authorMiguel <m.i@gmx.at>2021-11-07 02:06:32 +0100
committerMiguel <m.i@gmx.at>2021-11-07 02:06:32 +0100
commit78306cc7562e8a8475dd839fdc175ddf15654df5 (patch)
treeeef029adca44a15f804e3c3bff45edc74e48f9f2 /nix/nixops
parentdc837e396eb92218b5bed025801e1accb11415c8 (diff)
adding new nix dir
Diffstat (limited to 'nix/nixops')
-rw-r--r--nix/nixops/README.md23
-rw-r--r--nix/nixops/comet/configuration.nix275
-rw-r--r--nix/nixops/comet/hardware-configuration.nix24
-rw-r--r--nix/nixops/config-extra.nix9
-rw-r--r--nix/nixops/config-iso.nix34
-rw-r--r--nix/nixops/miguel-quick-install.sh47
-rw-r--r--nix/nixops/nixops.nix26
7 files changed, 438 insertions, 0 deletions
diff --git a/nix/nixops/README.md b/nix/nixops/README.md
new file mode 100644
index 0000000..ce2ae46
--- /dev/null
+++ b/nix/nixops/README.md
@@ -0,0 +1,23 @@
+WARNING: Be careful about assumptions made by this script,
+as /dev/sda beeing the target disk etc..
+
+nix-shell -p nixos-generators nixops
+
+Adapt config-iso.nix/ config-extra.nix (public key & /dev/sdX)
+
+cp $(nixos-generate -c config-iso.nix -f iso) my-nixos.iso
+
+boot the iso in fresh vm (e.g. 25G HDD, 1024 RAM)
+
+ssh into vm
+
+run : miguel-quick-install [desired-hostname]
+reboot into new nixos
+
+back on host:
+adapt nixops.nix
+
+run: (optionally with "-d label" after each)
+ nixops create nixops.nix # only first time
+ nixops deploy .. etc
+ nixops ssh-for-each -- uptime
diff --git a/nix/nixops/comet/configuration.nix b/nix/nixops/comet/configuration.nix
new file mode 100644
index 0000000..9f5a255
--- /dev/null
+++ b/nix/nixops/comet/configuration.nix
@@ -0,0 +1,275 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+let my_ssh_pub_key = "ssh-rsa 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 Miguel_User@DESKTOP-4NH8M69";
+in
+{
+
+ # HARDWARE SCAN RESULTS
+ imports =
+ [
+ ./hardware-configuration.nix
+ ];
+
+
+ # SYS PACKAGES
+ environment.systemPackages = with pkgs; [mc highlight adminer icinga2 monitoring-plugins tmux];
+
+
+ # compare with nginx etc and publish this shit (along instructions how to run with mariadb+icingaweb2 admin
+ environment.etc = with pkgs;
+ let defaultIcinga2Const= builtins.readFile "${icinga2}/etc/icinga2/constants.conf";
+ in
+ {
+ "icinga2/features-available".source="${icinga2}/etc/icinga2/features-available";
+ "icinga2/scripts".source="${icinga2}/etc/icinga2/scripts";
+ "icinga2/zones.d".source="${icinga2}/etc/icinga2/zones.d";
+ "icinga2/conf.d".source="${icinga2}/etc/icinga2/conf.d";
+ "icinga2/constants.conf".text=builtins.replaceStrings ["bin"] ["${monitoring-plugins}/bin"] defaultIcinga2Const;
+ "icinga2/icinga2.conf".source="${icinga2}/etc/icinga2/icinga2.conf";
+ "icinga2/zones.conf".source="${icinga2}/etc/icinga2/zones.conf";
+ "icinga2/features-enabled/checker.conf".source="${icinga2}/etc/icinga2/features-available/checker.conf";
+ "icinga2/features-enabled/mainlog.conf".source="${icinga2}/etc/icinga2/features-available/mainlog.conf";
+ "icinga2/features-enabled/notification.conf".source="${icinga2}/etc/icinga2/features-available/notification.conf";
+ "icinga2/features-enabled/ido-mysql.conf".text='' object IdoMysqlConnection "ido-mysql" { user = "icinga", password = "8fg$1%X58G4geX", host = "comet.softwarefools.com", database = "ICINGA_IDO" } '';
+ };
+ systemd.services.icinga2 = {
+ enable = true;
+ description = "Icinga host/service/network monitoring system";
+ #After=postgresql.service mariadb.service carbon-cache.service mysql.service yslog.target
+
+ serviceConfig = with pkgs; {
+ Type="simple";
+ User="icinga2";
+ Group="icinga2";
+ UMask=0007; #what is this good for?
+ ExecStart="${icinga2}/bin/icinga2 daemon -c /etc/icinga2/icinga2.conf";
+ ExecReload="${icinga2}/lib/icinga2/safe-reload /usr/lib/icinga2/icinga2";
+ PIDFile="/run/icinga2/icinga2.pid";
+ RuntimeDirectory="icinga2";
+ CacheDirectory="icinga2";
+ LogsDirectory="icinga2";
+ StateDirectory="icinga2";
+ };
+
+ wantedBy=[ "multi-user.target" ];
+ };
+
+ # AUTOMATIC uPGRADES
+ system.autoUpgrade.enable = true;
+ system.autoUpgrade.allowReboot = true;
+
+ # USERS / GROUPS / SSH
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "yes";
+ passwordAuthentication = false;
+ };
+
+ users.mutableUsers = false;
+
+ users.users.miguel = {
+ isNormalUser = true;
+ home = "/home/miguel";
+ description = "Miguel";
+ extraGroups = [ "wheel" "networkmanager" ];
+ openssh.authorizedKeys.keys = [ my_ssh_pub_key ];
+ uid = 1000;
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [ my_ssh_pub_key ];
+
+ users.groups.icinga2 = {};
+ users.users.icinga2 = {
+ isSystemUser = true;
+ extraGroups = ["icinga2"];
+ };
+
+ # NEOVIM
+ programs.neovim.enable = true;
+ programs.neovim.vimAlias = true;
+ programs.neovim.viAlias = true;
+
+ # MARIADB
+ services.mysql.enable = true;
+ services.mysql.package = pkgs.mariadb;
+ services.mysql.bind = "0.0.0.0";
+
+ # XMPP
+ services.ejabberd.enable = true;
+ services.ejabberd.configFile = "/etc/ejabberd.yaml";
+
+ # GITOLITE
+ services.gitolite.enable = true;
+ services.gitolite.extraGitoliteRc = "$RC{UMASK} = 0027;
+ push( @{$RC{ENABLE}}, 'D' );
+ ";
+ services.gitolite.adminPubkey = my_ssh_pub_key;
+
+ # GITWEB
+ services.gitweb.projectroot = "/var/lib/gitolite/repositories";
+ services.gitweb.gitwebTheme = true;
+ services.gitweb.extraConfig = ''
+ $site_name = "Gitweb of the Fools";
+ $logo_label = "Gitweb of the Fools";
+ $logo_url = "./";
+ $feature{'highlight'}{'default'} = [1];
+ $projects_list = "/var/lib/gitolite/projects.list";
+ $strict_export = true;
+ $per_request_config = 1;
+ our %highlight_basename;
+ $highlight_basename{'Dockerfile'} = 'Dockerfile';
+ $highlight_basename{'Makefile'} = 'Makefile';
+ our %highlight_ext;
+ $highlight_ext{'hs'} = 'haskell';
+ $highlight_ext{'go'} = 'go';
+ $highlight_ext{'yaml'} = 'yaml';
+ $highlight_ext{'md'} = 'markdown';
+ $highlight_ext{'lua'} = 'lua';
+ $highlight_ext{'modinfo'} = 'xml';
+ push @stylesheets, "https://comet.softwarefools.com/highlight.css";
+ '';
+
+ # CERTS
+ security.acme.acceptTerms = true;
+ security.acme.email = "m.i@gmx.at";
+
+ # NGINX
+ services.nginx.enable = true;
+ services.nginx.appendHttpConfig = "server_names_hash_bucket_size 64;";
+
+ services.nginx.virtualHosts."comet.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/comet.softwarefools.com";
+ };
+
+ # ICINGA
+ services.icingaweb2.enable = true;
+ services.icingaweb2.modules.monitoring.enable = false;
+ services.icingaweb2.virtualHost = "icinga.softwarefools.com";
+ services.nginx.virtualHosts."icinga.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+
+
+ # DOKUWIKI
+ services.dokuwiki."dokuwiki.softwarefools.com" = {
+ enable = true;
+ nginx = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ services.nginx.virtualHosts."dokuwiki.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/dokuwiki.softwarefools.com";
+ };
+
+ # GITWEB
+ services.nginx.gitweb.enable = true;
+ services.nginx.gitweb.group = "gitolite";
+ services.nginx.gitweb.virtualHost = "gitweb.softwarefools.com";
+ services.nginx.gitweb.location = "";
+
+ services.nginx.virtualHosts."gitweb.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/static/" = {
+ extraConfig = "expires 5m;";
+ };
+ };
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ # boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ networking.hostName = "comet"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Warsaw";
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ # environment.systemPackages = with pkgs; [
+ # wget vim
+ # ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # pinentryFlavor = "gnome3";
+ # };
+
+ # FIREWALL
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 5222 5223 5269 3306 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+ # services.xserver.layout = "us";
+ # services.xserver.xkbOptions = "eurosign:e";
+
+ # Enable touchpad support.
+ # services.xserver.libinput.enable = true;
+
+ # Enable the KDE Desktop Environment.
+ # services.xserver.displayManager.sddm.enable = true;
+ # services.xserver.desktopManager.plasma5.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.users.jane = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.03"; # Did you read the comment?
+}
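Review bot: The IDO database password is embedded in clear text in `environment.etc."icinga2/features-enabled/ido-mysql.conf".text`, which places it in /etc and in the world-readable Nix store of every machine that evaluates this module, and this commit also puts it into the repository history. Moving the secret out of the expression keeps it out of the store, e.g. `"icinga2/features-enabled/ido-mysql.conf".source = "/run/keys/icinga2-ido-mysql.conf";` with the file provided through nixops `deployment.keys` (name constructed); the value committed here should be treated as exposed and rotated. Separately, `services.mysql.bind = "0.0.0.0"` combined with `3306` in `networking.firewall.allowedTCPPorts` exposes MariaDB on the public interface although the only consumer visible in this file (icinga2 on `host = "comet.softwarefools.com"`) runs on the same machine, so binding to localhost and dropping the port from the firewall list would close that surface. `permitRootLogin = "yes"` also diverges from the `"prohibit-password"` used in config-iso.nix; since `passwordAuthentication = false` is set, the latter is the equivalent safe value and keeps the two files consistent.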
diff --git a/nix/nixops/comet/hardware-configuration.nix b/nix/nixops/comet/hardware-configuration.nix
new file mode 100644
index 0000000..7f5eb56
--- /dev/null
+++ b/nix/nixops/comet/hardware-configuration.nix
@@ -0,0 +1,24 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/3c4969ad-b9cb-4265-8e14-92145f8a133a";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ nix.maxJobs = lib.mkDefault 4;
+}
diff --git a/nix/nixops/config-extra.nix b/nix/nixops/config-extra.nix
new file mode 100644
index 0000000..92b2f33
--- /dev/null
+++ b/nix/nixops/config-extra.nix
@@ -0,0 +1,9 @@
+{
+ imports = [./config-iso.nix];
+ fileSystems."/" = {
+ device="/dev/sda1";
+ fsType="ext4";
+ };
+
+ boot.loader.grub.enable = true;
+} # no newline afer this !
diff --git a/nix/nixops/config-iso.nix b/nix/nixops/config-iso.nix
new file mode 100644
index 0000000..e31915b
--- /dev/null
+++ b/nix/nixops/config-iso.nix
@@ -0,0 +1,34 @@
+# This config generates a basic NixOS ISO meant to quickly bootstrap a NixOs
+# system with a single custom command: miguel-quick-install [hostname]
+#
+# Build ISO like that: cp ${nixos-generate -c config-iso.nix -f iso} my-nixos.iso
+#
+
+{config,pkgs,...}:
+
+# FIXME: use proper derivation instead of this custom mess.
+let miguel-quick-installer =
+ with pkgs; derivation{ name = "miguel-quick-install";
+ builder = "${bash}/bin/bash";
+ bash = bash;
+ args = [./miguel-quick-install.sh];
+ coreutils = coreutils;
+ configextra = ./config-extra.nix;
+ configiso = ./config-iso.nix;
+ system = builtins.currentSystem; };
+in {
+ boot.initrd.availableKernelModules = ["ata_piix" "floppy" "sd_mod" "sr_mod"];
+ virtualisation.hypervGuest.enable = true;
+
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+
+ environment.systemPackages = with pkgs; [mc vim miguel-quick-installer parted];
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ passwordAuthentication = false;
+ };
+ users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa 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 Miguel_User@DESKTOP-4NH8M69" ];
+}
diff --git a/nix/nixops/miguel-quick-install.sh b/nix/nixops/miguel-quick-install.sh
new file mode 100644
index 0000000..3c3e7cb
--- /dev/null
+++ b/nix/nixops/miguel-quick-install.sh
@@ -0,0 +1,47 @@
+PATH="$coreutils/bin"
+mkdir -p $out/bin
+cat >> $out/bin/miguel-quick-install << EOL
+#!$bash/bin/bash
+
+set -e # stop on error
+set -u # stop on undefined var
+
+echo
+echo =========================================================================
+echo == Welcome to Miguels Custom NixOS Quick Install ... Please Standby ==
+echo =========================================================================
+echo
+
+echo desired hosname = \$1
+echo
+
+echo 1. Create Target Partitions
+parted /dev/sda -- mklabel msdos
+parted /dev/sda -- mkpart primary 1MiB -8GiB
+mkfs.ext4 -L nixos /dev/sda1
+
+echo 2. Mount Target Partitions
+mkdir -p /mnt
+mount /dev/sda1 /mnt
+
+echo 3. Update Nix Channel
+nix-channel --update
+
+echo 4. Generate Configs
+nixos-generate-config --root /mnt
+cp $configextra /mnt/etc/nixos/config-extra.nix
+cp $configiso /mnt/etc/nixos/config-iso.nix
+cp $0 /mnt/etc/nixos/miguel-quick-install.sh
+cat $configextra | head -n -1 > /mnt/etc/nixos/configuration.nix
+echo "networking.hostName=\"\$1\";}" >> /mnt/etc/nixos/configuration.nix
+
+echo 5. Start NixOS Installer!
+nixos-install --no-root-passwd
+
+echo 6. Finished
+echo Please remove the installation media and reboot into your fresh NixOS!
+
+#reboot
+
+EOL
+chmod +x $out/bin/miguel-quick-install
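Review bot: The generated installer runs `parted /dev/sda -- mklabel msdos` before it has validated its single argument; because the heredoc is unquoted, the check must use an escaped parameter so it survives build-time expansion, e.g. `[ \$# -eq 1 ] || { echo "usage: miguel-quick-install <hostname>" >&2; exit 1; }` placed before the partitioning step (with only `set -u`, the script stops at the `echo desired hosname = \$1` line, whose message also misspells "hostname"). The `cat $configextra | head -n -1` step silently depends on config-extra.nix ending in its closing brace with no trailing newline, which only the comment in that file records; a comment at the point of use, `# head -n -1 drops the closing brace of config-extra.nix (no trailing newline there); hostname and brace are re-appended below`, makes the coupling visible where it is consumed. The hostname is spliced into a Nix string unescaped (`\"\$1\"`), so a value containing a double quote yields an unparsable configuration.nix for nixos-install rather than an error here; validating the argument against a hostname character set (letters, digits, hyphen) in the same guard would prevent that.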
diff --git a/nix/nixops/nixops.nix b/nix/nixops/nixops.nix
new file mode 100644
index 0000000..1bf10ba
--- /dev/null
+++ b/nix/nixops/nixops.nix
@@ -0,0 +1,26 @@
+{
+ network.description = "My first NixOS cluster";
+ network.enableRollback = true;
+
+ comet = {
+ imports = [ ./comet/configuration.nix ];
+ deployment.targetHost = "comet.softwarefools.com";
+ };
+
+ nixos-01 = {config, pkgs,...}:
+ {
+ imports = [ ./config-extra.nix ];
+ environment.systemPackages = with pkgs; [mc];
+ deployment.targetHost = "nixos-01";
+ };
+
+ nixos-02 = {
+ imports = [ ./config-extra.nix ];
+ deployment.targetHost = "nixos-02";
+ };
+
+ nixos-03 = {
+ imports = [ ./config-extra.nix ];
+ deployment.targetHost = "nixos-03";
+ };
+}
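Review bot: `nixos-01` is written as a module function `{config, pkgs,...}:` while `comet`, `nixos-02` and `nixos-03` are plain attribute sets; nixops accepts both, but the mixed style makes the four entries read as if they differed in kind. The function form is only needed for `with pkgs; [mc]`, which could move into config-extra.nix (already imported by all three nixos-0x hosts) so every entry uses the same attribute-set shape. The `deployment.targetHost` values `nixos-01`..`nixos-03` are bare names that presumably must resolve from the deploying host; a one-line comment above them stating where they are expected to resolve (hosts file or DNS) would spare the next reader a failed first `nixops deploy`.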