Dustin Frisch 2 months ago
commit
4c07edf6de
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
  1. 9
      .gitignore
  2. 12
      TODO.md
  3. 35
      client/default.nix
  4. 37
      client/desktop.nix
  5. 11
      client/gpu.nix
  6. 91
      client/hardware.nix
  7. 21
      client/home.nix
  8. 28
      client/programs.nix
  9. 11
      client/sound.nix
  10. 91
      client/users.nix
  11. 494
      flake.lock
  12. 153
      flake.nix
  13. 28
      machines/installer/default.nix
  14. 65
      machines/installer/hardware.nix
  15. 59
      machines/installer/installer/default.nix
  16. 38
      machines/installer/netinstall.nix
  17. 1
      machines/installer/secrets/cache.crt
  18. 24
      machines/installer/secrets/cache.key
  19. 27
      machines/ldap/default.nix
  20. 65
      machines/ldap/hardware.nix
  21. 226
      machines/ldap/ldap.nix
  22. 24
      machines/ldap/secrets/ldap.tls.crt
  23. 24
      machines/ldap/secrets/ldap.tls.key
  24. 36
      machines/ldap/secrets/ldap.yaml
  25. 27
      machines/nfs/default.nix
  26. 65
      machines/nfs/hardware.nix
  27. 13
      machines/nfs/nfs.nix
  28. 21
      shared/default.nix
  29. 28
      shared/network.nix
  30. 69
      shared/nix.nix
  31. 14
      shared/system.nix
  32. 31
      shared/users.nix
  33. 78
      sops-config.nix

9
.gitignore

@ -0,0 +1,9 @@
/result
/.direnv
/.envrc
/*-efi-vars.fd
# nixago: ignore-linked-files
/.sops.yaml

12
TODO.md

@ -0,0 +1,12 @@
# Tasks
- Configure user env on client (using envfs?)
- A fancy background image?
- Make installer work
- Move ldap to subdomain
- Switch to HS nameservers
- Check external SSH access
- Remove x-tools like xterm
# Issuse
- Cleartext password in sssd/ldap config

35
client/default.nix

@ -0,0 +1,35 @@
{ lib, ... }:
with lib;
{
imports = [
./hardware.nix
./gpu.nix
./home.nix
./users.nix
./desktop.nix
./programs.nix
];
deployment = {
targetHost = "10.32.45.150";
};
networking = {
useDHCP = mkForce true;
};
services.hardware.bolt.enable = true;
security.rtkit.enable = true;
services.avahi = {
enable = true;
nssmdns4 = true;
nssmdns6 = true;
};
system.stateVersion = "24.05";
}

37
client/desktop.nix

@ -0,0 +1,37 @@
{ pkgs, ... }:
{
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
wayland = true;
};
desktopManager.gnome.enable = true;
xkb.layout = "de";
};
environment.gnome.excludePackages = with pkgs; [
epiphany
gnome-online-accounts-gtk
gnome-tour
gnome.geary
gnome.gnome-calendar
gnome.gnome-contacts
];
programs.dconf = {
enable = true;
profiles.user.databases = [
{
settings = {
# Set the color scheme to dark.
"org/gnome/desktop/interface".color-scheme = "prefer-dark";
"org/gnome/desktop/wm/keybindings".close = [ "<Super>q" ];
};
}
];
};
}

11
client/gpu.nix

@ -0,0 +1,11 @@
{ pkgs, ... }:
{
hardware.opengl = {
enable = true;
driSupport32Bit = true;
extraPackages = with pkgs; [
];
};
}

91
client/hardware.nix

@ -0,0 +1,91 @@
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/installer/scan/not-detected.nix"
];
nixpkgs.hostPlatform = "x86_64-linux";
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
consoleLogLevel = 3;
initrd = {
systemd.enable = true;
verbose = false;
availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"mptsas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
};
kernelParams = [
"quiet"
"udev.log_level=3"
];
plymouth = {
enable = true;
theme = "bgrt";
};
};
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
disko.devices = {
disk = {
root = {
type = "disk";
device = "/dev/sda";
imageSize = "32G";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
end = "-8G";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
swap = {
size = "100%";
content = {
type = "swap";
randomEncryption = true;
resumeDevice = false;
};
};
};
};
};
};
};
}

