/vEK3w0xHbmw
¾ßQ¢ëºZ`? ZvÆ~^è¼Ø$öÒcèt§è2ÓÁÚÔ“y3Ö.+KFÊ2OC_$¤]y£³¬À³~ý¢×l%0ôÐ_ ð Ü»”à R·®EÆM4HÄ°•á™{ÑrÐ$˜çÞ¬™*<2A>1\2FÚ¬BLAK!ÜÜ&Cþ×û_Õ.Oëmœ3¬ÕÍ•©´êµV<ü z'-sø'J

26
machines/public-cof/secrets/outline-oidc-client-secret.age
View file

@ -1,26 +0,0 @@
age-encryption.org/v1
-> ssh-rsa krWCLQ
HeTVcJxU2zRewuzQVknnxAYjlCU8+GJjBz9joGPo2j934uiM3A6PBsFmoz6I1ZfJ
pg68benaKfV+VI1sN8fMDWoEO0QrFzHYULXT9JCyQTClUzUZSlMpzmDgCmHjLPEc
qB23sbwKzgyFO9SKHsPvOqxZrEyTwAKiNYa33QuSyRxN3S4/9PxVjgJTTqLbTVqf
hhnujxviU3iHV2ACqLAV5jYSbAleiAh53vnBc0k326vXbrumQqFvQtgwcqDn4vDR
2QYzEwsj+yV9BlRrGSBZSnoHZjWtsE/ntrEaIZiItT3Ots1CCVswd7LGb3LspYbf
NheRvY7zUXppGiB0+mjZJg
-> ssh-ed25519 85WiGg tGvDzYdpKP8lql3murRlp95w7jQUhhuodIgVxDk4Lgs
aVV4b71w/nU3nBaYKdzzYjXVaxgN2EpyQiKsjO33GcI
-> ssh-ed25519 reTIKw LJJF7K8fRsSoAFDyndWP9nA5FV4w7cWSqUgGnvdB42I
wI22cL/GuyVou1robDUHzNMfCR7L6NA4UWFSeV73d88
-> ssh-ed25519 /vwQcQ KZQSME50r4yrnyFfH6nwbmCn0UmVUMIBhhfqoicrKVY
xDdBu7/K8ZxGT2BnffAR8UsQIAVlLpSfEvo1m4k87ng
-> ssh-ed25519 cvTB5g HjLQQhFwEekFYHV5sko/x8RwcAsgvl/cCoKakX4B6yE
Ub5TWpDPYA3DSwfRT2hmgPcwoMIhsOhgdhckFuZxQ8s
-> ssh-ed25519 Wu8JLQ L0bnDPmv3Chemi/BKhux9GYXDMMLUjO6H8MQe1REpBA
qtN6IH8M8kLYAQ8a64kYCCaAPhg6VjrojTONdY4MVyA
-> ssh-ed25519 xbfJnw 94xx8KL0EWqs3HIsdY9RFvC6aRsk7cemZxciLIkVCDM
WZnyqSwpCBA8GNnu6VEJSLIRtv8rzOpGFH6e387ohpQ
-> TS-grease
D32P8/tpegDSy/xsspwpuq8EVqwDyZUzJF2Ose+3cqHAx8db4DPWnmt4z4Ch5bXw
KtmO+2eEYTmPyYUZxI+uzr93CQhVq7aFlch6cWLEaqg
--- 6kPR6tdczt01UaY4ps38dncSMFCupa9uZmSWBjm85ps
<18>LnŸÖ4¦K¬z>­Ê(³Ù†°=f¼õ´ˆÊ·œ®PG<50>Þ<hÒçº×ø±uÓÖV³Ø#¸P
ÑÑ&¶

