From d904d73ec3ee0e075bbe154ce4711f298bfd3fcd Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 14 May 2020 17:52:57 +0200 Subject: [PATCH 01/16] nix: add default.nix for debugging builds --- default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 default.nix diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..ba8a592 --- /dev/null +++ b/default.nix @@ -0,0 +1,9 @@ +# Useful to debug a package +# by droping into its build environment: +# $ nix-shell . -A $package +{ system ? builtins.currentSystem +, config ? {} +, overlays ? import ./overlays.nix +, pkgs ? import { inherit system config overlays; } +}: +pkgs -- 2.44.1 From 76750b1c07f339ae8799744ee5c6adadcded8f62 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 15 May 2020 03:53:46 +0200 Subject: [PATCH 02/16] nix: add tests.nix --- tests.nix | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 tests.nix diff --git a/tests.nix b/tests.nix new file mode 100644 index 0000000..b6428c5 --- /dev/null +++ b/tests.nix 
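Review bot: The `pkgs ?` default in the new default.nix reads `import { inherit system config overlays; }` with no path between `import` and the argument set, which does not evaluate as written; the same form appears in the tests.nix hunk of PATCH 02. If the page merely dropped an angle-bracket `<nixpkgs>` lookup there is nothing to do, otherwise the path needs restoring in both files. The header comment also has a typo, `droping` → `dropping`.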
@@ -0,0 +1,43 @@ +# Run with : nix -L run -f tests.nix +# Debug with : nix run -f tests.nix driver nixos-test-driver +{ system ? builtins.currentSystem, + config ? {}, + overlays ? import ./overlays.nix, + pkgs ? import { inherit system config overlays; }, + lib ? pkgs.lib, +}: + +let nixosTest = + (import (pkgs.path + /nixos/lib/testing-python.nix)) { + inherit system pkgs; + extraConfigurations = [ + ({ lib, ... }: { + # Propagate pkgs and its overlays to the VM, + # instead of reloading nixpkgs. + config.nixpkgs.pkgs = lib.mkDefault pkgs; + config.documentation.enable = false; + }) + ]; + }; + deployment = "staging"; +in + +nixosTest.makeTest { + nodes = { + mermet = {pkgs, ...}@attrs: {}; + }; + + #enableOCR = true; + #skipLint = true; + testScript = '' + # start_all() + mermet.start() + mermet.wait_for_unit("multi-user.target") + mermet.succeed( + "mkdir /tmp/test", + "mount -t tmpfs none /tmp/test", + "touch /tmp/test/hello", + "test -f /tmp/test/hello", + ) + ''; +} -- 2.44.1 From e4dd04fac68d6aa687c53f915f63e328b34ff146 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Fri, 15 May 2020 22:15:25 +0200 Subject: [PATCH 03/16] gnupg: remove use-tor for now --- servers/mermet/gitolite | 2 +- shell/modules/tools/security/gnupg.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/servers/mermet/gitolite b/servers/mermet/gitolite index 4a346f3..5f88a04 160000 --- a/servers/mermet/gitolite +++ b/servers/mermet/gitolite @@ -1 +1 @@ -Subproject commit 4a346f30bc7a1690648e360c453c2635b54e1dbf +Subproject commit 5f88a04005a1c4f80f614ba89a5e18716702ab6a diff --git a/shell/modules/tools/security/gnupg.nix b/shell/modules/tools/security/gnupg.nix index 6897921..4c2f3b1 100644 --- a/shell/modules/tools/security/gnupg.nix +++ b/shell/modules/tools/security/gnupg.nix 
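Review bot: `deployment = "staging";` is bound in the `let` of tests.nix but never referenced, and the single node `mermet = {pkgs, ...}@attrs: {};` is an empty module, so the test boots a stock NixOS VM and only checks a tmpfs mount rather than anything under servers/mermet. Either drop the unused binding or use it to select the node's configuration, e.g. `mermet = import (./servers/mermet + "/${deployment}.nix");` once a VM-compatible toplevel exists, and drop the `@attrs` pattern that nothing reads. The commented `# start_all()`, `#enableOCR` and `#skipLint` lines are dead lines that can go.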
@@ -388,7 +388,7 @@ options.gnupg = { allow-ocsp hkp-cacert ${gnupg.keyserverPEM} keyserver hkps://keys.mayfirst.org - use-tor + #use-tor #log-file ${gnupg.gnupgHome}/dirmngr.log #standard-resolver ''; -- 2.44.1 From f9934edf56fd595ce2f37c3eb17f127111a866e0 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 17 May 2020 03:55:02 +0200 Subject: [PATCH 04/16] acme: fix reloading of services, using postRun --- servers/mermet/dovecot/autogeree.net.nix | 8 +++++--- servers/mermet/dovecot/sourcephile.fr.nix | 8 +++++--- servers/mermet/nginx/sourcephile.fr.nix | 8 ++++++++ servers/mermet/postfix/autogeree.net.nix | 10 +++++++--- servers/mermet/postfix/sourcephile.fr.nix | 10 +++++++--- 5 files changed, 32 insertions(+), 12 deletions(-) diff --git a/servers/mermet/dovecot/autogeree.net.nix b/servers/mermet/dovecot/autogeree.net.nix index 7244747..a8afb2e 100644 --- a/servers/mermet/dovecot/autogeree.net.nix +++ b/servers/mermet/dovecot/autogeree.net.nix @@ -33,10 +33,12 @@ services.dovecot2.extraConfig = skip = authenticated } ''; -systemd.services.dovecot2.after = [ - "acme-${domain}.service" -]; +security.acme.certs."${domain}" = { + postRun = "systemctl reload dovecot2"; +}; systemd.services.dovecot2 = { + wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; + after = [ "acme-selfsigned-${domain}.service" ]; preStart = '' install -D -d -m 1770 \ -o "${dovecot2.user}" \ diff --git a/servers/mermet/dovecot/sourcephile.fr.nix b/servers/mermet/dovecot/sourcephile.fr.nix index 6b83d15..eb5d692 100644 --- a/servers/mermet/dovecot/sourcephile.fr.nix +++ b/servers/mermet/dovecot/sourcephile.fr.nix 
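Review bot: Commenting out `use-tor` changes how dirmngr reaches the keyserver, but the generated config records no reason and no condition for re-enabling it, and the commit message only says "for now". The dirmngr.conf produced from this string treats `#` as a comment, so the reason can sit next to the setting: `#use-tor  # disabled <DATE>: <REASON>; re-enable when <CONDITION>`. With it off, lookups still go over `hkps://keys.mayfirst.org` with the pinned `hkp-cacert`, so the query content stays protected in transit, but which keys this host fetches is now visible to its network path instead of to Tor — worth stating so the trade-off is deliberate.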
@@ -33,10 +33,12 @@ services.dovecot2.extraConfig = skip = authenticated } ''; -systemd.services.dovecot2.after = [ - "acme-${domain}.service" -]; +security.acme.certs."${domain}" = { + postRun = "systemctl reload dovecot2"; +}; systemd.services.dovecot2 = { + wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; + after = [ "acme-selfsigned-${domain}.service" ]; preStart = '' install -D -d -m 1770 \ -o "${dovecot2.user}" \ diff --git a/servers/mermet/nginx/sourcephile.fr.nix b/servers/mermet/nginx/sourcephile.fr.nix index 3774681..a1450d3 100644 --- a/servers/mermet/nginx/sourcephile.fr.nix +++ b/servers/mermet/nginx/sourcephile.fr.nix @@ -1,4 +1,5 @@ { pkgs, lib, config, ... }: +let domain = "sourcephile.fr"; in { imports = [ sourcephile.fr/www.nix @@ -6,4 +7,11 @@ imports = [ sourcephile.fr/lemoutona5pattes.nix sourcephile.fr/covid19.nix ]; +security.acme.certs."${domain}" = { + postRun = "systemctl reload nginx"; +}; +systemd.services.dovecot2 = { + wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; + after = [ "acme-selfsigned-${domain}.service" ]; +}; } diff --git a/servers/mermet/postfix/autogeree.net.nix b/servers/mermet/postfix/autogeree.net.nix index 73f3148..9609404 100644 --- a/servers/mermet/postfix/autogeree.net.nix +++ b/servers/mermet/postfix/autogeree.net.nix @@ -58,7 +58,11 @@ services.postfix = { ]; }; }; -systemd.services.postfix.after = [ - "acme-${domain}.service" -]; +security.acme.certs."${domain}" = { + postRun = "systemctl reload postfix"; +}; +systemd.services.postfix = { + wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; + after = [ "acme-selfsigned-${domain}.service" ]; +}; } diff --git a/servers/mermet/postfix/sourcephile.fr.nix b/servers/mermet/postfix/sourcephile.fr.nix index 9fcfb50..d82a1d4 100644 --- a/servers/mermet/postfix/sourcephile.fr.nix +++ b/servers/mermet/postfix/sourcephile.fr.nix 
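Review bot: In servers/mermet/nginx/sourcephile.fr.nix the new ordering block is attached to `systemd.services.dovecot2` instead of nginx, so nginx gets no `wants`/`after` on the ACME units while dovecot2 receives a duplicate of what servers/mermet/dovecot/sourcephile.fr.nix already sets; the line should read `systemd.services.nginx = {`. The `postRun = "systemctl reload nginx"` part is correct and independent of this. Separately, in every file of this patch `after` lists only `acme-selfsigned-${domain}.service` while `wants` lists both units; if that is deliberate (do not block service start on a network-dependent renewal, rely on `postRun`), a one-line comment saying so would stop the next reader from "fixing" it.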
@@ -58,7 +58,11 @@ services.postfix = { ]; }; }; -systemd.services.postfix.after = [ - "acme-${domain}.service" -]; +security.acme.certs."${domain}" = { + postRun = "systemctl reload postfix"; +}; +systemd.services.postfix = { + wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"]; + after = [ "acme-selfsigned-${domain}.service" ]; +}; } -- 2.44.1 From ad98de8c0ef5bd8d541e17abb66081d4fdf6e513 Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Sun, 17 May 2020 03:59:08 +0200 Subject: [PATCH 05/16] nix: split configuration.nix into alternative toplevels --- base/apu2e4.nix | 14 +- base/zfs.nix | 10 +- defaults.nix | 11 +- servers.nix | 20 ++- servers/losurdo/Makefile | 4 +- servers/losurdo/configuration.nix | 64 -------- servers/losurdo/debug.nix | 10 ++ .../losurdo/{production => }/fileSystems.nix | 33 +--- servers/losurdo/hardware.nix | 37 +++++ servers/losurdo/netdata.nix | 6 + .../losurdo/{production => }/networking.nix | 6 + servers/losurdo/production.nix | 44 ++++- servers/losurdo/prometheus.nix | 6 + servers/losurdo/{production => }/sanoid.nix | 0 .../losurdo/{production => }/shorewall.nix | 0 servers/losurdo/staging.nix | 7 - servers/losurdo/staging/shorewall.nix | 153 ------------------ servers/losurdo/{production => }/syncoid.nix | 0 servers/losurdo/system.nix | 24 +++ servers/losurdo/test.nix | 10 ++ servers/mermet/Makefile | 5 +- servers/mermet/configuration.nix | 67 -------- servers/mermet/debug.nix | 10 ++ .../mermet/{production => }/fileSystems.nix | 7 +- servers/mermet/gitolite | 2 +- servers/mermet/hardware.nix | 35 ++++ .../lesptts.nix => networking.nix} | 9 +- servers/mermet/postfix.nix | 14 +- servers/mermet/production.nix | 33 +++- servers/mermet/production/apu2e4.nix | 30 ---- servers/mermet/{production => }/sanoid.nix | 0 servers/mermet/{production => }/shorewall.nix | 0 servers/mermet/staging.nix | 7 - servers/mermet/staging/shorewall.nix | 153 ------------------ servers/mermet/system.nix | 24 +++ servers/mermet/test.nix | 10 ++ 36 files changed, 303 insertions(+), 562 deletions(-) delete mode 100644 servers/losurdo/configuration.nix create mode 100644 servers/losurdo/debug.nix rename servers/losurdo/{production => }/fileSystems.nix (55%) create mode 100644 servers/losurdo/hardware.nix create mode 100644 servers/losurdo/netdata.nix rename servers/losurdo/{production => }/networking.nix (96%) create mode 100644 servers/losurdo/prometheus.nix rename 
servers/losurdo/{production => }/sanoid.nix (100%) rename servers/losurdo/{production => }/shorewall.nix (100%) delete mode 100644 servers/losurdo/staging.nix delete mode 100644 servers/losurdo/staging/shorewall.nix rename servers/losurdo/{production => }/syncoid.nix (100%) create mode 100644 servers/losurdo/system.nix create mode 100644 servers/losurdo/test.nix delete mode 100644 servers/mermet/configuration.nix create mode 100644 servers/mermet/debug.nix rename servers/mermet/{production => }/fileSystems.nix (84%) create mode 100644 servers/mermet/hardware.nix rename servers/mermet/{production/lesptts.nix => networking.nix} (96%) delete mode 100644 servers/mermet/production/apu2e4.nix rename servers/mermet/{production => }/sanoid.nix (100%) rename servers/mermet/{production => }/shorewall.nix (100%) delete mode 100644 servers/mermet/staging.nix delete mode 100644 servers/mermet/staging/shorewall.nix create mode 100644 servers/mermet/system.nix create mode 100644 servers/mermet/test.nix diff --git a/base/apu2e4.nix b/base/apu2e4.nix index 837e850..68de7f1 100644 --- a/base/apu2e4.nix +++ b/base/apu2e4.nix @@ -62,8 +62,8 @@ boot.initrd = { "igb" ]; }; -boot.kernelModules = [ ]; -boot.extraModulePackages = [ ]; +boot.kernelModules = []; +boot.extraModulePackages = []; boot.kernelParams = [ "gfxpayload=text" #"console=tty0" @@ -72,10 +72,8 @@ boot.kernelParams = [ "zfs.zfs_arc_max=${toString (500 * 1024 * 1024)}" # bytes ]; -environment = { - systemPackages = with pkgs; [ - pciutils - flashrom - ]; -}; +environment.systemPackages = [ + pkgs.pciutils + pkgs.flashrom +]; } diff --git a/base/zfs.nix b/base/zfs.nix index fe8b7fa..75bb8c1 100644 --- a/base/zfs.nix +++ b/base/zfs.nix @@ -20,10 +20,8 @@ boot.zfs.requestEncryptionCredentials = true; # Enables periodic scrubbing of ZFS pools. services.zfs.autoScrub.enable = true; -environment = { - systemPackages = [ - pkgs.mbuffer - pkgs.zfs - ]; -}; +environment.systemPackages = [ + pkgs.mbuffer + pkgs.zfs +]; } 
diff --git a/defaults.nix b/defaults.nix index f8df4a5..9a0b0cd 100644 --- a/defaults.nix +++ b/defaults.nix @@ -6,7 +6,15 @@ imports = [ ./modules.nix defaults/predictable-interface-names.nix ]; - +options = { + /* + deployment.name = lib.mkOption { + type = types.enum ["production"]; + default = "production"; + }; + */ +}; +config = { nix = { #binaryCaches = lib.mkForce []; extraOptions = '' @@ -160,4 +168,5 @@ programs = { mosh.enable = true; mtr.enable = true; }; +}; } diff --git a/servers.nix b/servers.nix index 2e1a6e6..40950ac 100644 --- a/servers.nix +++ b/servers.nix @@ -9,6 +9,22 @@ #imports = [ ./defaults.nix ]; }; - mermet = import servers/mermet/configuration.nix; - losurdo = import servers/losurdo/configuration.nix; + mermet = import servers/mermet/production.nix; + losurdo = import servers/losurdo/production.nix; + /* + mermet = {pkgs, ...}: { + imports = [ servers/mermet/configuration.nix ]; + config = { + #deployment.name = builtins.getEnv "MERMET_DEPLOYMENT"; + #_module.args.deployment = builtins.getEnv "MERMET_DEPLOYMENT"; + }; + }; + losurdo = {pkgs, ...}: { + imports = [ servers/losurdo/configuration.nix ]; + config = { + #deployment.name = builtins.getEnv "LOSURDO_DEPLOYMENT"; + #_module.args.deployment = builtins.getEnv "LOSURDO_DEPLOYMENT"; + }; + }; + */ } diff --git a/servers/losurdo/Makefile b/servers/losurdo/Makefile index c500629..9474270 100644 --- a/servers/losurdo/Makefile +++ b/servers/losurdo/Makefile @@ -8,6 +8,7 @@ rpool := $(server)_nvme cipher := aes-128-gcm autotrim := on reservation := 1G +#unicode_normalization := formD wipe-sd: sudo modprobe zfs @@ -42,6 +43,7 @@ format-rpool: -O keyformat=passphrase \ -O keylocation=prompt) \ -O normalization=formD \ + $(if $(unicode_normalization),-O normalization=$(unicode_normalization) \ -R /mnt/$(server) $(rpool) /dev/disk/by-partlabel/$(server)_nvme_root sudo zpool set \ autotrim=$(autotrim) \ 
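Review bot: In the `format-rpool` hunk of servers/losurdo/Makefile the hard-coded `-O normalization=formD \` is kept as context and the conditional `$(if $(unicode_normalization),-O normalization=$(unicode_normalization) \` is added right below it, so formD is always passed and the new variable can only add a second, possibly conflicting, `-O normalization=`; the servers/mermet/Makefile hunk in this same patch replaces the hard-coded line instead. Pick one behaviour for both hosts: either drop the `-O normalization=formD \` line here as was done for mermet, or drop the new conditional. The closing `)` of the new `$(if …)` is not visible within the hunk; if it is not on a following recipe line, make will report an unterminated variable reference.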
@@ -143,7 +145,7 @@ bootstrap: mount chmod o+rw $$GPG_TTY $$XAUTHORITY sudo --preserve-env \ - NIXOS_CONFIG="$$PWD/configuration.nix" \ + NIXOS_CONFIG="$$PWD/install.nix" \ $$(which nixos-install) \ --root /mnt/$(server) \ --no-root-passwd \ diff --git a/servers/losurdo/configuration.nix b/servers/losurdo/configuration.nix deleted file mode 100644 index d1b83c3..0000000 --- a/servers/losurdo/configuration.nix +++ /dev/null @@ -1,64 +0,0 @@ -# This is the root configuration of the target machine. -# Usable by nixos-install and used by nixops. -# It is NOT copied nor usable on the target machine, -# only the resulting closure is copied to the target machine. -{ pkgs, lib, config, options, ... }@attrs: -let - inherit (builtins) getEnv hasAttr readFile; - inherit (builtins.extraBuiltins) pass pass-chomp; - inherit (config.users) users; -in -{ -# This value determines the NixOS release with which your system is to be -# compatible, in order to avoid breaking some software such as database servers. -# You should change this only after NixOS release notes say you should. -system.stateVersion = "19.09"; # Did you read the comment? - -imports = [ - (./. + ("/" + getEnv "LOSURDO_DEPLOYMENT" + ".nix")) - ../../defaults.nix - ../../base/unbound.nix - ./users.nix - ./transmission.nix - #./netdata.nix - #./prometheus.nix -] ++ lib.optionals (! hasAttr "nodes" attrs) [ - - -]; - -networking = rec { - hostName = "losurdo"; - domainBase = "sourcephile"; - domain = "${domainBase}.fr"; -}; - -/* -environment.etc."sudo.conf".text = '' - Debug sudo /var/log/sudo_debug.log all@debug - Debug sudoers.so /var/log/sudo_debug.log all@debug -''; -*/ - -systemd.coredump.enable = true; - -environment = { - enableDebugInfo = true; - systemPackages = with pkgs; [ - cryptsetup - direnv - file - fio - gdb - git - gptfdisk - #hey - home-manager - lm_sensors - rsync - smartctl-tbw - socat - sanoid - ]; -}; -} 
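Review bot: The `bootstrap` hunk points `NIXOS_CONFIG` at `$$PWD/install.nix`, but no `install.nix` is created or renamed anywhere in this patch's file list (the deleted configuration.nix is not renamed to it either), so `nixos-install` would fail on a missing file unless a later patch in the series adds it; the servers/mermet/Makefile hunk in this patch does the same with `../install.nix`. If the file is meant to arrive later, the two Makefile changes should travel with it; otherwise rename configuration.nix to install.nix in this commit instead of deleting it.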
diff --git a/servers/losurdo/debug.nix b/servers/losurdo/debug.nix new file mode 100644 index 0000000..21493eb --- /dev/null +++ b/servers/losurdo/debug.nix @@ -0,0 +1,10 @@ +{ +systemd.coredump.enable = true; +environment.enableDebugInfo = true; +/* +environment.etc."sudo.conf".text = '' + Debug sudo /var/log/sudo_debug.log all@debug + Debug sudoers.so /var/log/sudo_debug.log all@debug +''; +*/ +} diff --git a/servers/losurdo/production/fileSystems.nix b/servers/losurdo/fileSystems.nix similarity index 55% rename from servers/losurdo/production/fileSystems.nix rename to servers/losurdo/fileSystems.nix index e0b5597..ff23eba 100644 --- a/servers/losurdo/production/fileSystems.nix +++ b/servers/losurdo/fileSystems.nix @@ -1,14 +1,9 @@ { pkgs, lib, config, ... }: { imports = [ - ../../../base/zfs.nix + ../../base/zfs.nix ]; -# The 32-bit host id of the machine, formatted as 8 hexadecimal characters. -# You should try to make this id unique among your machines. -# Manually generated with : head -c4 /dev/urandom | od -A none -t x4 | cut -d ' ' -f 2 -networking.hostId = "e18f71a6"; - /* # Enable the (OpenSolaris-compatible) ZFS auto-snapshotting service. services.zfs.autoSnapshot = { @@ -21,32 +16,6 @@ services.zfs.autoSnapshot = { }; */ -boot.loader.grub.devices = [ - #"/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNJ0N211426T" - #"/dev/disk/by-id/usb-Generic-_Multi-Card_20071114173400000-0:0" - "/dev/disk/by-id/mmc-SB32G_0xdb5e2237" -]; - -fileSystems."/boot" = - { device = "/dev/disk/by-partlabel/losurdo_sd_boot"; - fsType = "ext2"; - }; - -fileSystems."/boot/efi" = - { device = "/dev/disk/by-partlabel/losurdo_sd_efi"; - fsType = "vfat"; - }; - -swapDevices = - [ { device = "/dev/disk/by-partlabel/losurdo_nvme_swap"; - randomEncryption = { - enable = true; - cipher = "aes-xts-plain64"; - source = "/dev/urandom"; - }; - } - ]; - fileSystems."/" = { device = "losurdo_nvme/root"; fsType = "zfs"; 
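Review bot: The new servers/losurdo/debug.nix sets `systemd.coredump.enable = true` and `environment.enableDebugInfo = true`, and servers/losurdo/production.nix in this same patch imports `./debug.nix` unconditionally (servers/mermet/production.nix and servers/mermet/debug.nix do the same), so core dumps are collected on the production hosts. Core files of daemons such as dovecot, postfix or openldap can contain in-memory secrets (TLS private keys, LDAP bind credentials, session data) and are written to persistent storage under /var/lib/systemd/coredump, so this belongs in a debug-only toplevel rather than in production. Suggest removing `./debug.nix` from the two production.nix import lists, or keeping the import and adding `systemd.coredump.extraConfig = "Storage=none";` so a crash is logged without persisting the dump; the commented-out sudo debug block can be deleted rather than carried along.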
diff --git a/servers/losurdo/hardware.nix b/servers/losurdo/hardware.nix new file mode 100644 index 0000000..3eb2a76 --- /dev/null +++ b/servers/losurdo/hardware.nix @@ -0,0 +1,37 @@ +{ pkgs, lib, config, ... }: +{ +imports = [ + ../../base/dl10j.nix +]; + +# The 32-bit host id of the machine, formatted as 8 hexadecimal characters. +# You should try to make this id unique among your machines. +# Manually generated with : head -c4 /dev/urandom | od -A none -t x4 | cut -d ' ' -f 2 +networking.hostId = "e18f71a6"; + +boot.loader.grub.devices = [ + #"/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_250GB_S4EUNJ0N211426T" + #"/dev/disk/by-id/usb-Generic-_Multi-Card_20071114173400000-0:0" + "/dev/disk/by-id/mmc-SB32G_0xdb5e2237" +]; + +fileSystems."/boot" = + { device = "/dev/disk/by-partlabel/losurdo_sd_boot"; + fsType = "ext2"; + }; + +fileSystems."/boot/efi" = + { device = "/dev/disk/by-partlabel/losurdo_sd_efi"; + fsType = "vfat"; + }; + +swapDevices = [ + { device = "/dev/disk/by-partlabel/losurdo_nvme_swap"; + randomEncryption = { + enable = true; + cipher = "aes-xts-plain64"; + source = "/dev/urandom"; + }; + } +]; +} diff --git a/servers/losurdo/netdata.nix b/servers/losurdo/netdata.nix new file mode 100644 index 0000000..e2af434 --- /dev/null +++ b/servers/losurdo/netdata.nix @@ -0,0 +1,6 @@ +{ pkgs, lib, config, ... }: +{ +services.netdata = { + enable = true; +}; +} diff --git a/servers/losurdo/production/networking.nix b/servers/losurdo/networking.nix similarity index 96% rename from servers/losurdo/production/networking.nix rename to servers/losurdo/networking.nix index 4ca5bfc..9e744c1 100644 --- a/servers/losurdo/production/networking.nix +++ b/servers/losurdo/networking.nix 
@@ -99,7 +99,13 @@ boot.kernel.sysctl = { "net.ipv6.conf.enp5s0.disable_ipv6" = 1; }; +deployment.targetHost = lanIPv4; + networking = { + hostName = "losurdo"; + domainBase = "sourcephile"; + domain = "${config.networking.domainBase}.fr"; + useDHCP = false; defaultGateway = { address = lanIPv4Gateway; diff --git a/servers/losurdo/production.nix b/servers/losurdo/production.nix index 8b2269a..157f8e2 100644 --- a/servers/losurdo/production.nix +++ b/servers/losurdo/production.nix 
@@ -1,20 +1,48 @@ +# This is the configuration.nix +# of the target machine in production. +# Used by NixOps. +# It is NOT copied nor usable on the target machine, +# only the resulting closure is copied to the target machine. { pkgs, lib, config, ... }: let inherit (builtins.extraBuiltins) pass; - inherit (config) networking; + #inherit (config) networking; + mapImportedConfigRecursively = mapConfig: + map (m: modArgs: + let mod = + if builtins.isFunction m + || builtins.isAttrs m + then lib.unifyModuleSyntax null null + (lib.applyIfFunction null m modArgs) + else lib.unifyModuleSyntax (toString m) (toString m) + (lib.applyIfFunction (toString m) (import m) modArgs); + in + mod // { + imports = mapImportedConfigRecursively mapConfig mod.imports; + config = mapConfig mod.config; + } + ); in { imports = [ - ../../base/dl10j.nix - production/networking.nix - production/fileSystems.nix - production/shorewall.nix - production/syncoid.nix - production/sanoid.nix + ../../base/unbound.nix + ../../defaults.nix + ./debug.nix + ./fileSystems.nix + ./hardware.nix + #./netdata.nix + ./networking.nix + #./prometheus.nix + ./sanoid.nix + ./shorewall.nix + ./syncoid.nix + ./system.nix + ./transmission.nix + ./users.nix ]; deployment = { targetEnv = "none"; - targetHost = (builtins.elemAt networking.interfaces.enp5s0.ipv4.addresses 0).address; + #targetHost = (builtins.elemAt networking.interfaces.enp5s0.ipv4.addresses 0).address; keys = { "id_ed25519" = { text = pass "servers/losurdo/root/ssh/id_ed25519"; diff --git a/servers/losurdo/prometheus.nix b/servers/losurdo/prometheus.nix new file mode 100644 index 0000000..377da8f --- /dev/null +++ b/servers/losurdo/prometheus.nix @@ -0,0 +1,6 @@ +{ pkgs, lib, config, ... }: +{ +services.prometheus = { + enable = true; +}; +} diff --git a/servers/losurdo/production/sanoid.nix b/servers/losurdo/sanoid.nix similarity index 100% rename from servers/losurdo/production/sanoid.nix rename to servers/losurdo/sanoid.nix 
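Review bot: `mapImportedConfigRecursively` is defined in the new `let` block of servers/losurdo/production.nix but nothing in this hunk uses it, and it is built on `lib.unifyModuleSyntax` and `lib.applyIfFunction`, which are internals of the module system rather than a supported interface, so it is dead code (unless used further down the file, which the hunk does not show) and a likely breakage on the next nixpkgs bump. Either remove it together with the commented `#inherit (config) networking;` and `#targetHost` lines, or move it to a lib overlay with a comment stating what it is for. The surrounding attribute set continues past the end of the hunk.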
diff --git a/servers/losurdo/production/shorewall.nix b/servers/losurdo/shorewall.nix similarity index 100% rename from servers/losurdo/production/shorewall.nix rename to servers/losurdo/shorewall.nix diff --git a/servers/losurdo/staging.nix b/servers/losurdo/staging.nix deleted file mode 100644 index be918a9..0000000 --- a/servers/losurdo/staging.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, lib, config, ... }: -{ -imports = [ - staging/shorewall.nix -]; -nix.maxJobs = 2; -} diff --git a/servers/losurdo/staging/shorewall.nix b/servers/losurdo/staging/shorewall.nix deleted file mode 100644 index 71e95d5..0000000 --- a/servers/losurdo/staging/shorewall.nix +++ /dev/null 
@@ -1,153 +0,0 @@ -{ pkgs, lib, config, ... }: -let - inherit (builtins) hasAttr readFile; - inherit (pkgs.lib) unlinesAttrs; - inherit (config.services) shorewall shorewall6; - fw2net = '' - # By protocol - Ping(ACCEPT) $FW net - - # By port - DNS(ACCEPT) $FW net - Git(ACCEPT) $FW net - HTTP(ACCEPT) $FW net - HTTPS(ACCEPT) $FW net - SMTP(ACCEPT) $FW net - SMTPS(ACCEPT) $FW net - SSH(ACCEPT) $FW net - ''; - net2fw = '' - # By protocol - Ping(ACCEPT) net $FW - - # By port - #HTTPS(ACCEPT) net $FW - DNS(ACCEPT) net $FW - IMAPS(ACCEPT) net $FW - Mosh(ACCEPT) net $FW - POP3S(ACCEPT) net $FW - SMTP(ACCEPT) net $FW - SMTPS(ACCEPT) net $FW - SSH(ACCEPT) net $FW - ''; - fw2lan = '' - Ping(ACCEPT) $FW lan - DNS(ACCEPT) $FW lan - HTTPS(ACCEPT) $FW lan - ''; - lan2fw = '' - Ping(ACCEPT) lan $FW - SSH(ACCEPT) lan $FW - HTTP(ACCEPT) lan $FW - HTTPS(ACCEPT) lan $FW - DNS(ACCEPT) lan $FW - ''; - macros = { - "macro.Git" = '' - ?FORMAT 2 - #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ - # PORT(S) PORT(S) LIMIT GROUP - PARAM - - tcp 9418 - ''; - "macro.Mosh" = '' - ?FORMAT 2 - #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ - # PORT(S) PORT(S) LIMIT GROUP - PARAM - - udp 60000-61000 - ''; - }; -in -{ - services.shorewall = { - enable = true; - configs = macros // { - "shorewall.conf" = '' - ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"} - # - ## Custom config - ### - STARTUP_ENABLED=Yes - ZONE2ZONE=2 - ''; - zones = '' - # DOC: shorewall-zones(5) - fw firewall - net ipv4 - lan ipv4 - ''; - interfaces = '' - # DOC: shorewall-interfaces(5) - ?FORMAT 2 - net enp0s3 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp - lan enp0s8 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp - ''; - policy = '' - # DOC: shorewall-policy(5) - $FW all DROP - lan all DROP none - net all DROP none - # WARNING: the following policy must be last - all all REJECT none - ''; - rules = '' - # DOC: shorewall-rules(5) - #SECTION ALL - #SECTION ESTABLISHED - #SECTION RELATED - ?SECTION 
NEW - - ${fw2net} - ${net2fw} - - ${fw2lan} - ${lan2fw} - ''; - }; - }; - services.shorewall6 = { - enable = true; - configs = macros // { - "shorewall6.conf" = '' - ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"} - # - ## Custom config - ### - STARTUP_ENABLED=Yes - ZONE2ZONE=2 - ''; - zones = '' - # DOC: shorewall-zones(5) - fw firewall - net ipv6 - lan ipv6 - ''; - interfaces = '' - # DOC: shorewall-interfaces(5) - ?FORMAT 2 - net enp0s3 nosmurfs,tcpflags - lan enp0s8 nosmurfs,tcpflags - ''; - policy = '' - # DOC: shorewall-policy(5) - $FW all DROP - lan all DROP none - net all DROP none - # WARNING: the following policy must be last - all all REJECT none - ''; - rules = '' - # DOC: shorewall-rules(5) - #SECTION ALL - #SECTION ESTABLISHED - #SECTION RELATED - ?SECTION NEW - - ${fw2net} - ${net2fw} - - ${fw2lan} - ${lan2fw} - ''; - }; - }; -} diff --git a/servers/losurdo/production/syncoid.nix b/servers/losurdo/syncoid.nix similarity index 100% rename from servers/losurdo/production/syncoid.nix rename to servers/losurdo/syncoid.nix diff --git a/servers/losurdo/system.nix b/servers/losurdo/system.nix new file mode 100644 index 0000000..b8427c1 --- /dev/null +++ b/servers/losurdo/system.nix @@ -0,0 +1,24 @@ +{ pkgs, lib, config, ... }: +{ +# This value determines the NixOS release with which your system is to be +# compatible, in order to avoid breaking some software such as database servers. +# You should change this only after NixOS release notes say you should. +system.stateVersion = "19.09"; # Did you read the comment? + +environment.systemPackages = with pkgs; [ + cryptsetup + direnv + file + fio + gdb + git + gptfdisk + #hey + home-manager + lm_sensors + rsync + smartctl-tbw + socat + sanoid +]; +} diff --git a/servers/losurdo/test.nix b/servers/losurdo/test.nix new file mode 100644 index 0000000..2c929f3 --- /dev/null +++ b/servers/losurdo/test.nix 
@@ -0,0 +1,10 @@ +{ +imports = [ + + + ../../base/unbound.nix + ../../defaults.nix + ./users.nix + ./system.nix +]; +} diff --git a/servers/mermet/Makefile b/servers/mermet/Makefile index 49c03be..c2cc2d3 100644 --- a/servers/mermet/Makefile +++ b/servers/mermet/Makefile @@ -6,6 +6,7 @@ mermet_cipher := aes-128-gcm mermet_autotrim := mermet_reservation := 1G #mermet_channel := $$(nix-env -p /nix/var/nix/profiles/per-user/$$USER/channels -q nixpkgs --no-name --out-path) +#mermet_unicode_normalization := formD echo: echo $(MAKEFILES) @@ -89,7 +90,7 @@ format: $(if $(mermet_cipher),-O encryption=$(mermet_cipher) \ -O keyformat=passphrase \ -O keylocation=prompt) \ - -O normalization=formD \ + $(if $(mermet_unicode_normalization),-O normalization=$(mermet_unicode_normalization) \ -R /mnt/mermet rpool $(mermet_disk)-part5 sudo zfs set \ acltype=posixacl \ @@ -220,7 +221,7 @@ bootstrap: mount LANG="$$LANG" \ LC_CTYPE="$$LC_CTYPE" \ MERMET_DEPLOYMENT="$$MERMET_DEPLOYMENT" \ - NIXOS_CONFIG="$$(readlink -e ../configuration.nix)" \ + NIXOS_CONFIG="$$(readlink -e ../install.nix)" \ NIX_CONF_DIR="$$NIX_CONF_DIR" \ NIX_PATH="$$NIX_PATH" \ PASSWORD_STORE_DIR="$$PASSWORD_STORE_DIR" \ diff --git a/servers/mermet/configuration.nix b/servers/mermet/configuration.nix deleted file mode 100644 index af4abfc..0000000 --- a/servers/mermet/configuration.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -# This is the root configuration of the target machine. -# Usable by nixos-install and used by nixops. -# It is NOT copied nor usable on the target machine, -# only the resulting closure is copied to the target machine. -{ pkgs, lib, config, options, ... }@attrs: -let - inherit (builtins) getEnv hasAttr readFile; - inherit (builtins.extraBuiltins) pass pass-chomp; -in -{ -# This value determines the NixOS release with which your system is to be -# compatible, in order to avoid breaking some software such as database servers. -# You should change this only after NixOS release notes say you should. -system.stateVersion = "19.09"; # Did you read the comment? - -imports = [ - (./. + ("/" + getEnv "MERMET_DEPLOYMENT" + ".nix")) - ../../defaults.nix - ../../base/unbound.nix - ./users.nix - #./nsd.nix - ./knot.nix - ./openldap.nix - ./gitolite.nix - ./nginx.nix - ./postfix.nix - ./dovecot.nix - ./redis.nix - ./rspamd.nix -] ++ lib.optional (hasAttr "nodes" attrs) - (pkgs.nixops + "/share/nix/nixops/options.nix"); - -networking = rec { - hostName = "mermet"; - domainBase = "sourcephile"; - domain = "${domainBase}.fr"; -}; - -/* -environment.etc."sudo.conf".text = '' - Debug sudo /var/log/sudo_debug.log all@debug - Debug sudoers.so /var/log/sudo_debug.log all@debug -''; -*/ - -systemd.coredump.enable = true; - -environment = { - enableDebugInfo = true; - systemPackages = with pkgs; [ - cryptsetup - direnv - file - fio - gdb - git - gptfdisk - #hey - home-manager - lm_sensors - rsync - smartctl-tbw - socat - thttpd - ]; -}; -} diff --git a/servers/mermet/debug.nix b/servers/mermet/debug.nix new file mode 100644 index 0000000..21493eb --- /dev/null +++ b/servers/mermet/debug.nix @@ -0,0 +1,10 @@ +{ +systemd.coredump.enable = true; +environment.enableDebugInfo = true; +/* +environment.etc."sudo.conf".text = '' + Debug sudo /var/log/sudo_debug.log all@debug + Debug sudoers.so /var/log/sudo_debug.log all@debug +''; +*/ +} 
diff --git a/servers/mermet/production/fileSystems.nix b/servers/mermet/fileSystems.nix similarity index 84% rename from servers/mermet/production/fileSystems.nix rename to servers/mermet/fileSystems.nix index 09ce043..008793f 100644 --- a/servers/mermet/production/fileSystems.nix +++ b/servers/mermet/fileSystems.nix @@ -1,14 +1,9 @@ { pkgs, lib, config, ... }: { imports = [ - ../../../base/zfs.nix + ../../base/zfs.nix ]; -# The 32-bit host id of the machine, formatted as 8 hexadecimal characters. -# You should try to make this id unique among your machines. -# Manually generated with : head -c4 /dev/urandom | od -A none -t x4 | cut -d ' ' -f 2 -networking.hostId = "69c40b03"; - /* # Enable the (OpenSolaris-compatible) ZFS auto-snapshotting service. services.zfs.autoSnapshot = { diff --git a/servers/mermet/gitolite b/servers/mermet/gitolite index 5f88a04..4a346f3 160000 --- a/servers/mermet/gitolite +++ b/servers/mermet/gitolite @@ -1 +1 @@ -Subproject commit 5f88a04005a1c4f80f614ba89a5e18716702ab6a +Subproject commit 4a346f30bc7a1690648e360c453c2635b54e1dbf diff --git a/servers/mermet/hardware.nix b/servers/mermet/hardware.nix new file mode 100644 index 0000000..b6d01b9 --- /dev/null +++ b/servers/mermet/hardware.nix 
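Review bot: The `servers/mermet/gitolite` submodule pointer is moved back from 5f88a04005a1c4f80f614ba89a5e18716702ab6a to 4a346f30bc7a1690648e360c453c2635b54e1dbf, which exactly undoes the bump made in PATCH 03 of this series, while this commit's message (splitting configuration.nix into toplevels) says nothing about gitolite. This looks like a stale submodule checkout swept into the commit; if the revert is not intended, drop this hunk so the pointer keeps the PATCH 03 value. Since a submodule pointer decides which gitolite revision gets deployed, a deliberate move deserves its own commit with a reason.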
@@ -0,0 +1,35 @@ +{ pkgs, lib, config, ... }: +{ +imports = [ + ../../base/apu2e4.nix +]; + +# The 32-bit host id of the machine, formatted as 8 hexadecimal characters. +# You should try to make this id unique among your machines. +# Manually generated with : head -c4 /dev/urandom | od -A none -t x4 | cut -d ' ' -f 2 +networking.hostId = "69c40b03"; + +boot.loader.grub.devices = [ + "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R" +]; + +fileSystems."/boot" = + { device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07"; + fsType = "ext2"; + }; + +fileSystems."/boot/efi" = + { device = "/dev/disk/by-uuid/62E6-E65F"; + fsType = "vfat"; + }; + +swapDevices = [ + { device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b"; + randomEncryption = { + enable = true; + cipher = "aes-xts-plain64"; + source = "/dev/urandom"; + }; + } +]; +} diff --git a/servers/mermet/production/lesptts.nix b/servers/mermet/networking.nix similarity index 96% rename from servers/mermet/production/lesptts.nix rename to servers/mermet/networking.nix index 2854a7b..1f7ca3c 100644 --- a/servers/mermet/production/lesptts.nix +++ b/servers/mermet/networking.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, nodes, ... }: +{ pkgs, lib, config, ... }: with builtins; let inherit (builtins.extraBuiltins) pass pass-to-file; @@ -115,7 +115,14 @@ services.knot.extraConfig = lib.mkBefore '' listen: ${netIPv4}@53 #listen: ::@53 ''; + +deployment.targetHost = netIPv4; + networking = { + hostName = "mermet"; + domainBase = "sourcephile"; + domain = "${config.networking.domainBase}.fr"; + useDHCP = false; defaultGateway = { address = netIPv4Gateway; diff --git a/servers/mermet/postfix.nix b/servers/mermet/postfix.nix index a7006a5..b65370c 100644 --- a/servers/mermet/postfix.nix +++ b/servers/mermet/postfix.nix 
@@ -6,12 +6,13 @@ let inherit (pkgs.lib) loadFile unlines unwords unlinesAttrs; inherit (config) networking users; inherit (config.services) postfix dovecot2 openldap; + domains = [ + "sourcephile.fr" + "autogeree.net" + ]; in { -imports = [ - postfix/sourcephile.fr.nix - postfix/autogeree.net.nix -]; +imports = map (domain: (./postfix + "/${domain}.nix")) domains; options = { services.postfix = { tls_server_sni_maps = lib.mkOption { @@ -26,6 +27,7 @@ options = { config = { users.groups.acme.members = [ postfix.user ]; systemd.services.postfix = { + wants = ["openldap.service"]; after = ["openldap.service"]; preStart = '' install -m 400 -o root -g root ${postfix.tls_server_sni_maps} /run/keys/postfix-sni @@ -45,8 +47,8 @@ services.postfix = { ]; postmasterAlias = "root"; rootAlias = "root@${networking.domain}"; - sslCert = loadFile (../../../sec/openssl + "/${networking.domain}/cert.self-signed.pem"); - sslKey = "/run/keys/${networking.domain}.key.pem"; + sslKey = "/var/lib/acme/${networking.domain}/key.pem"; + sslCert = "/var/lib/acme/${networking.domain}/fullchain.pem"; networks = [ "127.0.0.0/8" "[::1]/128" diff --git a/servers/mermet/production.nix b/servers/mermet/production.nix index c264ac3..8596176 100644 --- a/servers/mermet/production.nix +++ b/servers/mermet/production.nix 
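Review bot: The `sslKey`/`sslCert` change moves Postfix's private key from the NixOps-provisioned `/run/keys/${networking.domain}.key.pem` (a ramfs populated at deploy time) to `/var/lib/acme/${networking.domain}/key.pem`, which is persistent and lives inside the root dataset that `./sanoid.nix` (imported by servers/mermet/production.nix in this patch) snapshots; whether those snapshots leave the host is not visible here. That is acceptable on an encrypted pool, but it is a change in where the key rests and should be stated in the commit message, and any replication target should be confirmed trusted or `/var/lib/acme` excluded. A comment above `sslKey` such as `# Key and chain are managed by security.acme; postfix is reloaded by the cert's postRun` would tie this to the postRun wiring added in PATCH 04.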
@@ -1,16 +1,35 @@
+# This is the configuration.nix
+# of the target machine in production.
+# Used by NixOps.
+# It is NOT copied nor usable on the target machine,
+# only the resulting closure is copied to the target machine.
 { pkgs, lib, config, ... }:
-let inherit (config) networking; in
+let
+ #inherit (builtins.extraBuiltins) pass pass-chomp;
+in
 {
 imports = [
- production/apu2e4.nix
- production/lesptts.nix
- production/fileSystems.nix
- production/sanoid.nix
- production/shorewall.nix
+ ../../base/unbound.nix
+ ../../defaults.nix
+ ./debug.nix
+ ./dovecot.nix
+ ./fileSystems.nix
+ ./gitolite.nix
+ ./hardware.nix
+ ./knot.nix
+ ./networking.nix
+ ./nginx.nix
+ ./openldap.nix
+ ./postfix.nix
+ ./redis.nix
+ ./rspamd.nix
+ ./sanoid.nix
+ ./shorewall.nix
+ ./system.nix
+ ./users.nix
 ];
 deployment = {
 targetEnv = "none";
- targetHost = (builtins.elemAt networking.interfaces.enp1s0.ipv4.addresses 0).address;
 keys = {
 };
 };
diff --git a/servers/mermet/production/apu2e4.nix b/servers/mermet/production/apu2e4.nix deleted file mode 100644
index d317b15..0000000
--- a/servers/mermet/production/apu2e4.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
-imports = [
- ../../../base/apu2e4.nix
-];
-
-boot.loader.grub.devices = [
- "/dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_S1DBNSAF340110R"
-];
-
-fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/dc3c5387-17d2-43b3-bfa2-bf73afacca07";
- fsType = "ext2";
- };
-
-fileSystems."/boot/efi" =
- { device = "/dev/disk/by-uuid/62E6-E65F";
- fsType = "vfat";
- };
-
-swapDevices =
- [ { device = "/dev/disk/by-partuuid/6b1eaa35-776b-4e60-b21e-7bcee535dd8b";
- randomEncryption = {
- enable = true;
- cipher = "aes-xts-plain64";
- source = "/dev/urandom";
- };
- }
- ];
-}
diff --git a/servers/mermet/production/sanoid.nix b/servers/mermet/sanoid.nix similarity index 100% rename from servers/mermet/production/sanoid.nix rename to servers/mermet/sanoid.nix
diff --git a/servers/mermet/production/shorewall.nix b/servers/mermet/shorewall.nix similarity index 100% rename from servers/mermet/production/shorewall.nix rename to servers/mermet/shorewall.nix
diff --git a/servers/mermet/staging.nix b/servers/mermet/staging.nix deleted file mode 100644
index be918a9..0000000
--- a/servers/mermet/staging.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
-imports = [
- staging/shorewall.nix
-];
-nix.maxJobs = 2;
-}
diff --git a/servers/mermet/staging/shorewall.nix b/servers/mermet/staging/shorewall.nix deleted file mode 100644
index 71e95d5..0000000
--- a/servers/mermet/staging/shorewall.nix
+++ /dev/null
@@ -1,153 +0,0 @@ -{ pkgs, lib, config, ... }: -let - inherit (builtins) hasAttr readFile; - inherit (pkgs.lib) unlinesAttrs; - inherit (config.services) shorewall shorewall6; - fw2net = '' - # By protocol - Ping(ACCEPT) $FW net - - # By port - DNS(ACCEPT) $FW net - Git(ACCEPT) $FW net - HTTP(ACCEPT) $FW net - HTTPS(ACCEPT) $FW net - SMTP(ACCEPT) $FW net - SMTPS(ACCEPT) $FW net - SSH(ACCEPT) $FW net - ''; - net2fw = '' - # By protocol - Ping(ACCEPT) net $FW - - # By port - #HTTPS(ACCEPT) net $FW - DNS(ACCEPT) net $FW - IMAPS(ACCEPT) net $FW - Mosh(ACCEPT) net $FW - POP3S(ACCEPT) net $FW - SMTP(ACCEPT) net $FW - SMTPS(ACCEPT) net $FW - SSH(ACCEPT) net $FW - ''; - fw2lan = '' - Ping(ACCEPT) $FW lan - DNS(ACCEPT) $FW lan - HTTPS(ACCEPT) $FW lan - ''; - lan2fw = '' - Ping(ACCEPT) lan $FW - SSH(ACCEPT) lan $FW - HTTP(ACCEPT) lan $FW - HTTPS(ACCEPT) lan $FW - DNS(ACCEPT) lan $FW - ''; - macros = { - "macro.Git" = '' - ?FORMAT 2 - #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ - # PORT(S) PORT(S) LIMIT GROUP - PARAM - - tcp 9418 - ''; - "macro.Mosh" = '' - ?FORMAT 2 - #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ - # PORT(S) PORT(S) LIMIT GROUP - PARAM - - udp 60000-61000 - ''; - }; -in -{ - services.shorewall = { - enable = true; - configs = macros // { - "shorewall.conf" = '' - ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"} - # - ## Custom config - ### - STARTUP_ENABLED=Yes - ZONE2ZONE=2 - ''; - zones = '' - # DOC: shorewall-zones(5) - fw firewall - net ipv4 - lan ipv4 - ''; - interfaces = '' - # DOC: shorewall-interfaces(5) - ?FORMAT 2 - net enp0s3 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp - lan enp0s8 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp - ''; - policy = '' - # DOC: shorewall-policy(5) - $FW all DROP - lan all DROP none - net all DROP none - # WARNING: the following policy must be last - all all REJECT none - ''; - rules = '' - # DOC: shorewall-rules(5) - #SECTION ALL - #SECTION ESTABLISHED - #SECTION RELATED - ?SECTION 
NEW - - ${fw2net} - ${net2fw} - - ${fw2lan} - ${lan2fw} - ''; - }; - }; - services.shorewall6 = { - enable = true; - configs = macros // { - "shorewall6.conf" = '' - ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"} - # - ## Custom config - ### - STARTUP_ENABLED=Yes - ZONE2ZONE=2 - ''; - zones = '' - # DOC: shorewall-zones(5) - fw firewall - net ipv6 - lan ipv6 - ''; - interfaces = '' - # DOC: shorewall-interfaces(5) - ?FORMAT 2 - net enp0s3 nosmurfs,tcpflags - lan enp0s8 nosmurfs,tcpflags - ''; - policy = '' - # DOC: shorewall-policy(5) - $FW all DROP - lan all DROP none - net all DROP none - # WARNING: the following policy must be last - all all REJECT none - ''; - rules = '' - # DOC: shorewall-rules(5) - #SECTION ALL - #SECTION ESTABLISHED - #SECTION RELATED - ?SECTION NEW - - ${fw2net} - ${net2fw} - - ${fw2lan} - ${lan2fw} - ''; - }; - }; -} diff --git a/servers/mermet/system.nix b/servers/mermet/system.nix new file mode 100644 index 0000000..b65bd73 --- /dev/null +++ b/servers/mermet/system.nix @@ -0,0 +1,24 @@ +{ pkgs, lib, config, ... }: +{ +# This value determines the NixOS release with which your system is to be +# compatible, in order to avoid breaking some software such as database servers. +# You should change this only after NixOS release notes say you should. +system.stateVersion = "19.09"; # Did you read the comment? + +environment.systemPackages = with pkgs; [ + cryptsetup + direnv + file + fio + gdb + git + gptfdisk + #hey + home-manager + lm_sensors + rsync + smartctl-tbw + socat + thttpd +]; +} diff --git a/servers/mermet/test.nix b/servers/mermet/test.nix new file mode 100644 index 0000000..2c929f3 --- /dev/null +++ b/servers/mermet/test.nix @@ -0,0 +1,10 @@ +{ +imports = [ + + + ../../base/unbound.nix + ../../defaults.nix + ./users.nix + ./system.nix +]; +} -- 2.44.1 From e3dce9e1f7e080927f07d1a990535a9e0fbf11d9 Mon Sep 17 00:00:00 2001 
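Review bot: `environment.systemPackages` in the new `system.nix` mixes debugging and ad-hoc network tools (`gdb`, `socat`, `thttpd`, `fio`) into the production host's closure; `production.nix` in this same patch imports a `./debug.nix`, which looks like the intended place for such tools, and moving them there keeps what is installed on the production host limited to what it needs. A short comment grouping the remaining entries by purpose (storage maintenance, deployment, monitoring) would document why each one is on a production machine.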
From: Julien Moutinho Date: Sun, 17 May 2020 04:17:47 +0200 Subject: [PATCH 06/16] nix: remove old conf --- servers/mermet/keys.nix | 25 ------------------------- servers/mermet/localhost.nix | 16 ---------------- 2 files changed, 41 deletions(-) delete mode 100644 servers/mermet/keys.nix delete mode 100644 servers/mermet/localhost.nix diff --git a/servers/mermet/keys.nix b/servers/mermet/keys.nix deleted file mode 100644 index 2fedeec..0000000 --- a/servers/mermet/keys.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, lib, config, ... }: -let - inherit (builtins) readFile; - inherit (builtins.extraBuiltins) pass; -in -{ -deployment.keys = { - /* - "sourcephile.fr.key.pem" = { - text = pass "x509/sourcephile.fr/key.pem"; - user = "root"; - group = "root"; - destDir = "/run/keys/"; - permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true - }; - "autogeree.net.key.pem" = { - text = pass "x509/autogeree.net/key.pem"; - user = "root"; - group = "root"; - destDir = "/run/keys/"; - permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true - }; - */ -}; -} diff --git a/servers/mermet/localhost.nix b/servers/mermet/localhost.nix deleted file mode 100644 index 8f647d9..0000000 --- a/servers/mermet/localhost.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ pkgs, lib, config, options, nodes, ... }: -let ipv4 = if options.networking.privateIPv4.isDefined - then config.networking.privateIPv4 - else "X.X.X.X"; -in -{ -} -// lib.mkIf (builtins.hasAttr "mermet" nodes) { - networking = { - interfaces."enp0s8" = { - #macAddress = "00:11:22:33:44:55"; - #ipv4.addresses = [ { address = ipv4; prefixLength = 32; } ]; - ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ]; - }; - }; -} -- 2.44.1 From 4278ede43f1d8a97c6f2ff2257d20da7510f02ee Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Sun, 17 May 2020 04:28:46 +0200 Subject: [PATCH 07/16] nginx: factorize domain
--- servers/mermet/nginx/sourcephile.fr.nix | 2 +- servers/mermet/nginx/sourcephile.fr/covid19.nix | 2 +- servers/mermet/nginx/sourcephile.fr/git.nix | 2 +- servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix | 2 +- servers/mermet/nginx/sourcephile.fr/www.nix | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/servers/mermet/nginx/sourcephile.fr.nix b/servers/mermet/nginx/sourcephile.fr.nix
index a1450d3..3ccc339 100644
--- a/servers/mermet/nginx/sourcephile.fr.nix
+++ b/servers/mermet/nginx/sourcephile.fr.nix
@@ -1,7 +1,7 @@
 { pkgs, lib, config, ... }:
 let domain = "sourcephile.fr"; in
 {
-imports = [
+imports = map (m: import m {inherit domain;}) [
 sourcephile.fr/www.nix
 sourcephile.fr/git.nix
 sourcephile.fr/lemoutona5pattes.nix
diff --git a/servers/mermet/nginx/sourcephile.fr/covid19.nix b/servers/mermet/nginx/sourcephile.fr/covid19.nix
index 0bcb18c..7eed7f3 100644
--- a/servers/mermet/nginx/sourcephile.fr/covid19.nix
+++ b/servers/mermet/nginx/sourcephile.fr/covid19.nix
@@ -1,7 +1,7 @@
+{ domain, ... }:
 { pkgs, lib, config, ... }:
 let inherit (config) networking;
 inherit (config.services) nginx;
- domain = "sourcephile.fr";
 srv = "covid19";
 in
 {
diff --git a/servers/mermet/nginx/sourcephile.fr/git.nix b/servers/mermet/nginx/sourcephile.fr/git.nix
index 8a3294c..3e73369 100644
--- a/servers/mermet/nginx/sourcephile.fr/git.nix
+++ b/servers/mermet/nginx/sourcephile.fr/git.nix
@@ -1,8 +1,8 @@
+{ domain, ... }:
 { pkgs, lib, config, ... }:
 let
 inherit (config) networking;
 inherit (config.services) gitweb gitolite nginx;
- domain = "sourcephile.fr";
 srv = "git";
 gitwebSocket = "/run/gitweb/gitweb.sock";
 in
diff --git a/servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix b/servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix
index 032424c..5083bc8 100644
--- a/servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix
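Review bot: `imports = map (m: import m {inherit domain;}) [ … ]` in `sourcephile.fr.nix` relies on every listed file being curried as `{ domain, ... }:` before its module arguments, and nothing in the file says so; a comment above the line, e.g. `# Each file below is a function of { domain } returning a NixOS module.`, would save the next reader from discovering that convention through an evaluation error when a new vhost file is added without the outer argument set. Because the values handed to `imports` are functions rather than paths, module-system error messages will presumably be attributed to this file instead of the sub-file, which is worth knowing when debugging.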
+++ b/servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix
@@ -1,7 +1,7 @@
+{ domain, ... }:
 { pkgs, lib, config, ... }:
 let inherit (config) networking;
 inherit (config.services) nginx;
- domain = "sourcephile.fr";
 srv = "lemoutona5pattes";
 in
 {
diff --git a/servers/mermet/nginx/sourcephile.fr/www.nix b/servers/mermet/nginx/sourcephile.fr/www.nix
index c2576dc..3ad2b90 100644
--- a/servers/mermet/nginx/sourcephile.fr/www.nix
+++ b/servers/mermet/nginx/sourcephile.fr/www.nix
@@ -1,7 +1,7 @@
+{ domain, ... }:
 { pkgs, lib, config, ... }:
 let inherit (config) networking;
 inherit (config.services) nginx;
- domain = "sourcephile.fr";
 srv = "www";
 in
 {
-- 2.44.1 From 0fcf4014ddc9f70bdc6d1e9b09069899d291961e Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 17 May 2020 04:32:39 +0200 Subject: [PATCH 08/16] nix: remove boring indent
--- servers/losurdo/shorewall.nix | 174 ++++++------- .../mermet/nginx/sourcephile.fr/covid19.nix | 28 +-- servers/mermet/nginx/sourcephile.fr/git.nix | 238 +++++++++--------- .../nginx/sourcephile.fr/lemoutona5pattes.nix | 40 +-- servers/mermet/nginx/sourcephile.fr/www.nix | 46 ++-- servers/mermet/shorewall.nix | 182 +++++++------- 6 files changed, 354 insertions(+), 354 deletions(-)
diff --git a/servers/losurdo/shorewall.nix b/servers/losurdo/shorewall.nix
index 6281c07..4b43143 100644
--- a/servers/losurdo/shorewall.nix
+++ b/servers/losurdo/shorewall.nix
@@ -61,95 +61,95 @@ let }; in { - services.shorewall = { - enable = true; - configs = macros // { - "shorewall.conf" = '' - ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"} - # - ## Custom config - ### - STARTUP_ENABLED=Yes - ZONE2ZONE=2 - ''; - zones = '' - # DOC: shorewall-zones(5) - fw firewall - net ipv4 - wet ipv4 - ''; - interfaces = '' - # DOC: shorewall-interfaces(5) - ?FORMAT 2 - net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags,upnpclient - wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags - ''; - policy = '' - # DOC: shorewall-policy(5) - $FW all DROP - net all DROP none - wet all DROP none - # WARNING: the following policy must be last - all all REJECT none - ''; - rules = '' - # DOC: shorewall-rules(5) - #SECTION ALL - #SECTION ESTABLISHED - #SECTION RELATED - ?SECTION NEW - - ${fw2net} - ACCEPT $FW net:192.168.0.0/16 - ACCEPT $FW net:224.0.0.0/4 udp 1900 # UPnP - ACCEPT $FW net udp {user=${users.transmission.name}} # BitTorrent - ${net2fw} - ACCEPT net $FW tcp ${toString transmission.settings.peer-port} # BitTorrent - ACCEPT net $FW udp ${toString transmission.settings.peer-port} # BitTorrent - ''; - }; +services.shorewall = { + enable = true; + configs = macros // { + "shorewall.conf" = '' + ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"} + # + ## Custom config + ### + STARTUP_ENABLED=Yes + ZONE2ZONE=2 + ''; + zones = '' + # DOC: shorewall-zones(5) + fw firewall + net ipv4 + wet ipv4 + ''; + interfaces = '' + # DOC: shorewall-interfaces(5) + ?FORMAT 2 + net enp5s0 arp_filter,nosmurfs,routefilter=1,tcpflags,upnpclient + wet wlp4s0 arp_filter,nosmurfs,routefilter=1,tcpflags + ''; + policy = '' + # DOC: shorewall-policy(5) + $FW all DROP + net all DROP none + wet all DROP none + # WARNING: the following policy must be last + all all REJECT none + ''; + rules = '' + # DOC: shorewall-rules(5) + #SECTION ALL + #SECTION ESTABLISHED + #SECTION RELATED + ?SECTION NEW + + ${fw2net} + ACCEPT $FW 
net:192.168.0.0/16 + ACCEPT $FW net:224.0.0.0/4 udp 1900 # UPnP + ACCEPT $FW net udp {user=${users.transmission.name}} # BitTorrent + ${net2fw} + ACCEPT net $FW tcp ${toString transmission.settings.peer-port} # BitTorrent + ACCEPT net $FW udp ${toString transmission.settings.peer-port} # BitTorrent + ''; }; - services.shorewall6 = { - enable = true; - configs = macros // { - "shorewall6.conf" = '' - ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"} - # - ## Custom config - ### - STARTUP_ENABLED=Yes - ZONE2ZONE=2 - ''; - zones = '' - # DOC: shorewall-zones(5) - fw firewall - net ipv6 - wet ipv6 - ''; - interfaces = '' - # DOC: shorewall-interfaces(5) - ?FORMAT 2 - net enp5s0 nosmurfs,tcpflags - wet wlp4s0 nosmurfs,tcpflags - ''; - policy = '' - # DOC: shorewall-policy(5) - $FW all DROP - net all DROP none - wet all DROP none - # WARNING: the following policy must be last - all all REJECT none +}; +services.shorewall6 = { + enable = true; + configs = macros // { + "shorewall6.conf" = '' + ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"} + # + ## Custom config + ### + STARTUP_ENABLED=Yes + ZONE2ZONE=2 ''; - rules = '' - # DOC: shorewall-rules(5) - #SECTION ALL - #SECTION ESTABLISHED - #SECTION RELATED - ?SECTION NEW + zones = '' + # DOC: shorewall-zones(5) + fw firewall + net ipv6 + wet ipv6 + ''; + interfaces = '' + # DOC: shorewall-interfaces(5) + ?FORMAT 2 + net enp5s0 nosmurfs,tcpflags + wet wlp4s0 nosmurfs,tcpflags + ''; + policy = '' + # DOC: shorewall-policy(5) + $FW all DROP + net all DROP none + wet all DROP none + # WARNING: the following policy must be last + all all REJECT none + ''; + rules = '' + # DOC: shorewall-rules(5) + #SECTION ALL + #SECTION ESTABLISHED + #SECTION RELATED + ?SECTION NEW - ${fw2net} - ${net2fw} - ''; - }; + ${fw2net} + ${net2fw} + ''; }; +}; } diff --git a/servers/mermet/nginx/sourcephile.fr/covid19.nix b/servers/mermet/nginx/sourcephile.fr/covid19.nix index 7eed7f3..2ea244c 100644 
--- a/servers/mermet/nginx/sourcephile.fr/covid19.nix +++ b/servers/mermet/nginx/sourcephile.fr/covid19.nix @@ -5,19 +5,19 @@ let inherit (config) networking; srv = "covid19"; in { - services.nginx = { - virtualHosts."${srv}" = { - serverName = "${srv}.${domain}"; - forceSSL = true; - useACMEHost = domain; - root = "/home/julm/www/${srv}"; - extraConfig = '' - access_log off; - error_log off; - ''; - locations."/".extraConfig = '' - index index.html; - ''; - }; +services.nginx = { + virtualHosts."${srv}" = { + serverName = "${srv}.${domain}"; + forceSSL = true; + useACMEHost = domain; + root = "/home/julm/www/${srv}"; + extraConfig = '' + access_log off; + error_log off; + ''; + locations."/".extraConfig = '' + index index.html; + ''; }; +}; } diff --git a/servers/mermet/nginx/sourcephile.fr/git.nix b/servers/mermet/nginx/sourcephile.fr/git.nix index 3e73369..a40bc40 100644 --- a/servers/mermet/nginx/sourcephile.fr/git.nix +++ b/servers/mermet/nginx/sourcephile.fr/git.nix 
@@ -7,129 +7,129 @@ let gitwebSocket = "/run/gitweb/gitweb.sock"; in { - services.nginx = { - commonHttpConfig = '' - fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache:${domain}:${srv} - keys_zone=${domain}/${srv}:2M - inactive=10m - levels=1:2 - max_size=32M; +services.nginx = { + commonHttpConfig = '' + fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache:${domain}:${srv} + keys_zone=${domain}/${srv}:2M + inactive=10m + levels=1:2 + max_size=32M; + ''; + virtualHosts."${srv}" = { + serverName = "${srv}.${domain}"; + forceSSL = true; + useACMEHost = domain; + extraConfig = '' + access_log ${nginx.logDir}/${domain}/${srv}/access.log json buffer=32k; + error_log ${nginx.logDir}/${domain}/${srv}/error.log warn; ''; - virtualHosts."${srv}" = { - serverName = "${srv}.${domain}"; - forceSSL = true; - useACMEHost = domain; - extraConfig = '' - access_log ${nginx.logDir}/${domain}/${srv}/access.log json buffer=32k; - error_log ${nginx.logDir}/${domain}/${srv}/error.log warn; - ''; - locations = { - "/" = { - extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi_params; - ${nginx.configs.https_add_headers} - add_header X-Cache $upstream_cache_status; - fastcgi_cache ${domain}/${srv}; - fastcgi_cache_valid 200 1m; - fastcgi_cache_valid 404 30m; - fastcgi_max_temp_file_size 1M; - # Used by gitweb's pathinfo feature - fastcgi_param PATH_INFO $fastcgi_script_name; - fastcgi_param GITWEB_CONFIG ${gitweb.gitwebConfigFile}; - fastcgi_pass unix:${gitwebSocket}; - ''; - }; - "/static/" = { - alias = "${pkgs.gitweb}/static/"; - extraConfig = '' - access_log off; - ''; - }; - "/static-custom/" = { - root = pkgs.writeTextDir "static-custom/style.css" '' - .project_list { - width:100%; - } - ''; - extraConfig = '' - access_log off; - ''; - }; - "/robots.txt" = { - root = pkgs.writeTextDir "robots.txt" '' - User-agent: * - Disallow: /*/blame/* - Disallow: /*/blobdiff/* - Disallow: /*/commitdiff/* - Disallow: /*/commitdiff_plain/* - Disallow: /*/patch/* - Disallow: /*/search/* - Disallow: 
/*/snapshot/* - Disallow: /*a=blame* - Disallow: /*a=blobdiff* - Disallow: /*a=commitdiff* - Disallow: /*a=commitdiff_plain* - Disallow: /*a=patch* - Disallow: /*a=search* - Disallow: /*a=snapshot* - ''; - extraConfig = '' - access_log off; - ''; - }; + locations = { + "/" = { + extraConfig = '' + include ${pkgs.nginx}/conf/fastcgi_params; + ${nginx.configs.https_add_headers} + add_header X-Cache $upstream_cache_status; + fastcgi_cache ${domain}/${srv}; + fastcgi_cache_valid 200 1m; + fastcgi_cache_valid 404 30m; + fastcgi_max_temp_file_size 1M; + # Used by gitweb's pathinfo feature + fastcgi_param PATH_INFO $fastcgi_script_name; + fastcgi_param GITWEB_CONFIG ${gitweb.gitwebConfigFile}; + fastcgi_pass unix:${gitwebSocket}; + ''; + }; + "/static/" = { + alias = "${pkgs.gitweb}/static/"; + extraConfig = '' + access_log off; + ''; + }; + "/static-custom/" = { + root = pkgs.writeTextDir "static-custom/style.css" '' + .project_list { + width:100%; + } + ''; + extraConfig = '' + access_log off; + ''; + }; + "/robots.txt" = { + root = pkgs.writeTextDir "robots.txt" '' + User-agent: * + Disallow: /*/blame/* + Disallow: /*/blobdiff/* + Disallow: /*/commitdiff/* + Disallow: /*/commitdiff_plain/* + Disallow: /*/patch/* + Disallow: /*/search/* + Disallow: /*/snapshot/* + Disallow: /*a=blame* + Disallow: /*a=blobdiff* + Disallow: /*a=commitdiff* + Disallow: /*a=commitdiff_plain* + Disallow: /*a=patch* + Disallow: /*a=search* + Disallow: /*a=snapshot* + ''; + extraConfig = '' + access_log off; + ''; }; }; }; - systemd.services.nginx.preStart = lib.mkBefore '' - install -D -d -m 750 -o ${nginx.user} -g ${nginx.group} ${nginx.logDir}/${domain}/${srv}/ - ''; - systemd.services.gitweb = { - description = "GitWeb FastCGI service"; - script = "${pkgs.gitweb}/gitweb.cgi --fastcgi --nproc=1"; - environment = { - FCGI_SOCKET_PATH = gitwebSocket; - FCGI_SOCKET_PERM = "432"; # decimal of 660 in octal, since current CGI::Fast doesn't use perl's oct() - }; - serviceConfig = { - User = 
gitolite.user; - Group = nginx.group; - RuntimeDirectory = [ "gitweb" ]; - Restart = "always"; - RestartSec = 10; - }; - wantedBy = [ "multi-user.target" ]; +}; +systemd.services.nginx.preStart = lib.mkBefore '' + install -D -d -m 750 -o ${nginx.user} -g ${nginx.group} ${nginx.logDir}/${domain}/${srv}/ +''; +systemd.services.gitweb = { + description = "GitWeb FastCGI service"; + script = "${pkgs.gitweb}/gitweb.cgi --fastcgi --nproc=1"; + environment = { + FCGI_SOCKET_PATH = gitwebSocket; + FCGI_SOCKET_PERM = "432"; # decimal of 660 in octal, since current CGI::Fast doesn't use perl's oct() }; - services.gitweb = { - gitwebTheme = false; - projectroot = "${gitolite.dataDir}/repositories"; - extraConfig = '' - use utf8; - my $s = $cgi->https() ? "s" : ""; - @extra_breadcrumbs = (["${networking.domainBase}" => "http''${s}://${domain}"]); - $site_name = "Git — Sourcephile"; - $home_link_str = "git"; - $projects_list = "${gitolite.dataDir}/projects.list"; - $projects_list_description_width = 50; - $projects_list_group_categories = 1; - $default_projects_order = "age"; - $default_text_plain_charset = 'utf-8'; - #$fallback_encoding = "utf-8"; - $omit_owner = 1; - $export_ok = "git-daemon-export-ok"; - $prevent_xss = 0; - @git_base_url_list = - ( "git://${srv}.${domain}" - , "git\@${srv}.${domain}:" - ); - # NOTE: more readable URL. - $feature{'pathinfo'}{'default'} = [1]; - @stylesheets = ( "/static/gitweb.css" - , "/static-custom/style.css" - ); - $logo = "/static/git-logo.png"; - $favicon = "/static/git-favicon.png"; - $javascript = "/static/gitweb.js"; - $feature{'highlight'}{'default'} = [1]; - ''; + serviceConfig = { + User = gitolite.user; + Group = nginx.group; + RuntimeDirectory = [ "gitweb" ]; + Restart = "always"; + RestartSec = 10; }; + wantedBy = [ "multi-user.target" ]; +}; +services.gitweb = { + gitwebTheme = false; + projectroot = "${gitolite.dataDir}/repositories"; + extraConfig = '' + use utf8; + my $s = $cgi->https() ? 
"s" : ""; + @extra_breadcrumbs = (["${networking.domainBase}" => "http''${s}://${domain}"]); + $site_name = "Git — Sourcephile"; + $home_link_str = "git"; + $projects_list = "${gitolite.dataDir}/projects.list"; + $projects_list_description_width = 50; + $projects_list_group_categories = 1; + $default_projects_order = "age"; + $default_text_plain_charset = 'utf-8'; + #$fallback_encoding = "utf-8"; + $omit_owner = 1; + $export_ok = "git-daemon-export-ok"; + $prevent_xss = 0; + @git_base_url_list = + ( "git://${srv}.${domain}" + , "git\@${srv}.${domain}:" + ); + # NOTE: more readable URL. + $feature{'pathinfo'}{'default'} = [1]; + @stylesheets = ( "/static/gitweb.css" + , "/static-custom/style.css" + ); + $logo = "/static/git-logo.png"; + $favicon = "/static/git-favicon.png"; + $javascript = "/static/gitweb.js"; + $feature{'highlight'}{'default'} = [1]; + ''; +}; } diff --git a/servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix b/servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix index 5083bc8..0124463 100644 --- a/servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix +++ b/servers/mermet/nginx/sourcephile.fr/lemoutona5pattes.nix 
@@ -5,25 +5,25 @@ let inherit (config) networking; srv = "lemoutona5pattes"; in { - services.nginx = { - virtualHosts."${srv}" = { - serverName = "${srv}.${domain}"; - forceSSL = true; - useACMEHost = domain; - root = "/home/julm/www/${srv}"; - extraConfig = '' - access_log ${nginx.logDir}/${domain}/${srv}/access.log json buffer=32k; - error_log ${nginx.logDir}/${domain}/${srv}/error.log warn; - ''; - locations."/".extraConfig = '' - #autoindex on; - fancyindex on; - fancyindex_name_length 255; - fancyindex_exact_size off; - ''; - }; +services.nginx = { + virtualHosts."${srv}" = { + serverName = "${srv}.${domain}"; + forceSSL = true; + useACMEHost = domain; + root = "/home/julm/www/${srv}"; + extraConfig = '' + access_log ${nginx.logDir}/${domain}/${srv}/access.log json buffer=32k; + error_log ${nginx.logDir}/${domain}/${srv}/error.log warn; + ''; + locations."/".extraConfig = '' + #autoindex on; + fancyindex on; + fancyindex_name_length 255; + fancyindex_exact_size off; + ''; }; - systemd.services.nginx.preStart = lib.mkBefore '' - install -D -d -m 750 -o ${nginx.user} -g ${nginx.group} ${nginx.logDir}/${domain}/${srv}/ - ''; +}; +systemd.services.nginx.preStart = lib.mkBefore '' + install -D -d -m 750 -o ${nginx.user} -g ${nginx.group} ${nginx.logDir}/${domain}/${srv}/ +''; } diff --git a/servers/mermet/nginx/sourcephile.fr/www.nix b/servers/mermet/nginx/sourcephile.fr/www.nix index 3ad2b90..e865d19 100644 --- a/servers/mermet/nginx/sourcephile.fr/www.nix +++ b/servers/mermet/nginx/sourcephile.fr/www.nix 
@@ -5,28 +5,28 @@ let inherit (config) networking; srv = "www"; in { - services.nginx = { - virtualHosts."${srv}" = { - serverName = "${srv}.${domain}"; - serverAliases = [ domain ]; - forceSSL = true; - useACMEHost = domain; - root = "/home/julm/work/sourcephile/txt"; - extraConfig = '' - access_log ${nginx.logDir}/${domain}/${srv}/access.log json buffer=32k; - error_log ${nginx.logDir}/${domain}/${srv}/error.log warn; - ''; - locations."/".extraConfig = '' - #autoindex on; - fancyindex on; - fancyindex_name_length 255; - fancyindex_exact_size off; - ''; - locations."/git".return = "302 http://git.${domain}"; - locations."/codes_sources".return = "302 http://git.${domain}"; - }; +services.nginx = { + virtualHosts."${srv}" = { + serverName = "${srv}.${domain}"; + serverAliases = [ domain ]; + forceSSL = true; + useACMEHost = domain; + root = "/home/julm/work/sourcephile/txt"; + extraConfig = '' + access_log ${nginx.logDir}/${domain}/${srv}/access.log json buffer=32k; + error_log ${nginx.logDir}/${domain}/${srv}/error.log warn; + ''; + locations."/".extraConfig = '' + #autoindex on; + fancyindex on; + fancyindex_name_length 255; + fancyindex_exact_size off; + ''; + locations."/git".return = "302 http://git.${domain}"; + locations."/codes_sources".return = "302 http://git.${domain}"; }; - systemd.services.nginx.preStart = lib.mkBefore '' - install -D -d -m 750 -o ${nginx.user} -g ${nginx.group} ${nginx.logDir}/${domain}/${srv}/ - ''; +}; +systemd.services.nginx.preStart = lib.mkBefore '' + install -D -d -m 750 -o ${nginx.user} -g ${nginx.group} ${nginx.logDir}/${domain}/${srv}/ +''; } diff --git a/servers/mermet/shorewall.nix b/servers/mermet/shorewall.nix index 90b5dc5..6408eb9 100644 --- a/servers/mermet/shorewall.nix +++ b/servers/mermet/shorewall.nix 
@@ -74,102 +74,102 @@ let }; in { - services.shorewall = { - enable = true; - configs = macros // { - "shorewall.conf" = '' - ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"} - # - ## Custom config - ### - STARTUP_ENABLED=Yes - ZONE2ZONE=2 - ''; - zones = '' - # DOC: shorewall-zones(5) - fw firewall - net ipv4 - lan ipv4 - unused ipv4 - ''; - interfaces = '' - # DOC: shorewall-interfaces(5) - ?FORMAT 2 - net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags - lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags - unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags - ''; - policy = '' - # DOC: shorewall-policy(5) - $FW all DROP - lan all DROP none - net all DROP none - unused all DROP none - # WARNING: the following policy must be last - all all REJECT none - ''; - rules = '' - # DOC: shorewall-rules(5) - #SECTION ALL - #SECTION ESTABLISHED - #SECTION RELATED - ?SECTION NEW +services.shorewall = { + enable = true; + configs = macros // { + "shorewall.conf" = '' + ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"} + # + ## Custom config + ### + STARTUP_ENABLED=Yes + ZONE2ZONE=2 + ''; + zones = '' + # DOC: shorewall-zones(5) + fw firewall + net ipv4 + lan ipv4 + unused ipv4 + ''; + interfaces = '' + # DOC: shorewall-interfaces(5) + ?FORMAT 2 + net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags + lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags + unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags + ''; + policy = '' + # DOC: shorewall-policy(5) + $FW all DROP + lan all DROP none + net all DROP none + unused all DROP none + # WARNING: the following policy must be last + all all REJECT none + ''; + rules = '' + # DOC: shorewall-rules(5) + #SECTION ALL + #SECTION ESTABLISHED + #SECTION RELATED + ?SECTION NEW - ${fw2net} - ${net2fw} + ${fw2net} + ${net2fw} - ${fw2lan} - ${lan2fw} - ''; - }; + ${fw2lan} + ${lan2fw} + ''; }; - services.shorewall6 = { - enable = true; - configs = macros // { - "shorewall6.conf" = 
'' - ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"} - # - ## Custom config - ### - STARTUP_ENABLED=Yes - ZONE2ZONE=2 - ''; - zones = '' - # DOC: shorewall-zones(5) - fw firewall - net ipv6 - lan ipv6 - unused ipv6 - ''; - interfaces = '' - # DOC: shorewall-interfaces(5) - ?FORMAT 2 - net enp1s0 nosmurfs,tcpflags - lan enp2s0 nosmurfs,tcpflags - unused enp3s0 nosmurfs,tcpflags - ''; - policy = '' - # DOC: shorewall-policy(5) - $FW all DROP - lan all DROP none - net all DROP none - unused all DROP none - # WARNING: the following policy must be last - all all REJECT none +}; +services.shorewall6 = { + enable = true; + configs = macros // { + "shorewall6.conf" = '' + ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"} + # + ## Custom config + ### + STARTUP_ENABLED=Yes + ZONE2ZONE=2 ''; - rules = '' - # DOC: shorewall-rules(5) - #SECTION ALL - #SECTION ESTABLISHED - #SECTION RELATED - ?SECTION NEW + zones = '' + # DOC: shorewall-zones(5) + fw firewall + net ipv6 + lan ipv6 + unused ipv6 + ''; + interfaces = '' + # DOC: shorewall-interfaces(5) + ?FORMAT 2 + net enp1s0 nosmurfs,tcpflags + lan enp2s0 nosmurfs,tcpflags + unused enp3s0 nosmurfs,tcpflags + ''; + policy = '' + # DOC: shorewall-policy(5) + $FW all DROP + lan all DROP none + net all DROP none + unused all DROP none + # WARNING: the following policy must be last + all all REJECT none + ''; + rules = '' + # DOC: shorewall-rules(5) + #SECTION ALL + #SECTION ESTABLISHED + #SECTION RELATED + ?SECTION NEW - ${fw2net} - ${net2fw} + ${fw2net} + ${net2fw} - ${fw2lan} - ${lan2fw} - ''; - }; + ${fw2lan} + ${lan2fw} + ''; }; +}; } -- 2.44.1 From 720e0c8f8a53d4dece3fb49c5699a9bc25d72c32 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 18 May 2020 00:19:49 +0200 Subject: [PATCH 09/16] nix: comment .envrc --- .envrc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.envrc b/.envrc index 0a6e192..d515909 100644 --- a/.envrc +++ b/.envrc 
@@ -87,7 +87,9 @@ else mkdir -p "$cache" { flock --exclusive 3 - # Register the derivation as a root for the garbage-collector, + # Register as a roots for the garbage-collector, + # the --references of shell.nix's derivation + # (non-buildable due to mkShell), # then cache a dump of the environment from within the nix-shell, # then unregister previous derivations, # then load the cached environment. -- 2.44.1 From c272cbad0f6709bcd59559ef577a729719e6d0ce Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 18 May 2020 00:20:30 +0200 Subject: [PATCH 10/16] nix: deploy without nixops --- servers/losurdo.nix | 15 +++++++++++++++ servers/losurdo/deploy.sh | 14 ++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 servers/losurdo.nix create mode 100755 servers/losurdo/deploy.sh diff --git a/servers/losurdo.nix b/servers/losurdo.nix new file mode 100644 index 0000000..6d45891 --- /dev/null +++ b/servers/losurdo.nix @@ -0,0 +1,15 @@ +import { + system = "x86_64-linux"; + modules = [ + losurdo/production.nix + { key = "nixops-stuff"; + imports = [ + + + ]; + } + ]; + extraArgs = { + name = "losurdo"; + }; +} diff --git a/servers/losurdo/deploy.sh b/servers/losurdo/deploy.sh new file mode 100755 index 0000000..9815514 --- /dev/null +++ b/servers/losurdo/deploy.sh @@ -0,0 +1,14 @@ +#!/bin/sh +set -eux +target=${target:-root@losurdo.sourcephile.fr} +# Compile the derivation of the new system +system=$(nix-instantiate "${0%/*}".nix -A config.system.build.toplevel) +# Compile the build products of the new system +nix-store --realise "$system" +# Send the system +nix-copy-closure --to "$target" --use-substitutes --gzip "$system" +# Register the new system +ssh "$target" nix-env --profile /nix/var/nix/profiles/system --set "$system" \ + '&&' nix-env --profile /nix/var/nix/profiles/system --delete-generations +5 +# Switch to the new system +ssh "$target" /nix/var/nix/profiles/system/bin/switch-to-configuration switch -- 2.44.1 
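Review bot: In the new `servers/losurdo/deploy.sh`, `$system` holds the `.drv` path printed by `nix-instantiate`, while the output path that `nix-store --realise` prints is discarded, so `nix-copy-closure` ships the derivation closure (sources and input derivations) rather than the built system and `nix-env --set` on the target is handed a `.drv`, which it will presumably try to realise remotely instead of activating the closure just built locally. Capture the realised output and use that everywhere below: `systemDrv=$(nix-instantiate "${0%/*}".nix -A config.system.build.toplevel)` then `system=$(nix-store --realise "$systemDrv")`. The `'&&'` quoting for the remote `nix-env` chain is fine since ssh hands the joined string to the remote shell, but worth a one-line comment so nobody "fixes" it.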
From 23963dd96a7698c7eb26c03249165aad431fbf42 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 18 May 2020 02:01:15 +0200 Subject: [PATCH 11/16] nix: replace nixops by shell scripts --- .config/nixpkgs-channel/nixos-19.09-small.nix | 1 - .config/nixpkgs-channel/nixos-19.09.nix | 1 - .../nixpkgs-channel/nixos-unstable-small.nix | 2 +- README.md | 10 +++++ defaults.nix | 6 --- servers.nix | 30 ------------- servers/losurdo.nix | 6 --- servers/losurdo/deploy.sh | 11 +++-- servers/losurdo/networking.nix | 2 - servers/losurdo/production.nix | 13 ------ servers/losurdo/system.nix | 4 ++ servers/mermet.nix | 9 ++++ servers/mermet/deploy.sh | 25 +++++++++++ servers/mermet/networking.nix | 2 - servers/mermet/production.nix | 5 --- servers/mermet/rspamd.nix | 6 +-- servers/mermet/rspamd/autogeree.net.nix | 9 +--- servers/mermet/rspamd/sourcephile.fr.nix | 9 +--- servers/production.nix | 4 -- shell.nix | 45 +++++-------------- tests.nix | 1 - 21 files changed, 73 insertions(+), 128 deletions(-) delete mode 100644 .config/nixpkgs-channel/nixos-19.09-small.nix delete mode 100644 .config/nixpkgs-channel/nixos-19.09.nix create mode 100644 README.md delete mode 100644 servers.nix create mode 100644 servers/mermet.nix create mode 100755 servers/mermet/deploy.sh delete mode 100644 servers/production.nix diff --git a/.config/nixpkgs-channel/nixos-19.09-small.nix b/.config/nixpkgs-channel/nixos-19.09-small.nix deleted file mode 100644 index a448427..0000000 --- a/.config/nixpkgs-channel/nixos-19.09-small.nix +++ /dev/null @@ -1 +0,0 @@ -builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/c5aabb0d603e2c1ea05f5a93b3be82437f5ebf31.tar.gz"; sha256="15fwszhn6078sbrb8qk83g8afvh4qnmvff0qbkbvq3cm1fxni2w1";} diff --git a/.config/nixpkgs-channel/nixos-19.09.nix b/.config/nixpkgs-channel/nixos-19.09.nix deleted file mode 100644 index a3d6321..0000000 --- a/.config/nixpkgs-channel/nixos-19.09.nix +++ /dev/null 
@@ -1 +0,0 @@ -builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/d1265562b4c3cca8922f680ee504fa6bd875cae6.tar.gz"; sha256="0qdyiasjdzamlr7jf311wslsvz2cy15cnn8gjj4dr7pwb0wdysp2";} diff --git a/.config/nixpkgs-channel/nixos-unstable-small.nix b/.config/nixpkgs-channel/nixos-unstable-small.nix index aa4cad1..7934190 100644 --- a/.config/nixpkgs-channel/nixos-unstable-small.nix +++ b/.config/nixpkgs-channel/nixos-unstable-small.nix @@ -1 +1 @@ -builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/342eaba9ebbc68923c1028a56be1c94e74862832.tar.gz"; sha256="1wsyk2b73h2f9ljmygqsjqmxxcb1gvs3q6km50y551760na14rqq";} +builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/6feee80de0920fbff16305f9c3a3f93d4f38e5da.tar.gz"; sha256="06rcv6p2bqpz3i9n9chjfxsz21yl0lqmamvmdpaj0lcb3ihc4pir";} diff --git a/README.md b/README.md new file mode 100644 index 0000000..d4a63da --- /dev/null +++ b/README.md @@ -0,0 +1,10 @@ +# Sourcephile Nix infrastructure + +Example. Deployment of NixOS to mermet: + + servers/mermet/deploy.sh + +Example. Computing and printing a configuration option: + + nix-instantiate servers/mermet.nix \ + --eval -A config.networking.hostName diff --git a/defaults.nix b/defaults.nix index 9a0b0cd..e57691c 100644 --- a/defaults.nix +++ b/defaults.nix @@ -7,12 +7,6 @@ imports = [ defaults/predictable-interface-names.nix ]; options = { - /* - deployment.name = lib.mkOption { - type = types.enum ["production"]; - default = "production"; - }; - */ }; config = { nix = { diff --git a/servers.nix b/servers.nix deleted file mode 100644 index 40950ac..0000000 --- a/servers.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - network = { - description = "Sourcephile"; - #enableRollback = true; - enableRollback = true; - }; - - defaults = { - #imports = [ ./defaults.nix ]; - }; - - mermet = import servers/mermet/production.nix; - losurdo = import servers/losurdo/production.nix; - /* - mermet = {pkgs, ...}: { - imports = [ servers/mermet/configuration.nix ]; - config = { - #deployment.name = builtins.getEnv "MERMET_DEPLOYMENT"; - #_module.args.deployment = builtins.getEnv "MERMET_DEPLOYMENT"; - }; - }; - losurdo = {pkgs, ...}: { - imports = [ servers/losurdo/configuration.nix ]; - config = { - #deployment.name = builtins.getEnv "LOSURDO_DEPLOYMENT"; - #_module.args.deployment = builtins.getEnv "LOSURDO_DEPLOYMENT"; - }; - }; - */ -} diff --git a/servers/losurdo.nix b/servers/losurdo.nix index 6d45891..ac83369 100644 --- a/servers/losurdo.nix +++ b/servers/losurdo.nix @@ -2,12 +2,6 @@ import { system = "x86_64-linux"; modules = [ losurdo/production.nix - { key = "nixops-stuff"; - imports = [ - - - ]; - } ]; extraArgs = { name = "losurdo"; diff --git a/servers/losurdo/deploy.sh b/servers/losurdo/deploy.sh index 9815514..6af28a9 100755 --- a/servers/losurdo/deploy.sh +++ b/servers/losurdo/deploy.sh 
@@ -8,7 +8,12 @@ nix-store --realise "$system" # Send the system nix-copy-closure --to "$target" --use-substitutes --gzip "$system" # Register the new system -ssh "$target" nix-env --profile /nix/var/nix/profiles/system --set "$system" \ - '&&' nix-env --profile /nix/var/nix/profiles/system --delete-generations +5 +profile=/nix/var/nix/profiles/system +ssh "$target" nix-env --profile "$profile" --set "$system" \ + '&&' nix-env --profile "$profile" --delete-generations +5 +# Send secrets +pass "servers/losurdo/root/ssh/id_ed25519" | +ssh "$target" install -m 0400 -o root -g root /dev/stdin \ + /root/.ssh/id_ed25519 # Switch to the new system -ssh "$target" /nix/var/nix/profiles/system/bin/switch-to-configuration switch +ssh "$target" "$profile"/bin/switch-to-configuration switch diff --git a/servers/losurdo/networking.nix b/servers/losurdo/networking.nix index 9e744c1..50926c9 100644 --- a/servers/losurdo/networking.nix +++ b/servers/losurdo/networking.nix @@ -99,8 +99,6 @@ boot.kernel.sysctl = { "net.ipv6.conf.enp5s0.disable_ipv6" = 1; }; -deployment.targetHost = lanIPv4; - networking = { hostName = "losurdo"; domainBase = "sourcephile"; diff --git a/servers/losurdo/production.nix b/servers/losurdo/production.nix index 157f8e2..add1e5c 100644 --- a/servers/losurdo/production.nix +++ b/servers/losurdo/production.nix @@ -40,17 +40,4 @@ imports = [ ./transmission.nix ./users.nix ]; -deployment = { - targetEnv = "none"; - #targetHost = (builtins.elemAt networking.interfaces.enp5s0.ipv4.addresses 0).address; - keys = { - "id_ed25519" = { - text = pass "servers/losurdo/root/ssh/id_ed25519"; - user = "root"; - group = "root"; - destDir = "/root/.ssh"; - permissions = "0400"; - }; - }; -}; } diff --git a/servers/losurdo/system.nix b/servers/losurdo/system.nix index b8427c1..8a9a07d 100644 --- a/servers/losurdo/system.nix +++ b/servers/losurdo/system.nix 
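Review bot: The new `pass … | ssh "$target" install -m 0400 -o root -g root /dev/stdin /root/.ssh/id_ed25519` cannot detect a failing `pass` (locked gpg-agent, wrong entry): the script is `#!/bin/sh` with `set -eux` and POSIX sh has no `pipefail`, so only ssh's status is checked and `install` overwrites root's existing key with a zero-length file before the later `switch-to-configuration`. Stage and check on the remote side instead, e.g. `ssh "$target" 'umask 077 && tmp=$(mktemp /root/.ssh/.id_ed25519.XXXXXX) && cat >"$tmp" && [ -s "$tmp" ] && chmod 0400 "$tmp" && mv -f "$tmp" /root/.ssh/id_ed25519'`, which also makes the replacement atomic. The `set -x` trace is fine as written since the secret only travels through the pipe, never onto a command line; keep it that way.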
@@ -5,6 +5,10 @@ # You should change this only after NixOS release notes say you should. system.stateVersion = "19.09"; # Did you read the comment? +# Avoid the use of systemd-run --user --scope tmux +# and let mosh work smoothly. +services.logind.killUserProcesses = false; + environment.systemPackages = with pkgs; [ cryptsetup direnv diff --git a/servers/mermet.nix b/servers/mermet.nix new file mode 100644 index 0000000..d3c0ec1 --- /dev/null +++ b/servers/mermet.nix @@ -0,0 +1,9 @@ +import { + system = "x86_64-linux"; + modules = [ + mermet/production.nix + ]; + extraArgs = { + name = "mermet"; + }; +} diff --git a/servers/mermet/deploy.sh b/servers/mermet/deploy.sh new file mode 100755 index 0000000..20fc473 --- /dev/null +++ b/servers/mermet/deploy.sh @@ -0,0 +1,25 @@ +#!/bin/sh +set -eux +target=${target:-root@mermet.sourcephile.fr} +# Compile the derivation of the new system +system=$(nix-instantiate "${0%/*}".nix \ + -A config.system.build.toplevel \ + ${TRACE:+--show-trace} \ +) +# Compile the build products of the new system +nix-store --realise "$system" +# Send the system +nix-copy-closure --to "$target" --use-substitutes --gzip "$system" +# Register the new system +profile=/nix/var/nix/profiles/system +ssh "$target" nix-env --profile "$profile" --set "$system" \ + '&&' nix-env --profile "$profile" --delete-generations +5 +# Send secrets +pass "dkim/sourcephile.fr/20200101.key" | +ssh "$target" install -D -m 0400 -o rspamd -g root /dev/stdin \ + /run/keys/"dkim.sourcephile.fr.20200101.key" +pass "dkim/autogeree.net/20200101.key" | +ssh "$target" install -D -m 0400 -o rspamd -g root /dev/stdin \ + /run/keys/"dkim.autogeree.net.20200101.key" +# Switch to the new system +ssh "$target" "$profile"/bin/switch-to-configuration switch diff --git a/servers/mermet/networking.nix b/servers/mermet/networking.nix index 1f7ca3c..cf41f63 100644 --- a/servers/mermet/networking.nix +++ b/servers/mermet/networking.nix 
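Review bot: `services.logind.killUserProcesses = false;` re-enables processes that outlive the login session for every user, which is a hardening knob in the other direction; if this is only here to override a `true` set in `defaults.nix` (not visible in this hunk), the narrower fix is to leave the kill policy alone and grant lingering to the one account that runs mosh/tmux, `loginctl enable-linger <user>` or `users.users.<user>.linger = true` where available. If NixOS already defaults this to false the line is a no-op and the comment should say which earlier setting it is reverting. Either way a comment naming the trade-off would help: `# Keeps user sessions alive after logout (mosh/tmux); weakens session cleanup.`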
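Review bot: The DKIM keys in the new `servers/mermet/deploy.sh` are written to `/run/keys/…`, which on NixOS is, I believe, a ramfs (mode 0750, group `keys`) that is emptied on every reboot, so after a reboot rspamd comes back without its signing keys until someone reruns this script; the NixOps `deployment.keys` being removed had the same volatility but it is now undocumented. Either persist them under a root-owned state directory (e.g. `/var/lib/rspamd/dkim`, still `-m 0400 -o rspamd`) and point `dkimSelectorMap` there, or add a comment above the two `pass … | ssh … install -D …` lines stating that keys must be re-pushed after each boot; unless the `rspamd` user is in the `keys` group (not visible here) the 0750 directory will also block it from reading the files. As in the losurdo script, a failing `pass` under POSIX `sh` leaves a zero-length key installed because there is no `pipefail`; check `[ -s ]` on the remote side before installing.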
@@ -116,8 +116,6 @@ services.knot.extraConfig = lib.mkBefore '' #listen: ::@53 ''; -deployment.targetHost = netIPv4; - networking = { hostName = "mermet"; domainBase = "sourcephile"; diff --git a/servers/mermet/production.nix b/servers/mermet/production.nix index 8596176..40c16b1 100644 --- a/servers/mermet/production.nix +++ b/servers/mermet/production.nix @@ -28,9 +28,4 @@ imports = [ ./system.nix ./users.nix ]; -deployment = { - targetEnv = "none"; - keys = { - }; -}; } diff --git a/servers/mermet/rspamd.nix b/servers/mermet/rspamd.nix index 07ef0d0..ee42122 100644 --- a/servers/mermet/rspamd.nix +++ b/servers/mermet/rspamd.nix @@ -8,9 +8,9 @@ let inherit (config.users) users; in { -imports = [ - rspamd/sourcephile.fr.nix - rspamd/autogeree.net.nix +imports = map (d: import (./rspamd + "/${d}.nix") {domain=d;}) [ + "sourcephile.fr" + "autogeree.net" ]; options = { services.rspamd.dkimSelectorMap = lib.mkOption { diff --git a/servers/mermet/rspamd/autogeree.net.nix b/servers/mermet/rspamd/autogeree.net.nix index 9ad5219..a1cc60c 100644 --- a/servers/mermet/rspamd/autogeree.net.nix +++ b/servers/mermet/rspamd/autogeree.net.nix @@ -1,18 +1,11 @@ +{ domain, ... }: { pkgs, lib, config, ... }: let inherit (builtins.extraBuiltins) pass; inherit (config.services) rspamd; - domain = "autogeree.net"; selector = "20200101"; in { -deployment.keys."dkim.${domain}.${selector}.key" = { - text = pass "dkim/${domain}/${selector}.key"; - user = rspamd.user; - group = "root"; - destDir = "/run/keys/"; - permissions = "0400"; -}; systemd.services.rspamd.after = [ "dkim.${domain}.${selector}.key-key.service" ]; services.rspamd.dkimSelectorMap = '' diff --git a/servers/mermet/rspamd/sourcephile.fr.nix b/servers/mermet/rspamd/sourcephile.fr.nix index b499264..3c5d926 100644 --- a/servers/mermet/rspamd/sourcephile.fr.nix +++ b/servers/mermet/rspamd/sourcephile.fr.nix 
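Review bot: With `deployment.keys` gone, the kept line `systemd.services.rspamd.after = [ "dkim.${domain}.${selector}.key-key.service" ];` now orders rspamd after a NixOps-generated unit that no longer exists; `After=` on a missing unit is silently ignored, so nothing guarantees the key is present when rspamd starts (first boot, or a reboot before the key is re-pushed), and the failure mode is unsigned mail rather than a clear error. Either drop the line or make the requirement explicit and loud, e.g. `systemd.services.rspamd.preStart = "test -s /run/keys/dkim.${domain}.${selector}.key";` so the unit fails to start instead of running without its key. The new curried `{ domain, ... }:` header deserves a comment saying it is applied by `rspamd.nix`'s `map` import, since a plain `imports = [ ./rspamd/autogeree.net.nix ]` would now fail.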
@@ -1,19 +1,12 @@ +{ domain, ... }: { pkgs, lib, config, ... }: let inherit (builtins.extraBuiltins) pass; inherit (lib) types; inherit (config.services) rspamd; - domain = "sourcephile.fr"; selector = "20200101"; in { -deployment.keys."dkim.${domain}.${selector}.key" = { - text = pass "dkim/${domain}/${selector}.key"; - user = rspamd.user; - group = "root"; - destDir = "/run/keys/"; - permissions = "0400"; -}; systemd.services.rspamd.after = [ "dkim.${domain}.${selector}.key-key.service" ]; services.rspamd.dkimSelectorMap = '' diff --git a/servers/production.nix b/servers/production.nix deleted file mode 100644 index f9947ef..0000000 --- a/servers/production.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ - mermet = import mermet/production.nix; - losurdo = import losurdo/production.nix; -} diff --git a/shell.nix b/shell.nix index 8c4021d..89316e3 100644 --- a/shell.nix +++ b/shell.nix @@ -1,8 +1,9 @@ let nixpkgs_channel = builtins.getEnv "nixpkgs_channel"; - originNixpkgs = import (.config/nixpkgs-channel + ("/" + nixpkgs_channel + ".nix")); + # Bootstraping Nixpkgs to get tools to patch it. + originNixpkgs = import (.config/nixpkgs-channel + ("/${nixpkgs_channel}.nix")); originPkgs = import originNixpkgs { - config = {}; # Make the config pure, ignoring user's config. + config = {}; # Make the config pure, ignoring user's config. overlays = []; }; remoteNixpkgsPatches = [ @@ -24,9 +25,9 @@ let } ]; localNixpkgsPatches = [ - patches/direnv.diff #patches/fts_xapian.diff ]; + # Build nixpkgs with some patches. nixpkgs = originPkgs.applyPatches { name = "nixpkgs-patched"; src = originNixpkgs; @@ -38,6 +39,7 @@ let echo "+patch-$patch" >.version-suffix ''; }; + # Final pkgs with custom overlays. pkgs = import nixpkgs { config = {}; # Make the config pure, ignoring user's config. overlays = import ./overlays.nix; 
@@ -46,6 +48,7 @@ let lib = pkgs.lib; nixos = pkgs.nixos {}; # Configuration of shell/modules/ + # to expand shellHook and buildInputs of this shell.nix configuration = {config, ...}: { imports = [ ]; @@ -72,23 +75,22 @@ let certificates = import shell/x509.nix; }; openssh = { - # WARNING: nixops uses its own ssh, not this one. enable = true; sshConf = '' Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr Compression no #CompressionLevel 4 ControlMaster auto - ControlPath ${builtins.toString ../sec/ssh}/ssh-%h-%p-%r.socket + ControlPath ${toString ../sec/ssh}/ssh-%h-%p-%r.socket HashKnownHosts no #SSAPIAuthentication no SendEnv LANG LC_* StrictHostKeyChecking yes - UserKnownHostsFile ${builtins.toString ../sec/ssh/known_hosts} + UserKnownHostsFile ${toString ../sec/ssh/known_hosts} ''; }; virtualbox = { - enable = true; + enable = false; }; }; @@ -101,16 +103,7 @@ let modules = [ configuration ]; }).config; - # Utility to query the Nix files like nixops show-option - # but without requiring a nixops database, and not limited to config entries. pwd = toString (./. + ""); - sourcephile-nix-get = pkgs.writeShellScriptBin "sourcephile-nix-get" '' - nix-instantiate --read-write-mode \ - --arg networkExprs "[${pwd}/servers.nix ${pwd}/servers/production.nix]" \ - --arg args '{}' --argstr "uuid" whatever \ - --argstr deploymentName production "" \ - --eval-only --strict --arg checkConfigurationOptions false -A "$@" - ''; sourcephile-shred-tmp = pkgs.writeShellScriptBin "sourcephile-shred-tmp" '' # This is done when entering the nix-shell # because direnv already hooks trap EXIT. @@ -127,7 +120,6 @@ pkgs.mkShell { #preferLocalBuild = true; #allowSubstitutes = false; buildInputs = modules.nix-shell.buildInputs ++ [ - sourcephile-nix-get sourcephile-shred-tmp nixos.nixos-generate-config nixos.nixos-install @@ -158,7 +150,7 @@ pkgs.mkShell { pkgs.gptfdisk pkgs.ncdu pkgs.ncurses - pkgs.nixops + #pkgs.nixops #pkgs.openssl pkgs.pass pkgs.procps 
@@ -188,7 +180,7 @@ pkgs.mkShell { # Nix PATH=$NIX_SHELL_PATH:$PATH - export NIX_PATH="nixpkgs=${toString pkgs.path}:nixpkgs-overlays="$PWD"/overlays.nix:nixops=${toString pkgs.nixops}/share/nix/nixops" + export NIX_PATH="nixpkgs=${toString pkgs.path}:nixpkgs-overlays="$PWD"/overlays.nix" # Since the .envrc calls this shellHook # the EXIT trap cannot be freely used @@ -204,20 +196,5 @@ pkgs.mkShell { # gpg export GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye >/dev/null - - # nixops - #export NIXOPS_DEPLOYMENT="staging" - export MERMET_DEPLOYMENT=production - export LOSURDO_DEPLOYMENT=production - export NIXOPS_STATE="$PWD"/../sec/nixops/state.nixops - NIXOPS_OPTS+=" --show-trace" - export NIXOPS_OPTS - - # disnix - #export DISNIXOS_USE_NIXOPS=1 - #export DISNIX_CLIENT_INTERFACE=disnix-nixops-client - #export DISNIX_PROFILE=default - #export DISNIX_TARGET_PROPERTY=hostname - #export DYSNOMIA_STATEDIR="$PWD"/../sec/dysnomia ''; } diff --git a/tests.nix b/tests.nix index b6428c5..0a6faf2 100644 --- a/tests.nix +++ b/tests.nix @@ -19,7 +19,6 @@ let nixosTest = }) ]; }; - deployment = "staging"; in nixosTest.makeTest { -- 2.44.1 From 3a01a8e9153f3b7319fa2dd76964dffab5b4aa21 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 18 May 2020 03:24:28 +0200 Subject: [PATCH 12/16] nix: polish deployment scripts --- servers/losurdo/deploy.sh | 19 ++++++++++--------- servers/mermet/deploy.sh | 20 +++++++++----------- 2 files changed, 19 insertions(+), 20 deletions(-) diff --git a/servers/losurdo/deploy.sh b/servers/losurdo/deploy.sh index 6af28a9..49137c0 100755 --- a/servers/losurdo/deploy.sh +++ b/servers/losurdo/deploy.sh 
@@ -2,18 +2,19 @@ set -eux target=${target:-root@losurdo.sourcephile.fr} # Compile the derivation of the new system -system=$(nix-instantiate "${0%/*}".nix -A config.system.build.toplevel) +systemDrv=$(nix-instantiate "${0%/*}".nix \ + -A config.system.build.toplevel \ + ${TRACE:+--show-trace} ) # Compile the build products of the new system -nix-store --realise "$system" +system=$(nix-store --realise "$systemDrv") # Send the system -nix-copy-closure --to "$target" --use-substitutes --gzip "$system" -# Register the new system -profile=/nix/var/nix/profiles/system -ssh "$target" nix-env --profile "$profile" --set "$system" \ - '&&' nix-env --profile "$profile" --delete-generations +5 +nix copy --to ssh://"$target" --substitute-on-destination "$system" # Send secrets pass "servers/losurdo/root/ssh/id_ed25519" | ssh "$target" install -m 0400 -o root -g root /dev/stdin \ /root/.ssh/id_ed25519 -# Switch to the new system -ssh "$target" "$profile"/bin/switch-to-configuration switch +# Register and switch to the new system +profile=/nix/var/nix/profiles/system +ssh "$target" nix-env --profile "$profile" --set "$system" \ + '&&' nix-env --profile "$profile" --delete-generations +5 \ + '&&' "$profile"/bin/switch-to-configuration "${switch:-switch}" diff --git a/servers/mermet/deploy.sh b/servers/mermet/deploy.sh index 20fc473..0092aa9 100755 --- a/servers/mermet/deploy.sh +++ b/servers/mermet/deploy.sh 
@@ -2,18 +2,13 @@ set -eux target=${target:-root@mermet.sourcephile.fr} # Compile the derivation of the new system -system=$(nix-instantiate "${0%/*}".nix \ +systemDrv=$(nix-instantiate "${0%/*}".nix \ -A config.system.build.toplevel \ - ${TRACE:+--show-trace} \ -) + ${TRACE:+--show-trace} ) # Compile the build products of the new system -nix-store --realise "$system" +system=$(nix-store --realise "$systemDrv") # Send the system -nix-copy-closure --to "$target" --use-substitutes --gzip "$system" -# Register the new system -profile=/nix/var/nix/profiles/system -ssh "$target" nix-env --profile "$profile" --set "$system" \ - '&&' nix-env --profile "$profile" --delete-generations +5 +nix copy --to ssh://"$target" --substitute-on-destination "$system" # Send secrets pass "dkim/sourcephile.fr/20200101.key" | ssh "$target" install -D -m 0400 -o rspamd -g root /dev/stdin \ @@ -21,5 +16,8 @@ ssh "$target" install -D -m 0400 -o rspamd -g root /dev/stdin \ pass "dkim/autogeree.net/20200101.key" | ssh "$target" install -D -m 0400 -o rspamd -g root /dev/stdin \ /run/keys/"dkim.autogeree.net.20200101.key" -# Switch to the new system -ssh "$target" "$profile"/bin/switch-to-configuration switch +# Register and switch to the new system +profile=/nix/var/nix/profiles/system +ssh "$target" nix-env --profile "$profile" --set "$system" \ + '&&' nix-env --profile "$profile" --delete-generations +5 \ + '&&' "$profile"/bin/switch-to-configuration "${switch:-switch}" -- 2.44.1 From b5bc73babf4a1f664a12c3cb28396e91433756c0 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Mon, 18 May 2020 03:26:04 +0200 Subject: [PATCH 13/16] nginx: fix error_log off no longer working and remove boring indent --- servers/mermet/nginx.nix | 367 +++++++++--------- .../mermet/nginx/sourcephile.fr/covid19.nix | 2 +- servers/mermet/nginx/sourcephile.fr/git.nix | 2 +- 3 files changed, 185 insertions(+), 186 deletions(-) 
diff --git a/servers/mermet/nginx.nix b/servers/mermet/nginx.nix index 2ad2557..89d2f81 100644 --- a/servers/mermet/nginx.nix +++ b/servers/mermet/nginx.nix @@ -14,14 +14,14 @@ imports = [ ]; options = { services.nginx = { - x509Dir = lib.mkOption { - type = types.str; - default = "/var/lib/nginx/x509"; - }; webDir = lib.mkOption { type = types.str; default = "/var/www"; }; + cacheDir = lib.mkOption { + type = types.str; + default = "/dev/shm/nginx"; + }; logDir = lib.mkOption { type = types.str; default = "/var/log/nginx"; 
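Review bot: The new `cacheDir` option defaults to `/dev/shm/nginx`, a path inside a world-writable sticky tmpfs, and the preStart in the following hunk creates it as root with `install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700`; any local user who creates `/dev/shm/nginx` first (a directory, or presumably a symlink that `install -d` follows when chown/chmod-ing) either owns the parent of nginx's temp and cache files or redirects them, the usual shared-tmp race. This only relocates what the old `stateDir` already did, but since the option is being introduced now is the time to pick a safe default: `default = "/run/nginx/cache";` together with `systemd.services.nginx.serviceConfig.RuntimeDirectory = "nginx/cache";` gives a per-start, correctly-owned tmpfs directory with no race. If `/dev/shm` is kept for size reasons, say so in a comment on the option and keep the preStart as the only creator.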
@@ -39,198 +39,197 @@ options = { }; }; config = { - systemd.services.nginx = { - preStart = lib.mkBefore '' - install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \ - ${nginx.x509Dir} \ - ${nginx.webDir} \ - ${nginx.logDir} - ''; +systemd.services.nginx = { + preStart = lib.mkBefore '' + install -D -d -o ${nginx.user} -g ${nginx.group} -m 0700 \ + ${nginx.cacheDir} \ + ${nginx.logDir} \ + ${nginx.webDir} + ''; +}; +users.groups."acme".members = [nginx.user]; +services.nginx = { + enable = true; + package = pkgs.nginx.override { + modules = with pkgs.nginxModules; [ + fancyindex + ]; }; - users.groups."acme".members = [nginx.user]; - services.nginx = { - enable = true; - package = pkgs.nginx.override { - modules = with pkgs.nginxModules; [ - fancyindex - ]; - }; - stateDir = "/dev/shm/nginx"; - eventsConfig = '' - multi_accept on; - use epoll; - worker_connections 1024; - ''; - clientMaxBodySize = "20m"; - recommendedGzipSettings = true; - recommendedOptimisation = false; - recommendedProxySettings = true; - recommendedTlsSettings = true; - resolver = { - addresses = [ "127.0.0.1:53" ]; - valid = ""; - ipv6 = networking.defaultGateway6 != null; - }; - serverTokens = false; - # Only allow PFS-enabled ciphers with AES256 - #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; - #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; - sslDhparam = ../../../sec/openssl/dh.pem; - sslProtocols = "TLSv1.3 TLSv1.2"; - configs = rec { - http_add_headers = '' - # Add HSTS header with preloading to HTTPS requests. 
- # Adding this header to HTTP requests is discouraged - # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server - add_header Strict-Transport-Security $hsts_header; + eventsConfig = '' + multi_accept on; + use epoll; + worker_connections 1024; + ''; + clientMaxBodySize = "20m"; + recommendedGzipSettings = true; + recommendedOptimisation = false; + recommendedProxySettings = true; + recommendedTlsSettings = true; + resolver = { + addresses = [ "127.0.0.1:53" ]; + valid = ""; + ipv6 = networking.defaultGateway6 != null; + }; + serverTokens = false; + # Only allow PFS-enabled ciphers with AES256 + #sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + #sslCiphers = "HIGH:!ADH:!MD5:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; + #sslCiphers = "EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"; + sslDhparam = ../../../sec/openssl/dh.pem; + sslProtocols = "TLSv1.3 TLSv1.2"; + configs = rec { + http_add_headers = '' + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + # DOC: https://blog.qualys.com/securitylabs/2016/03/28/the-importance-of-a-proper-http-strict-transport-security-implementation-on-your-web-server + add_header Strict-Transport-Security $hsts_header; - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + # Enable CSP for your services. 
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; - # Disable embedding as a frame - add_header X-Frame-Options DENY; + # Disable embedding as a frame + add_header X-Frame-Options DENY; - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; - # Enable XSS protection of the browser. - # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; - ''; - https_add_headers = '' - ${http_add_headers} - ''; - }; - commonHttpConfig = '' - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; + # Enable XSS protection of the browser. 
+ # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; + ''; + https_add_headers = '' + ${http_add_headers} + ''; + }; + commonHttpConfig = '' + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; - log_format json escape=json - '{' - '"time_local":"$time_local",' - '"remote_addr":"$remote_addr",' - '"status": "$status",' - '"request":"$request",' - '"body_bytes_sent":"$body_bytes_sent",' - '"http_referrer":"$http_referer",' - '"http_user_agent":"$http_user_agent",' - '"remote_user":"$remote_user",' - '"request_time":"$request_time"' - '}'; - charset UTF-8; - types { - text/html html5; - text/plain md; - } - '' + - lib.concatStringsSep "\n" (lib.attrValues { - default = '' - default_type application/octet-stream; - root ${nginx.webDir}; - ''; - security = '' - #error_page 403 = 404; + log_format json escape=json + '{' + '"time_local":"$time_local",' + '"remote_addr":"$remote_addr",' + '"status": "$status",' + '"request":"$request",' + '"body_bytes_sent":"$body_bytes_sent",' + '"http_referrer":"$http_referer",' + '"http_user_agent":"$http_user_agent",' + '"remote_user":"$remote_user",' + '"request_time":"$request_time"' + '}'; + charset UTF-8; + types { + text/html html5; + text/plain md; + } + '' + + lib.concatStringsSep "\n" (lib.attrValues { + default = '' + default_type application/octet-stream; + root ${nginx.webDir}; + ''; + security = '' + #error_page 403 = 404; - ${nginx.configs.http_add_headers} + ${nginx.configs.http_add_headers} - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - log = '' - access_log ${nginx.logDir}/access.log main buffer=32k; - error_log ${nginx.logDir}/error.log warn; - open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m; - ''; - proxy = '' - proxy_cache_use_stale updating; - proxy_temp_path 
${nginx.stateDir}/proxy_temp 1 2; - ''; - fastcgi = '' - # DOC: http://wiki.nginx.org/HttpFastcgiModule - fastcgi_buffer_size 128k; - fastcgi_buffers 256 4k; - fastcgi_busy_buffers_size 256k; - fastcgi_cache_key "$request_method $scheme://$http_host$request_uri"; - fastcgi_connect_timeout 60; - fastcgi_ignore_client_abort off; - fastcgi_intercept_errors on; - fastcgi_max_temp_file_size 2M; - #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SCRIPT_FILENAME $request_filename; - fastcgi_temp_path ${nginx.stateDir}/fastcgi_temp 1 2; - ''; - connection = '' - sendfile on; - # If the client stops reading data, - # free up the stale client connection after this much time. - send_timeout 60; - # Causes nginx to attempt to send its HTTP response head - # in one packet, instead of using partial frames. - # This is useful for prepending headers before calling sendfile, - # or for throughput optimization. - tcp_nopush on; - # Don't buffer data-sends (disable Nagle algorithm). - # Good for sending frequent small bursts of data in real time. 
- tcp_nodelay on; - keepalive_timeout 20; - reset_timedout_connection on; - types_hash_max_size 4096; - server_names_hash_bucket_size 128; - ''; - map = '' - map $time_iso8601 $date { - default 'date-not-found'; - '~^(?\d{4})-(?\d{2})-(?\d{2})' $year-$month-$day; - } + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ''; + log = '' + access_log ${nginx.logDir}/access.log main buffer=32k; + error_log ${nginx.logDir}/error.log warn; + open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m; + ''; + proxy = '' + proxy_cache_use_stale updating; + proxy_temp_path ${nginx.cacheDir}/proxy_temp 1 2; + ''; + fastcgi = '' + # DOC: http://wiki.nginx.org/HttpFastcgiModule + fastcgi_buffer_size 128k; + fastcgi_buffers 256 4k; + fastcgi_busy_buffers_size 256k; + fastcgi_cache_key "$request_method $scheme://$http_host$request_uri"; + fastcgi_connect_timeout 60; + fastcgi_ignore_client_abort off; + fastcgi_intercept_errors on; + fastcgi_max_temp_file_size 2M; + #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_temp_path ${nginx.cacheDir}/fastcgi_temp 1 2; + ''; + connection = '' + sendfile on; + # If the client stops reading data, + # free up the stale client connection after this much time. + send_timeout 60; + # Causes nginx to attempt to send its HTTP response head + # in one packet, instead of using partial frames. + # This is useful for prepending headers before calling sendfile, + # or for throughput optimization. + tcp_nopush on; + # Don't buffer data-sends (disable Nagle algorithm). + # Good for sending frequent small bursts of data in real time. 
+ tcp_nodelay on; + keepalive_timeout 20; + reset_timedout_connection on; + types_hash_max_size 4096; + server_names_hash_bucket_size 128; + ''; + map = '' + map $time_iso8601 $date { + default 'date-not-found'; + '~^(?\d{4})-(?\d{2})-(?\d{2})' $year-$month-$day; + } - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } - # User agents that are to be blocked. - #map $http_user_agent $bad_bot { - # default 0; - # libwww-perl 1; - # ~(?i)(httrack|htmlparser|libwww) 1; - #} - # Referrers that are to be blocked. - #map $http_referer $bad_referer { - # default 0; - # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1; - #} - #geo $not_local { - # default 1; - # 127.0.0.1 0; - #} - ''; - cache = '' - client_body_buffer_size 4K; - # getconf PAGESIZE - # 4096 - client_body_temp_path ${nginx.stateDir}/client_body_temp 1 2; - client_body_timeout 60; - client_header_buffer_size 1k; - client_header_timeout 60; - large_client_header_buffers 4 8k; + # User agents that are to be blocked. + #map $http_user_agent $bad_bot { + # default 0; + # libwww-perl 1; + # ~(?i)(httrack|htmlparser|libwww) 1; + #} + # Referrers that are to be blocked. 
+ #map $http_referer $bad_referer { + # default 0; + # ~(?i)(babes|casino|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|replica|sex|teen|webcam|zippo) 1; + #} + #geo $not_local { + # default 1; + # 127.0.0.1 0; + #} + ''; + cache = '' + client_body_buffer_size 4K; + # getconf PAGESIZE + # 4096 + client_body_temp_path ${nginx.cacheDir}/client_body_temp 1 2; + client_body_timeout 60; + client_header_buffer_size 1k; + client_header_timeout 60; + large_client_header_buffers 4 8k; - open_file_cache max=200000 inactive=20s; - open_file_cache_errors on; - open_file_cache_min_uses 2; - open_file_cache_valid 30s; - ''; - }); - appendConfig = '' - worker_processes ${toString config.nix.maxJobs}; - ''; - virtualHosts."_" = { - forceSSL = true; - useACMEHost = networking.domain; - }; + open_file_cache max=200000 inactive=20s; + open_file_cache_errors on; + open_file_cache_min_uses 2; + open_file_cache_valid 30s; + ''; + }); + appendConfig = '' + worker_processes ${toString config.nix.maxJobs}; + ''; + virtualHosts."_" = { + forceSSL = true; + useACMEHost = networking.domain; }; }; +}; } diff --git a/servers/mermet/nginx/sourcephile.fr/covid19.nix b/servers/mermet/nginx/sourcephile.fr/covid19.nix index 2ea244c..4aa30e9 100644 --- a/servers/mermet/nginx/sourcephile.fr/covid19.nix +++ b/servers/mermet/nginx/sourcephile.fr/covid19.nix @@ -13,7 +13,7 @@ services.nginx = { root = "/home/julm/www/${srv}"; extraConfig = '' access_log off; - error_log off; + error_log /dev/null crit; ''; locations."/".extraConfig = '' index index.html; diff --git a/servers/mermet/nginx/sourcephile.fr/git.nix b/servers/mermet/nginx/sourcephile.fr/git.nix index a40bc40..648c868 100644 --- a/servers/mermet/nginx/sourcephile.fr/git.nix +++ b/servers/mermet/nginx/sourcephile.fr/git.nix 
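Review bot: `http_add_headers` (HSTS, Referrer-Policy, X-Frame-Options, nosniff) is emitted once at http level through the `security` fragment of `commonHttpConfig`, but nginx does not merge `add_header` across levels: a `server` or `location` that sets even one header of its own silently drops every inherited one, and the commented `#add_header Content-Security-Policy …` right inside this block is exactly the line that would do it once someone enables it per vhost. Add a warning comment above `http_add_headers = ''` such as `# WARNING: nginx add_header is not inherited into a server/location that defines its own; re-include this fragment there.` and have vhosts that add headers splice in `${nginx.configs.https_add_headers}`. Separately, `X-XSS-Protection` is deprecated and ignored by current browsers; harmless, but the comment should not present it as protection. The enclosing `config = {` attrset starts before this hunk.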
@@ -9,7 +9,7 @@ in {
 services.nginx = {
 commonHttpConfig = ''
- fastcgi_cache_path ${nginx.stateDir}/fastcgi_cache:${domain}:${srv}
+ fastcgi_cache_path ${nginx.cacheDir}/fastcgi_cache:${domain}:${srv}
 keys_zone=${domain}/${srv}:2M
 inactive=10m
 levels=1:2
--
2.44.1
From a3afd7a3c9a6f48d9b252e42eec12ecf2a1b433e Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Mon, 18 May 2020 03:40:19 +0200
Subject: [PATCH 14/16] gitolite: update
---
 servers/mermet/gitolite | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/mermet/gitolite b/servers/mermet/gitolite
index 4a346f3..acc8fdb 160000
--- a/servers/mermet/gitolite
+++ b/servers/mermet/gitolite
@@ -1 +1 @@
-Subproject commit 4a346f30bc7a1690648e360c453c2635b54e1dbf
+Subproject commit acc8fdbe56f3e15532b5a6a4ba922a5aa023e521
--
2.44.1
From a546d24e430ffe4cba3bd969616c3d695d2cd057 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Mon, 18 May 2020 05:14:32 +0200
Subject: [PATCH 15/16] nix: rewrite deploy.sh into an install nix attribute
---
 base/install.nix | 11 +++++
 servers/losurdo.nix | 55 ++++++++++++++++++---
 servers/losurdo/deploy.sh | 20 --------
 servers/losurdo/production.nix | 43 -----------------
 servers/losurdo/users.nix | 6 +++
 servers/mermet.nix | 61 +++++++++++++++++++++---
 servers/mermet/deploy.sh | 23 ---------
 servers/mermet/production.nix | 31 ------------
 servers/mermet/rspamd/autogeree.net.nix | 5 ++
 servers/mermet/rspamd/sourcephile.fr.nix | 5 ++
 servers/staging.nix | 4 --
 tests.nix | 4 +-
 12 files changed, 131 insertions(+), 137 deletions(-)
 create mode 100644 base/install.nix
 delete mode 100755 servers/losurdo/deploy.sh
 delete mode 100644 servers/losurdo/production.nix
 delete mode 100755 servers/mermet/deploy.sh
 delete mode 100644 servers/mermet/production.nix
 delete mode 100644 servers/staging.nix
diff --git a/base/install.nix b/base/install.nix
new file mode 100644
index 0000000..df8c509
--- /dev/null
+++ b/base/install.nix
@@ -0,0 +1,11 @@
+{ pkgs, lib, config, ... }:
+let inherit (lib) types; in
+{
+options = {
+ install.shellHook = lib.mkOption {
+ type = types.lines;
+ default = "";
+ };
+ # TODO: more structured options, like NixOps' deployment.keys
+};
+}
diff --git a/servers/losurdo.nix b/servers/losurdo.nix
index ac83369..16d79b9 100644
--- a/servers/losurdo.nix
+++ b/servers/losurdo.nix
@@ -1,9 +1,50 @@
-import {
- system = "x86_64-linux";
- modules = [
- losurdo/production.nix
- ];
- extraArgs = {
- name = "losurdo";
+# NixOS configuration of losurdo.sourcephile.fr
+#
+# Show configuration options with, for example:
+# nix-instantiate servers/losurdo.nix --eval -A config.networking.hostName
+# Install/upgrade with:
+# nix run install -f servers/losurdo.nix
+let
+ system = import {
+ system = "x86_64-linux";
+ modules = [
+ ../base/install.nix
+ ../base/unbound.nix
+ ../defaults.nix
+ losurdo/debug.nix
+ losurdo/fileSystems.nix
+ losurdo/hardware.nix
+ losurdo/networking.nix
+ losurdo/sanoid.nix
+ losurdo/shorewall.nix
+ losurdo/syncoid.nix
+ losurdo/system.nix
+ losurdo/transmission.nix
+ losurdo/users.nix
+ ];
+ extraArgs = {
+ name = "losurdo";
+ };
 };
+ inherit (system.config) networking;
+ target = "root@${networking.hostName}.${networking.domain}";
+ lib = system.pkgs.lib;
+in with system; system // {
+install =
+ let profile = "/nix/var/nix/profiles/system";
+ generations = "+10";
+ nixos = config.system.build.toplevel;
+ in
+ pkgs.writeShellScriptBin "bash" ''
+ PATH="$PATH:${with pkgs; lib.makeBinPath [nix openssh pass]}"
+ set -eux
+ nix ''${TRACE:+-L} copy \
+ --to ssh://${target} --substitute-on-destination \
+ ${nixos}
+ target="${target}"
+ ${config.install.shellHook}
+ ssh ${target} nix-env --profile "${profile}" --set "${nixos}" \
+ '&&' nix-env --profile "${profile}" --delete-generations "${generations}" \
+ '&&' "${profile}"/bin/switch-to-configuration "''${switch:-switch}"
+'';
 }
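Review bot: The new `install.shellHook` option carries no `description`, so the `# TODO` line next to it is the only hint at what a module is allowed to put there. The installer added to servers/losurdo.nix in this commit shows the contract: the hook is spliced in after `nix copy` and before the profile switch, runs on the deploying machine, and can rely on `$target` being set and on `pass`/`ssh` being on `PATH`. State that on the option, e.g. `description = "Shell lines run by the install script on the deploying host, after the closure is copied and before switching, with $target set; used to push secrets.";`.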
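Review bot: `set -eux` does not stop the installer when `pass` fails inside the pipelines that `install.shellHook` contributes, because without `pipefail` only the exit status of `ssh … install … /dev/stdin` counts; a missing pass entry or a locked gpg agent then installs an empty 0400 file as the key on the target and the script carries on to `switch-to-configuration`. Change that line to `set -euxo pipefail`. The same script is repeated verbatim in servers/mermet.nix, and the hooks in servers/losurdo/users.nix and both servers/mermet/rspamd/*.nix are the pipelines concerned. `pkgs.writeShellScriptBin "bash"` also deserves a comment, since nothing explains the name; presumably it is `# named "bash" because nix run starts bash from PATH, so this script runs in its place`, to be confirmed against the nix version in use.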
diff --git a/servers/losurdo/deploy.sh b/servers/losurdo/deploy.sh deleted file mode 100755 index 49137c0..0000000 --- a/servers/losurdo/deploy.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh -set -eux -target=${target:-root@losurdo.sourcephile.fr} -# Compile the derivation of the new system -systemDrv=$(nix-instantiate "${0%/*}".nix \ - -A config.system.build.toplevel \ - ${TRACE:+--show-trace} ) -# Compile the build products of the new system -system=$(nix-store --realise "$systemDrv") -# Send the system -nix copy --to ssh://"$target" --substitute-on-destination "$system" -# Send secrets -pass "servers/losurdo/root/ssh/id_ed25519" | -ssh "$target" install -m 0400 -o root -g root /dev/stdin \ - /root/.ssh/id_ed25519 -# Register and switch to the new system -profile=/nix/var/nix/profiles/system -ssh "$target" nix-env --profile "$profile" --set "$system" \ - '&&' nix-env --profile "$profile" --delete-generations +5 \ - '&&' "$profile"/bin/switch-to-configuration "${switch:-switch}" diff --git a/servers/losurdo/production.nix b/servers/losurdo/production.nix deleted file mode 100644 index add1e5c..0000000 --- a/servers/losurdo/production.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -# This is the configuration.nix -# of the target machine in production. -# Used by NixOps. -# It is NOT copied nor usable on the target machine, -# only the resulting closure is copied to the target machine. -{ pkgs, lib, config, ... }: -let - inherit (builtins.extraBuiltins) pass; - #inherit (config) networking; - mapImportedConfigRecursively = mapConfig: - map (m: modArgs: - let mod = - if builtins.isFunction m - || builtins.isAttrs m - then lib.unifyModuleSyntax null null - (lib.applyIfFunction null m modArgs) - else lib.unifyModuleSyntax (toString m) (toString m) - (lib.applyIfFunction (toString m) (import m) modArgs); - in - mod // { - imports = mapImportedConfigRecursively mapConfig mod.imports; - config = mapConfig mod.config; - } - ); -in -{ -imports = [ - ../../base/unbound.nix - ../../defaults.nix - ./debug.nix - ./fileSystems.nix - ./hardware.nix - #./netdata.nix - ./networking.nix - #./prometheus.nix - ./sanoid.nix - ./shorewall.nix - ./syncoid.nix - ./system.nix - ./transmission.nix - ./users.nix -]; -} diff --git a/servers/losurdo/users.nix b/servers/losurdo/users.nix index 3080aa2..90a993b 100644 --- a/servers/losurdo/users.nix +++ b/servers/losurdo/users.nix @@ -31,4 +31,10 @@ users = { }; }; }; + +install.shellHook = '' + pass "servers/losurdo/root/ssh/id_ed25519" | + ssh "$target" install -m 0400 -o root -g root /dev/stdin \ + /root/.ssh/id_ed25519 +''; } diff --git a/servers/mermet.nix b/servers/mermet.nix index d3c0ec1..fc57a10 100644 --- a/servers/mermet.nix +++ b/servers/mermet.nix 
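Review bot: This hook's contract is implicit: it only works because the installer in servers/losurdo.nix sets `$target` and puts `pass` and `ssh` on `PATH` before splicing it in, and it executes on the deploying machine, not on losurdo. A comment above it, `# Run by the install script on the deploying host; $target is set by it`, would spare the next reader the detour. Unlike the rspamd hooks in this commit it omits `-D`, so on a target where `/root/.ssh` does not exist yet `install` fails instead of creating the directory; that is likely intended for a private key, but worth saying in the same comment.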
@@ -1,9 +1,56 @@
-import {
- system = "x86_64-linux";
- modules = [
- mermet/production.nix
- ];
- extraArgs = {
- name = "mermet";
+# NixOS configuration of mermet.sourcephile.fr
+#
+# Show configuration options with, for example:
+# nix-instantiate servers/mermet.nix --eval -A config.networking.hostName
+# Install/upgrade with:
+# nix run install -f servers/mermet.nix
+let
+ system = import {
+ system = "x86_64-linux";
+ modules = [
+ ../base/install.nix
+ ../base/unbound.nix
+ ../defaults.nix
+ mermet/debug.nix
+ mermet/dovecot.nix
+ mermet/fileSystems.nix
+ mermet/gitolite.nix
+ mermet/hardware.nix
+ mermet/knot.nix
+ mermet/networking.nix
+ mermet/nginx.nix
+ mermet/openldap.nix
+ mermet/postfix.nix
+ mermet/redis.nix
+ mermet/rspamd.nix
+ mermet/sanoid.nix
+ mermet/shorewall.nix
+ mermet/system.nix
+ mermet/users.nix
+ ];
+ extraArgs = {
+ name = "mermet";
+ };
 };
+ inherit (system.config) networking;
+ target = "root@${networking.hostName}.${networking.domain}";
+ lib = system.pkgs.lib;
+in with system; system // {
+install =
+ let profile = "/nix/var/nix/profiles/system";
+ generations = "+10";
+ nixos = config.system.build.toplevel;
+ in
+ pkgs.writeShellScriptBin "bash" ''
+ PATH="$PATH:${with pkgs; lib.makeBinPath [nix openssh pass]}"
+ set -eux
+ nix ''${TRACE:+-L} copy \
+ --to ssh://${target} --substitute-on-destination \
+ ${nixos}
+ target="${target}"
+ ${config.install.shellHook}
+ ssh ${target} nix-env --profile "${profile}" --set "${nixos}" \
+ '&&' nix-env --profile "${profile}" --delete-generations "${generations}" \
+ '&&' "${profile}"/bin/switch-to-configuration "''${switch:-switch}"
+'';
 }
diff --git a/servers/mermet/deploy.sh b/servers/mermet/deploy.sh
deleted file mode 100755
index 0092aa9..0000000
--- a/servers/mermet/deploy.sh
+++ /dev/null
@@ -1,23 +0,0 @@ -#!/bin/sh -set -eux -target=${target:-root@mermet.sourcephile.fr} -# Compile the derivation of the new system -systemDrv=$(nix-instantiate "${0%/*}".nix \ - -A config.system.build.toplevel \ - ${TRACE:+--show-trace} ) -# Compile the build products of the new system -system=$(nix-store --realise "$systemDrv") -# Send the system -nix copy --to ssh://"$target" --substitute-on-destination "$system" -# Send secrets -pass "dkim/sourcephile.fr/20200101.key" | -ssh "$target" install -D -m 0400 -o rspamd -g root /dev/stdin \ - /run/keys/"dkim.sourcephile.fr.20200101.key" -pass "dkim/autogeree.net/20200101.key" | -ssh "$target" install -D -m 0400 -o rspamd -g root /dev/stdin \ - /run/keys/"dkim.autogeree.net.20200101.key" -# Register and switch to the new system -profile=/nix/var/nix/profiles/system -ssh "$target" nix-env --profile "$profile" --set "$system" \ - '&&' nix-env --profile "$profile" --delete-generations +5 \ - '&&' "$profile"/bin/switch-to-configuration "${switch:-switch}" diff --git a/servers/mermet/production.nix b/servers/mermet/production.nix deleted file mode 100644 index 40c16b1..0000000 --- a/servers/mermet/production.nix +++ /dev/null @@ -1,31 +0,0 @@ -# This is the configuration.nix -# of the target machine in production. -# Used by NixOps. -# It is NOT copied nor usable on the target machine, -# only the resulting closure is copied to the target machine. -{ pkgs, lib, config, ... }: -let - #inherit (builtins.extraBuiltins) pass pass-chomp; -in -{ -imports = [ - ../../base/unbound.nix - ../../defaults.nix - ./debug.nix - ./dovecot.nix - ./fileSystems.nix - ./gitolite.nix - ./hardware.nix - ./knot.nix - ./networking.nix - ./nginx.nix - ./openldap.nix - ./postfix.nix - ./redis.nix - ./rspamd.nix - ./sanoid.nix - ./shorewall.nix - ./system.nix - ./users.nix -]; -} diff --git a/servers/mermet/rspamd/autogeree.net.nix b/servers/mermet/rspamd/autogeree.net.nix index a1cc60c..4da3515 100644 --- a/servers/mermet/rspamd/autogeree.net.nix 
+++ b/servers/mermet/rspamd/autogeree.net.nix
@@ -27,4 +27,9 @@ services.nsd.zones."${domain}".data = ''
 "+hH+Mr/4V1wnKtdosk/7+3VIQ6clTIfWhD6PlnWd78Uo5lfWnYxTem7EMc2q7j6tzGwj+Q+b4Li9fdhLqxGuD0V64/nVZit90b0HyfiV5srln2lK6Hczrwqr0gOEBGQ4YeLjOF6ldaV01mFWR9ddr9a5/gVCqw8vw7vhqXvU7yK8VHW2rdsvkNZ0bDOa66MCveD7pH2vyljrfZq9k0T/NLHrsu8CAwEAAQ=="
 )
 '';
+install.shellHook = ''
+ pass "dkim/${domain}/${selector}.key" |
+ ssh "$target" install -D -m 0400 -o ${rspamd.user} -g root /dev/stdin \
+ /run/keys/"dkim.${domain}.${selector}.key"
+'';
 }
diff --git a/servers/mermet/rspamd/sourcephile.fr.nix b/servers/mermet/rspamd/sourcephile.fr.nix
index 3c5d926..a0cc567 100644
--- a/servers/mermet/rspamd/sourcephile.fr.nix
+++ b/servers/mermet/rspamd/sourcephile.fr.nix
@@ -33,4 +33,9 @@ services.nsd.zones."${domain}".data = ''
 "rWWtSTdO8DilDqN8CAwEAAQ=="
 )
 '';
+install.shellHook = ''
+ pass "dkim/${domain}/${selector}.key" |
+ ssh "$target" install -D -m 0400 -o ${rspamd.user} -g root /dev/stdin \
+ /run/keys/"dkim.${domain}.${selector}.key"
+'';
 }
diff --git a/servers/staging.nix b/servers/staging.nix
deleted file mode 100644
index 827086b..0000000
--- a/servers/staging.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- mermet = import mermet/staging.nix;
- losurdo = import losurdo/staging.nix;
-}
diff --git a/tests.nix b/tests.nix
index 0a6faf2..d801e41 100644
--- a/tests.nix
+++ b/tests.nix
@@ -1,5 +1,5 @@
-# Run with : nix -L run -f tests.nix
-# Debug with : nix run -f tests.nix driver nixos-test-driver
+# Run with : nix run -f tests.nix
+# Debug with : nix -L run -f tests.nix driver -c nixos-test-driver
 { system ? builtins.currentSystem,
 config ? {},
 overlays ? import ./overlays.nix,
--
2.44.1
From 1345cef3914820233268f6f8436c4b4b4d6e4218 Mon Sep 17 00:00:00 2001
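Review bot: The two `install.shellHook` bodies added to autogeree.net.nix and sourcephile.fr.nix are identical apart from `domain` and `selector`, so they should come from one shared function taking those two values instead of being maintained twice. Both write the DKIM private key under `/run/keys/`, which on NixOS is a ram-backed, volatile filesystem, so the key presumably disappears at reboot until the installer is run again; if rspamd is expected to sign right after boot, that needs either a comment such as `# /run/keys is volatile: re-run the installer after a reboot` or a persistent root-only location. `domain`, `selector` and `rspamd.user` are bound outside the hunk.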
From: Julien Moutinho
Date: Mon, 18 May 2020 08:32:25 +0200
Subject: [PATCH 16/16] syncoid: fix root access and keep bookmarks to avoid destroying the dataset when there is no common snapshot
---
 servers/losurdo/sanoid.nix | 2 +-
 servers/losurdo/syncoid.nix | 5 ++++-
 servers/mermet/users.nix | 2 ++
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/servers/losurdo/sanoid.nix b/servers/losurdo/sanoid.nix
index 9700b40..0a31572 100644
--- a/servers/losurdo/sanoid.nix
+++ b/servers/losurdo/sanoid.nix
@@ -5,7 +5,7 @@ services.sanoid = {
 templates = {
 work = {
 hourly = 0;
- daily = 7;
+ daily = 14;
 monthly = 0;
 yearly = 0;
 autosnap = true;
diff --git a/servers/losurdo/syncoid.nix b/servers/losurdo/syncoid.nix
index 3211149..3690c55 100644
--- a/servers/losurdo/syncoid.nix
+++ b/servers/losurdo/syncoid.nix
@@ -4,7 +4,10 @@ services.syncoid = {
 enable = true;
 interval = "*-*-* *:15:00";
 sshKey = "/root/.ssh/id_ed25519";
- commonArgs = [ "--no-sync-snap" ];
+ commonArgs = [
+ "--no-sync-snap"
+ "--create-bookmark"
+ ];
 commands = {
 "losurdo_nvme/home/julm/work" = {
 sendOptions = "raw";
diff --git a/servers/mermet/users.nix b/servers/mermet/users.nix
index 0321689..13687e1 100644
--- a/servers/mermet/users.nix
+++ b/servers/mermet/users.nix
@@ -1,5 +1,6 @@
 { pkgs, lib, config, ... }:
 let
+ inherit (builtins) readFile;
 inherit (builtins.extraBuiltins) pass-chomp;
 inherit (config.users) users;
 in
@@ -17,6 +18,7 @@ users = {
 users = {
 root = {
 openssh.authorizedKeys.keys =
+ [ (readFile ../../../sec/ssh/losurdo/root/ssh/id_ed25519.pub) ]
 ++ users."julm".openssh.authorizedKeys.keys;
 };
 julm = {
--
2.44.1
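Review bot: The losurdo root key added to mermet's root `authorizedKeys` is unrestricted, although the commit subject says it exists for syncoid replication, so a compromise of losurdo's `/root/.ssh/id_ed25519` yields a full root shell on mermet rather than only the zfs send/receive it needs. Prefixing the key entry with `restrict,` (no forwarding, no pty) is a one-token improvement, and pointing syncoid at a dedicated non-root user with `zfs allow` delegation would be the fuller fix; both are presumably compatible with syncoid but should be confirmed. `readFile ../../../sec/ssh/losurdo/root/ssh/id_ed25519.pub` also makes evaluating servers/mermet.nix depend on a checkout outside this repository, which a comment such as `# public key of losurdo's root, taken from the sibling sec/ tree` would make explicit.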