Diffstat (limited to 'nix')
| -rw-r--r-- | nix/.envrc | 1 | ||||
| -rw-r--r-- | nix/TODO.md | 13 | ||||
| -rw-r--r-- | nix/nixops/README.md | 23 | ||||
| -rw-r--r-- | nix/nixops/comet/configuration.nix | 275 | ||||
| -rw-r--r-- | nix/nixops/comet/hardware-configuration.nix | 24 | ||||
| -rw-r--r-- | nix/nixops/config-extra.nix | 9 | ||||
| -rw-r--r-- | nix/nixops/config-iso.nix | 34 | ||||
| -rw-r--r-- | nix/nixops/miguel-quick-install.sh | 47 | ||||
| -rw-r--r-- | nix/nixops/nixops.nix | 26 | ||||
| -rw-r--r-- | nix/shell.nix | 6 |
10 files changed, 458 insertions, 0 deletions
diff --git a/nix/.envrc b/nix/.envrc
new file mode 100644
index 0000000..1d953f4
--- /dev/null
+++ b/nix/.envrc
@@ -0,0 +1 @@
+use nix
diff --git a/nix/TODO.md b/nix/TODO.md
new file mode 100644
index 0000000..5e14a32
--- /dev/null
+++ b/nix/TODO.md
@@ -0,0 +1,13 @@
+wtf is this?
+
+# SSH
+* ssh: key-only-auth
+
+# GIT
+* selective encrypted files
+* fat file storage
+* gitolite: ban 'push -f'
+* git-app for mobile
+* lock gitolite write access and backup (once daily?)
+* pull/push backups to other storage
+* verify backups
diff --git a/nix/nixops/README.md b/nix/nixops/README.md
new file mode 100644
index 0000000..ce2ae46
--- /dev/null
+++ b/nix/nixops/README.md
@@ -0,0 +1,23 @@
+WARNING: Be careful about assumptions made by this script,
+as /dev/sda beeing the target disk etc..
+
+nix-shell -p nixos-generators nixops
+
+Adapt config-iso.nix/ config-extra.nix (public key & /dev/sdX)
+
+cp $(nixos-generate -c config-iso.nix -f iso) my-nixos.iso
+
+boot the iso in fresh vm (e.g. 25G HDD, 1024 RAM)
+
+ssh into vm
+
+run : miguel-quick-install [desired-hostname]
+reboot into new nixos
+
+back on host:
+adapt nixops.nix
+
+run: (optionally with "-d label" after each)
+ nixops create nixops.nix # only first time
+ nixops deploy .. etc
+ nixops ssh-for-each -- uptime
diff --git a/nix/nixops/comet/configuration.nix b/nix/nixops/comet/configuration.nix
new file mode 100644
index 0000000..9f5a255
--- /dev/null
+++ b/nix/nixops/comet/configuration.nix
@@ -0,0 +1,275 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+let my_ssh_pub_key = "ssh-rsa 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 Miguel_User@DESKTOP-4NH8M69";
+in
+{
+
+ # HARDWARE SCAN RESULTS
+ imports =
+ [
+ ./hardware-configuration.nix
+ ];
+
+
+ # SYS PACKAGES
+ environment.systemPackages = with pkgs; [mc highlight adminer icinga2 monitoring-plugins tmux];
+
+
+ # compare with nginx etc and publish this shit (along instructions how to run with mariadb+icingaweb2 admin
+ environment.etc = with pkgs;
+ let defaultIcinga2Const= builtins.readFile "${icinga2}/etc/icinga2/constants.conf";
+ in
+ {
+ "icinga2/features-available".source="${icinga2}/etc/icinga2/features-available";
+ "icinga2/scripts".source="${icinga2}/etc/icinga2/scripts";
+ "icinga2/zones.d".source="${icinga2}/etc/icinga2/zones.d";
+ "icinga2/conf.d".source="${icinga2}/etc/icinga2/conf.d";
+ "icinga2/constants.conf".text=builtins.replaceStrings ["bin"] ["${monitoring-plugins}/bin"] defaultIcinga2Const;
+ "icinga2/icinga2.conf".source="${icinga2}/etc/icinga2/icinga2.conf";
+ "icinga2/zones.conf".source="${icinga2}/etc/icinga2/zones.conf";
+ "icinga2/features-enabled/checker.conf".source="${icinga2}/etc/icinga2/features-available/checker.conf";
+ "icinga2/features-enabled/mainlog.conf".source="${icinga2}/etc/icinga2/features-available/mainlog.conf";
+ "icinga2/features-enabled/notification.conf".source="${icinga2}/etc/icinga2/features-available/notification.conf";
+ "icinga2/features-enabled/ido-mysql.conf".text='' object IdoMysqlConnection "ido-mysql" { user = "icinga", password = "8fg$1%X58G4geX", host = "comet.softwarefools.com", database = "ICINGA_IDO" } '';
+ };
+ systemd.services.icinga2 = {
+ enable = true;
+ description = "Icinga host/service/network monitoring system";
+ #After=postgresql.service mariadb.service carbon-cache.service mysql.service yslog.target
+
+ serviceConfig = with pkgs; {
+ Type="simple";
+ User="icinga2";
+ Group="icinga2";
+ UMask=0007; #what is this good for?
+ ExecStart="${icinga2}/bin/icinga2 daemon -c /etc/icinga2/icinga2.conf";
+ ExecReload="${icinga2}/lib/icinga2/safe-reload /usr/lib/icinga2/icinga2";
+ PIDFile="/run/icinga2/icinga2.pid";
+ RuntimeDirectory="icinga2";
+ CacheDirectory="icinga2";
+ LogsDirectory="icinga2";
+ StateDirectory="icinga2";
+ };
+
+ wantedBy=[ "multi-user.target" ];
+ };
+
+ # AUTOMATIC uPGRADES
+ system.autoUpgrade.enable = true;
+ system.autoUpgrade.allowReboot = true;
+
+ # USERS / GROUPS / SSH
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "yes";
+ passwordAuthentication = false;
+ };
+
+ users.mutableUsers = false;
+
+ users.users.miguel = {
+ isNormalUser = true;
+ home = "/home/miguel";
+ description = "Miguel";
+ extraGroups = [ "wheel" "networkmanager" ];
+ openssh.authorizedKeys.keys = [ my_ssh_pub_key ];
+ uid = 1000;
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [ my_ssh_pub_key ];
+
+ users.groups.icinga2 = {};
+ users.users.icinga2 = {
+ isSystemUser = true;
+ extraGroups = ["icinga2"];
+ };
+
+ # NEOVIM
+ programs.neovim.enable = true;
+ programs.neovim.vimAlias = true;
+ programs.neovim.viAlias = true;
+
+ # MARIADB
+ services.mysql.enable = true;
+ services.mysql.package = pkgs.mariadb;
+ services.mysql.bind = "0.0.0.0";
+
+ # XMPP
+ services.ejabberd.enable = true;
+ services.ejabberd.configFile = "/etc/ejabberd.yaml";
+
+ # GITOLITE
+ services.gitolite.enable = true;
+ services.gitolite.extraGitoliteRc = "$RC{UMASK} = 0027;
+ push( @{$RC{ENABLE}}, 'D' );
+ ";
+ services.gitolite.adminPubkey = my_ssh_pub_key;
+
+ # GITWEB
+ services.gitweb.projectroot = "/var/lib/gitolite/repositories";
+ services.gitweb.gitwebTheme = true;
+ services.gitweb.extraConfig = ''
+ $site_name = "Gitweb of the Fools";
+ $logo_label = "Gitweb of the Fools";
+ $logo_url = "./";
+ $feature{'highlight'}{'default'} = [1];
+ $projects_list = "/var/lib/gitolite/projects.list";
+ $strict_export = true;
+ $per_request_config = 1;
+ our %highlight_basename;
+ $highlight_basename{'Dockerfile'} = 'Dockerfile';
+ $highlight_basename{'Makefile'} = 'Makefile';
+ our %highlight_ext;
+ $highlight_ext{'hs'} = 'haskell';
+ $highlight_ext{'go'} = 'go';
+ $highlight_ext{'yaml'} = 'yaml';
+ $highlight_ext{'md'} = 'markdown';
+ $highlight_ext{'lua'} = 'lua';
+ $highlight_ext{'modinfo'} = 'xml';
+ push @stylesheets, "https://comet.softwarefools.com/highlight.css";
+ '';
+
+ # CERTS
+ security.acme.acceptTerms = true;
+ security.acme.email = "m.i@gmx.at";
+
+ # NGINX
+ services.nginx.enable = true;
+ services.nginx.appendHttpConfig = "server_names_hash_bucket_size 64;";
+
+ services.nginx.virtualHosts."comet.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/comet.softwarefools.com";
+ };
+
+ # ICINGA
+ services.icingaweb2.enable = true;
+ services.icingaweb2.modules.monitoring.enable = false;
+ services.icingaweb2.virtualHost = "icinga.softwarefools.com";
+ services.nginx.virtualHosts."icinga.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+
+
+ # DOKUWIKI
+ services.dokuwiki."dokuwiki.softwarefools.com" = {
+ enable = true;
+ nginx = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ services.nginx.virtualHosts."dokuwiki.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/dokuwiki.softwarefools.com";
+ };
+
+ # GITWEB
+ services.nginx.gitweb.enable = true;
+ services.nginx.gitweb.group = "gitolite";
+ services.nginx.gitweb.virtualHost = "gitweb.softwarefools.com";
+ services.nginx.gitweb.location = "";
+
+ services.nginx.virtualHosts."gitweb.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/static/" = {
+ extraConfig = "expires 5m;";
+ };
+ };
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ # boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ networking.hostName = "comet"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Warsaw";
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ # environment.systemPackages = with pkgs; [
+ # wget vim
+ # ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # pinentryFlavor = "gnome3";
+ # };
+
+ # FIREWALL
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 5222 5223 5269 3306 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+ # services.xserver.layout = "us";
+ # services.xserver.xkbOptions = "eurosign:e";
+
+ # Enable touchpad support.
+ # services.xserver.libinput.enable = true;
+
+ # Enable the KDE Desktop Environment.
+ # services.xserver.displayManager.sddm.enable = true;
+ # services.xserver.desktopManager.plasma5.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.users.jane = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.03"; # Did you read the comment?
+}
diff --git a/nix/nixops/comet/hardware-configuration.nix b/nix/nixops/comet/hardware-configuration.nix
new file mode 100644
index 0000000..7f5eb56
--- /dev/null
+++ b/nix/nixops/comet/hardware-configuration.nix
@@ -0,0 +1,24 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/3c4969ad-b9cb-4265-8e14-92145f8a133a";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ nix.maxJobs = lib.mkDefault 4;
+}
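Review bot: The IDO connector password on the `"icinga2/features-enabled/ido-mysql.conf".text = ''...''` line is committed in cleartext and, because `environment.etc` renders `.text` into the Nix store, is readable by every local user on the host; it should be treated as compromised and rotated now that it is in git history. The same hunk sets `services.mysql.bind = "0.0.0.0"` and lists `3306` in `networking.firewall.allowedTCPPorts`, so that credential is usable from the network even though Icinga only talks to the local instance. I would deliver the connector file out of band (a nixops `deployment.keys` entry owned by `icinga2` with mode 0400, with the `/etc` entry's `.source` pointing at it, e.g. `/run/keys/ido-mysql.conf`), set `host = "localhost"`, and drop `3306` from the firewall unless an external client genuinely needs it. Separately, `permitRootLogin = "yes"` is broader than the `"prohibit-password"` used in config-iso.nix in this same commit; since `passwordAuthentication = false` is set the practical exposure is limited, but `permitRootLogin = "prohibit-password";` states the intent and survives a later password being set.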
diff --git a/nix/nixops/config-extra.nix b/nix/nixops/config-extra.nix
new file mode 100644
index 0000000..92b2f33
--- /dev/null
+++ b/nix/nixops/config-extra.nix
@@ -0,0 +1,9 @@
+{
+ imports = [./config-iso.nix];
+ fileSystems."/" = {
+ device="/dev/sda1";
+ fsType="ext4";
+ };
+
+ boot.loader.grub.enable = true;
+} # no newline afer this !
diff --git a/nix/nixops/config-iso.nix b/nix/nixops/config-iso.nix
new file mode 100644
index 0000000..e31915b
--- /dev/null
+++ b/nix/nixops/config-iso.nix
@@ -0,0 +1,34 @@
+# This config generates a basic NixOS ISO meant to quickly bootstrap a NixOs
+# system with a single custom command: miguel-quick-install [hostname]
+#
+# Build ISO like that: cp ${nixos-generate -c config-iso.nix -f iso} my-nixos.iso
+#
+
+{config,pkgs,...}:
+
+# FIXME: use proper derivation instead of this custom mess.
+let miguel-quick-installer =
+ with pkgs; derivation{ name = "miguel-quick-install";
+ builder = "${bash}/bin/bash";
+ bash = bash;
+ args = [./miguel-quick-install.sh];
+ coreutils = coreutils;
+ configextra = ./config-extra.nix;
+ configiso = ./config-iso.nix;
+ system = builtins.currentSystem; };
+in {
+ boot.initrd.availableKernelModules = ["ata_piix" "floppy" "sd_mod" "sr_mod"];
+ virtualisation.hypervGuest.enable = true;
+
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+
+ environment.systemPackages = with pkgs; [mc vim miguel-quick-installer parted];
+
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "prohibit-password";
+ passwordAuthentication = false;
+ };
+ users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa 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 Miguel_User@DESKTOP-4NH8M69" ];
+}
diff --git a/nix/nixops/miguel-quick-install.sh b/nix/nixops/miguel-quick-install.sh
new file mode 100644
index 0000000..3c3e7cb
--- /dev/null
+++ b/nix/nixops/miguel-quick-install.sh
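Review bot: The root authorized key on the `users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa ..." ]` line is the same literal that comet/configuration.nix binds as `my_ssh_pub_key`, so rotating the key means editing two files, and the README's "Adapt config-iso.nix (public key & /dev/sdX)" step is easy to skip. I would move it into a small `keys.nix` (`{ miguel = "ssh-rsa ..."; }`) that both files import, so there is one place to change. Note also that config-extra.nix imports this file, so every installed host inherits the ISO's settings — `virtualisation.hypervGuest.enable = true`, the hard-coded `boot.loader.grub.device = "/dev/sda"` and the root key itself; if that is intended, a comment on the `imports = [./config-iso.nix];` line saying so would save the next reader a surprise.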
@@ -0,0 +1,47 @@
+PATH="$coreutils/bin"
+mkdir -p $out/bin
+cat >> $out/bin/miguel-quick-install << EOL
+#!$bash/bin/bash
+
+set -e # stop on error
+set -u # stop on undefined var
+
+echo
+echo =========================================================================
+echo == Welcome to Miguels Custom NixOS Quick Install ... Please Standby ==
+echo =========================================================================
+echo
+
+echo desired hosname = \$1
+echo
+
+echo 1. Create Target Partitions
+parted /dev/sda -- mklabel msdos
+parted /dev/sda -- mkpart primary 1MiB -8GiB
+mkfs.ext4 -L nixos /dev/sda1
+
+echo 2. Mount Target Partitions
+mkdir -p /mnt
+mount /dev/sda1 /mnt
+
+echo 3. Update Nix Channel
+nix-channel --update
+
+echo 4. Generate Configs
+nixos-generate-config --root /mnt
+cp $configextra /mnt/etc/nixos/config-extra.nix
+cp $configiso /mnt/etc/nixos/config-iso.nix
+cp $0 /mnt/etc/nixos/miguel-quick-install.sh
+cat $configextra | head -n -1 > /mnt/etc/nixos/configuration.nix
+echo "networking.hostName=\"\$1\";}" >> /mnt/etc/nixos/configuration.nix
+
+echo 5. Start NixOS Installer!
+nixos-install --no-root-passwd
+
+echo 6. Finished
+echo Please remove the installation media and reboot into your fresh NixOS!
+
+#reboot
+
+EOL
+chmod +x $out/bin/miguel-quick-install
diff --git a/nix/nixops/nixops.nix b/nix/nixops/nixops.nix
new file mode 100644
index 0000000..1bf10ba
--- /dev/null
+++ b/nix/nixops/nixops.nix
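Review bot: The generated installer wipes `/dev/sda` (`parted /dev/sda -- mklabel msdos`) with no confirmation and no check that the device is the intended target, and the hostname from `\$1` is spliced unvalidated into a Nix expression on the `echo "networking.hostName=\"\$1\";}"` line, so an argument containing a quote or other Nix syntax produces a broken or unexpected configuration.nix. A missing argument is only caught by accident, via `set -u` on the `echo desired hosname = \$1` line (which also has a typo, `hostname`). I would validate the hostname and require an explicit confirmation before partitioning; remember this text lives inside an unquoted `<< EOL` heredoc evaluated at build time, so every `$` that must survive into the installed script has to be written `\$`, as the existing `\$1` already is.
```shell
# … unchanged: banner echo lines …
host="\${1:?usage: miguel-quick-install <hostname>}"
[[ "\$host" =~ ^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\$ ]] || { echo "invalid hostname: \$host" >&2; exit 1; }
read -r -p "This will ERASE /dev/sda. Type /dev/sda to continue: " confirm
[ "\$confirm" = "/dev/sda" ] || { echo aborted >&2; exit 1; }
# … unchanged: partitioning, mount, channel update, config copies …
echo "networking.hostName=\"\$host\";}" >> /mnt/etc/nixos/configuration.nix
```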
@@ -0,0 +1,26 @@
+{
+ network.description = "My first NixOS cluster";
+ network.enableRollback = true;
+
+ comet = {
+ imports = [ ./comet/configuration.nix ];
+ deployment.targetHost = "comet.softwarefools.com";
+ };
+
+ nixos-01 = {config, pkgs,...}:
+ {
+ imports = [ ./config-extra.nix ];
+ environment.systemPackages = with pkgs; [mc];
+ deployment.targetHost = "nixos-01";
+ };
+
+ nixos-02 = {
+ imports = [ ./config-extra.nix ];
+ deployment.targetHost = "nixos-02";
+ };
+
+ nixos-03 = {
+ imports = [ ./config-extra.nix ];
+ deployment.targetHost = "nixos-03";
+ };
+}
diff --git a/nix/shell.nix b/nix/shell.nix
new file mode 100644
index 0000000..b1b4b16
--- /dev/null
+++ b/nix/shell.nix
@@ -0,0 +1,6 @@
+{ pkgs ? import <nixpkgs> {} }:
+with pkgs;
+mkShell {
+ # nativeBuildInputs is usually what you want -- tools you need to run
+ nativeBuildInputs = [ nixops nixos-generators ];
+} |