25
machines/public-cof/secrets/outlineS3Secrets.age
View file

@ -1,25 +0,0 @@
age-encryption.org/v1
-> ssh-rsa krWCLQ
nxiY5l98JhWEwLYN7sWtsgN4faDTIpgo1fiPScxXB8/ljnxIyd1vhMVRt0WCTOQV
CFTQ9MOoTAk90Zj4wjxDjoJjjsXLUBVnjqLdQy76kgR5vAvVrHzuYTYO4Y4k0/qh
S6BEFN655P0n4Gxf9kJtKxi3ipN6B46ydACAjFeyeuOPMkMdBBZq1BOLPEOC9I+O
87p+8BdL+zxkYfaWfEggYgabrE7y91EjiB1VCuT0GFm8T8iBojvThxWQlHQAybBc
gvgTlyGf8YmY82uGhGQR39okrA914mJUkr11JZ9457qL+/t5Au/dha1x6QlwcUoz
Tp5OQJAfXZc02LsICq2I7A
-> ssh-ed25519 85WiGg c6vyT96h0eVL+xZpR0Zk06l5ApUsqENY9ESeYuOG0zY
dJbQVgH41Ti/AM7WAlXCCA501h8wgx2os5yiZt+jxp8
-> ssh-ed25519 reTIKw rVhKDqm51EMuOQnTcsdWmqoBDI/LLnFpkJW93EfcdB0
AAOEQp0tux1vJ0bPIcB1HtLodig/J4poeu6j/Hk8KiA
-> ssh-ed25519 /vwQcQ jGLr83VDSxYd3v42ECOiTpSTDRB5TVSqx3QHRbMgfEk
k2hBCGntsqP0czKV2JvMbf8lAqpjVvnJqSxfdr00A7w
-> ssh-ed25519 cvTB5g BqVT8ytcjINNKrGAtttAtxRMpLs4LJg1Uy3zvDxTvwk
DRDEl+CNZnuT+KE1txjHgaWIYmiSeUTsesnXYq89YNQ
-> ssh-ed25519 Wu8JLQ 731ytp+gu36OvH0QbkeDUwMHj3J4u0JujJnfTUQ2C1A
KPGEKLoV9K1PPdIyla5D1lsmhRt/XUHLrCTeApbqR6c
-> ssh-ed25519 xbfJnw Ojf4cuctALx+Q/qWqSarRcnxvwrHjbAK5r4pnhKUzmo
WHp4Op3N3SeniWS7XhPmvRkTyjDIPDBBGviDaiCNbOc
-> 3P-h|3ru-grease
5icFsPwzKpnImSlgICy/wDq6YJLTcIML3EoDUOgvGOFSs+efH4bWExmd2ktGtqYd
ewEKHYlnpIFNTMtlRs7U7sR3qnLHadq3McnhR/8OlQ
--- iwVp/AYpQfFOIg/OI85nNTgdY/HKlEsCHWiBO0lOtJg
Z=eBÒbÀ£â[3$”Ôkâ„(õ®²2Èöx%0ž—£+18T•,;ÅÛóFÕ¬"Ke³•¶óÃZø*Òè$}ýœCp Ão9æ+À¡‡›|CJ¹-¼

7
machines/public-cof/secrets/secrets.nix
View file

@ -1,16 +1,13 @@
let let
pkgs = import <nixpkgs> {}; pkgs = import <nixpkgs> {};
lib = pkgs.lib; lib = pkgs.lib;
readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht"); superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd");
public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg";
systems = [ public-cof ]; systems = [ public-cof ];
in in
{ {
"nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems;
"nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems; "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
"kanboard-secrets.age".publicKeys = superadmins ++ systems;
"outlineS3Secrets.age".publicKeys = superadmins ++ systems;
"outline-oidc-client-secret.age".publicKeys = superadmins ++ systems;
} }

2
machines/public-cof/system.nix
View file

@ -8,7 +8,7 @@
# Auto GC and store optimizations # Auto GC and store optimizations
nix = { nix = {
settings.trusted-users = [ "root" ]; trustedUsers = [ "root" ];
gc = { gc = {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";

30
machines/public-cof/v6proxy/default.nix
View file

@ -1,30 +0,0 @@
{ ... }:
let
proxyIPv4 = "45.13.104.29";
in
{
networking.firewall.allowedTCPPorts = [ 443 ];
services.sniproxy = {
enable = true;
resolver = {
mode = "ipv6_first";
};
listeners = [
{
address = "${proxyIPv4}:443";
table = "vhosts";
fallback = null;
}
];
tables.vhosts = [
{
match = "traque.beta.rz.ens.wtf";
dest = "traque.beta.rz.ens.wtf";
}
];
};
}

