Dustin Frisch
1 month ago
No known key found for this signature in database
GPG Key ID: B4C3BF012D9B26BE
16 changed files with 271 additions and 104 deletions
-
3.gitignore
-
6TODO.md
-
22machines/installer/cache.nix
-
12machines/installer/default.nix
-
4machines/installer/hardware.nix
-
15machines/ldap/default.nix
-
33machines/ldap/hardware.nix
-
48machines/ldap/ldap.nix
-
6machines/ldap/secrets/ldap.tls.crt
-
6machines/ldap/secrets/ldap.tls.key
-
22machines/ldap/secrets/ldap.yaml
-
18machines/nfs/default.nix
-
125machines/nfs/dhcp.nix
-
32machines/nfs/hardware.nix
-
13shared/network.nix
-
10sops-config.nix
@ -1,11 +1,13 @@ |
|||
# Tasks |
|||
- Configure user env on client (using envfs?) |
|||
- A fancy background image? |
|||
- Configure docker on client |
|||
- Make installer work |
|||
- Move ldap to subdomain |
|||
- Switch to HS nameservers |
|||
- Check external SSH access |
|||
- Remove x-tools like xterm |
|||
- Quota per user on homedir |
|||
- Exim recovery |
|||
- A fancy background image? |
|||
|
|||
# Issuse |
|||
- Cleartext password in sssd/ldap config |
|||
|
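--- a/machines/installer/cache.nix
+++ b/machines/installer/cache.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+
+{
+services.nix-serve = {
+enable = true;
+secretKeyFile = config.sops.secrets."cache/key".path;
+};
+
+services.nginx = {
+enable = true;
+virtualHosts."cache.${config.networking.domain}" = {
+locations."/".proxyPass = with config.services.nix-serve;
+"http://${bindAddress}:${port}";
+};
+};
+
+sops.secrets."cache/key" = {
+sopsFile = ./secrets/cache.key;
+format = "binary";
+};
+}
+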
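Review bot: The proxyPass value `"http://${bindAddress}:${port}"` interpolates services.nix-serve.port, which is an integer option, and Nix refuses to coerce an integer inside a string, so evaluation fails; it should read `"http://${bindAddress}:${toString port}"`. The vhost is plain HTTP with no forceSSL or enableACME, so the cache is served in cleartext — narinfo signatures preserve integrity, but clients get no transport confidentiality or server authentication, which deserves at least a comment if it is intentional. The `cache/key` secret is declared without owner or mode, so it is root-readable only; if the nix-serve unit runs as a dedicated user, that user cannot read the signing key, which is worth confirming against the module. `./secrets/cache.key` is not among the 16 changed files, so presumably it already exists in the tree.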
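--- a/machines/nfs/dhcp.nix
+++ b/machines/nfs/dhcp.nix
@@ -0,0 +1,125 @@
+{ pkgs, config, ... }:
+
+{
+services.kea.dhcp4 = {
+enable = true;
+
+settings = {
+interfaces-config = {
+interfaces = [
+"enp4s0f0"
+"enp4s0f1"
+];
+};
+
+lease-database = {
+name = "/var/lib/kea/dhcp4.leases";
+persist = true;
+type = "memfile";
+};
+
+rebind-timer = 2000;
+renew-timer = 1000;
+
+subnet4 = [
+{
+subnet = "10.33.64.0/20";
+interface = "enp4s0f1";
+
+pools = [
+{
+pool = "10.33.65.100 - 10.33.65.200";
+}
+];
+
+option-data = [
+{
+name = "routers";
+data = "10.33.64.1";
+}
+
+{
+name = "domain-name-servers";
+data = "10.0.0.53";
+}
+
+{
+name = "domain-name";
+data = config.networking.domain;
+}
+
+{
+name = "domain-search";
+data = config.networking.domain;
+}
+];
+}
+{
+subnet = "10.32.44.0/24";
+interface = "enp4s0f1";
+
+pools = [
+{
+pool = "10.32.44.100 - 10.32.44.200";
+}
+];
+
+option-data = [
+{
+name = "routers";
+data = "10.32.44.1";
+}
+
+{
+name = "domain-name-servers";
+data = "10.0.0.53";
+}
+
+{
+name = "domain-name";
+data = config.networking.domain;
+}
+
+{
+name = "domain-search";
+data = config.networking.domain;
+}
+];
+}
+];
+
+valid-lifetime = 4000;
+};
+};
+
+networking.firewall.allowedUDPPorts = [
+67
+68 # DHCP
+];
+
+services.pixiecore =
+let
+script = pkgs.writeText "boot-local.ipxe" ''
+#!ipxe
+
+sleep 2
+
+sanboot -n -d 0x80
+
+shell
+'';
+in
+{
+enable = true;
+
+dhcpNoBind = true;
+
+port = 5080;
+
+mode = "boot";
+kernel = toString script;
+
+openFirewall = true;
+};
+}
+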
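Review bot: Both subnet4 entries (10.33.64.0/20 and 10.32.44.0/24) set `interface = "enp4s0f1";` while interfaces-config also lists enp4s0f0, so enp4s0f0 has no subnet to serve and the two subnets compete for the same interface; presumably one of them was meant for enp4s0f0, and if both really belong on enp4s0f1 Kea expects them grouped in a shared-network. `networking.firewall.allowedUDPPorts = [ 67 68 ]` opens the DHCP server ports on every interface, including any uplink; scoping it as `networking.firewall.interfaces.enp4s0f1.allowedUDPPorts = [ 67 68 ];` (plus enp4s0f0 if it serves a subnet) limits the server to the networks it is meant to answer on, and the same consideration applies to pixiecore's `openFirewall = true`, which opens its ports globally. The iPXE script falls through to `shell` when `sanboot` fails, so anyone at the console of a netbooted host lands in an interactive iPXE shell; `reboot` or `exit` is the safer fallback unless the shell is wanted for debugging, in which case a comment should say so. The DNS server 10.0.0.53 is repeated verbatim in both subnets; a single `let` binding would keep them in sync when the TODO item to switch nameservers is done.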