Dustin Frisch
2 months ago
commit
4c07edf6de
33 changed files with 1956 additions and 0 deletions
-
9.gitignore
-
12TODO.md
-
35client/default.nix
-
37client/desktop.nix
-
11client/gpu.nix
-
91client/hardware.nix
-
21client/home.nix
-
28client/programs.nix
-
11client/sound.nix
-
91client/users.nix
-
494flake.lock
-
153flake.nix
-
28machines/installer/default.nix
-
65machines/installer/hardware.nix
-
59machines/installer/installer/default.nix
-
38machines/installer/netinstall.nix
-
1machines/installer/secrets/cache.crt
-
24machines/installer/secrets/cache.key
-
27machines/ldap/default.nix
-
65machines/ldap/hardware.nix
-
226machines/ldap/ldap.nix
-
24machines/ldap/secrets/ldap.tls.crt
-
24machines/ldap/secrets/ldap.tls.key
-
36machines/ldap/secrets/ldap.yaml
-
27machines/nfs/default.nix
-
65machines/nfs/hardware.nix
-
13machines/nfs/nfs.nix
-
21shared/default.nix
-
28shared/network.nix
-
69shared/nix.nix
-
14shared/system.nix
-
31shared/users.nix
-
78sops-config.nix
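--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,9 @@
+/result
+
+/.direnv
+/.envrc
+
+/*-efi-vars.fd
+
+# nixago: ignore-linked-files
+/.sops.yaml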
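--- a/TODO.md
+++ b/TODO.md
@@ -0,0 +1,12 @@
+# Tasks
+- Configure user env on client (using envfs?)
+- A fancy background image?
+- Make installer work
+- Move ldap to subdomain
+- Switch to HS nameservers
+- Check external SSH access
+- Remove x-tools like xterm
+
+# Issuse
+- Cleartext password in sssd/ldap config
+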
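--- a/client/default.nix
+++ b/client/default.nix
@@ -0,0 +1,35 @@
+{ lib, ... }:
+
+with lib;
+
+{
+imports = [
+./hardware.nix
+./gpu.nix
+./home.nix
+./users.nix
+./desktop.nix
+./programs.nix
+];
+
+deployment = {
+targetHost = "10.32.45.150";
+};
+
+networking = {
+useDHCP = mkForce true;
+};
+
+services.hardware.bolt.enable = true;
+
+security.rtkit.enable = true;
+
+services.avahi = {
+enable = true;
+nssmdns4 = true;
+nssmdns6 = true;
+};
+
+system.stateVersion = "24.05";
+}
+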
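--- a/client/desktop.nix
+++ b/client/desktop.nix
@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+
+{
+services.xserver = {
+enable = true;
+displayManager.gdm = {
+enable = true;
+wayland = true;
+};
+desktopManager.gnome.enable = true;
+xkb.layout = "de";
+};
+
+environment.gnome.excludePackages = with pkgs; [
+epiphany
+gnome-online-accounts-gtk
+gnome-tour
+gnome.geary
+gnome.gnome-calendar
+gnome.gnome-contacts
+];
+
+programs.dconf = {
+enable = true;
+profiles.user.databases = [
+{
+settings = {
+# Set the color scheme to dark.
+"org/gnome/desktop/interface".color-scheme = "prefer-dark";
+
+"org/gnome/desktop/wm/keybindings".close = [ "<Super>q" ];
+};
+}
+];
+};
+}
+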
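--- a/client/gpu.nix
+++ b/client/gpu.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+hardware.opengl = {
+enable = true;
+driSupport32Bit = true;
+extraPackages = with pkgs; [
+];
+};
+}
+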
@ -0,0 +1,91 @@ |
|||
{ modulesPath, ... }: |
|||
|
|||
{ |
|||
imports = [ |
|||
"${modulesPath}/installer/scan/not-detected.nix" |
|||
]; |
|||
|
|||
nixpkgs.hostPlatform = "x86_64-linux"; |
|||
|
|||
boot = { |
|||
loader = { |
|||
systemd-boot.enable = true; |
|||
efi.canTouchEfiVariables = true; |
|||
}; |
|||
|
|||
consoleLogLevel = 3; |
|||
|
|||
initrd = { |
|||
systemd.enable = true; |
|||
verbose = false; |
|||
availableKernelModules = [ |
|||
"uhci_hcd" |
|||
"ehci_pci" |
|||
"ata_piix" |
|||
"mptsas" |
|||
"usb_storage" |
|||
"usbhid" |
|||
"sd_mod" |
|||
"sr_mod" |
|||
]; |
|||
}; |
|||
|
|||
kernelParams = [ |
|||
"quiet" |
|||
"udev.log_level=3" |
|||
]; |
|||
|
|||
plymouth = { |
|||
enable = true; |
|||
theme = "bgrt"; |
|||
}; |
|||
}; |
|||
|
|||
hardware.enableRedistributableFirmware = true; |
|||
hardware.cpu.intel.updateMicrocode = true; |
|||
|
|||
disko.devices = { |
|||
disk = { |
|||
root = { |
|||
type = "disk"; |
|||
device = "/dev/sda"; |
|||
imageSize = "32G"; |
|||
content = { |
|||
type = "gpt"; |
|||
partitions = { |
|||
boot = { |
|||
size = "1M"; |
|||
type = "EF02"; |
|||
}; |
|||
ESP = { |
|||
size = "512M"; |
|||
type = "EF00"; |
|||
content = { |
|||
type = "filesystem"; |
|||
format = "vfat"; |
|||
mountpoint = "/boot"; |
|||
}; |
|||
}; |
|||
root = { |
|||
end = "-8G"; |
|||
content = { |
|||
type = "filesystem"; |
|||
format = "ext4"; |
|||
mountpoint = "/"; |
|||
}; |
|||
}; |
|||
swap = { |
|||
size = "100%"; |
|||
content = { |
|||
type = "swap"; |
|||
randomEncryption = true; |
|||
resumeDevice = false; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
} |
|||
|
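--- a/client/home.nix
+++ b/client/home.nix
@@ -0,0 +1,21 @@
+{ config, ...}:
+
+{
+services.cachefilesd = {
+enable = true;
+};
+
+fileSystems."home" = {
+mountPoint = "/home";
+device = "nfs.${config.networking.domain}:/home";
+fsType = "nfs";
+options = [
+"nfsvers=4.2"
+"noauto"
+"fsc"
+"x-systemd.automount"
+];
+};
+
+}
+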
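Review bot: The `options` list of the `fileSystems."home"` mount carries no `sec=` flavor, so unless the export in machines/nfs/nfs.nix (not in this chunk) only offers Kerberos, the mount negotiates AUTH_SYS and the server accepts whatever uid/gid a client presents; on a shared lab export that means root on any client, or any host that can reach the server, can read every LDAP user's home. If Kerberos is planned, `"sec=krb5p"` here gives authenticated and encrypted access; if not, the export side should at least pin the client subnet and keep `root_squash`, and a comment on the options list should state the trust model, e.g. `# no sec= option: AUTH_SYS, the server trusts client-supplied uids (lab network only)`.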
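--- a/client/programs.nix
+++ b/client/programs.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+
+{
+programs = {
+vim.defaultEditor = true;
+# zsh = {
+# enable = true;
+# autosuggestions.enable = true;
+# syntaxHighlighting.enable = true;
+# };
+chromium.enable = true;
+firefox.enable = true;
+fish.enable = true;
+git.enable = true;
+htop.enable = true;
+mtr.enable = true;
+};
+
+environment.systemPackages = with pkgs; [
+bat
+eza
+nil
+fd
+ripgrep
+vscode
+];
+}
+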
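--- a/client/sound.nix
+++ b/client/sound.nix
@@ -0,0 +1,11 @@
+{
+hardware.pulseaudio.enable = false;
+
+services.pipewire = {
+enable = true;
+alsa.enable = true;
+alsa.support32Bit = true;
+pulse.enable = true;
+};
+}
+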
@ -0,0 +1,91 @@ |
|||
{ pkgs, lib, config, ... }: |
|||
|
|||
with lib; |
|||
|
|||
let |
|||
baseDN = concatMapStringsSep "," |
|||
(part: "dc=${part}") |
|||
(splitString "." "informatik.hs-fulda.de"); |
|||
|
|||
in |
|||
{ |
|||
security.pam.services = { |
|||
sshd = { |
|||
makeHomeDir = true; |
|||
sssdStrictAccess = true; |
|||
unixAuth = lib.mkForce true; |
|||
}; |
|||
login = { |
|||
makeHomeDir = true; |
|||
sssdStrictAccess = true; |
|||
unixAuth = lib.mkForce true; |
|||
}; |
|||
systemd-user = { |
|||
makeHomeDir = true; |
|||
sssdStrictAccess = true; |
|||
unixAuth = lib.mkForce true; |
|||
}; |
|||
}; |
|||
|
|||
services.sssd = { |
|||
enable = true; |
|||
config = '' |
|||
[sssd] |
|||
config_file_version = 2 |
|||
services = nss, pam, ssh, ifp |
|||
domains = hsfd |
|||
|
|||
debug_level = 8 |
|||
|
|||
[nss] |
|||
override_homedir = /home/%u |
|||
override_shell = /run/current-system/sw/bin/bash |
|||
|
|||
filter_users = root |
|||
filter_groups = root |
|||
|
|||
reconnection_retries = 3 |
|||
|
|||
[pam] |
|||
|
|||
[domain/hsfd] |
|||
id_provider = ldap |
|||
access_provider = ldap |
|||
auth_provider = ldap |
|||
|
|||
# TODO: ldap_uri = ldaps://ldap${config.networking.domain}/ |
|||
ldap_uri = ldaps://ldap-linuxlab.informatik.hs-fulda.de/ |
|||
ldap_search_base = ou=users,${baseDN} |
|||
|
|||
ldap_tls_reqcert = demand |
|||
ldap_id_use_start_tls = true |
|||
|
|||
ldap_default_bind_dn = cn=login,dc=informatik,dc=hs-fulda,dc=de |
|||
ldap_default_authtok_type = password |
|||
ldap_default_authtok = TXyk&6G?Ta/B[DZ2^g'KmpUw |
|||
|
|||
ldap_access_order = filter |
|||
ldap_access_filter = (objectClass=*) |
|||
|
|||
ldap_user_object_class = posixAccount |
|||
ldap_user_name = cn |
|||
|
|||
override_gid = ${toString config.users.groups."users".gid} |
|||
|
|||
cache_credentials = true |
|||
|
|||
min_id = 1000 |
|||
enumerate = false |
|||
''; |
|||
}; |
|||
|
|||
users.users."root".packages = with pkgs; [ |
|||
sss-cli |
|||
]; |
|||
|
|||
#sops.secrets."ldap/login/password" = { |
|||
# owner = "nslcd"; |
|||
# sopsFile = ./secrets.yaml; |
|||
#}; |
|||
} |
|||
|
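Review bot: The bind credential on the `ldap_default_authtok =` line is a string literal inside `services.sssd.config`, so it is copied into the world-readable Nix store of every client and is now part of the repository history; TODO.md lists this and the sops stanza at the end of the file is commented out. The value should be treated as exposed and rotated, and the replacement kept out of the store: encrypt a `KEY=value` env file with sops, set `environmentFile = config.sops.secrets."ldap/login/env".path;` on `services.sssd` (secret name illustrative; the module expands `$VAR` placeholders in `config` from that file — confirm the option is present in the 24.05 module), and write `ldap_default_authtok = $LDAP_LOGIN_PASSWORD` in place of the literal. In the same `[domain/hsfd]` block, `ldap_access_filter = (objectClass=*)` admits every entry under the search base, so `sssdStrictAccess = true` in the three PAM stanzas enforces nothing until that filter is narrowed, and `debug_level = 8` is far more verbose than a deployed client needs.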
@ -0,0 +1,494 @@ |
|||
{ |
|||
"nodes": { |
|||
"colmena": { |
|||
"inputs": { |
|||
"flake-compat": "flake-compat", |
|||
"flake-utils": [ |
|||
"flake-utils" |
|||
], |
|||
"nix-github-actions": "nix-github-actions", |
|||
"nixpkgs": [ |
|||
"nixpkgs" |
|||
], |
|||
"stable": "stable" |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1731249827, |
|||
"narHash": "sha256-04iOZoJ0D+y3xhZtaCgSBOz8T4hED7oMVkuAOzXT8vU=", |
|||
"owner": "zhaofengli", |
|||
"repo": "colmena", |
|||
"rev": "a2193487bcf70bbb998ad1a25a4ff02b8d55db7a", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "zhaofengli", |
|||
"repo": "colmena", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"disko": { |
|||
"inputs": { |
|||
"nixpkgs": [ |
|||
"nixpkgs" |
|||
] |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1731274291, |
|||
"narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=", |
|||
"owner": "nix-community", |
|||
"repo": "disko", |
|||
"rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "nix-community", |
|||
"repo": "disko", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"flake-compat": { |
|||
"flake": false, |
|||
"locked": { |
|||
"lastModified": 1650374568, |
|||
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", |
|||
"owner": "edolstra", |
|||
"repo": "flake-compat", |
|||
"rev": "b4a34015c698c7793d592d66adbab377907a2be8", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "edolstra", |
|||
"repo": "flake-compat", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"flake-compat_2": { |
|||
"flake": false, |
|||
"locked": { |
|||
"lastModified": 1696426674, |
|||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", |
|||
"owner": "edolstra", |
|||
"repo": "flake-compat", |
|||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "edolstra", |
|||
"repo": "flake-compat", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"flake-utils": { |
|||
"inputs": { |
|||
"systems": "systems" |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1726560853, |
|||
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"flake-utils_2": { |
|||
"locked": { |
|||
"lastModified": 1653893745, |
|||
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"flake-utils_3": { |
|||
"locked": { |
|||
"lastModified": 1653893745, |
|||
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"flake-utils_4": { |
|||
"locked": { |
|||
"lastModified": 1653893745, |
|||
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"flake-utils_5": { |
|||
"locked": { |
|||
"lastModified": 1653893745, |
|||
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "numtide", |
|||
"repo": "flake-utils", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"git-hooks": { |
|||
"inputs": { |
|||
"flake-compat": "flake-compat_2", |
|||
"gitignore": "gitignore", |
|||
"nixpkgs": [ |
|||
"nixpkgs" |
|||
], |
|||
"nixpkgs-stable": "nixpkgs-stable" |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1730814269, |
|||
"narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=", |
|||
"owner": "cachix", |
|||
"repo": "git-hooks.nix", |
|||
"rev": "d70155fdc00df4628446352fc58adc640cd705c2", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "cachix", |
|||
"repo": "git-hooks.nix", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"gitignore": { |
|||
"inputs": { |
|||
"nixpkgs": [ |
|||
"git-hooks", |
|||
"nixpkgs" |
|||
] |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1709087332, |
|||
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", |
|||
"owner": "hercules-ci", |
|||
"repo": "gitignore.nix", |
|||
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "hercules-ci", |
|||
"repo": "gitignore.nix", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"ldap-sync": { |
|||
"flake": false, |
|||
"locked": { |
|||
"lastModified": 1705328305, |
|||
"narHash": "sha256-PPc16Obzg53YVLSMP2pCOXBF6+q7/BIG6FF7EiI0st8=", |
|||
"ref": "refs/heads/main", |
|||
"rev": "49edeafeaf7fbadbfe59e4763223593cab989317", |
|||
"revCount": 14, |
|||
"type": "git", |
|||
"url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git" |
|||
}, |
|||
"original": { |
|||
"type": "git", |
|||
"url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git" |
|||
} |
|||
}, |
|||
"nix-github-actions": { |
|||
"inputs": { |
|||
"nixpkgs": [ |
|||
"colmena", |
|||
"nixpkgs" |
|||
] |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1729742964, |
|||
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", |
|||
"owner": "nix-community", |
|||
"repo": "nix-github-actions", |
|||
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "nix-community", |
|||
"repo": "nix-github-actions", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixago": { |
|||
"inputs": { |
|||
"flake-utils": [ |
|||
"flake-utils" |
|||
], |
|||
"nixago-exts": "nixago-exts", |
|||
"nixpkgs": [ |
|||
"nixpkgs" |
|||
] |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1714086354, |
|||
"narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", |
|||
"owner": "jmgilman", |
|||
"repo": "nixago", |
|||
"rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "jmgilman", |
|||
"repo": "nixago", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixago-exts": { |
|||
"inputs": { |
|||
"flake-utils": "flake-utils_2", |
|||
"nixago": "nixago_2", |
|||
"nixpkgs": [ |
|||
"nixago", |
|||
"nixpkgs" |
|||
] |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1676070308, |
|||
"narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", |
|||
"owner": "nix-community", |
|||
"repo": "nixago-extensions", |
|||
"rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "nix-community", |
|||
"repo": "nixago-extensions", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixago-exts_2": { |
|||
"inputs": { |
|||
"flake-utils": "flake-utils_4", |
|||
"nixago": "nixago_3", |
|||
"nixpkgs": [ |
|||
"nixago", |
|||
"nixago-exts", |
|||
"nixago", |
|||
"nixpkgs" |
|||
] |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1655508669, |
|||
"narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", |
|||
"owner": "nix-community", |
|||
"repo": "nixago-extensions", |
|||
"rev": "3022a932ce109258482ecc6568c163e8d0b426aa", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "nix-community", |
|||
"repo": "nixago-extensions", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixago_2": { |
|||
"inputs": { |
|||
"flake-utils": "flake-utils_3", |
|||
"nixago-exts": "nixago-exts_2", |
|||
"nixpkgs": [ |
|||
"nixago", |
|||
"nixago-exts", |
|||
"nixpkgs" |
|||
] |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1676070010, |
|||
"narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", |
|||
"owner": "nix-community", |
|||
"repo": "nixago", |
|||
"rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "nix-community", |
|||
"ref": "rename-config-data", |
|||
"repo": "nixago", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixago_3": { |
|||
"inputs": { |
|||
"flake-utils": "flake-utils_5", |
|||
"nixpkgs": [ |
|||
"nixago", |
|||
"nixago-exts", |
|||
"nixago", |
|||
"nixago-exts", |
|||
"nixpkgs" |
|||
] |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1655405483, |
|||
"narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", |
|||
"owner": "nix-community", |
|||
"repo": "nixago", |
|||
"rev": "e6a9566c18063db5b120e69e048d3627414e327d", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "nix-community", |
|||
"repo": "nixago", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixpkgs": { |
|||
"locked": { |
|||
"lastModified": 1730963269, |
|||
"narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=", |
|||
"owner": "NixOS", |
|||
"repo": "nixpkgs", |
|||
"rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "NixOS", |
|||
"ref": "nixos-24.05", |
|||
"repo": "nixpkgs", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixpkgs-stable": { |
|||
"locked": { |
|||
"lastModified": 1730741070, |
|||
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", |
|||
"owner": "NixOS", |
|||
"repo": "nixpkgs", |
|||
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "NixOS", |
|||
"ref": "nixos-24.05", |
|||
"repo": "nixpkgs", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixpkgs-stable_2": { |
|||
"locked": { |
|||
"lastModified": 1730602179, |
|||
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", |
|||
"owner": "NixOS", |
|||
"repo": "nixpkgs", |
|||
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "NixOS", |
|||
"ref": "release-24.05", |
|||
"repo": "nixpkgs", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"nixpkgs-unstable": { |
|||
"locked": { |
|||
"lastModified": 1731139594, |
|||
"narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", |
|||
"owner": "NixOS", |
|||
"repo": "nixpkgs", |
|||
"rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "NixOS", |
|||
"ref": "nixos-unstable", |
|||
"repo": "nixpkgs", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"root": { |
|||
"inputs": { |
|||
"colmena": "colmena", |
|||
"disko": "disko", |
|||
"flake-utils": "flake-utils", |
|||
"git-hooks": "git-hooks", |
|||
"ldap-sync": "ldap-sync", |
|||
"nixago": "nixago", |
|||
"nixpkgs": "nixpkgs", |
|||
"nixpkgs-unstable": "nixpkgs-unstable", |
|||
"sops": "sops" |
|||
} |
|||
}, |
|||
"sops": { |
|||
"inputs": { |
|||
"nixpkgs": [ |
|||
"nixpkgs" |
|||
], |
|||
"nixpkgs-stable": "nixpkgs-stable_2" |
|||
}, |
|||
"locked": { |
|||
"lastModified": 1731213149, |
|||
"narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", |
|||
"owner": "Mic92", |
|||
"repo": "sops-nix", |
|||
"rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "Mic92", |
|||
"repo": "sops-nix", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"stable": { |
|||
"locked": { |
|||
"lastModified": 1730883749, |
|||
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", |
|||
"owner": "NixOS", |
|||
"repo": "nixpkgs", |
|||
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "NixOS", |
|||
"ref": "nixos-24.05", |
|||
"repo": "nixpkgs", |
|||
"type": "github" |
|||
} |
|||
}, |
|||
"systems": { |
|||
"locked": { |
|||
"lastModified": 1681028828, |
|||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", |
|||
"owner": "nix-systems", |
|||
"repo": "default", |
|||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", |
|||
"type": "github" |
|||
}, |
|||
"original": { |
|||
"owner": "nix-systems", |
|||
"repo": "default", |
|||
"type": "github" |
|||
} |
|||
} |
|||
}, |
|||
"root": "root", |
|||
"version": 7 |
|||
} |
@ -0,0 +1,153 @@ |
|||
{ |
|||
inputs = { |
|||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; |
|||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; |
|||
|
|||
flake-utils.url = "github:numtide/flake-utils"; |
|||
|
|||
git-hooks = { |
|||
url = "github:cachix/git-hooks.nix"; |
|||
inputs.nixpkgs.follows = "nixpkgs"; |
|||
}; |
|||
|
|||
colmena = { |
|||
url = "github:zhaofengli/colmena"; |
|||
inputs.nixpkgs.follows = "nixpkgs"; |
|||
inputs.flake-utils.follows = "flake-utils"; |
|||
}; |
|||
|
|||
disko = { |
|||
url = "github:nix-community/disko"; |
|||
inputs.nixpkgs.follows = "nixpkgs"; |
|||
}; |
|||
|
|||
nixago = { |
|||
url = "github:jmgilman/nixago"; |
|||
inputs.nixpkgs.follows = "nixpkgs"; |
|||
inputs.flake-utils.follows = "flake-utils"; |
|||
}; |
|||
|
|||
sops = { |
|||
url = "github:Mic92/sops-nix"; |
|||
inputs.nixpkgs.follows = "nixpkgs"; |
|||
}; |
|||
|
|||
ldap-sync = { |
|||
type = "git"; |
|||
url = "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"; |
|||
flake = false; |
|||
}; |
|||
}; |
|||
|
|||
outputs = |
|||
{ self |
|||
, nixpkgs |
|||
, flake-utils |
|||
, colmena |
|||
, git-hooks |
|||
, nixago |
|||
, ... |
|||
}@inputs: |
|||
let |
|||
|
|||
# List of all machine names as defined in the machines directory |
|||
machines = builtins.attrNames (builtins.readDir ./machines); |
|||
|
|||
in |
|||
{ |
|||
colmena = { |
|||
meta = { |
|||
nixpkgs = import nixpkgs { |
|||
system = "x86_64-linux"; |
|||
}; |
|||
|
|||
specialArgs = { |
|||
inherit inputs; |
|||
}; |
|||
}; |
|||
|
|||
defaults = { |
|||
imports = [ |
|||
inputs.disko.nixosModules.disko |
|||
inputs.sops.nixosModules.sops |
|||
|
|||
./shared |
|||
]; |
|||
|
|||
deployment.replaceUnknownProfiles = false; |
|||
}; |
|||
|
|||
"client" = ./client; |
|||
|
|||
} // (builtins.listToAttrs (builtins.map |
|||
(name: { |
|||
inherit name; |
|||
value = ./machines/${name}; |
|||
}) |
|||
machines)); |
|||
|
|||
} // flake-utils.lib.eachDefaultSystem (system: { |
|||
checks = { |
|||
pre-commit = git-hooks.lib.${system}.run { |
|||
src = ./.; |
|||
hooks = { |
|||
nixpkgs-fmt.enable = true; |
|||
statix.enable = true; |
|||
shellcheck.enable = true; |
|||
}; |
|||
}; |
|||
}; |
|||
|
|||
devShells.default = |
|||
let |
|||
pkgs = nixpkgs.legacyPackages.${system}; |
|||
|
|||
sops-config = nixago.lib.${system}.make { |
|||
data = (pkgs.callPackage ./sops-config.nix { |
|||
inherit machines; |
|||
}).config; |
|||
output = ".sops.yaml"; |
|||
format = "yaml"; |
|||
}; |
|||
|
|||
in |
|||
pkgs.mkShell { |
|||
buildInputs = |
|||
self.checks.${system}.pre-commit.enabledPackages ++ |
|||
[ colmena.packages.${system}.colmena ] ++ |
|||
(with pkgs; [ |
|||
bash |
|||
gitAndTools.git |
|||
sops |
|||
age |
|||
openssh |
|||
ssh-to-age |
|||
]); |
|||
|
|||
shellHook = '' |
|||
${self.checks.${system}.pre-commit.shellHook} |
|||
${sops-config.shellHook} |
|||
''; |
|||
}; |
|||
|
|||
packages.disks = |
|||
let |
|||
pkgs = nixpkgs.legacyPackages.${system}; |
|||
hive = colmena.lib.makeHive self.outputs.colmena; |
|||
|
|||
in pkgs.linkFarm "linuxlab-testing" (builtins.mapAttrs |
|||
(_: node: node.config.system.build.diskoImages) |
|||
hive.nodes); |
|||
}); |
|||
|
|||
nixConfig = { |
|||
extra-substituters = [ |
|||
"https://colmena.cachix.org" |
|||
]; |
|||
|
|||
extra-trusted-public-keys = [ |
|||
"colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg=" |
|||
]; |
|||
}; |
|||
} |
|||
|
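Review bot: `builtins.attrNames (builtins.readDir ./machines)` on the `machines =` line turns every directory entry into a colmena node, so a stray file in `machines/` (a README, an editor backup) becomes `./machines/<file>` and breaks evaluation of the whole hive. Filtering on the entry type keeps the comment above the line accurate: `machines = builtins.attrNames (nixpkgs.lib.filterAttrs (_: type: type == "directory") (builtins.readDir ./machines));`. The `outputs` function lies entirely within this section.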
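--- a/machines/installer/default.nix
+++ b/machines/installer/default.nix
@@ -0,0 +1,28 @@
+{
+imports = [
+./hardware.nix
+# TODO: ./cache.nix
+./netinstall.nix
+];
+
+deployment = {
+targetHost = "10.32.45.12";
+};
+
+networking = {
+interfaces."eth0" = {
+ipv4.addresses = [{
+address = "10.32.45.12";
+prefixLength = 24;
+}];
+};
+
+defaultGateway = {
+interface = "eth0";
+address = "10.32.45.1";
+};
+};
+
+system.stateVersion = "24.05";
+}
+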
@ -0,0 +1,65 @@ |
|||
{ modulesPath, ... }: |
|||
|
|||
{ |
|||
imports = [ |
|||
"${modulesPath}/installer/scan/not-detected.nix" |
|||
]; |
|||
|
|||
nixpkgs.hostPlatform = "x86_64-linux"; |
|||
|
|||
boot.initrd.availableKernelModules = [ |
|||
"uhci_hcd" |
|||
"ehci_pci" |
|||
"ata_piix" |
|||
"mptsas" |
|||
"usb_storage" |
|||
"usbhid" |
|||
"sd_mod" |
|||
"sr_mod" |
|||
]; |
|||
|
|||
boot.loader = { |
|||
systemd-boot.enable = true; |
|||
efi.canTouchEfiVariables = true; |
|||
}; |
|||
|
|||
hardware.enableRedistributableFirmware = true; |
|||
hardware.cpu.intel.updateMicrocode = true; |
|||
|
|||
disko.devices = { |
|||
disk = { |
|||
root = { |
|||
type = "disk"; |
|||
device = "/dev/sda"; |
|||
imageSize = "64G"; |
|||
content = { |
|||
type = "gpt"; |
|||
partitions = { |
|||
boot = { |
|||
size = "1M"; |
|||
type = "EF02"; |
|||
}; |
|||
ESP = { |
|||
size = "512M"; |
|||
type = "EF00"; |
|||
content = { |
|||
type = "filesystem"; |
|||
format = "vfat"; |
|||
mountpoint = "/boot"; |
|||
}; |
|||
}; |
|||
root = { |
|||
size = "100%"; |
|||
content = { |
|||
type = "filesystem"; |
|||
format = "ext4"; |
|||
mountpoint = "/"; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
} |
|||
|
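--- a/machines/installer/installer/default.nix
+++ b/machines/installer/installer/default.nix
@@ -0,0 +1,59 @@
+{ pkgs, lib, modulesPath, config, target, ... }:
+
+with lib;
+
+let
+installer = pkgs.writers.writeBash "installer" ''
+set -euo pipefail
+
+"${target.config.system.build.diskoScript}"
+
+"${target.config.system.build.nixos-install}" \
+--root /mnt \
+--system "${target.config.system.build.toplevel}" \
+--no-channel-copy \
+--no-root-password \
+--verbose
+
+reboot
+'';
+
+in {
+imports = [
+"${modulesPath}/installer/netboot/netboot-minimal.nix"
+];
+
+networking.hostName = "installer";
+
+services.getty.autologinUser = lib.mkForce "root";
+
+systemd.services."auto-install" = {
+description = "Automated NixOS installer";
+
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+
+conflicts = [ "getty@tty1.service" ];
+
+wantedBy = [ "multi-user.target" ];
+
+path = with pkgs; [ bash nix ];
+
+unitConfig = {
+FailureAction = "force-reboot";
+};
+
+serviceConfig = {
+Type = "oneshot";
+
+ExecStart = installer;
+
+StandardInput = "none";
+StandardOutput = "journal+console";
+StandardError = "journal+console";
+};
+};
+
+system.stateVersion = config.system.nixos.release;
+}
+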
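Review bot: The installer script runs `"${target.config.system.build.diskoScript}"` unconditionally, and disko's script destroys and re-creates the partition table on the target's `/dev/sda`, so any host that boots this image is wiped with no check that it actually is the `client` node; netinstall.nix hands the image to every PXE client on the segment (`mode = "boot"`, `dhcpNoBind`, `openFirewall`), and `FailureAction = "force-reboot"` turns a persistent install failure into a reboot loop that repeats the wipe on every pass. A guard in front of the disko call that compares something from the booted hardware (a DMI serial or MAC list recorded in the node config — TODO confirm what `target.config` can provide) with the expected machine, and exits without touching the disk otherwise, would make this safe to leave running; `FailureAction` could then be dropped or replaced by a bounded retry. `--no-root-password` also deserves a one-line comment, since the installed system has no local root password unless `target` sets one elsewhere.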
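--- a/machines/installer/netinstall.nix
+++ b/machines/installer/netinstall.nix
@@ -0,0 +1,38 @@
+{ pkgs, lib, nodes, ... }:
+
+with lib;
+
+let
+installer = pkgs.nixos [
+./installer
+
+{
+_module.args = {
+target = nodes."client";
+};
+}
+];
+
+in
+{
+services.pixiecore = {
+enable = true;
+
+dhcpNoBind = true;
+
+port = 5080;
+
+mode = "boot";
+kernel = "file://${installer.config.system.build.kernel}/bzImage";
+initrd = "file://${installer.config.system.build.netbootRamdisk}/initrd";
+cmdLine = concatStringsSep " " [
+"init=${installer.config.system.build.toplevel}/init"
+"loglevel=4"
+"console=tty0"
+"console=ttyS1,57600n8"
+];
+
+openFirewall = true;
+};
+}
+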
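--- a/machines/installer/secrets/cache.crt
+++ b/machines/installer/secrets/cache.crt
@@ -0,0 +1 @@
+cache.linuxlab.informatik.hs-fulda.de:jrTFzlS3uRzOOteHmynLmSIvFMWgb4+YH+ShcrczdEY=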
@ -0,0 +1,24 @@ |
|||
{ |
|||
"data": "ENC[AES256_GCM,data:u2f84L2XIPqNBPKtkAU7LAwUj0wwxemsOuUB/qk/SSjutA8RLi5TmBQHnnBY/5l3u154JN9RzHsHQyMp7NHiT1gsmvrmNhdWRzLTxG7MfIJW0SVpjD7X6GLmH5vnVSLJZScRfHgdRcYl9sFO7HlT/vRAtb57ZYM+QZS5b1ZB,iv:yzwOKZA5iwrn/CkhtwF7tUytsy0lseJcBqm4UqVAsqA=,tag:WhxIH/K314fvOm81lfK6EQ==,type:str]", |
|||
"sops": { |
|||
"kms": null, |
|||
"gcp_kms": null, |
|||
"azure_kv": null, |
|||
"hc_vault": null, |
|||
"age": [ |
|||
{ |
|||
"recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVDhNSjF0amNnSWJ2ZEhq\ndnRoOXZpYk5oN09abFozK1Y0WVhDSVJ2U0RzCkw0OXhScjQwRGlDcDdnUHh2cDd3\nclBDd2RwQzRIMy9CVjZXbGFNSUdjU2cKLS0tIHBzSXdCMElkclJMU2I0WWtHbTJP\nWW5TQ2syRk9Obm5qYUtZVGZYbmtzTkEKkMiRInW2OuY6FhXTfueqokehWNxwO905\ntk5jVzyS0kVDt2Mi29Ny+HUhTpLWn2mJii8HMz698ElAxvXrHBZurQ==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
}, |
|||
{ |
|||
"recipient": "age14lgxmyw860py9yyjz3cxkr6u0x30qra2e27c9my0sycqyfankf2sjrsse6", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSHBOUUhqcHlPeTNXOE8z\nWDlNZkhSbnY5SEV5MFplWmhNVXpTaXlycHd3Ck9hY1F6LzNpWjhFdWN0SnpaT0M0\nR2R5TmRNek0wYTJUREp4YklTaVJzdXMKLS0tIDdOTWN6b2kwR1R3bzNTT2s1UFMr\nUm0yWHNkSXg5ZFR1dWhUdHRmSm13eG8Kcprh4nvmUDgI6/nntD+FTY4SsqpEAs3U\n44tvzXSNjEMp9dHIkVu45+NyKOGjZoNUAA7dEvFYAAgZqHPbLMJ0aw==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
} |
|||
], |
|||
"lastmodified": "2024-11-11T21:50:59Z", |
|||
"mac": "ENC[AES256_GCM,data:n6TfbZmYcV2ER7n4fXanVJ9ekbytU07NdHVDO/VoTkERvstb1NuTeo7LjA+KVVKxM3ZUvAtMfjpAXvgP1exL4WkOzQHk5RV3odfZhGsvMOUaHp7cfww6/JrO8I+EzJWhDh2tO+xFpuD2sprvNiWT60PFG6kDQKn7XYy63+ECCyo=,iv:7ytrvXtk3Mz3ioeuv0hc80y2FLSyUWdtFyVEhidUeAI=,tag:BS8am9kxloRP+AbavEmfPA==,type:str]", |
|||
"pgp": null, |
|||
"unencrypted_suffix": "_unencrypted", |
|||
"version": "3.8.1" |
|||
} |
|||
} |
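--- a/machines/ldap/default.nix
+++ b/machines/ldap/default.nix
@@ -0,0 +1,27 @@
+{
+imports = [
+./hardware.nix
+./ldap.nix
+];
+
+deployment = {
+targetHost = "10.32.45.11";
+};
+
+networking = {
+interfaces."eth0" = {
+ipv4.addresses = [{
+address = "10.32.45.11";
+prefixLength = 24;
+}];
+};
+
+defaultGateway = {
+interface = "eth0";
+address = "10.32.45.1";
+};
+};
+
+system.stateVersion = "24.05";
+}
+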
@ -0,0 +1,65 @@ |
|||
{ modulesPath, ... }: |
|||
|
|||
{ |
|||
imports = [ |
|||
"${modulesPath}/installer/scan/not-detected.nix" |
|||
]; |
|||
|
|||
nixpkgs.hostPlatform = "x86_64-linux"; |
|||
|
|||
boot.initrd.availableKernelModules = [ |
|||
"uhci_hcd" |
|||
"ehci_pci" |
|||
"ata_piix" |
|||
"mptsas" |
|||
"usb_storage" |
|||
"usbhid" |
|||
"sd_mod" |
|||
"sr_mod" |
|||
]; |
|||
|
|||
boot.loader = { |
|||
systemd-boot.enable = true; |
|||
efi.canTouchEfiVariables = true; |
|||
}; |
|||
|
|||
hardware.enableRedistributableFirmware = true; |
|||
hardware.cpu.intel.updateMicrocode = true; |
|||
|
|||
disko.devices = { |
|||
disk = { |
|||
root = { |
|||
type = "disk"; |
|||
device = "/dev/sda"; |
|||
imageSize = "32G"; |
|||
content = { |
|||
type = "gpt"; |
|||
partitions = { |
|||
boot = { |
|||
size = "1M"; |
|||
type = "EF02"; |
|||
}; |
|||
ESP = { |
|||
size = "512M"; |
|||
type = "EF00"; |
|||
content = { |
|||
type = "filesystem"; |
|||
format = "vfat"; |
|||
mountpoint = "/boot"; |
|||
}; |
|||
}; |
|||
root = { |
|||
size = "100%"; |
|||
content = { |
|||
type = "filesystem"; |
|||
format = "ext4"; |
|||
mountpoint = "/"; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
}; |
|||
} |
|||
|
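--- /dev/null
+++ b/machines/ldap/ldap.nix
@@ -0,0 +1,226 @@
+{ pkgs, lib, config, inputs, ... }:
+
+with lib;
+
+let
+  baseDN = concatMapStringsSep ","
+    (part: "dc=${part}")
+    (splitString "." "informatik.hs-fulda.de");
+
+  ldap-sync =
+    let
+      wrapped = pkgs.callPackage inputs.ldap-sync { };
+      env = pkgs.runCommand "ldap-sync-env" { } ''
+        mkdir -p $out
+        ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
+      '';
+    in
+    pkgs.runCommand "ldap-sync-wrapper"
+      {
+        nativeBuildInputs = [ pkgs.makeWrapper ];
+      } ''
+      mkdir -p $out/bin
+      makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
+        --chdir "${env}"
+    '';
+
+in
+{
+  services.openldap = {
+    enable = true;
+
+    package = (pkgs.openldap.overrideAttrs (final: prev: {
+      configureFlags = prev.configureFlags ++ [
+        "--enable-overlays"
+        "--enable-remoteauth"
+        "--enable-spasswd"
+        "--with-cyrus-sasl"
+      ];
+
+      doCheck = false;
+
+    })).override {
+      cyrus_sasl = pkgs.cyrus_sasl.override {
+        enableLdap = true;
+      };
+    };
+
+    urlList = [ "ldap:///" "ldaps:///" ];
+
+    settings = {
+      attrs = {
+        olcLogLevel = "config ACL stats stats2 trace";
+
+        olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path;
+        olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path;
+        olcTLSCRLCheck = "none";
+        olcTLSVerifyClient = "never";
+        olcTLSProtocolMin = "3.1";
+
+        olcSaslHost = "localhost";
+        olcSaslSecProps = "none";
+
+        olcSizeLimit = "unlimited";
+      };
+
+      children = {
+        "cn=schema".includes = [
+          "${config.services.openldap.package}/etc/schema/core.ldif"
+          "${config.services.openldap.package}/etc/schema/cosine.ldif"
+          "${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
+          "${config.services.openldap.package}/etc/schema/nis.ldif"
+        ];
+        "olcDatabase={1}mdb" = {
+          attrs = {
+            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+            olcDatabase = "{1}mdb";
+            olcDbDirectory = "/var/lib/openldap/db";
+
+            olcSuffix = baseDN;
+
+            olcRootDN = "cn=root,${baseDN}";
+            olcRootPW.path = config.sops.secrets."ldap/root/password".path;
+
+            olcAccess = [
+              # Custom access rules for userPassword attributes
+              ''{0}to attrs=userPassword
+                by self read
+                by anonymous auth
+                by * none
+              ''
+
+              # Synced is managed by sync
+              ''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de"
+                by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage
+                by * break
+              ''
+
+              # Allow login to read users
+              ''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de"
+                by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read
+                by self read
+                by * break
+              ''
+
+              # Prevent access
+              ''{3}to *
+                by * none
+              ''
+            ];
+          };
+
+          children = {
+            "olcOverlay={0}remoteauth" = {
+              attrs = {
+                objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
+
+                olcOverlay = "{0}remoteauth";
+
+                olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
+                olcRemoteAuthDNAttribute = "seeAlso";
+                olcRemoteAuthDomainAttribute = "associatedDomain";
+                olcRemoteAuthDefaultDomain = "upstream";
+                olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}";
+                olcRemoteAuthRetryCount = "3";
+                olcRemoteAuthStore = "false";
+              };
+            };
+          };
+        };
+      };
+    };
+
+    declarativeContents = {
+      "dc=informatik,dc=hs-fulda,dc=de" = ''
+        dn: dc=informatik,dc=hs-fulda,dc=de
+        objectClass: domain
+        dc: informatik
+
+        dn: ou=users,dc=informatik,dc=hs-fulda,dc=de
+        objectClass: organizationalUnit
+        ou: users
+
+        dn: ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de
+        objectClass: organizationalUnit
+        ou: users
+
+        dn: cn=sync,dc=informatik,dc=hs-fulda,dc=de
+        objectClass: applicationProcess
+        objectClass: simpleSecurityObject
+        objectClass: top
+        cn: sync
+        userPassword: {SSHA}Kf5ViggnBdUAPJ3/X5F80Qf/tXOzGI9G
+
+        dn: cn=login,dc=informatik,dc=hs-fulda,dc=de
+        objectClass: applicationProcess
+        objectClass: simpleSecurityObject
+        objectClass: top
+        cn: login
+        userPassword: {SSHA}esWkdMFThbFD0gSE5tC+jJ1rjwfUuI0p
+      '';
+    };
+  };
+
+  systemd.services."openldap" = {
+    environment = {
+      SASL_PATH = pkgs.writeTextFile {
+        name = "openldap-sasl-path";
+        destination = "/slapd.conf";
+        text = ''
+          pwcheck_method: saslauthd
+          saslauthd_path: /var/run/saslauthd/mux
+          mech_list: GSSAPI EXTERNAL PLAIN NTLM
+        '';
+      };
+    };
+
+    onSuccess = [ "ldap-sync.service" ];
+  };
+
+  systemd.services."ldap-sync" = {
+    script = "${ldap-sync}/bin/ldap-sync";
+    startAt = "hourly";
+
+    requisite = [ "openldap.service" ];
+
+    # Flush caches
+    postStop = ''
+      ${config.services.nscd.package}/bin/nscd --invalidate=group
+      ${config.services.nscd.package}/bin/nscd --invalidate=passwd
+    '';
+  };
+
+  sops.secrets."ldap/root/password" = {
+    sopsFile = ./secrets/ldap.yaml;
+    owner = "openldap";
+  };
+
+  sops.secrets."ldap/upstream" = {
+    sopsFile = ./secrets/ldap.yaml;
+    owner = "openldap";
+  };
+
+  sops.secrets."ldap/tls/key" = {
+    sopsFile = ./secrets/ldap.tls.key;
+    format = "binary";
+    owner = "openldap";
+  };
+
+  sops.secrets."ldap/tls/crt" = {
+    sopsFile = ./secrets/ldap.tls.crt;
+    format = "binary";
+    owner = "openldap";
+  };
+
+  sops.secrets."ldap/sync/config" = {
+    sopsFile = ./secrets/ldap.yaml;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    22
+    389
+    636
+  ];
+}
+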
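Review bot: `olcTLSProtocolMin = "3.1"` still admits TLS 1.0/1.1, and nothing in the config requires TLS at all: with `urlList = [ "ldap:///" "ldaps:///" ]`, `olcSaslSecProps = "none"` (which switches off the default `noanonymous,noplain`) and `PLAIN` in `mech_list`, port 389 — opened by the firewall block at the end — accepts simple and PLAIN binds in cleartext, and the remoteauth overlay then forwards exactly those passwords upstream. I would set `olcTLSProtocolMin = "3.3";`, add `olcSecurity = "ssf=128 simple_bind=128";` to the same `attrs` set and drop the `olcSaslSecProps` line, so that binds are only accepted over ldaps/StartTLS (sssd and ldap-sync must then be pointed at ldaps or use StartTLS). Separately, the `declarativeContents` entry `dn: ou=synced,ou=users,…` carries `ou: users` instead of `ou: synced`, so the RDN value is not present in the entry and slapadd will most likely reject it as a naming violation. The `{SSHA}` hashes for `cn=sync` and `cn=login` in that LDIF end up in the world-readable Nix store and in git; keeping them in `secrets/ldap.yaml` like the root password, or at least using a slower scheme than salted SHA-1, would be safer. Finally, `olcLogLevel = "config ACL stats stats2 trace"` is debugging-level verbosity for a production authentication server — `stats` is the usual setting, so either reduce it or comment that it is temporary.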
24
machines/ldap/secrets/ldap.tls.crt
@ -0,0 +1,24 @@ |
|||
{ |
|||
"data": "ENC[AES256_GCM,data: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,iv:dQC+JMRPyNFqbIYRSDMBXEmTVK5QmRbBpEYXG+06l+M=,tag:brQ2Fl9jtvmlT5N/gaN4jA==,type:str]", |
|||
"sops": { |
|||
"kms": null, |
|||
"gcp_kms": null, |
|||
"azure_kv": null, |
|||
"hc_vault": null, |
|||
"age": [ |
|||
{ |
|||
"recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeEpiRjhYU3ErSW56a3Z5\nbUN2TUxaSTlIT3dFK0p1dlV6WTd2bzJLbW4wCkJLd0hSZmRGUHg4Z2NpQ2VFa25T\na0dhUlpLSk1GSEl6eGY0NllMclY2bDgKLS0tIENGanhCK2dLcmFxclNDWUtuS0Vt\nejZncjdVUll1OG1aM1BFK0EwckNodGcKMBn25B8U9pR+NDm4xTK43DSPxSLmcDgz\ntm6EZy6ENOJYsFf1UCILrd9pkX5Vt/h3RE5U/IJEpIiYsaYSTRjG6w==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
}, |
|||
{ |
|||
"recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6", |
|||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMHZqcEs3SjBHaDB3YUR6\nbldiNVVTcjd0dkU3aWVZUnNzSG1FakRLR21nCkthT25oMnlLaVloTE5ZdnA3SXAx\nYXZveWJRSWowcTZ6Y3QyaDVvaU4vZk0KLS0tIHZ0ZndoV2RINEVkTXpkT0gwV295\nZy9jMVVNaVF0MENhZ2FNZlhjVWhtYWMKDjw+F73tFDuXBODKE1ntB4XjKnualbRX\nHoK5ZWz2kQiD5j9Z3eiA3K4UkQs8+XLBzFHKWsUJm+DXFj6pRex2iw==\n-----END AGE ENCRYPTED FILE-----\n" |
|||
} |
|||
], |
|||
"lastmodified": "2024-10-23T13:42:58Z", |
|||
"mac": "ENC[AES256_GCM,data:BUQmiBa481d2vggylNYkIKBuOg579REAnxMxX/je+IOvGwx/ODC7W0Zm+bzUYtNa/hmvW4fxwmA8VBHNUPgHrmI7zbNQlXdegg3QcXabr0jr3tqcFkLU7LeOt72tCRSGiZSZ3Pz0GXLzhZo9u+t1d/NVVO3p6ZFp/8Ta5fxq0ns=,iv:8PZROLEwl9wdVXsEMMBNKkbnlboeZQiVKDvjiyGJW38=,tag:d+y/GgHHgcSS8SGqIiPs8g==,type:str]", |
|||
"pgp": null, |
|||
"unencrypted_suffix": "_unencrypted", |
|||
"version": "3.9.1" |
|||
} |
|||
} |
@ -0,0 +1,36 @@ |
|||
ldap: |
|||
root: |
|||
username: ENC[AES256_GCM,data:h6YGYg==,iv:QaCy9dRJNnI4UiQwgeboAxl8XZ+xGyYK8mLyybLNyF4=,tag:PQpKFwltnyRvmYJbPoGxvQ==,type:str] |
|||
password: ENC[AES256_GCM,data:3np5tR14nxbZe0hlX0Wd4/kDNRb3z3y3z13SyqTY3wE=,iv:yXz45Tsfof0U2JljSRxuUICRjNZ1U3YD4IlXsU4E0/o=,tag:XABl21e6uaj96ApLcRMSpA==,type:str] |
|||
upstream: ENC[AES256_GCM,data:KT6x/jm+p9+3e69yWE/hUMWlNrVuecUK3TcnRdqOJWA=,iv:n5P8NE7xUkOz68g/OcemnpZdEjT8aSEgzC4AS0kyStc=,tag:r+gEb4DIzdyBAsavBucvFQ==,type:str] |
|||
sync: |
|||
config: ENC[AES256_GCM,data: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,iv:uX/5gv+bQEKXZPVJDXiBajaWasxmh/mZZq66UNaKe3Q=,tag:kvAZYD+kqcWtc/Oo+ym20g==,type:str] |
|||
sops: |
|||
kms: [] |
|||
gcp_kms: [] |
|||
azure_kv: [] |
|||
hc_vault: [] |
|||
age: |
|||
- recipient: age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08 |
|||
enc: | |
|||
-----BEGIN AGE ENCRYPTED FILE----- |
|||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3b2JsOXdFTndnclZCRm80 |
|||
REZpZFBuMlFvVWhMcDRBNDJlV3d0MEFIUno0CncrejdPeTN1Z2t2SnRzNjBSTXc4 |
|||
dWRWTE1XTy9LcHZYSWRabDZSemQrS2sKLS0tIHkwbFpuenpwOCtoVFg4ZHBDc3k3 |
|||
bnJ3YzRHcDBPcGR0NzlKUzF6bHcyajQK214Dek7XUkmIelWsmVxk5eZmPsfbllP0 |
|||
1kqP5vImXTMVmcvGR0XTnYxkNt5LVke8DWnsfEEMZniJxbm61N7+UQ== |
|||
-----END AGE ENCRYPTED FILE----- |
|||
- recipient: age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6 |
|||
enc: | |
|||
-----BEGIN AGE ENCRYPTED FILE----- |
|||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcFh2R3lDdGc1cVBrWWhz |
|||
VTN6S2hyM20vSlhIRTUvbld3dE0wOGdUZHpzCjJvMFkrdndVUHlIaFZKSW04amlS |
|||
enlBNmJGc0pjbEkvNTNucTExNE9PSXMKLS0tIDlHSEQ4VVBFci9aWEpmRTNVY0hL |
|||
SDdOQkVUZVFKZUhIcytGVHNWRU9yWnMKgrnTLzfvi9RRL59+iOnvXVew3GUQtXvV |
|||
lBZ7Jam2G3AKFsdY/Z4QMAH9cqaLypPQRt5uJ+2Agl2dbGKqTqUFrg== |
|||
-----END AGE ENCRYPTED FILE----- |
|||
lastmodified: "2024-10-23T15:39:50Z" |
|||
mac: ENC[AES256_GCM,data:x2XnbLAAWuCudb9C71I11Hmigh8sQE6lsy4YM5qg2IYRBrOnh+90MblMNAqlj5PX5/c2qg9wlRRpkCTtjcSDtur8j0dnbwQ1gg1AcwB0SWoG0QI1ynFZOJ/aCDeqcRK52AdSkrgz/wRSN2WpPX4O+hNvDRVASIyhumZQb6rrHRU=,iv:uBGxIZdwyGebtNCkpvLlVG1Wg1DdL00rJFxZjbbCV50=,tag:pg41so3tG+no/JaDA/SJMg==,type:str] |
|||
pgp: [] |
|||
unencrypted_suffix: _unencrypted |
|||
version: 3.9.1 |
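--- /dev/null
+++ b/machines/nfs/default.nix
@@ -0,0 +1,27 @@
+{
+  imports = [
+    ./hardware.nix
+    ./nfs.nix
+  ];
+
+  deployment = {
+    targetHost = "10.32.45.10";
+  };
+
+  networking = {
+    interfaces."eth0" = {
+      ipv4.addresses = [{
+        address = "10.32.45.10";
+        prefixLength = 24;
+      }];
+    };
+
+    defaultGateway = {
+      interface = "eth0";
+      address = "10.32.45.1";
+    };
+  };
+
+  system.stateVersion = "24.05";
+}
+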
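--- /dev/null
+++ b/machines/nfs/hardware.nix
@@ -0,0 +1,65 @@
+{ modulesPath, ... }:
+
+{
+  imports = [
+    "${modulesPath}/installer/scan/not-detected.nix"
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ata_piix"
+    "mptsas"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  hardware.enableRedistributableFirmware = true;
+  hardware.cpu.intel.updateMicrocode = true;
+
+  disko.devices = {
+    disk = {
+      root = {
+        type = "disk";
+        device = "/dev/sda";
+        imageSize = "32G";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02";
+            };
+            ESP = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
+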
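Review bot: This file is identical line for line to `machines/ldap/hardware.nix` earlier in this commit (same initrd modules, bootloader, firmware and disko layout), so the two copies will diverge on the first hardware fix. Move the contents to a shared module (e.g. `shared/hardware-vm.nix`), import it from both machines and keep only per-machine differences here. The 1M `EF02` BIOS-boot partition also appears unused once `systemd-boot` (UEFI only) is the bootloader; if it is kept on purpose as a legacy-boot fallback for the image, a comment such as `# BIOS boot partition: only used if the image is booted with legacy firmware` would say so.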
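--- /dev/null
+++ b/machines/nfs/nfs.nix
@@ -0,0 +1,13 @@
+{
+  services.nfs.server = {
+    enable = true;
+    exports = ''
+      /home 10.32.45.0/24(rw,async,no_root_squash)
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    2049 # NFSv4
+  ];
+}
+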
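Review bot: The export `/home 10.32.45.0/24(rw,async,no_root_squash)` gives every host on the lab subnet uid-0 write access to all home directories: `no_root_squash` trusts the client's root, and with AUTH_SYS nothing else authenticates the client, so any machine that can plug into that /24 can read or replace any user's files. Unless root on the clients genuinely has to write as root into user homes, drop `no_root_squash` (the default `root_squash` applies), and prefer `sync` over `async`, which acknowledges writes before they hit disk and can lose home-directory data on a server crash: `/home 10.32.45.0/24(rw,sync,root_squash)`. Host-based access control on a shared subnet stays weak either way; if the lab network cannot be trusted, `sec=krb5p` (or at least `krb5i`) is the NFSv4 mechanism that ties access to user identities. Only TCP 2049 is opened, which effectively limits this to NFSv4 — worth stating in a comment next to the export so nobody later opens the v3 sidecar ports without revisiting the model.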
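--- /dev/null
+++ b/shared/default.nix
@@ -0,0 +1,21 @@
+{ name, ...}:
+
+{
+  imports = [
+    ./nix.nix
+    ./network.nix
+    ./users.nix
+    ./system.nix
+  ];
+
+  time.timeZone = "Europe/Berlin";
+  i18n.defaultLocale = "en_US.UTF-8";
+  console.keyMap = "de";
+
+  _module.args = {
+    machinePath = ../machines/${name};
+  };
+
+  disko.imageBuilder.imageFormat = "qcow2";
+}
+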
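--- /dev/null
+++ b/shared/network.nix
@@ -0,0 +1,28 @@
+{ config, name, ...}:
+
+{
+  networking = {
+    nftables.enable = true;
+
+    hostName = name;
+    domain = "linuxlab.informatik.hs-fulda.de";
+
+    search = [
+      "linuxlab.informatik.hs-fulda.de"
+    ];
+
+    # TODO: nameservers = [ "10.0.0.53" ];
+    nameservers = [ "1.0.0.1" "1.1.1.1" ];
+
+    useDHCP = false;
+
+    extraHosts = ''
+      10.32.45.10 nfs.${config.networking.domain}
+      10.32.45.11 ldap.${config.networking.domain}
+      10.32.45.12 install.${config.networking.domain}
+
+      10.32.45.11 ldap-linuxlab.informatik.hs-fulda.de
+    '';
+  };
+}
+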
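--- /dev/null
+++ b/shared/nix.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  nixpkgs.overlays = [
+    # Make nixpkgs-unstable available as subtree
+    (_: _: {
+      unstable = import inputs.nixpkgs-unstable {
+        inherit (config.nixpkgs) system;
+        config = {
+          allowUnfree = true;
+        };
+      };
+    })
+
+    # Let builders fetch sources directly instead of uploading
+    (self: super: (super.prefer-remote-fetch self super))
+  ];
+
+  # Who cares about licenses?
+  nixpkgs.config.allowUnfree = true;
+
+  # Link nixpkgs to etc for usage in NIX_PATH.
+  # This allows update to the symlinks when updating nixpkgs without changes
+  # to NIX_PATH, which requires a new session to bekome active.
+  environment.etc.nixpkgs.source = pkgs.linkFarm "nixpkgs" [
+    { name = "nixpkgs"; inherit (pkgs) path; }
+    { name = "nixpkgs-unstable"; inherit (pkgs.unstable) path; }
+  ];
+
+  nix = {
+    nixPath = lib.mkForce [
+      "nixpkgs=/etc/nixpkgs/nixpkgs"
+      "nixpkgs-unstable=/etc/nixpkgs/nixpkgs-unstable"
+    ];
+
+    registry = {
+      "nixpkgs" = {
+        from = { type = "indirect"; id = "nixpkgs"; };
+        to = { type = "path"; path = "/etc/nixpkgs/nixpkgs"; };
+      };
+      "nixpkgs-unstable" = {
+        from = { type = "indirect"; id = "nixpkgs-unstable"; };
+        to = { type = "path"; path = "/etc/nixpkgs/nixpkgs-unstable"; };
+      };
+    };
+
+    # Take out the trash
+    gc = {
+      automatic = true;
+      dates = "monthly";
+      options = "--delete-older-than 30d";
+    };
+
+    # Optimize the store
+    optimise = {
+      automatic = true;
+      dates = [ "monthly" ];
+    };
+
+    # Enable modern commands
+    settings = {
+      experimental-features = [
+        "flakes"
+        "nix-command"
+      ];
+    };
+  };
+}
+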
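Review bot: The comment `# Who cares about licenses?` above `nixpkgs.config.allowUnfree = true` gives no reason, and accepting unfree licenses fleet-wide on a university lab is a policy decision that should be recorded, e.g. `# Allow unfree packages fleet-wide (needed for <reason>); the nixpkgs-unstable import above is configured the same way.` The `# Enable modern commands` label on `settings.experimental-features` is slightly misleading, since `flakes` and `nix-command` are still experimental flags rather than stable commands; `# Flakes and the nix3 CLI are still gated behind experimental-features` is more accurate. The comment above `environment.etc.nixpkgs.source` also has a typo (`bekome` → `become`).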
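--- /dev/null
+++ b/shared/system.nix
@@ -0,0 +1,14 @@
+{
+  services.haveged.enable = true;
+
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "without-password";
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      22 # SSH
+    ];
+  };
+}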
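Review bot: `settings.PermitRootLogin = "without-password"` only restricts root; `PasswordAuthentication` and `KbdInteractiveAuthentication` are left at their NixOS default of `true`, so any non-root account that exists on a host using this module can be password-brute-forced over the port 22 that is opened here on every machine. Since root already authenticates with a key, make key-only the rule: `settings.PermitRootLogin = "prohibit-password"; settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false;` (`prohibit-password` has been the canonical spelling since OpenSSH 7.0; `without-password` is a deprecated alias). `services.haveged.enable` is presumably meant for VMs booting with an empty entropy pool; on kernels 5.6 and later the in-kernel jitter source makes it largely redundant, so a one-line comment giving the reason would help the next reader decide whether to keep it.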
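--- /dev/null
+++ b/shared/users.nix
@@ -0,0 +1,31 @@
+{ pkgs, config, ...}:
+
+{
+  users.mutableUsers = false;
+
+  users.users."root" = {
+    #hashedPassword = "$y$j9T$5ZEv2RROIXAqdFjFEXEst0$5HA63fmwjGXw1id4n94TRgY1gTuXsQGKXmzlcWXyE07";
+    hashedPassword = "$y$j9T$IqOVsS6/ACfhDXzA3LqsZ1$J/16UDhw44bHWJqIoCdjms6IEwT4tk4ghq2WpThOlMA";
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
+    ];
+
+    packages = with pkgs; [
+      vim
+      wget
+      curl
+      tmux
+      fd
+      ripgrep
+      htop
+      iotop
+      iftop
+      file
+      iperf
+      ldns
+      tcpdump
+    ];
+  };
+}
+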
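Review bot: The commented-out `#hashedPassword = "$y$j9T$5ZEv…"` line should be removed and the password it protects treated as burned — a yescrypt hash committed to git remains crackable offline for as long as the history exists, and the active hash is no better off because `hashedPassword` in a NixOS module lands in the world-readable `/nix/store`. `config` is already taken as a module argument and the LDAP machine in this commit loads its secrets through sops, so `hashedPasswordFile = config.sops.secrets."root/password".path;` together with a matching `sops.secrets."root/password"` declaration would keep the hash out of both the store and the repository. The authorized-key literal here is also the same key that `sops-config.nix` lists under `admins`; deriving `openssh.authorizedKeys.keys` from that one set would stop the two copies from drifting.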
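--- /dev/null
+++ b/sops-config.nix
@@ -0,0 +1,78 @@
+{ lib
+, runCommandNoCCLocal
+, writeText
+, ssh-to-age
+, machines
+, ...
+}:
+
+with lib;
+
+let
+  admins = {
+    "fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
+  };
+
+  hosts = {
+    "nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMW2Ouwep/O0ULtPC8aHx+s9oB8RDJis02u9wYnJe7My";
+    "ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRJF8IwyYAe4T4x7+n6ufO6lmOTu6PgPdmHiPRfCqI";
+    "installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
+  };
+
+  sshToAge = ssh-key:
+    let
+      key = runCommandNoCCLocal "hostkey-to-age" { } ''
+        ${ssh-to-age}/bin/ssh-to-age < '${writeText "" ssh-key}' > "$out"
+      '';
+    in
+    pipe key [
+      readFile
+      (removeSuffix "\n")
+    ];
+
+  # Keys for each machine
+  machine-keys = genAttrs machines (machine:
+    let
+      ssh-key = assert assertMsg (hasAttr machine hosts) ''
+        SSH host key is not specified for machine '${machine}'.
+
+        Make sure the SSH host key is added to `sops-config.nix` after initial provisioning.
+        After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
+      '';
+        getAttr machine hosts;
+    in
+    sshToAge ssh-key);
+
+  # Keys for all admins
+  admin-keys = mapAttrsToList
+    (_: sshToAge)
+    admins;
+
+  mkRule = path: keys: {
+    "path_regex" = "^${if path == null then "" else "${escapeRegex path}/"}(${escapeRegex "secrets.yaml"}|secrets/.+)$";
+    "key_groups" = [{
+      "age" = keys;
+    }];
+  };
+
+  # Create a rule for each machine allowing the mechanie and all admins
+  machine-rules = map
+    (machine: mkRule
+      "machines/${machine}"
+      (admin-keys ++ (singleton machine-keys.${machine})))
+    machines;
+
+  # A single global rule allowing all machines and all admins to access
+  global-rules = singleton (mkRule null (admin-keys ++ (attrValues machine-keys)));
+
+in
+{
+  inherit admin-keys;
+
+  config = {
+    "creation_rules" = concatLists [
+      machine-rules
+      global-rules
+    ];
+  };
+}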
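Review bot: The trailing global rule (`mkRule null …`) encrypts every repository-root `secrets.yaml`/`secrets/*` file to all machine host keys, so one compromised host can decrypt everything that is not machine-scoped; if that is intended, the comment above `global-rules` should say that such files are shared by design and that new secrets belong under `machines/<name>/secrets/` unless every host really needs them. Two smaller points in the same file: the comment `# Create a rule for each machine allowing the mechanie and all admins` has a typo (`machine`), and `writeText "" ssh-key` gives the derivation an empty name — `writeText "ssh-pubkey" ssh-key` is clearer in store listings and build logs. The `admins` key is the same literal that `shared/users.nix` puts into `openssh.authorizedKeys.keys`; exporting `admins` from here and deriving the authorized keys from it would keep the two from drifting apart.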