72
machines/core-services-01/_configuration.nix → machines/remote-builder-01/configuration.nix
View file

@ -1,36 +1,13 @@
{ config, pkgs, lib, ... }: { config, pkgs, ... }:
{ {
imports = [ imports =
./acme-dns.nix [
./acme-ssl.nix ./hardware-configuration.nix
./backups.nix ./programs.nix
# ./dex.nix ./system.nix
./dns.nix # TODO monitoring
# ./gitea.nix ];
./headscale.nix
./keycloak.nix
./matterbridge.nix
# ./monitoring.nix
# ./netboot-server.nix
./network.nix
./nginx.nix
./nur.nix
# ./oauth2_proxy.nix
./programs.nix
./qemu.nix
./rz.nix
./secrets
./snipe-it.nix
./system.nix
./tunnels.nix
# TODO push to gitea
# TODO ./gotify.nix
# TODO(Raito): ./backups.nix
# TODO(Raito): ./snmp.nix
# TODO(Raito): ./sflow.nix?
];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@ -39,17 +16,17 @@
boot.initrd.supportedFilesystems = [ "zfs" ]; boot.initrd.supportedFilesystems = [ "zfs" ];
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
networking.hostName = "core-services-01"; networking.hostName = "remote-builder-01";
networking.hostId = "64838310"; networking.hostId = "11894198";
# Set your time zone.
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
# The global useDHCP flag is deprecated, therefore explicitly set to false here. # The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour. # replicates the default behaviour.
networking.useDHCP = false; networking.useDHCP = false;
# Adieu, hackENS — networking.interfaces.ens18.useDHCP = true; networking.interfaces.ens18.useDHCP = true;
networking.interfaces.ens19.useDHCP = true;
# Configure network proxy if necessary # Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.default = "http://user:password@proxy:port/";
@ -62,6 +39,13 @@
keyMap = "us"; keyMap = "us";
}; };
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
vim
wget
];
# Some programs need SUID wrappers, can be configured further or are # Some programs need SUID wrappers, can be configured further or are
# started in user sessions. # started in user sessions.
programs.mtr.enable = true; programs.mtr.enable = true;
@ -74,11 +58,27 @@
services.zfs.autoScrub.enable = true; services.zfs.autoScrub.enable = true;
# Enable the OpenSSH daemon.
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keyFiles = [
./pubkeys/gdd.keys
./pubkeys/raito.keys
./pubkeys/remote-builders.keys
];
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether. # Or disable the firewall altogether.
networking.firewall.enable = false; networking.firewall.enable = false;
system.stateVersion = "22.05"; # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
} }

25
machines/router04/_hardware-configuration.nix → machines/remote-builder-01/hardware-configuration.nix
View file

@ -8,33 +8,28 @@
[ (modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.initrd.luks.devices.c-disk = {
device = "/dev/disk/by-uuid/9c57dd15-b6e4-4496-84ca-6ffe41a9dd42";
keyFile = "/dev/zero";
keyFileSize = 1;
fallbackToPassword = true;
};
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/a48770a7-87f0-4f95-9458-50f022d20472"; { device = "rpool/root/nixos";
fsType = "ext4"; fsType = "zfs";
};
fileSystems."/home" =
{ device = "rpool/home";
fsType = "zfs";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1FD5-AB3E"; { device = "/dev/disk/by-uuid/3341-A3B9";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/050ed1a8-60be-47e8-9f96-146362ea5e46"; } [ { device = "/dev/disk/by-uuid/1f624fe3-1fc5-44f4-9529-812558ffba42"; }
]; ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

24
machines/remote-builder-01/programs.nix Normal file
View file

@ -0,0 +1,24 @@
{ pkgs, ... }:
let pkgsList = with pkgs; [
nix-prefetch-git
dnsutils
unzip
zip
ripgrep
niv
nixfmt
];
in
{
imports = [
./vim.nix
];
programs = {
tmux.enable = true;
mosh.enable = true;
};
environment.systemPackages = pkgsList;
}

