
More progress

main
Dustin Frisch 1 week ago
parent
commit
17b10d8366
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
  1. 3
      .gitignore
  2. 6
      TODO.md
  3. 22
      machines/installer/cache.nix
  4. 10
      machines/installer/default.nix
  5. 2
      machines/installer/hardware.nix
  6. 15
      machines/ldap/default.nix
  7. 21
      machines/ldap/hardware.nix
  8. 12
      machines/ldap/ldap.nix
  9. 6
      machines/ldap/secrets/ldap.tls.crt
  10. 6
      machines/ldap/secrets/ldap.tls.key
  11. 22
      machines/ldap/secrets/ldap.yaml
  12. 18
      machines/nfs/default.nix
  13. 125
      machines/nfs/dhcp.nix
  14. 16
      machines/nfs/hardware.nix
  15. 11
      shared/network.nix
  16. 4
      sops-config.nix

3
.gitignore

@ -5,5 +5,6 @@
/*-efi-vars.fd
# nixago: ignore-linked-files
/.sops.yaml
/.pre-commit-config.yaml

6
TODO.md

@ -1,11 +1,13 @@
# Tasks
- Configure user env on client (using envfs?)
- A fancy background image?
- Configure docker on client
- Make installer work
- Move ldap to subdomain
- Switch to HS nameservers
- Check external SSH access
- Remove x-tools like xterm
- Quota per user on homedir
- Exim recovery
- A fancy background image?
# Issuse
- Cleartext password in sssd/ldap config

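--- a/machines/installer/cache.nix
+++ b/machines/installer/cache.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+services.nix-serve = {
+enable = true;
+secretKeyFile = config.sops.secrets."cache/key".path;
+};
+services.nginx = {
+enable = true;
+virtualHosts."cache.${config.networking.domain}" = {
+locations."/".proxyPass = with config.services.nix-serve;
+"http://${bindAddress}:${port}";
+};
+};
+sops.secrets."cache/key" = {
+sopsFile = ./secrets/cache.key;
+format = "binary";
+};
+}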
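Review bot: `"http://${bindAddress}:${port}"` interpolates `config.services.nix-serve.port`, which is an integer option in nixpkgs, and Nix string interpolation does not coerce integers, so evaluating this virtualHost fails; it should read `"http://${bindAddress}:${toString port}"`. The referenced `./secrets/cache.key` is not part of this commit and `machines/installer/default.nix` still carries `# TODO: ./cache.nix`, so nothing exercises the module yet — a short header comment stating both would help the next reader. Since nginx fronts nix-serve, `bindAddress = "127.0.0.1";` would keep the unauthenticated nix-serve listener off the network interfaces; the vhost itself also serves plain HTTP with no `forceSSL`/`enableACME`, which is fine for integrity (clients verify narinfo signatures against the public key) but should be a deliberate, commented choice.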

10
machines/installer/default.nix

@ -2,24 +2,24 @@
imports = [
./hardware.nix
# TODO: ./cache.nix
./netinstall.nix
# ./netinstall.nix
];
deployment = {
targetHost = "10.32.45.12";
targetHost = "10.33.64.21";
};
networking = {
interfaces."eth0" = {
ipv4.addresses = [{
address = "10.32.45.12";
prefixLength = 24;
address = "10.33.64.21";
prefixLength = 20;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
address = "10.33.64.1";
};
};

2
machines/installer/hardware.nix

@ -30,7 +30,7 @@
disk = {
root = {
type = "disk";
device = "/dev/sda";
device = "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:1:0:0";
imageSize = "64G";
content = {
type = "gpt";

15
machines/ldap/default.nix

@ -2,23 +2,26 @@
imports = [
./hardware.nix
./ldap.nix
# TODO:
# ../installer/netinstall.nix
];
deployment = {
targetHost = "10.32.45.11";
targetHost = "10.33.64.19";
};
networking = {
interfaces."eth0" = {
interfaces."eno1" = {
ipv4.addresses = [{
address = "10.32.45.11";
prefixLength = 24;
address = "10.33.64.19";
prefixLength = 20;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
interface = "eno1";
address = "10.33.64.1";
};
};

21
machines/ldap/hardware.nix

@ -7,20 +7,22 @@
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [
"uhci_hcd"
boot = {
initrd.availableKernelModules = [
"ahci"
"ohci_pci"
"ehci_pci"
"ata_piix"
"mptsas"
"usb_storage"
"pata_atiixp"
"mpt3sas"
"usbhid"
"usb_storage"
"sd_mod"
"sr_mod"
];
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
kernelModules = [ "kvm-amd" ];
loader.grub.enable = true;
};
hardware.enableRedistributableFirmware = true;
@ -30,7 +32,7 @@
disk = {
root = {
type = "disk";
device = "/dev/sda";
device = "/dev/disk/by-path/pci-0000:01:00.0-scsi-0:1:0:0";
imageSize = "32G";
content = {
type = "gpt";
@ -46,6 +48,7 @@
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
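Review bot: `loader.grub.enable = true;` replaces systemd-boot, but neither `grub.device`/`grub.devices` nor `grub.efiSupport` is set in this hunk while /boot is still a vfat partition; if disko derives `boot.loader.grub.devices` from a BIOS-boot partition outside the view that is fine, otherwise the build stops at the grub assertion — confirm and add a comment naming where the device comes from, e.g. `# grub device provided by disko (EF02 partition)`. The added `mountOptions = [ "umask=0077" ]` on /boot is worthwhile hardening (it stops boot files being world-readable); the corresponding hunk of `machines/nfs/hardware.nix` is not shown, so I can't tell whether it received the same option. The `disko` attribute set this hunk edits starts before line 30 and continues after it.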

12
machines/ldap/ldap.nix

@ -191,31 +191,33 @@ in
'';
};
sops.secrets."ldap/root/password" = {
sops.secrets = {
"ldap/root/password" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
sops.secrets."ldap/upstream" = {
"ldap/upstream" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
sops.secrets."ldap/tls/key" = {
"ldap/tls/key" = {
sopsFile = ./secrets/ldap.tls.key;
format = "binary";
owner = "openldap";
};
sops.secrets."ldap/tls/crt" = {
"ldap/tls/crt" = {
sopsFile = ./secrets/ldap.tls.crt;
format = "binary";
owner = "openldap";
};
sops.secrets."ldap/sync/config" = {
"ldap/sync/config" = {
sopsFile = ./secrets/ldap.yaml;
};
};
networking.firewall.allowedTCPPorts = [
22
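Review bot: `"ldap/sync/config"` is the only entry in the restructured `sops.secrets` set without `owner = "openldap"`, so sops-nix will materialise it root-owned with its default mode 0400; if slapd (running as openldap) reads it, that fails at runtime rather than at build time. If a root-run sync unit consumes it instead, that is intentional but deserves a comment such as `# read by the root-run sync unit, so no owner needed` to keep a later "consistency" edit from changing it. The enclosing attribute set starts before line 191 and the hunk ends inside `networking.firewall.allowedTCPPorts`.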

6
machines/ldap/secrets/ldap.tls.crt

@ -8,11 +8,11 @@
"age": [
{
"recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTkxXVEZMMm04bFVVbTNV\ndTluWmdNdU1sMVZqNHVUckZ0Rzh5WUM1cGxvCmIxb2Rld0NWek9xQVh5dlo0VGZL\ncXpYeXdUK1dVNVc3SitSeUpnVjVqMlEKLS0tIDd0Si8rbFd6YkFsMWZEMFdIQmd4\nVGNzR3BiaVdaODRtRmI1UW5kbm5sQWsKOYN2GuBROfSVmbPK3gvJhqLfXEgbh/NF\nOYNbi+i0cL41gAQjgqVcAJmzJSyp/wecfge2J8EQnbegFeUGfmrljw==\n-----END AGE ENCRYPTED FILE-----\n"
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRTB5dHBnaHJIaWU1a2tF\nemxTYzMrU0VyWWpGYUV4VmYvZ05pRW9jaVhJClQralFYdjVrbHg2RUh4empRTVRJ\nREZFWW5QYVdaTEFJU0E2N1N4T1MxekEKLS0tIDNXWU5QdnZtL2RsUmFjQW5ZYVlB\nYlVPY2J2S2RScS9JRW5uNGd6K2dvQWcKB4n41c1B4G63+VwihKCgKit+2LqDuOpH\ngLSzTRhpqIthk/IA0JCGYsgI7LdbC+dyMzHlFnwKj/PY6YXEsbluEg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QUZtMHpScDFxbXp2cnpW\nSE00Q2JDV2Z0RUtBdGJidlVYSjFkV0RicVNFCi9ZUW12T1ZJUGdWWlJONkNCZFJR\nMEt5dGVvVDlCQWttczNCMGJkSEZ0OEUKLS0tIG9qWVA3dG5KNUY5R1BZRkZBRDNU\nejZLbUpXUXNZL0JYdk4xbXhUZlZHczAKcduhbeOO9wEZo5FOzOae4tl1OMddBgAw\n1JjHE8JzY3yud6C6UNoghwhAG+B1kTa1KlcsUezVxT55rTGQk+Ghog==\n-----END AGE ENCRYPTED FILE-----\n"
"recipient": "age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbXJkeUNNVmJoRlRzQllN\nRCtmR2ErUURMVFk2aGllRk1XVzNFbmlaQjBZCmM3dWphQTN2TXU1YkVqUk1RWm13\nWW5SdkduQjlLSVVLeS9VSS9tMFRMRFUKLS0tIEVJMFR5NDdRc3hXQ2JsZ2JLL2Nr\nekdVd1VUUFM4eTNTN2RJbm1TeU04ZlUKLESgMA+mqU4IyVWh4sceRarIEb1asBV2\nJF7BIqhqd4N0SVULQg9yeu7cqqg2pJTgkV1Y6nGpOrhtn0nrtor9Dg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-10-23T13:43:39Z",
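Review bot: Replacing recipient `age1wzany…` with `age1dzhwx…` only re-wraps the file's data key for the new host key (matching the rotated `nfs` and `ldap` entries in `sops-config.nix`); the encrypted payload and `lastmodified` are unchanged, so the TLS private key in `machines/ldap/secrets/ldap.tls.key` and the credentials in `machines/ldap/secrets/ldap.yaml` were not rotated. Every earlier revision in git history stays decryptable by whoever holds the old host key. If the old hosts were decommissioned cleanly that is acceptable; if they were reinstalled after a compromise, or their disks outlived them, rotate the secret contents as well, not just the recipients. The same observation applies to the `ldap.tls.key` and `ldap.yaml` sections below.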

6
machines/ldap/secrets/ldap.tls.key

@ -8,11 +8,11 @@
"age": [
{
"recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeEpiRjhYU3ErSW56a3Z5\nbUN2TUxaSTlIT3dFK0p1dlV6WTd2bzJLbW4wCkJLd0hSZmRGUHg4Z2NpQ2VFa25T\na0dhUlpLSk1GSEl6eGY0NllMclY2bDgKLS0tIENGanhCK2dLcmFxclNDWUtuS0Vt\nejZncjdVUll1OG1aM1BFK0EwckNodGcKMBn25B8U9pR+NDm4xTK43DSPxSLmcDgz\ntm6EZy6ENOJYsFf1UCILrd9pkX5Vt/h3RE5U/IJEpIiYsaYSTRjG6w==\n-----END AGE ENCRYPTED FILE-----\n"
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cTdvSlc2RUljc3l1SERM\neEJVbXZPVnJ4eDk3MDJPelAwWFNJcEp3RkdNCkp3bXBIbUlNeHc2N1NRaGQ5NXFP\nQXJRbVc3N1lKc1hZM2tNcGhNM0pPTncKLS0tIFlQQkE5aURrTzliejV2SHJ1VW1w\nNDJFajBhVkdUK2xpWGpPN0pxL29zT1EKwBt+0/rVeNrwFUiX/PTMEUm6ckrlO6ke\nzldXMZNP69jhrPo9j9jX4kt3Rgg96A0wfIm0AOc82bZyQSxW5wBbtg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMHZqcEs3SjBHaDB3YUR6\nbldiNVVTcjd0dkU3aWVZUnNzSG1FakRLR21nCkthT25oMnlLaVloTE5ZdnA3SXAx\nYXZveWJRSWowcTZ6Y3QyaDVvaU4vZk0KLS0tIHZ0ZndoV2RINEVkTXpkT0gwV295\nZy9jMVVNaVF0MENhZ2FNZlhjVWhtYWMKDjw+F73tFDuXBODKE1ntB4XjKnualbRX\nHoK5ZWz2kQiD5j9Z3eiA3K4UkQs8+XLBzFHKWsUJm+DXFj6pRex2iw==\n-----END AGE ENCRYPTED FILE-----\n"
"recipient": "age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VkVjL1ZWVlBUQWtEcVB6\nL2tVN2RIWlF4cmlNTmZTOElRcnVNWGZNVjN3CmJEcWFsNFo5STBDb2c0Zk9UczVG\nQTN6d3lFdHA1T3hvaWJtc2tiVUd0dTQKLS0tIEJCNE9wMTFsckRFZ2srd0lwTzFS\nV0twVDVsWVBYcWFxNy9YNVJxTzc5M2cK8TuqO2N31GxmpzUSpllEaM4Rwxf+Ph53\nriaIdZsCZfE04BySoZPil1/IjQ8aDALLe/MUK5AHXYFn8EKfxkqDVQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-10-23T13:42:58Z",

22
machines/ldap/secrets/ldap.yaml

@ -14,20 +14,20 @@ sops:
- recipient: age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3b2JsOXdFTndnclZCRm80
REZpZFBuMlFvVWhMcDRBNDJlV3d0MEFIUno0CncrejdPeTN1Z2t2SnRzNjBSTXc4
dWRWTE1XTy9LcHZYSWRabDZSemQrS2sKLS0tIHkwbFpuenpwOCtoVFg4ZHBDc3k3
bnJ3YzRHcDBPcGR0NzlKUzF6bHcyajQK214Dek7XUkmIelWsmVxk5eZmPsfbllP0
1kqP5vImXTMVmcvGR0XTnYxkNt5LVke8DWnsfEEMZniJxbm61N7+UQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0aklvbmwwRnF5Uk9PZTMy
a2hKbEExUDNwVCtGZ2k3cE5SSHRzYy83L0FjCjdQVjNIWk15UFhvRUdtQTZDRFpq
WHlWcHlEcHVzR0dERWhSMTVFVVBWOWsKLS0tIGRBUjhPaGJmWnBvOGxRSTdHM1RJ
cHJRejg5UXlzYm8xS3dKaURBSm9Sd00KxahaaD6oZMEQbV65qxMYL+C4aXafG7aE
RgN/vB9WFBeJmqqKtm0kvtFR4xfwEnTo4aO1UlPw1WCSLF1+j3ZgNg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6
- recipient: age1dzhwx7skgpq0aygef77fvnldd00v4yfqg57hav3xsup8flqyqqdsvr5hcw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcFh2R3lDdGc1cVBrWWhz
VTN6S2hyM20vSlhIRTUvbld3dE0wOGdUZHpzCjJvMFkrdndVUHlIaFZKSW04amlS
enlBNmJGc0pjbEkvNTNucTExNE9PSXMKLS0tIDlHSEQ4VVBFci9aWEpmRTNVY0hL
SDdOQkVUZVFKZUhIcytGVHNWRU9yWnMKgrnTLzfvi9RRL59+iOnvXVew3GUQtXvV
lBZ7Jam2G3AKFsdY/Z4QMAH9cqaLypPQRt5uJ+2Agl2dbGKqTqUFrg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdGphWi9NUkdEQVBicTQ0
WURkWGY3a3R6RUgxSnlobURhQVRKT3NFUnpjClFYanIydlRRNC9meXd6U29rR3k1
SGhpTExHcHErcFhXK2JOeUIxMmp4UUEKLS0tIDhoeGFyNkFCR2FBTlR0c2c1N2Nx
TWgzM3hGUFJPMWVHL3FqNzB4MWNTcU0KBu1/Cj3EeXrUajcFfZCZgOytHDuJv2fI
Oth9Mc+jRhKqvDBsc+qcDGzQQaBljkdLrvACM+uFua+hsNgPqxolCw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-23T15:39:50Z"
mac: ENC[AES256_GCM,data:x2XnbLAAWuCudb9C71I11Hmigh8sQE6lsy4YM5qg2IYRBrOnh+90MblMNAqlj5PX5/c2qg9wlRRpkCTtjcSDtur8j0dnbwQ1gg1AcwB0SWoG0QI1ynFZOJ/aCDeqcRK52AdSkrgz/wRSN2WpPX4O+hNvDRVASIyhumZQb6rrHRU=,iv:uBGxIZdwyGebtNCkpvLlVG1Wg1DdL00rJFxZjbbCV50=,tag:pg41so3tG+no/JaDA/SJMg==,type:str]

18
machines/nfs/default.nix

@ -1,24 +1,32 @@
{
imports = [
./hardware.nix
./dhcp.nix
./nfs.nix
];
deployment = {
targetHost = "10.32.45.10";
targetHost = "10.33.64.20";
};
networking = {
interfaces."eth0" = {
interfaces."enp4s0f0" = {
ipv4.addresses = [{
address = "10.32.45.10";
address = "10.33.64.20";
prefixLength = 20;
}];
};
interfaces."enp4s0f1" = {
ipv4.addresses = [{
address = "10.32.44.20";
prefixLength = 24;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
interface = "enp4s0f0";
address = "10.33.64.1";
};
};

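--- a/machines/nfs/dhcp.nix
+++ b/machines/nfs/dhcp.nix
@@ -0,0 +1,125 @@
+{ pkgs, config, ... }:
+{
+services.kea.dhcp4 = {
+enable = true;
+settings = {
+interfaces-config = {
+interfaces = [
+"enp4s0f0"
+"enp4s0f1"
+];
+};
+lease-database = {
+name = "/var/lib/kea/dhcp4.leases";
+persist = true;
+type = "memfile";
+};
+rebind-timer = 2000;
+renew-timer = 1000;
+subnet4 = [
+{
+subnet = "10.33.64.0/20";
+interface = "enp4s0f1";
+pools = [
+{
+pool = "10.33.65.100 - 10.33.65.200";
+}
+];
+option-data = [
+{
+name = "routers";
+data = "10.33.64.1";
+}
+{
+name = "domain-name-servers";
+data = "10.0.0.53";
+}
+{
+name = "domain-name";
+data = config.networking.domain;
+}
+{
+name = "domain-search";
+data = config.networking.domain;
+}
+];
+}
+{
+subnet = "10.32.44.0/24";
+interface = "enp4s0f1";
+pools = [
+{
+pool = "10.32.44.100 - 10.32.44.200";
+}
+];
+option-data = [
+{
+name = "routers";
+data = "10.32.44.1";
+}
+{
+name = "domain-name-servers";
+data = "10.0.0.53";
+}
+{
+name = "domain-name";
+data = config.networking.domain;
+}
+{
+name = "domain-search";
+data = config.networking.domain;
+}
+];
+}
+];
+valid-lifetime = 4000;
+};
+};
+networking.firewall.allowedUDPPorts = [
+67
+68 # DHCP
+];
+services.pixiecore =
+let
+script = pkgs.writeText "boot-local.ipxe" ''
+#!ipxe
+sleep 2
+sanboot -n -d 0x80
+shell
+'';
+in
+{
+enable = true;
+dhcpNoBind = true;
+port = 5080;
+mode = "boot";
+kernel = toString script;
+openFirewall = true;
+};
+}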
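Review bot: Both `subnet4` entries set `interface = "enp4s0f1"`, yet `machines/nfs/default.nix` in this same commit places the 10.33.64.20/20 address on `enp4s0f0` and 10.32.44.20/24 on `enp4s0f1`, so the first entry looks like a copy-paste slip and should read `interface = "enp4s0f0";` — as written, clients on the 10.33.64.0/20 side would presumably get no subnet selected. `networking.firewall.allowedUDPPorts = [ 67 68 ]` opens DHCP on every interface although Kea only listens on the two listed ones; `networking.firewall.interfaces."enp4s0f0".allowedUDPPorts = [ 67 68 ];` (and the same for `enp4s0f1`) keeps the exposed ports aligned with the listener. The iPXE script ends in `shell`, so a failed `sanboot` drops any PXE-booting client into an interactive iPXE shell; acceptable in a lab, but a one-line comment saying it is deliberate would spare the next reader the question.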

16
machines/nfs/hardware.nix

@ -7,21 +7,23 @@
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"mptsas"
boot = {
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.loader = {
kernelModules = [ "kvm-intel" ];
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
@ -30,7 +32,7 @@
disk = {
root = {
type = "disk";
device = "/dev/sda";
device = "/dev/disk/by-path/pci-0000:00:17.0-ata-8.0";
imageSize = "32G";
content = {
type = "gpt";

11
shared/network.nix

@ -11,17 +11,16 @@
"linuxlab.informatik.hs-fulda.de"
];
# TODO: nameservers = [ "10.0.0.53" ];
nameservers = [ "1.0.0.1" "1.1.1.1" ];
nameservers = [ "10.0.0.53" ];
useDHCP = false;
extraHosts = ''
10.32.45.10 nfs.${config.networking.domain}
10.32.45.11 ldap.${config.networking.domain}
10.32.45.12 install.${config.networking.domain}
10.33.64.20 nfs.${config.networking.domain}
10.33.64.19 ldap.${config.networking.domain}
10.33.64.19 install.${config.networking.domain}
10.32.45.11 ldap-linuxlab.informatik.hs-fulda.de
10.33.64.19 ldap-linuxlab.informatik.hs-fulda.de
'';
};
}
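Review bot: `10.33.64.19 install.${config.networking.domain}` maps the installer name to the ldap host's address, while `machines/installer/default.nix` in this commit gives the installer `10.33.64.21`; unless install is intended to resolve to the ldap machine, the line should be `10.33.64.21 install.${config.networking.domain}`. The two ldap entries moved to .19 consistently, so only the install line is off. Since `extraHosts` bypasses the newly configured `10.0.0.53` nameserver, a comment noting that these pins must be updated by hand whenever a machine's `deployment.targetHost` changes would make the coupling visible.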

4
sops-config.nix

@ -14,8 +14,8 @@ let
};
hosts = {
"nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMW2Ouwep/O0ULtPC8aHx+s9oB8RDJis02u9wYnJe7My";
"ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRJF8IwyYAe4T4x7+n6ufO6lmOTu6PgPdmHiPRfCqI";
"nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENsd6EdgIn5jhqXUEyPckoViHLLsYM2on/liwf1IO8p";
"ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFhkh5L4jYl/i4E+lBVDppHcoiohR/gDricyV2wY/3Np";
"installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
};
