diff --git a/hive.nix b/hive.nix
index e1ec5da..c38c402 100644
--- a/hive.nix
+++ b/hive.nix
@@ -4,28 +4,29 @@ let
 lib = import (sources.nix-lib + "/src/trivial.nix");
- mkNode = node: { name, nodes, ... }: {
- # Import the base configuration for each node
- imports = builtins.map (lib.mkRel ./machines/${node}) [
- "_configuration.nix"
- "_hardware-configuration.nix"
- ];
+ mkNode = node:
+ { name, nodes, pkgs, ... }: {
+ # Import the base configuration for each node
+ imports = builtins.map (lib.mkRel ./machines/${node}) [
+ "_configuration.nix"
+ "_hardware-configuration.nix"
+ ];
- # Include default secrets
- dgn-secrets.sources = [ ./machines/${node}/secrets ];
+ # Include default secrets
+ dgn-secrets.sources = [ ./machines/${node}/secrets ];
- # Deployment config is specified in meta.nodes.${node}.deployment
- inherit (metadata.nodes.${node}) deployment;
+ # Deployment config is specified in meta.nodes.${node}.deployment
+ inherit (metadata.nodes.${node}) deployment;
- # Set NIX_PATH to the patched version of nixpkgs
- nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ];
+ # Set NIX_PATH to the patched version of nixpkgs
+ nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ];
- # Allow unfree packages
- nixpkgs.config.allowUnfree = true;
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
- # Use the stateVersion declared in the metadata
- system = { inherit (metadata.nodes.${node}) stateVersion; };
+ # Use the stateVersion declared in the metadata
+ system = { inherit (metadata.nodes.${node}) stateVersion; };
- };
+ };
 mkNixpkgs = node: let
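Review bot: `pkgs` is added to mkNode's argument pattern (`{ name, nodes, pkgs, ... }:`) but nothing in the body references it, so the new binding is dead; either drop it or leave a comment saying which forthcoming change needs it. The remaining lines of the hunk are a re-indent of the existing module body and carry no behavioural change. The same unused `pkgs` appears on `defaults` in the next hunk of this file.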
@@ -42,23 +43,36 @@ let
 mkNixpkgs' = node: import (mkNixpkgs node) { };
- mkArgs = node: {
- dgn-lib = import sources.nix-lib { inherit ((mkNixpkgs' node)) lib; keysRoot = ./keys; metaRoot = ./meta; };
- };
+ ###
+ # Function to create arguments based on the node
+ #
+ mkArgs = node:
+ let lib' = (mkNixpkgs' node).lib;
+ in {
+ lib = lib' // {
+ extra = import sources.nix-lib {
+ lib = lib';
+ keysRoot = ./keys;
+ metaRoot = ./meta;
+ };
+ };
+ };
 nodes = builtins.attrNames metadata.nodes;
-in
-{
+in {
 meta = {
 nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
- specialArgs = { inherit sources; meta = metadata; };
+ specialArgs = {
+ inherit sources;
+ meta = metadata;
+ };
 nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
 };
- defaults = { ... }: {
+ defaults = { pkgs, ... }: {
 # Import the default modules
 imports = [ ./modules ];
 };
diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix
index af765f6..47c6e00 100644
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@@ -1,6 +1,6 @@
-{ dgn-lib, ... }:
+{ lib, ... }:
-dgn-lib.mkConfig {
+lib.extra.mkConfig {
 enabledModules = [
 # List of modules to enable
 "dgn-dns"
diff --git a/machines/storage01/_configuration.nix b/machines/storage01/_configuration.nix
index d9bb98f..5f216d3 100644
--- a/machines/storage01/_configuration.nix
+++ b/machines/storage01/_configuration.nix
@@ -1,6 +1,6 @@
-{ dgn-lib, ... }:
+{ lib, ... }:
-dgn-lib.mkConfig {
+lib.extra.mkConfig {
 enabledModules = [
 # List of modules to enable
 "dgn-web"
diff --git a/machines/web01/_configuration.nix b/machines/web01/_configuration.nix
index dae67b3..d592051 100644
--- a/machines/web01/_configuration.nix
+++ b/machines/web01/_configuration.nix
@@ -1,6 +1,6 @@
-{ dgn-lib, ... }:
+{ lib, ... }:
-dgn-lib.mkConfig {
+lib.extra.mkConfig {
 enabledModules = [
 # List of modules to enable
 "dgn-web"
diff --git a/modules/default.nix b/modules/default.nix
index 17be621..e3032aa 100644
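Review bot: The `lib` attribute returned by mkArgs replaces the module system's own `lib` argument for every module of that node, because node-level specialArgs take precedence over it, so modules now see `(mkNixpkgs' node).lib` with `extra` merged in by `//`. That is coherent with `nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes` a few lines below, but nothing states the coupling; the `###` comment above mkArgs should say it, e.g. `# Overrides the module-system lib with the per-node nixpkgs lib, extended with our helpers under lib.extra; keep in sync with nodeNixpkgs`. Consider `lib'.extend (_: _: { extra = …; })` rather than `//`, so that later extensions of lib still compose and an upstream `extra` attribute would not be silently clobbered (presumably harmless today, not checked here). `pkgs` added to the `defaults` argument pattern is not referenced in its body and can be dropped.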
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -31,10 +31,10 @@
 # pris connaissance de la licence CeCILL, et que vous en avez accepté les
 # termes.
-{ dgn-lib, sources, ... }:
+{ lib, sources, ... }:
 {
- imports = (dgn-lib.mkImports ./. [
+ imports = (lib.extra.mkImports ./. [
 "dgn-access-control"
 "dgn-acme"
 "dgn-console"
diff --git a/modules/dgn-access-control.nix b/modules/dgn-access-control.nix
index b073a09..58394a9 100644
--- a/modules/dgn-access-control.nix
+++ b/modules/dgn-access-control.nix
@@ -31,7 +31,7 @@
 # pris connaissance de la licence CeCILL, et que vous en avez accepté les
 # termes.
-{ config, lib, dgn-lib, meta, name, ... }:
+{ config, lib, meta, name, ... }:
 let
 inherit (lib)
@@ -73,7 +73,7 @@ in
 dgn-access-control.users.root = mkDefault admins;
 users.users = builtins.mapAttrs
- (u: members: { openssh.authorizedKeys.keys = dgn-lib.getAllKeys members; })
+ (u: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; })
 cfg.users;
 };
 }
diff --git a/modules/dgn-dns/zones/_dgnum.eu.nix b/modules/dgn-dns/zones/_dgnum.eu.nix
index fde6788..7e331de 100644
--- a/modules/dgn-dns/zones/_dgnum.eu.nix
+++ b/modules/dgn-dns/zones/_dgnum.eu.nix
@@ -1,7 +1,7 @@
-{ dgn-lib, meta, dns, ... }:
+{ lib, meta, dns, ... }:
 let
- inherit (dgn-lib)
+ inherit (lib.extra)
 fuseAttrs mapSingleFuse;
diff --git a/modules/dgn-dns/zones/default.nix b/modules/dgn-dns/zones/default.nix
index 972f918..e835896 100644
--- a/modules/dgn-dns/zones/default.nix
+++ b/modules/dgn-dns/zones/default.nix
@@ -1,7 +1,7 @@
-args@{ dgn-lib, dns, ... }:
+args@{ lib, dns, ... }:
 let
- inherit (dgn-lib)
+ inherit (lib.extra)
 mapSingleFuse mkRel recursiveFuse;
diff --git a/modules/dgn-fail2ban.nix b/modules/dgn-fail2ban.nix
new file mode 100644
index 0000000..35131ab
--- /dev/null
+++ b/modules/dgn-fail2ban.nix
@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib)
+ mkDefault mkEnableOption mkIf mkOption
+
+ types;
+
+ cfg = config.dgn-fail2ban;
+
+ settingsFormat = pkgs.formats.keyValue { };
+
+ configFormat = pkgs.formats.ini { };
+
+ jailOptions = {
+ options = {
+ enabled = mkOption {
+ type = types.bool;
+
+ default = true;
+ description = "Wether to enable this jail.";
+ };
+
+ filter = mkOption {
+ type =
+ types.nullOr (types.submodule { freeformType = configFormat.type; });
+
+ description = "Content of the filter used for this jail.";
+ };
+
+ settings = mkOption {
+ type = types.submodule { freeformType = settingsFormat.type; };
+
+ default = { };
+ description = "Additional configuration for the jail.";
+ };
+ };
+ };
+
+in {
+ options.dgn-fail2ban = {
+ enable = mkEnableOption "fail2ban service.";
+
+ jails = mkOption {
+ type = types.attrsOf (types.submodule jailOptions);
+
+ default = { };
+ description = "Set of jails defined for fail2ban.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ dgn-fail2ban.jails = builtins.mapAttrs (_: j: j // { enabled = mkDefault false; })
+ (import ./jails.nix { });
+
+ services.fail2ban = {
+ enable = true;
+
+ inherit (cfg) jails;
+
+ ignoreIP = [
+ "10.0.0.0/8"
+ "125.199.0.0/16"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ "100.64.0.0/10"
+ "fd00::/8"
+ ];
+
+ bantime-increment = {
+ enable = true;
+
+ maxtime = "48h";
+ factor = "600";
+ };
+
+ extraPackages = [ pkgs.ipset ];
+ banaction = "iptables-ipset-proto6-allports";
+ };
+ };
+}
diff --git a/modules/dgn-secrets.nix b/modules/dgn-secrets.nix
index 444be9d..98feed7 100644
--- a/modules/dgn-secrets.nix
+++ b/modules/dgn-secrets.nix
@@ -31,7 +31,7 @@
 # pris connaissance de la licence CeCILL, et que vous en avez accepté les
 # termes.
-{ config, lib, dgn-lib, ... }:
+{ config, lib, ... }:
 let
 inherit (lib)
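Review bot: The `filter` option in jailOptions declares `types.nullOr …` but no `default`, so any jail that omits it — including every entry of jails.nix that `dgn-fail2ban.jails` pulls in via `j // { enabled = mkDefault false; }` — will fail evaluation with an "option … is used but not defined" error as soon as the value passed through `inherit (cfg) jails` is read; add `default = null;` below the `type =` line (the consuming services.fail2ban side is outside this diff, so confirm it reads `filter`). `"125.199.0.0/16"` in `ignoreIP` is public address space, unlike the RFC 1918, CGNAT and ULA entries around it; if the ENS range 129.199.0.0/16 was intended this is a typo that exempts an unrelated network while leaving the intended one unprotected, and either way the line deserves a comment naming whose range it is, especially since `banaction = "iptables-ipset-proto6-allports"` makes every ban block all ports. `factor = "600"` with the default base bantime means a second ban already reaches the 48h `maxtime`; if that is intended, state it with a comment such as `# Repeat offenders jump straight to maxtime`. Also "Wether" in the `enabled` description should read "Whether".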
@@ -39,7 +39,7 @@ let
 types;
- inherit (dgn-lib) getSecrets mkBaseSecrets recursiveFuse;
+ inherit (lib.extra) getSecrets mkBaseSecrets recursiveFuse;
 cfg = config.dgn-secrets;
@@ -92,7 +92,7 @@ in {
 names = mkOption {
 type = with types; listOf str;
- default = builtins.foldl' (acc: dir: acc ++ (dgn-lib.getSecrets dir)) [ ]
+ default = builtins.foldl' (acc: dir: acc ++ (getSecrets dir)) [ ]
 cfg.sources;
 description = ''
 List of the names of the secrets.