2
machines/remote-builder-01/pubkeys/gdd.keys Normal file
View file

@ -0,0 +1,2 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

0
machines/pubkeys/hackens-milieu.keys → machines/remote-builder-01/pubkeys/hackens-milieu.keys
View file

4
machines/remote-builder-01/pubkeys/raito.keys Normal file
View file

@ -0,0 +1,4 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr

0
keys/remote-builders.keys → machines/remote-builder-01/pubkeys/remote-builders.keys
View file

28
machines/remote-builder-01/system.nix Normal file
View file

@ -0,0 +1,28 @@
{ pkgs, ... }:
{
# # Auto upgrades
# system.autoUpgrade = {
# enable = false; # TODO(Ryan): do not enable, it will break deployments.
# allowReboot = false;
# };
# Auto GC and store optimizations
nix = {
trustedUsers = [ "root" "gab" ];
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 90d";
};
optimise.automatic = true;
extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)}
'';
};
services.locate = {
enable = true;
interval = "04:05";
};
}

31
machines/remote-builder-01/vim.nix Normal file
View file

@ -0,0 +1,31 @@
{ pkgs, ... }:
{
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
nixfmt
git
(neovim.override {
vimAlias = true;
configure = {
packages.myPlugins = with pkgs.vimPlugins; {
start = [ vim-lastplace vim-nix ];
opt = [];
};
customRC = ''
set encoding=utf-8
set wildmenu
set nocompatible
set backspace=indent,eol,start
set cursorline
hi CursorLine term=bold cterm=bold ctermbg=darkgrey
set number
set relativenumber
set tabstop=4
set expandtab
'';
};
}
)];
}

28
machines/router03/_configuration.nix
View file

@ -1,28 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
./router.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
networking.hostName = "router03";
networking.domain = "internal.rz.ens.wtf";
services.getty.autologinUser = "root";
services.openssh.enable = true;
system.stateVersion = "24.05"; # Did you read the comment?
}

40
machines/router03/_hardware-configuration.nix
View file

@ -1,40 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices.c-disk = {
device = "/dev/disk/by-uuid/9c57dd15-b6e4-4496-84ca-6ffe41a9dd42";
keyFile = "/dev/zero";
keyFileSize = 1;
fallbackToPassword = true;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a48770a7-87f0-4f95-9458-50f022d20472";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1FD5-AB3E";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/050ed1a8-60be-47e8-9f96-146362ea5e46"; }
];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

28
machines/router03/router.nix
View file

@ -1,28 +0,0 @@
{ config, pkgs, lib, ... }:
{
krz-router = {
enable = true;
enablePrimary = true;
routerId = 1;
vip = "129.199.146.230";
rip = "129.199.146.231";
trunkPort.macAddress = "92:E3:9C:CE:EF:14";
virtualNeighbors = [ 2 ];
};
# systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
environment.systemPackages = [ pkgs.tcpdump pkgs.wireguard-tools ];
# Zone based firewall
# Flow accounting in PostgreSQL.
services.postgresql = {
enable = true;
ensureUsers = [];
};
# services.ulogd = {
# enable = true;
# settings = {
# };
# };
}

28
machines/router04/_configuration.nix
View file

@ -1,28 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
./router.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
networking.hostName = "router04";
networking.domain = "internal.rz.ens.wtf";
services.getty.autologinUser = "root";
services.openssh.enable = true;
system.stateVersion = "24.05"; # Did you read the comment?
}

28
machines/router04/router.nix
View file

@ -1,28 +0,0 @@
{ config, pkgs, lib, ... }:
{
krz-router = {
enable = true;
enablePrimary = false;
routerId = 2;
vip = "129.199.146.230";
rip = "129.199.146.232";
trunkPort.macAddress = "92:E3:9C:CE:EF:15";
virtualNeighbors = [ 1 ];
};
# systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
environment.systemPackages = [ pkgs.tcpdump pkgs.wireguard-tools ];
# Zone based firewall
# Flow accounting in PostgreSQL.
services.postgresql = {
enable = true;
ensureUsers = [];
};
# services.ulogd = {
# enable = true;
# settings = {
# };
# };
}

