From 244c8027aa0adc6545a67f4f6d3d2e51ea40b08c Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 01/16] feat: Add sinavir's keys for `core-services-01` --- machines/core-services-01/configuration.nix | 1 + machines/pubkeys/sinavir.keys | 1 + 2 files changed, 2 insertions(+) create mode 100644 machines/pubkeys/sinavir.keys diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index d8284fb..819ad48 100644 --- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/configuration.nix @@ -85,6 +85,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/hubrecht.keys + ../pubkeys/sinavir.keys ]; # Open ports in the firewall. diff --git a/machines/pubkeys/sinavir.keys b/machines/pubkeys/sinavir.keys new file mode 100644 index 0000000..471d054 --- /dev/null +++ b/machines/pubkeys/sinavir.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o -- 2.47.1 From 66c40b1026484c8673989babc531625d7c23e40a Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 02/16] feat: Add sinavir's keys to `public-cof` and `remote-builder-01` --- machines/public-cof/configuration.nix | 1 + machines/remote-builder-01/configuration.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index ae3fce3..cb19ba2 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -55,6 +55,7 @@ ../pubkeys/gdd.keys ../pubkeys/raito.keys ../pubkeys/mrf.keys + ../pubkeys/sinavir.keys ]; system.stateVersion = "21.05"; diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/configuration.nix index ad971fb..286062b 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/configuration.nix 
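Review bot: The single line added to `machines/pubkeys/sinavir.keys` carries no trailing comment naming the key's owner or device, unlike the `hackens@hackens-milieu` and `Raito's remote builder key` entries elsewhere in this series, so nothing in the repository records which device this root-capable key belongs to. Since the file is consumed through `users.users.root.openssh.authorizedKeys.keyFiles`, an identifying comment such as `ssh-ed25519 <key> sinavir@<device-placeholder>` makes later rotation and revocation auditable. The key is also committed by a different author than its owner, so a sentence in the commit message on how the fingerprint was verified out of band would be worth having.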
@@ -64,6 +64,7 @@ users.users.root.openssh.authorizedKeys.keyFiles = [ ../pubkeys/gdd.keys ../pubkeys/raito.keys + ../pubkeys/sinavir.keys ../pubkeys/remote-builders.keys ]; -- 2.47.1 From 3f2e795b0e1e080c90cca360c39b3fdbb26a1dc1 Mon Sep 17 00:00:00 2001 From: gabriel-doriath-dohler Date: Thu, 23 Feb 2023 23:59:59 +0000 Subject: [PATCH 03/16] chore: Rename module options --- machines/core-services-01/gitea.nix | 8 ++++---- machines/core-services-01/system.nix | 2 +- machines/public-cof/acme.nix | 2 +- machines/public-cof/hedgedoc.nix | 2 +- machines/public-cof/system.nix | 2 +- machines/remote-builder-01/system.nix | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/machines/core-services-01/gitea.nix b/machines/core-services-01/gitea.nix index ddfcbae..26402d0 100644 --- a/machines/core-services-01/gitea.nix +++ b/machines/core-services-01/gitea.nix @@ -13,11 +13,11 @@ in httpAddress = "127.0.0.1"; httpPort = port; database.type = "postgres"; - disableRegistration = false; - log = { - level = "Warn"; - }; settings = { + service.DISABLE_REGISTRATION = false; + log = { + level = "Warn"; + }; openid = { ENABLE_OPENID_SIGNUP = true; }; diff --git a/machines/core-services-01/system.nix b/machines/core-services-01/system.nix index 827bd11..3ab02d1 100644 --- a/machines/core-services-01/system.nix +++ b/machines/core-services-01/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" "gab" ]; + settings.trusted-users = [ "root" "gab" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/public-cof/acme.nix b/machines/public-cof/acme.nix index 3911368..9e03a21 100644 --- a/machines/public-cof/acme.nix +++ b/machines/public-cof/acme.nix @@ -1,5 +1,5 @@ { ... }: { security.acme.acceptTerms = true; - security.acme.email = "club-reseau@lists.ens.psl.eu"; + security.acme.defaults.email = "club-reseau@lists.ens.psl.eu"; } 
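Review bot: `service.DISABLE_REGISTRATION = false` carries open self-registration over to the renamed option, and together with `openid.ENABLE_OPENID_SIGNUP = true` in the same `settings` block it means anyone reaching the instance can create an account; if that is not intended, `service.DISABLE_REGISTRATION = true;` or `service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` restricts it. The rename also moves the log level to `settings.log.level`, whereas the ini key Gitea documents is `LEVEL`; I believe the lookup is case-sensitive, so verify the setting still takes effect after this change. The enclosing `services.gitea` block starts before the hunk.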
diff --git a/machines/public-cof/hedgedoc.nix b/machines/public-cof/hedgedoc.nix index b4235d5..23c8782 100644 --- a/machines/public-cof/hedgedoc.nix +++ b/machines/public-cof/hedgedoc.nix @@ -5,7 +5,7 @@ in { services.hedgedoc = { enable = true; - configuration = { + settings = { protocolUseSSL = true; # scp =; # TODO domain = "docs.beta.rz.ens.wtf"; diff --git a/machines/public-cof/system.nix b/machines/public-cof/system.nix index 997dbdd..b3a1d4c 100644 --- a/machines/public-cof/system.nix +++ b/machines/public-cof/system.nix @@ -8,7 +8,7 @@ # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; diff --git a/machines/remote-builder-01/system.nix b/machines/remote-builder-01/system.nix index 9bb13cf..81732ab 100644 --- a/machines/remote-builder-01/system.nix +++ b/machines/remote-builder-01/system.nix @@ -1,7 +1,7 @@ { pkgs, ... }: { # Auto GC and store optimizations nix = { - trustedUsers = [ "root" ]; + settings.trusted-users = [ "root" ]; gc = { automatic = true; dates = "weekly"; -- 2.47.1 From deffb8e1fc45f4e43df5b5c44646084b86dd8009 Mon Sep 17 00:00:00 2001 From: sinavir Date: Fri, 24 Feb 2023 10:56:54 +0100 Subject: [PATCH 04/16] core-01: fix ipv4 routing issue --- machines/core-services-01/network.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/machines/core-services-01/network.nix b/machines/core-services-01/network.nix index d3579be..da02165 100644 --- a/machines/core-services-01/network.nix +++ b/machines/core-services-01/network.nix @@ -29,8 +29,15 @@ in "10-ens20" = { name = "ens20"; address = my.ipv4InternalFull; - DHCP = "ipv4"; + dhcpV4Config.RouteMetric = 2048; + routes = [ + { + routeConfig = { + Destination = "10.0.0.0/8"; + }; + } + ]; }; }; } -- 2.47.1 From 2fde8ccf156c88b2200952017106a604b339bd29 Mon Sep 17 00:00:00 2001 
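Review bot: With `DHCP = "ipv4"` removed, the added `dhcpV4Config.RouteMetric = 2048` does nothing, because `dhcpV4Config` only shapes a DHCP lease that this unit no longer requests; either keep `DHCP = "ipv4";` next to the metric (so the DHCP default route is deprioritised but still present) or drop the dead `dhcpV4Config` line so the intent of the fix is unambiguous. The new route has only `Destination = "10.0.0.0/8"` and no `Gateway`, which makes it an on-link route over `ens20`; a short comment saying that is deliberate would stop the next reader from adding a gateway. The `systemd.network.networks` attribute this hunk edits starts before the hunk.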
From: Raito Bezarius Date: Wed, 19 Jul 2023 00:04:42 +0200 Subject: [PATCH 05/16] deployment: upgrade to 23.05 --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 92a2cda..45c0417 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "8d3bd93e67201a7c8238e9cbde6d07aba9500636"; # nixos-unstable + ref = "23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.1 From b88167f46a824194b079410b74010a03bb823207 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:44 +0200 Subject: [PATCH 06/16] =?UTF-8?q?deployment:=20fix=20it=20for=2023.05?= =?UTF-8?q?=E2=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krops.nix b/krops.nix index 45c0417..140772d 100644 --- a/krops.nix +++ b/krops.nix @@ -9,7 +9,7 @@ let # Auto-upgrade wen? nixpkgs.git = { clean.exclude = [ "/.version-suffix" ]; - ref = "23.05"; + ref = "origin/release-23.05"; url = "https://github.com/NixOS/nixpkgs"; }; }]; -- 2.47.1 From 42cd2d7b794ebd8184b98760aab945c0dc1cd5e1 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:21:54 +0200 Subject: [PATCH 07/16] public-cof: add thubrecht --- machines/public-cof/configuration.nix | 1 + machines/public-cof/secrets/secrets.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix index cb19ba2..6bd8454 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/configuration.nix @@ -56,6 +56,7 @@ ../pubkeys/raito.keys ../pubkeys/mrf.keys ../pubkeys/sinavir.keys + ../pubkeys/hubrecht.keys ]; system.stateVersion = "21.05"; diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix index c703081..d48cb63 100644 
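Review bot: `ref = "origin/release-23.05"` replaces the previously pinned commit with a moving branch, so each deployment now fetches whatever the branch head is at that moment and two deploys of the same repository state can produce different systems; the `# nixos-unstable` comment that documented the pin was dropped in PATCH 05 and nothing replaces it. If tracking the release branch is the intent, say so inline, e.g. `ref = "origin/release-23.05"; # tracks the branch head on purpose; not reproducible`, otherwise pin a commit of that branch and bump it deliberately. The same applies to PATCH 05's hunk, which introduced the bare `"23.05"` ref.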
--- a/machines/public-cof/secrets/secrets.nix +++ b/machines/public-cof/secrets/secrets.nix @@ -2,7 +2,7 @@ let pkgs = import {}; lib = pkgs.lib; readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../../pubkeys + "/${user}.keys"))); - superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd"); + superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd") ++ (readPubkeys "hubrecht"); public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg"; systems = [ public-cof ]; in -- 2.47.1 From 793e4d2aeea78b56ddfe5ca3d9d21f3906a1626f Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 19 Jul 2023 00:22:03 +0200 Subject: [PATCH 08/16] public-cof: add some tuning for lychee --- machines/public-cof/lychee.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/machines/public-cof/lychee.nix b/machines/public-cof/lychee.nix index 944604b..137cd32 100644 --- a/machines/public-cof/lychee.nix +++ b/machines/public-cof/lychee.nix @@ -7,4 +7,11 @@ website = "photos.ens.wtf"; settings.APP_URL = "https://${config.services.lychee.website}"; }; + services.phpfpm.pools."photos.ens.wtf".settings = { + pm = "dynamic"; + "pm.max_children" = 10; + "pm.start_servers" = 3; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 3; + }; } -- 2.47.1 From 55c7194022bcbe79b1ad6009e9a5a3c9cce7374d Mon Sep 17 00:00:00 2001 From: sinavir Date: Sun, 23 Jul 2023 16:55:26 +0200 Subject: [PATCH 09/16] core-01: make it work for 23.05 --- machines/core-services-01/configuration.nix | 1 - machines/core-services-01/dokuwiki.nix | 28 --------------------- machines/core-services-01/monitoring.nix | 20 +++++++-------- 3 files changed, 10 insertions(+), 39 deletions(-) delete mode 100644 machines/core-services-01/dokuwiki.nix diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix index 819ad48..ac0021a 100644 --- a/machines/core-services-01/configuration.nix 
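Review bot: Appending `(readPubkeys "hubrecht")` to `superadmins` changes the recipient set of every secret that lists `superadmins`, but the diffstat shows only `secrets.nix` and `configuration.nix` changing, so no encrypted secret files were re-keyed in this commit; if these are agenix secrets, hubrecht cannot decrypt anything until a rekey is run, and that rekey belongs in the same change so declared and actual recipients do not drift. `readPubkeys` also lets every non-empty line of a `.keys` file through, so a comment line in such a file would be treated as a recipient key; that is harmless today but deserves a note next to the helper, e.g. `# every non-empty line is taken as a key: keep .keys files comment-free`.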
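Review bot: The new `services.phpfpm.pools."photos.ens.wtf"` entry hard-codes the host name that the block just above derives from `config.services.lychee.website`, so renaming the site would silently leave this tuning attached to a pool that no longer exists. If the lychee module names its pool after `website` (the context lines suggest it does), `services.phpfpm.pools.${config.services.lychee.website}.settings = { … }` keeps the two in sync. A one-line comment on how `"pm.max_children" = 10` was sized would also help whoever next tunes the host.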
+++ b/machines/core-services-01/configuration.nix @@ -10,7 +10,6 @@ ./backups.nix # ./dex.nix ./dns.nix - ./dokuwiki.nix ./gitea.nix ./headscale.nix ./keycloak.nix diff --git a/machines/core-services-01/dokuwiki.nix b/machines/core-services-01/dokuwiki.nix deleted file mode 100644 index 1ad68e0..0000000 --- a/machines/core-services-01/dokuwiki.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, ... }: - -let - my = config.my; -in -{ - services.dokuwiki.sites."wiki.${my.subZone}" = { - enable = true; - acl = '' - * @ALL 1 - * @admin 16 - ''; - }; - - /* - services.nginx = { - enable = true; - - virtualHosts."wiki.${my.subZone}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "htttp://127.0.0.1:${toString port}"; - }; - }; - }; - */ -} diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix index edf0d20..7015efa 100644 --- a/machines/core-services-01/monitoring.nix +++ b/machines/core-services-01/monitoring.nix @@ -36,16 +36,16 @@ in { services.netdata = { enable = true; - package = pkgs.netdata.overrideAttrs (old: { - version = "1.36.0-185-nightly"; - src = pkgs.fetchFromGitHub { - owner = "netdata"; - repo = "netdata"; - rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; - sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; - fetchSubmodules = true; - }; - }); + #package = pkgs.netdata.overrideAttrs (old: { + # version = "1.36.0-185-nightly"; + # src = pkgs.fetchFromGitHub { + # owner = "netdata"; + # repo = "netdata"; + # rev = "284d5450ec938b667db9985aca6d3cd02b96487f"; + # sha256 = "sha256-QRZL1RjspiqpR1cq8TDqY0wDc4ct7BDY0vbddsvlHgc="; + # fetchSubmodules = true; + # }; + #}); }; systemd.services.netdata.environment."NETDATA_DISABLE_CLOUD" = "1"; -- 2.47.1 From 2ab0cc688587772815ddd8631ec728546a8e4bd6 Mon Sep 17 00:00:00 2001 
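Review bot: The netdata `package` override is commented out rather than removed, leaving a ten-line dead block with a pinned nightly revision and hash that will never be built again; since git history keeps it, deleting it, or reducing it to `# package: the 1.36 nightly override was dropped with the 23.05 upgrade, see git history`, is clearer than a commented-out derivation. The `dokuwiki.nix` deletion in the same commit is equally silent about why the wiki goes away; one line in the commit message would cover it. The `services.netdata` block this hunk edits ends after the hunk.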
From: Raito Bezarius Date: Sun, 23 Jul 2023 17:52:45 +0200 Subject: [PATCH 10/16] =?UTF-8?q?public-cof:=20NC25=20=E2=86=92=20NC26?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Get us rid of RC4 encryption shenigans. --- machines/public-cof/nextcloud.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix index 847affd..badd243 100644 --- a/machines/public-cof/nextcloud.nix +++ b/machines/public-cof/nextcloud.nix @@ -5,14 +5,7 @@ hostName = "nuage.beta.rz.ens.wtf"; https = true; - package = pkgs.nextcloud25; - # OpenSSL 3.0.x breaks RC4 encryption for NextCloud - # But we enabled encryption for NextCloud - # Therefore... - phpPackage = lib.mkForce (pkgs.php81.withExtensions ({ enabled, all }: - (lib.filter (e: e != pkgs.php81.extensions.openssl) enabled) - ++ [ (all.openssl.override { buildInputs = [ pkgs.openssl_1_1 ]; }) ] - )); + package = pkgs.nextcloud26; config = { overwriteProtocol = "https"; -- 2.47.1 From 6fb8528a9950eb1a9177d28e04831b9c6bbd7d25 Mon Sep 17 00:00:00 2001 From: sinavir Date: Sun, 23 Jul 2023 17:58:44 +0200 Subject: [PATCH 11/16] public-cof: upgrade garage --- machines/public-cof/garage.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/public-cof/garage.nix b/machines/public-cof/garage.nix index 7d25b0a..e2a1321 100644 --- a/machines/public-cof/garage.nix +++ b/machines/public-cof/garage.nix @@ -22,6 +22,7 @@ }; services.garage = { enable = true; + package = pkgs.garage_0_8; settings = { replication_mode = "none"; compression_level = 7; -- 2.47.1 From 50c17c74bb457182da4e91e8a6c4031ac6cce5cf Mon Sep 17 00:00:00 2001 From: tomate Date: Sun, 23 Jul 2023 18:04:38 +0200 Subject: [PATCH 12/16] Add 'CONTRIBUTING.md' --- CONTRIBUTING.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..46ce2a1 
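Review bot: Dropping the `phpPackage` override also drops the only comment explaining why an OpenSSL 1.1 PHP build was needed, and the new side has nothing at `package = pkgs.nextcloud26;` recording that the upgrade is what makes it unnecessary. A comment such as `# NC26 no longer needs the OpenSSL 1.1 PHP build the RC4-based encryption required; do not reintroduce openssl_1_1` keeps that knowledge next to the line. Removing the end-of-life OpenSSL 1.1 build from the PHP runtime is a welcome hardening in its own right. The `services.nextcloud` block this hunk edits starts before and ends after the hunk.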
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1 @@
+Maurice écoute les conventions de Ryan
\ No newline at end of file
-- 
2.47.1

From 6b6470eef94acd0b64eb2fbaa600815bb3c7fc3f Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sun, 23 Jul 2023 23:36:06 +0200
Subject: [PATCH 13/16] keys: Move from machines/publickeys

---
 keys/gdd.keys | 2 ++
 keys/hackens-milieu.keys | 1 +
 keys/hubrecht.keys | 1 +
 keys/mrf.keys | 1 +
 keys/raito.keys | 4 ++++
 keys/remote-builders.keys | 1 +
 keys/sinavir.keys | 1 +
 7 files changed, 11 insertions(+)
 create mode 100644 keys/gdd.keys
 create mode 100644 keys/hackens-milieu.keys
 create mode 100644 keys/hubrecht.keys
 create mode 100644 keys/mrf.keys
 create mode 100644 keys/raito.keys
 create mode 100644 keys/remote-builders.keys
 create mode 100644 keys/sinavir.keys

diff --git a/keys/gdd.keys b/keys/gdd.keys
new file mode 100644
index 0000000..b5d4e40
--- /dev/null
+++ b/keys/gdd.keys
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
diff --git a/keys/hackens-milieu.keys b/keys/hackens-milieu.keys
new file mode 100644
index 0000000..c79c039
--- /dev/null
+++ b/keys/hackens-milieu.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3+w4+nyJG8lr2mh0S9Zf8j2/6H5smlO87s6KNLlhkF hackens@hackens-milieu
diff --git a/keys/hubrecht.keys b/keys/hubrecht.keys
new file mode 100644
index 0000000..07fbe76
--- /dev/null
+++ b/keys/hubrecht.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIv3iSpIjeUVDf+f89Hb/L++vzMX15Ti/PZTjAAG+tFl
diff --git a/keys/mrf.keys b/keys/mrf.keys
new file mode 100644
index 0000000..ebbfa68
--- /dev/null
+++ b/keys/mrf.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe4tx0+lNX2w7kG94c9u7U0wHuOc2A6zpHcbyAs+w/d
diff --git a/keys/raito.keys b/keys/raito.keys
new file mode 100644
index 0000000..0f48a59
--- /dev/null
+++ b/keys/raito.keys
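Review bot: The subject says the keys are moved from `machines/pubkeys`, but the diffstat lists seven creations and no deletions, so after this commit every public key exists in two places (`keys/` and `machines/pubkeys/`) while `machines/public-cof/secrets/secrets.nix` still reads `../../pubkeys`; two copies of the authorised-key set invite drift, where a key revoked in one directory stays valid through the other. Either delete the old directory in this commit or repoint the remaining readers at `keys/` in the same change. This applies to all seven key-file hunks of the commit.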
@@ -0,0 +1,4 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKIIcqryU28FkV+UpiTnGCOfwKO5jFhkdvU7a7Ew2KoZ
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMLf6B8VV//BhOWihYK8Zy1CJ3sg4w2bP0aBO0VPs4hS
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
diff --git a/keys/remote-builders.keys b/keys/remote-builders.keys
new file mode 100644
index 0000000..b1b7645
--- /dev/null
+++ b/keys/remote-builders.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3hCOyFwuoCLt5W9e9yQSwj9I+VspB0kNNHsoFngbgZ Raito's remote builder key
diff --git a/keys/sinavir.keys b/keys/sinavir.keys
new file mode 100644
index 0000000..471d054
--- /dev/null
+++ b/keys/sinavir.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o
-- 
2.47.1

From 7f88c60cc22761935cbf0159e58283bf54d72a41 Mon Sep 17 00:00:00 2001
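Review bot: The first line of `keys/raito.keys` is an RSA key whose encoded modulus length (`AAABAQ` after the exponent) indicates 2048 bits, while the other three lines are ed25519; because these files feed root's authorized keys, it is worth confirming that this older key is still in use and retiring it if it is not. None of the four lines carries an identifying comment, so a future rotation would have to proceed by matching fingerprints; comments of the form `ssh-ed25519 <key> raito@<device-placeholder>` make that auditable.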
From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:36:55 +0200 Subject: [PATCH 14/16] Switch from krops to colmena --- .envrc | 1 + .gitignore | 1 + hive.nix | 57 +++++++++++++++++ .../{configuration.nix => _configuration.nix} | 22 +------ ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 11 ---- ...ration.nix => _hardware-configuration.nix} | 0 .../{configuration.nix => _configuration.nix} | 20 +----- ...ration.nix => _hardware-configuration.nix} | 0 meta/default.nix | 5 ++ meta/nodes.nix | 64 +++++++++++++++++++ modules/default.nix | 11 ++++ modules/krz-access-control.nix | 46 +++++++++++++ modules/krz-ssh.nix | 25 ++++++++ nix-patches/default.nix | 1 + npins/default.nix | 47 ++++++++++++++ npins/sources.json | 43 +++++++++++++ shell.nix | 15 +++++ 18 files changed, 318 insertions(+), 51 deletions(-) create mode 100644 .envrc create mode 100644 hive.nix rename machines/core-services-01/{configuration.nix => _configuration.nix} (70%) rename machines/core-services-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/public-cof/{configuration.nix => _configuration.nix} (77%) rename machines/public-cof/{hardware-configuration.nix => _hardware-configuration.nix} (100%) rename machines/remote-builder-01/{configuration.nix => _configuration.nix} (69%) rename machines/remote-builder-01/{hardware-configuration.nix => _hardware-configuration.nix} (100%) create mode 100644 meta/default.nix create mode 100644 meta/nodes.nix create mode 100644 modules/default.nix create mode 100644 modules/krz-access-control.nix create mode 100644 modules/krz-ssh.nix create mode 100644 nix-patches/default.nix create mode 100644 npins/default.nix create mode 100644 npins/sources.json create mode 100644 shell.nix diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..1d953f4 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use nix diff --git a/.gitignore b/.gitignore index b2be92b..726d2d6 100644 --- a/.gitignore 
+++ b/.gitignore @@ -1 +1,2 @@ result +.direnv diff --git a/hive.nix b/hive.nix new file mode 100644 index 0000000..fdc3708 --- /dev/null +++ b/hive.nix @@ -0,0 +1,57 @@ +let + sources = import ./npins; + metadata = import ./meta; + + lib = import (sources.nix-lib + "/trivial.nix"); + + mkNode = node: { name, nodes, ... }: { + # Import the base configuration for each node + imports = builtins.map (lib.mkRel ./machines/${node}) [ + "_configuration.nix" + "_hardware-configuration.nix" + ]; + + # Include default secrets + # dgn-secrets.sources = [ ./machines/${node}/secrets ]; + + # Deployment config is specified in meta.nodes.${node}.deployment + inherit (metadata.nodes.${node}) deployment; + + # Set NIX_PATH to the patched version of nixpkgs + nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ]; + + # Use the stateVersion declared in the metadata + system.stateVersion = metadata.nodes.${node}.stateVersion; + }; + + mkNixpkgs = node: + let version = "nixos-${metadata.nodes.${node}.nixpkgs}"; in + (import sources.${version} { }).applyPatches { + name = "${version}-patched"; + src = sources.${version}; + patches = (import ./nix-patches).${version} or [ ]; + }; + + mkNixpkgs' = node: import (mkNixpkgs node) { }; + + mkArgs = node: { + nix-lib = import sources.nix-lib { inherit ((mkNixpkgs' node)) lib; keysRoot = ./keys; }; + }; + + nodes = builtins.attrNames metadata.nodes; +in + +{ + meta = { + nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes; + + specialArgs = { inherit sources; meta = metadata; }; + + nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes; + }; + + defaults = { ... }: { + # Import the default modules + imports = [ ./modules ]; + }; +} // (lib.mapSingleFuse mkNode nodes) diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/_configuration.nix similarity index 70% rename from machines/core-services-01/configuration.nix rename to machines/core-services-01/_configuration.nix index ac0021a..9bcee06 100644 
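Review bot: `mkNode` sets `system.stateVersion` from `metadata.nodes.${node}.stateVersion`, but the three renamed `_configuration.nix` files in this commit each keep their own `system.stateVersion = "…";` line, so the value is declared twice per node and only evaluates because both strings happen to agree; drop the per-machine line so `meta/nodes.nix` is the single source, or drop it from `mkNode`. Separately, `mkNode = node: { name, nodes, ... }:` binds `name` and `nodes` without using them; `mkNode = node: { ... }:` says what is actually consumed. The commented `# dgn-secrets.sources = [ … ];` line should carry a TODO like the one in `modules/default.nix` so it is not mistaken for a deliberate disable.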
--- a/machines/core-services-01/configuration.nix +++ b/machines/core-services-01/_configuration.nix @@ -2,9 +2,6 @@ { imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./acme-dns.nix ./acme-ssl.nix ./backups.nix @@ -77,28 +74,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/hubrecht.keys - ../pubkeys/sinavir.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? - environment.variables.NIX_PATH = lib.mkForce "/var/src"; + system.stateVersion = "22.05"; } diff --git a/machines/core-services-01/hardware-configuration.nix b/machines/core-services-01/_hardware-configuration.nix similarity index 100% rename from machines/core-services-01/hardware-configuration.nix rename to machines/core-services-01/_hardware-configuration.nix diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/_configuration.nix similarity index 77% rename from machines/public-cof/configuration.nix rename to machines/public-cof/_configuration.nix index 6bd8454..a831791 100644 --- a/machines/public-cof/configuration.nix +++ b/machines/public-cof/_configuration.nix 
@@ -3,7 +3,6 @@ { imports = [ - ./hardware-configuration.nix ./programs.nix ./system.nix ./acme.nix @@ -49,15 +48,5 @@ enableSSHSupport = true; }; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/mrf.keys - ../pubkeys/sinavir.keys - ../pubkeys/hubrecht.keys - ]; - system.stateVersion = "21.05"; } diff --git a/machines/public-cof/hardware-configuration.nix b/machines/public-cof/_hardware-configuration.nix similarity index 100% rename from machines/public-cof/hardware-configuration.nix rename to machines/public-cof/_hardware-configuration.nix diff --git a/machines/remote-builder-01/configuration.nix b/machines/remote-builder-01/_configuration.nix similarity index 69% rename from machines/remote-builder-01/configuration.nix rename to machines/remote-builder-01/_configuration.nix index 286062b..d5906a8 100644 --- a/machines/remote-builder-01/configuration.nix +++ b/machines/remote-builder-01/_configuration.nix @@ -2,7 +2,6 @@ { imports = [ - ./hardware-configuration.nix ./system.nix # TODO monitoring ]; 
@@ -59,28 +58,11 @@ services.zfs.autoScrub.enable = true; - # Enable the OpenSSH daemon. - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../pubkeys/gdd.keys - ../pubkeys/raito.keys - ../pubkeys/sinavir.keys - ../pubkeys/remote-builders.keys - ]; - # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. networking.firewall.enable = false; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.05"; # Did you read the comment? - + system.stateVersion = "21.05"; } - diff --git a/machines/remote-builder-01/hardware-configuration.nix b/machines/remote-builder-01/_hardware-configuration.nix similarity index 100% rename from machines/remote-builder-01/hardware-configuration.nix rename to machines/remote-builder-01/_hardware-configuration.nix diff --git a/meta/default.nix b/meta/default.nix new file mode 100644 index 0000000..a6ccb51 --- /dev/null +++ b/meta/default.nix @@ -0,0 +1,5 @@ +let + nodes = import ./nodes.nix; +in + +{ inherit nodes; } diff --git a/meta/nodes.nix b/meta/nodes.nix new file mode 100644 index 0000000..c017cc4 --- /dev/null +++ b/meta/nodes.nix 
@@ -0,0 +1,64 @@ +### +# File specifying all the deployement options for the nodes administrated by the dgnum. +# +# Node metadata template is: +# +# NODE_NAME = { +# adminGroups = []; # List of groups that have root access +# admins = []; # List of individuals that have root access +# deployment = {}; # Colmena deployment options +# nixpkgs = "unstable" or "22.11"; # nixpkgs version +# } + +let + mkNode = _: attrs: { + access = [ ]; + + deployment = { }; + + nixpkgs = "23.05"; + } // attrs; +in + +builtins.mapAttrs mkNode { + core-services-01 = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "core01.rz.ens.wtf"; + + stateVersion = "22.05"; + }; + + remote-builder-01 = { + admins = [ + "gdd" + "raito" + "sinavir" + "remote-builders" + ]; + + deployment.targetHost = "nix01.builders.rz.ens.wtf"; + + stateVersion = "21.05"; + }; + + public-cof = { + admins = [ + "gdd" + "hubrecht" + "mrf" + "raito" + "sinavir" + ]; + + deployment.targetHost = "beta.rz.ens.wtf"; + + stateVersion = "21.05"; + }; +} diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..bc98724 --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,11 @@ +{ nix-lib, sources, ... }: + +{ + imports = (nix-lib.mkImports ./. [ + "krz-access-control" + "krz-ssh" + ]) ++ [ + # TODO: Switch to global version of agenix via npins + # "${sources.agenix}/modules/age.nix" + ]; +} diff --git a/modules/krz-access-control.nix b/modules/krz-access-control.nix new file mode 100644 index 0000000..55fd2a3 --- /dev/null +++ b/modules/krz-access-control.nix 
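Review bot: The header template in `meta/nodes.nix` does not match what the file and its consumers use: it documents `adminGroups` and a `nixpkgs` of `"unstable"` or `"22.11"`, while `mkNode` defaults `access = [ ]` (read nowhere in this commit) and `nixpkgs = "23.05"`, and the `stateVersion` field that `hive.nix` reads is absent from the template. `admins` has no default either, so a node entry that omits it makes `krz-access-control` fail at `inherit (nodeMeta) admins`; either give it a default in `mkNode` or state in the template that it is mandatory. Please rewrite the template to list `admins`, `deployment`, `nixpkgs` and `stateVersion` with their real defaults and drop `adminGroups`/`access` until something consumes them.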
@@ -0,0 +1,46 @@ +{ config, lib, nix-lib, meta, name, ... }: + +let + inherit (lib) + mkDefault + mkEnableOption + mkIf + mkOption + + types; + + nodeMeta = meta.nodes.${name}; + inherit (nodeMeta) admins; + + cfg = config.krz-access-control; +in + +{ + options.krz-access-control = { + enable = mkEnableOption "DGNum access control." // { default = true; }; + + users = mkOption { + type = with types; attrsOf (listOf str); + default = { }; + description = '' + Attribute set describing which member has access to which user on the node. + Members must be declared in `meta/members.nix`. + ''; + example = '' + { + user1 = [ "member1" "member2" ]; + } + ''; + }; + }; + + config = mkIf cfg.enable { + # Admins have root access to the node + krz-access-control.users.root = mkDefault admins; + + users.users = builtins.mapAttrs + (u: members: { openssh.authorizedKeys.keys = nix-lib.getAllKeys members; }) + cfg.users; + }; +} + diff --git a/modules/krz-ssh.nix b/modules/krz-ssh.nix new file mode 100644 index 0000000..4124ada --- /dev/null +++ b/modules/krz-ssh.nix @@ -0,0 +1,25 @@ +{ config, lib, ... }: + +let + inherit (lib) + mkEnableOption + mkIf; + + cfg = config.krz-ssh; +in + +{ + options.krz-ssh = { + enable = mkEnableOption "ssh default configuration." // { default = true; }; + }; + + config = mkIf cfg.enable { + services.openssh = { + enable = true; + + settings.PasswordAuthentication = false; + }; + + programs.mosh.enable = true; + }; +} diff --git a/nix-patches/default.nix b/nix-patches/default.nix new file mode 100644 index 0000000..0967ef4 --- /dev/null +++ b/nix-patches/default.nix @@ -0,0 +1 @@ +{} diff --git a/npins/default.nix b/npins/default.nix new file mode 100644 index 0000000..4a7c372 --- /dev/null +++ b/npins/default.nix 
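Review bot: The option description says members `must be declared in meta/members.nix`, but this commit adds no such file: keys are resolved by `nix-lib.getAllKeys` against the `keysRoot = ./keys` passed from `hive.nix`, so the description should point at `keys/<member>.keys` instead. `users.users = builtins.mapAttrs (u: members: { openssh.authorizedKeys.keys = … })` only sets authorized keys, so for any `cfg.users` entry other than `root` the account must be created elsewhere or, I believe, NixOS's user-type assertion fails; that constraint belongs in the description or in an `assertions` entry. Since the module is `enable = true` by default and hands root to every name in `admins`, a comment at `krz-access-control.users.root = mkDefault admins;` noting that a node-level definition replaces rather than extends the admin list would prevent an accidental lockout or over-grant.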
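Review bot: `settings.PasswordAuthentication = false` disables the password method but leaves keyboard-interactive (PAM) authentication at its default, through which a password can still be accepted; add `settings.KbdInteractiveAuthentication = false;` beside it so key-only access is actually enforced. With every root login in this tree coming from `authorizedKeys`, `settings.PermitRootLogin = "prohibit-password";` would state that policy explicitly rather than rely on the default. A one-line comment on why `programs.mosh.enable = true` lives in the SSH module (it opens its own UDP port range by default) would also help.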
@@ -0,0 +1,47 @@ +# Generated by npins. Do not modify; will be overwritten regularly +let + data = builtins.fromJSON (builtins.readFile ./sources.json); + version = data.version; + + mkSource = spec: + assert spec ? type; let + path = + if spec.type == "Git" then mkGitSource spec + else if spec.type == "GitRelease" then mkGitSource spec + else if spec.type == "PyPi" then mkPyPiSource spec + else if spec.type == "Channel" then mkChannelSource spec + else builtins.throw "Unknown source type ${spec.type}"; + in + spec // { outPath = path; }; + + mkGitSource = { repository, revision, url ? null, hash, ... }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null then + (builtins.fetchTarball { + inherit url; + sha256 = hash; # FIXME: check nix version & use SRI hashes + }) + else assert repository.type == "Git"; builtins.fetchGit { + url = repository.url; + rev = revision; + # hash = hash; + }; + + mkPyPiSource = { url, hash, ... }: + builtins.fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = { url, hash, ... }: + builtins.fetchTarball { + inherit url; + sha256 = hash; + }; +in +if version == 3 then + builtins.mapAttrs (_: mkSource) data.pins +else + throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json new file mode 100644 index 0000000..1df8536 --- /dev/null +++ b/npins/sources.json 
@@ -0,0 +1,43 @@ +{ + "pins": { + "agenix": { + "type": "GitRelease", + "repository": { + "type": "Git", + "url": "https://github.com/ryantm/agenix" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "0.13.0", + "revision": "9c9fbfb94b2d545c7f0b78da0254ea0041595795", + "url": null, + "hash": "0k6aggy3lhqv6j11cvi4gr0i3jps8hlf262xl9ji3ffxwas46p54" + }, + "nix-lib": { + "type": "GitRelease", + "repository": { + "type": "Git", + "url": "https://git.hubrecht.ovh/hubrecht/nix-lib" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "0.1.1", + "revision": "5db2443e2cb18335375ad84ffbc066a239c054de", + "url": null, + "hash": "18xzi2yn2vk7zq79pgz8z2s1ijhyjcx5866mp21rrdi9gz37yiif" + }, + "nixos-23.05": { + "type": "Channel", + "name": "nixos-23.05", + "url": "https://releases.nixos.org/nixos/23.05/nixos-23.05.2162.6da4bc6cb07/nixexprs.tar.xz", + "hash": "198wbl9b7j3k51n0rxs09vy6x535ysqv6kbxf42d9yqr49d2n9vc" + }, + "nixpkgs": { + "type": "Channel", + "name": "nixpkgs-unstable", + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-23.11pre506668.af8cd5ded77/nixexprs.tar.xz", + "hash": "0in8bgah6hz47lsa3ka2fslwks174maqdzy8mcmsj0q4wrv8h2s9" + } + }, + "version": 3 +} \ No newline at end of file diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..e29954b --- /dev/null +++ b/shell.nix @@ -0,0 +1,15 @@ +let + sources = import ./npins; + pkgs = import sources.nixpkgs { }; +in + +pkgs.mkShell { + packages = with pkgs; [ + npins + colmena + nixos-generators + ] ++ (builtins.map (p: callPackage p { }) [ + ]); + + allowSubstitutes = false; +} -- 2.47.1 From 29034e605695e37086e46f9cedb77af4bc132dc8 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:50:10 +0200 Subject: [PATCH 15/16] krops.nix: Delete --- krops.nix | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 krops.nix diff --git a/krops.nix b/krops.nix deleted file mode 100644 index 140772d..0000000 
--- a/krops.nix +++ /dev/null @@ -1,36 +0,0 @@ -let - krops = builtins.fetchGit { url = "https://cgit.krebsco.de/krops/"; }; - lib = import "${krops}/lib"; - pkgs = import "${krops}/pkgs" { }; - source = machine: - lib.evalSource [{ - config.file = toString ./machines; - nixos-config.symlink = "config/${machine}/configuration.nix"; - # Auto-upgrade wen? - nixpkgs.git = { - clean.exclude = [ "/.version-suffix" ]; - ref = "origin/release-23.05"; - url = "https://github.com/NixOS/nixpkgs"; - }; - }]; - mkTestConfig = hostname: { - name = "test-${hostname}"; - value = pkgs.krops.writeTest "test-${hostname}" { - source = source hostname; - target = lib.mkTarget { - host = "localhost"; - path = "/tmp/src"; - }; - force = true; # force create the sentinel file. - }; - }; - mkTestsConfig = hostnames: builtins.listToAttrs (map mkTestConfig hostnames); - mkDeploy = hostname: target: { ${hostname} = pkgs.krops.writeDeploy "deploy-${hostname}" { - source = source hostname; - inherit target; - }; }; -in {} -// mkDeploy "core-services-01" "root@core01.rz.ens.wtf" -// mkDeploy "remote-builder-01" "root@nix01.builders.rz.ens.wtf" -// mkDeploy "public-cof" "root@beta.rz.ens.wtf" -// mkTestsConfig [ "core-services-01" "remote-builder-01" "public-cof" ] -- 2.47.1 From 41fc60e1eb6fb12f896be92abb5cfd946c3480d4 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sun, 23 Jul 2023 23:56:33 +0200 Subject: [PATCH 16/16] core-01: Disable netboot-server --- machines/core-services-01/_configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/core-services-01/_configuration.nix b/machines/core-services-01/_configuration.nix index 9bcee06..3c7162e 100644 --- a/machines/core-services-01/_configuration.nix +++ b/machines/core-services-01/_configuration.nix @@ -12,7 +12,7 @@ ./keycloak.nix ./matterbridge.nix ./monitoring.nix - ./netboot-server.nix + # ./netboot-server.nix ./network.nix ./nginx.nix ./nur.nix -- 2.47.1
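Review bot: `# ./netboot-server.nix` disables the module by commenting out its import, but neither the line nor the commit message says why or whether it is expected back, and `netboot-server.nix` itself stays in the tree untouched. Either delete the file (history keeps it) or annotate the line, e.g. `# ./netboot-server.nix  # disabled: <reason-placeholder>; re-enable once <condition-placeholder>`. The `imports` list this hunk edits starts before and ends after the hunk.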