5
meta/default.nix
View file

@ -1,5 +0,0 @@
let
nodes = import ./nodes.nix;
in
{ inherit nodes; }

78
meta/nodes.nix
View file

@ -1,78 +0,0 @@
###
# File specifying all the deployement options for the nodes administrated by the dgnum.
#
# Node metadata template is:
#
# NODE_NAME = {
# adminGroups = []; # List of groups that have root access
# admins = []; # List of individuals that have root access
# deployment = {}; # Colmena deployment options
# nixpkgs = "unstable" or "22.11"; # nixpkgs version
# }
let
mkNode = _: attrs: {
access = [ ];
deployment = { };
nixpkgs = "23.05";
} // attrs;
in
builtins.mapAttrs mkNode {
core-services-01 = {
admins = [
"gdd"
"hubrecht"
"mrf"
"raito"
"sinavir"
];
deployment.targetHost = "core01.rz.ens.wtf";
stateVersion = "22.05";
};
public-cof = {
admins = [
"gdd"
"hubrecht"
"mrf"
"raito"
"sinavir"
];
deployment.targetHost = "beta.rz.ens.wtf";
stateVersion = "21.05";
};
router03 = {
admins = [
"gdd"
"hubrecht"
"raito"
"sinavir"
];
deployment.targetHost = "129.199.146.231";
stateVersion = "24.05";
};
router04 = {
admins = [
"gdd"
"hubrecht"
"raito"
"sinavir"
];
deployment.targetHost = "129.199.146.232";
stateVersion = "24.05";
};
}

12
modules/default.nix
View file

@ -1,12 +0,0 @@
{ lib, sources, ... }:
{
imports = (lib.extra.mkImports ./. [
"krz-access-control"
"krz-ssh"
"krz-router"
]) ++ [
# TODO: Switch to global version of agenix via npins
# "${sources.agenix}/modules/age.nix"
];
}

46
modules/krz-access-control.nix
View file

@ -1,46 +0,0 @@
{ config, lib, meta, name, ... }:
let
inherit (lib)
mkDefault
mkEnableOption
mkIf
mkOption
types;
nodeMeta = meta.nodes.${name};
inherit (nodeMeta) admins;
cfg = config.krz-access-control;
in
{
options.krz-access-control = {
enable = mkEnableOption "DGNum access control." // { default = true; };
users = mkOption {
type = with types; attrsOf (listOf str);
default = { };
description = ''
Attribute set describing which member has access to which user on the node.
Members must be declared in `meta/members.nix`.
'';
example = ''
{
user1 = [ "member1" "member2" ];
}
'';
};
};
config = mkIf cfg.enable {
# Admins have root access to the node
krz-access-control.users.root = mkDefault admins;
users.users = builtins.mapAttrs
(u: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; })
cfg.users;
};
}

382
modules/krz-router.nix
View file

@ -1,382 +0,0 @@
{ config, lib, ... }:
let
inherit (lib)
mkIf mkEnableOption mkOption types;
cfg = config.krz-router;
mkVLAN = name: id: {
netdevConfig = {
Kind = "vlan";
Name = name;
};
vlanConfig.Id = id;
};
mkTunnel = kind: name: { local, remote, mtu ? 1480 }: {
netdevConfig = {
Kind = kind;
Name = name;
MTUBytes = toString mtu;
};
tunnelConfig = {
Local = local;
Remote = remote;
};
};
in
{
options.krz-router = {
enable = mkEnableOption "KlubRZ router";
enablePrimary = mkEnableOption ''primary mode for this router.
This means that this router will assume the primary role by default.
Do not run on the same L2 segment the same router as primary.
'';
enableDebug = mkEnableOption "debug mode for the various subsystems";
trunkPort.macAddress = mkOption {
type = types.str;
description = "MAC address of the trunk port connected to a (virtual) switch";
};
vip = mkOption {
type = types.str;
description = "Highly-available virtual IP address of the router";
};
rip = mkOption {
type = types.str;
description = "Real IP address of the router";
};
routerId = mkOption {
type = types.int;
description = "Router ID for computing automatic IPs";
};
virtualPriority = mkOption {
type = types.int;
description = "Virtual router priority in the election";
# As recommended per RFC.
default = if cfg.enablePrimary then 100 else 50;
};
virtualNeighbors = mkOption {
type = types.listOf types.int;
description = "Virtual router neighbors in terms of router IDs";
default = [ ];
};
};
config = mkIf cfg.enable {
systemd.network.links."10-swp" = {
matchConfig.MACAddress = cfg.trunkPort.macAddress;
linkConfig.Name = "swp";
};
networking.firewall.allowedUDPPorts = [ 25351 ];
systemd.network.enable = true;
networking.dhcpcd.enable = false;
systemd.network = {
config.routeTables = {
he = 100;
mwan = 110;
};
netdevs = {
"05-admin-vpn" = {
netdevConfig = {
Kind = "wireguard";
Name = "wgadmin";
MTUBytes = "1420";
};
wireguardConfig = {
PrivateKeyFile = "/etc/secrets/wireguard/wgadmin";
ListenPort = 25351;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "obsUPq4Y1XGbl3yPUytPKkVcSP+eECpaQX+bV+ocwXg=";
AllowedIPs = [ "fd81:fb3a:50cc::100/128" ];
};
}
{
# Julien Malka, laptop X2100
wireguardPeerConfig = {
PublicKey = "P6yIXwpUtX5WABxN5wZdxjqXyb/9kDwJqhj8VGGtAW4=";
AllowedIPs = [ "fd81:fb3a:50cc::200/128" ];
};
}
];
};
"10-tun-mwan" = mkTunnel "gre" "gre-mwan" {
remote = "80.67.167.30";
local = cfg.vip;
};
"10-tun-he" = mkTunnel "sit" "sit-he" {
remote = "216.66.84.42";
local = cfg.vip;
};
# VLANs
# 401: uplink ENS
# 3500: intranet club réseau, proxy ARP et proxy arp pvlan / 10.1.1.1/22
# 3510: mgmt club réseau (administration network) / fd81:fb3a:50cc::/64
# 3605: MWAN V6 DMZ / 2a0e:e701:1120:b00c::1/64
# 3606: MWAN V4 DMZ / 45.13.104.25/29
# 3607: Club Réseau v6 DMZ (en ASN propre)
# 3608: DN42 DMZ
# 3609: HE V6 DMZ / 2001:470:1f13:187::1/64
# 3610: Free V6 DMZ
# 3620: HE.net IPv6 /48 -> DHCP-PD /60
# 3621: MWAN DMZ /48 PD delivery / 2a0e:e701:1120::1/48
# 3622: Router VRRP link / $to_be_determined.
# "10-uplink-ens" = mkVLAN "uplink-ens" 401; dysfunctional?
"10-intranet-krz" = mkVLAN "intranet-krz" 3500;
"10-admin" = mkVLAN "admin" 3510;
"10-mwan-v6" = mkVLAN "mwan-v6" 3605;
"10-mwan-dual" = mkVLAN "mwan-dual" 3606;
"10-krz-v6" = mkVLAN "krz-v6" 3607;
"10-dn42-dmz" = mkVLAN "dn42-dmz" 3608;
"10-he-dmz" = mkVLAN "he-dmz" 3609;
"10-free-dmz" = mkVLAN "free-dmz" 3610;
"10-he-pd" = mkVLAN "he-v6-pd" 3620;
"10-mwan-pd" = mkVLAN "mwan-v6-pd" 3621;
"10-vrrp-router" = mkVLAN "vrrp-router" 3622;
};
networks = {
"10-admin-vpn" = {
matchConfig.Name = "wgadmin";
networkConfig = {
Description = "VPN d'administration système de l'infrastructure";
Address = [ "fd81:fb3a:50cc::${toString (cfg.routerId + 1)}/64" ];
# Give access to the rest of the network.
IPForward = "ipv6";
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "routable";
};
"15-admin-vlan" = {
matchConfig.Name = "admin";
networkConfig = {
Description = "VLAN d'administration système de l'infrastructure";
Address = [ "fd81:fb3a:50cc:1::${toString (cfg.routerId + 1)}/48" ];
# Give access to the rest of the network.
IPForward = "ipv6";
IPv6ProxyNDP = true;
ConfigureWithoutCarrier = true;
};
linkConfig.RequiredForOnline = "routable";
};
"20-tun-mwan" = {
matchConfig.Name = "gre-mwan";
networkConfig = {
Description = "Tunnel de livraison GRE IPv4/IPv6 de MilkyWAN";
Address = [ "10.1.1.50/30" "2a0b:cbc0:1::216/126" ];
ConfigureWithoutCarrier = true;
};
routes = [
{
routeConfig = {
Gateway = "10.1.1.49";
Table = "mwan";
Scope = "global";
# FIXME(raito): Has no effect? Upstream bug?
Source = "45.13.104.25/29";
};
}
{
routeConfig = {
Destination = "::/0";
Gateway = "2a0b:cbc0:1::215";
Table = "mwan";
Scope = "global";
Source = "2a0e:e701:1120::/48";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "2a0e:e701:1120::/48";
Table = "mwan";
};
}
{
routingPolicyRuleConfig = {
From = "45.13.104.25/29";
Table = "mwan";
};
}
{
routingPolicyRuleConfig = {
To = "45.13.104.25/29";
Table = "mwan";
};
}
];
};
"20-tun-he" = {
matchConfig.Name = "sit-he";
networkConfig = {
Description = "HE.NET IPv6 Tunnel (owned by gdd)";
Address = [ "2001:470:1f12:187::2/64" ];
ConfigureWithoutCarrier = true;
};
routes = [
{
routeConfig = {
Destination = "::/0";
Table = "he";
Scope = "global";
Source = "2001:470:1f13::/48";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "2001:470:1f13::/48";
Table = "he";
};
}
];
};
"10-swp" = {
matchConfig.Name = "swp";
networkConfig = {
Description = "VLAN-aware switch port";
Address = [ "${cfg.rip}/24" ];
Gateway = "129.199.146.254";
LLDP = true;
# Only to the switch we are connected to directly, e.g. the hypervisor or the switch.
EmitLLDP = "nearest-bridge";
# For VRRP.
KeepConfiguration = true;
};
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "45.13.104.25/29";
Type = "prohibit";
};
}
];
tunnel = [
"gre-mwan"
"sit-he"
];
vlan = [
# "intranet-krz" - we don't want to keep this.
"admin"
# FIXME: "mwan-v6" - do we want to keep this?
# We can achieve v6-only by enforcing MAC address isolation for IPv4.
"mwan-dual"
# FIXME: legacy-nat-zone.
# FIXME: "krz-v6" - not ready yet.
# FIXME: "dn42-dmz" - revive this if you want.
"he-dmz"
# FIXME: "free-dmz" - not ready yet, abandoned?
# FIXME: "he-v6-pd" - require rework
# FIXME: "mwan-v6-pd" - require rework
"vrrp-router"
];
};
# TODO: SIIT/NAT64/DNS64 component to avoid IPv4 dependency.
"20-mwan-dual" = {
matchConfig.Name = "mwan-dual";
addresses = [
{
addressConfig = {
Address = "2a0e:e701:1120:b00c::1/64";
AddPrefixRoute = false;
};
}
{
addressConfig = {
Address = "45.13.104.25/29";
AddPrefixRoute = false;
};
}
];
routes = [
{
routeConfig = {
Destination = "2a0e:e701:1120:b00c::/64";
Metric = 256;
Table = "mwan";
};
}
{
routeConfig = {
Destination = "45.13.104.25/29";
Metric = 256;
Table = "mwan";
};
}
];
networkConfig = {
Description = "MilkyWAN dual stack public interface";
DHCPServer = true;
IPv6SendRA = true;
IPForward = true;
ConfigureWithoutCarrier = true;
};
};
"20-he-dmz" = {
matchConfig.Name = "he-dmz";
addresses = [
{
addressConfig = {
Address = "2001:470:1f13:187::1/64";
# This will add it in the wrong table.
# TODO: add to systemd a `Table` option here.
AddPrefixRoute = false;
};
}
];
routes = [
{
routeConfig = {
Destination = "2001:470:1f13:187::/64";
Metric = 256;
Table = "he";
};
}
];
networkConfig = {
Description = "Hurricane Electrical's 187 /64 unfirewalled zone";
IPv6SendRA = true;
ConfigureWithoutCarrier = true;
};
};
"20-vrrp-router" = {
matchConfig.Name = "vrrp-router";
networkConfig = {
Description = "VRRP router health network";
Address = [ "10.0.0.${toString cfg.routerId}/24" "fe80::${toString cfg.routerId}/64" ];
KeepConfiguration = true;
};
};
};
};
services.keepalived = {
enable = true;
vrrpInstances.wan = {
interface = "vrrp-router";
state = if cfg.enablePrimary then "MASTER" else "BACKUP";
# We want to start in a stable state.
priority = cfg.virtualPriority;
virtualIps = [{ addr = "${cfg.vip}/24"; dev = "swp"; scope = "global"; }];
virtualRouterId = 50;
noPreempt = !cfg.enablePrimary;
unicastPeers = map (n: "10.0.0.${toString n}") cfg.virtualNeighbors;
};
vrrpInstances.admin = {
interface = "vrrp-router";
state = if cfg.enablePrimary then "MASTER" else "BACKUP";
# We want to start in a stable state.
priority = cfg.virtualPriority;
virtualIps = [
{ addr = "fd81:fb3a:50cc::1/64"; dev = "wgadmin"; }
{ addr = "fd81:fb3a:50cc:1::1/48"; dev = "admin"; }
];
virtualRouterId = 51;
noPreempt = !cfg.enablePrimary;
unicastPeers = map (n: "fe80::${toString n}") cfg.virtualNeighbors;
unicastSrcIp = "fe80::${toString cfg.routerId}";
};
};
};
}

25
modules/krz-ssh.nix
View file

@ -1,25 +0,0 @@
{ config, lib, ... }:
let
inherit (lib)
mkEnableOption
mkIf;
cfg = config.krz-ssh;
in
{
options.krz-ssh = {
enable = mkEnableOption "ssh default configuration." // { default = true; };
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
programs.mosh.enable = true;
};
}

1
nix-patches/default.nix
View file

@ -1 +0,0 @@
{}

47
npins/default.nix
View file

@ -1,47 +0,0 @@
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
mkSource = spec:
assert spec ? type; let
path =
if spec.type == "Git" then mkGitSource spec
else if spec.type == "GitRelease" then mkGitSource spec
else if spec.type == "PyPi" then mkPyPiSource spec
else if spec.type == "Channel" then mkChannelSource spec
else builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = path; };
mkGitSource = { repository, revision, url ? null, hash, ... }:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null then
(builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
})
else assert repository.type == "Git"; builtins.fetchGit {
url = repository.url;
rev = revision;
# hash = hash;
};
mkPyPiSource = { url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource = { url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
in
if version == 3 then
builtins.mapAttrs (_: mkSource) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

43
npins/sources.json
View file

@ -1,43 +0,0 @@
{
"pins": {
"agenix": {
"type": "GitRelease",
"repository": {
"type": "Git",
"url": "https://github.com/ryantm/agenix"
},
"pre_releases": false,
"version_upper_bound": null,
"version": "0.13.0",
"revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795",
"url": null,
"hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54"
},
"nix-lib": {
"type": "GitRelease",
"repository": {
"type": "Git",
"url": "https://git.hubrecht.ovh/hubrecht/nix-lib"
},
"pre_releases": false,
"version_upper_bound": null,
"version": "0.1.6",
"revision": "ffb3dfa4c146d48300bd4fa625acfe48e091a734",
"url": null,
"hash": "1frsja071qqx6p7rjnijzhidqfylx0ipzqpmjdvj4jl89h34vrhr"
},
"nixos-23.05": {
"type": "Channel",
"name": "nixos-23.05",
"url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz",
"hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz",
"hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9"
}
},
"version": 3
}

15
shell.nix
View file

@ -1,15 +0,0 @@
let
sources = import ./npins;
pkgs = import sources.nixpkgs { };
in
pkgs.mkShell {
packages = with pkgs; [
npins
colmena
nixos-generators
] ++ (builtins.map (p: callPackage p { }) [
]);
allowSubstitutes = false;
}