21
client/home.nix

@ -0,0 +1,21 @@
{ config, ...}:
{
services.cachefilesd = {
enable = true;
};
fileSystems."home" = {
mountPoint = "/home";
device = "nfs.${config.networking.domain}:/home";
fsType = "nfs";
options = [
"nfsvers=4.2"
"noauto"
"fsc"
"x-systemd.automount"
];
};
}

28
client/programs.nix

@ -0,0 +1,28 @@
{ pkgs, ... }:
{
programs = {
vim.defaultEditor = true;
# zsh = {
# enable = true;
# autosuggestions.enable = true;
# syntaxHighlighting.enable = true;
# };
chromium.enable = true;
firefox.enable = true;
fish.enable = true;
git.enable = true;
htop.enable = true;
mtr.enable = true;
};
environment.systemPackages = with pkgs; [
bat
eza
nil
fd
ripgrep
vscode
];
}

11
client/sound.nix

@ -0,0 +1,11 @@
{
hardware.pulseaudio.enable = false;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
}

91
client/users.nix

@ -0,0 +1,91 @@
{ pkgs, lib, config, ... }:
with lib;
let
baseDN = concatMapStringsSep ","
(part: "dc=${part}")
(splitString "." "informatik.hs-fulda.de");
in
{
security.pam.services = {
sshd = {
makeHomeDir = true;
sssdStrictAccess = true;
unixAuth = lib.mkForce true;
};
login = {
makeHomeDir = true;
sssdStrictAccess = true;
unixAuth = lib.mkForce true;
};
systemd-user = {
makeHomeDir = true;
sssdStrictAccess = true;
unixAuth = lib.mkForce true;
};
};
services.sssd = {
enable = true;
config = ''
[sssd]
config_file_version = 2
services = nss, pam, ssh, ifp
domains = hsfd
debug_level = 8
[nss]
override_homedir = /home/%u
override_shell = /run/current-system/sw/bin/bash
filter_users = root
filter_groups = root
reconnection_retries = 3
[pam]
[domain/hsfd]
id_provider = ldap
access_provider = ldap
auth_provider = ldap
# TODO: ldap_uri = ldaps://ldap${config.networking.domain}/
ldap_uri = ldaps://ldap-linuxlab.informatik.hs-fulda.de/
ldap_search_base = ou=users,${baseDN}
ldap_tls_reqcert = demand
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=login,dc=informatik,dc=hs-fulda,dc=de
ldap_default_authtok_type = password
ldap_default_authtok = TXyk&6G?Ta/B[DZ2^g'KmpUw
ldap_access_order = filter
ldap_access_filter = (objectClass=*)
ldap_user_object_class = posixAccount
ldap_user_name = cn
override_gid = ${toString config.users.groups."users".gid}
cache_credentials = true
min_id = 1000
enumerate = false
'';
};
users.users."root".packages = with pkgs; [
sss-cli
];
#sops.secrets."ldap/login/password" = {
# owner = "nslcd";
# sopsFile = ./secrets.yaml;
#};
}

494
flake.lock

@ -0,0 +1,494 @@
{
"nodes": {
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1731249827,
"narHash": "sha256-04iOZoJ0D+y3xhZtaCgSBOz8T4hED7oMVkuAOzXT8vU=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "a2193487bcf70bbb998ad1a25a4ff02b8d55db7a",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1731274291,
"narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=",
"owner": "nix-community",
"repo": "disko",
"rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1730814269,
"narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "d70155fdc00df4628446352fc58adc640cd705c2",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"ldap-sync": {
"flake": false,
"locked": {
"lastModified": 1705328305,
"narHash": "sha256-PPc16Obzg53YVLSMP2pCOXBF6+q7/BIG6FF7EiI0st8=",
"ref": "refs/heads/main",
"rev": "49edeafeaf7fbadbfe59e4763223593cab989317",
"revCount": 14,
"type": "git",
"url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"
},
"original": {
"type": "git",
"url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"colmena",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixago": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixago-exts": "nixago-exts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1714086354,
"narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=",
"owner": "jmgilman",
"repo": "nixago",
"rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d",
"type": "github"
},
"original": {
"owner": "jmgilman",
"repo": "nixago",
"type": "github"
}
},
"nixago-exts": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixago": "nixago_2",
"nixpkgs": [
"nixago",
"nixpkgs"
]
},
"locked": {
"lastModified": 1676070308,
"narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=",
"owner": "nix-community",
"repo": "nixago-extensions",
"rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago-extensions",
"type": "github"
}
},
"nixago-exts_2": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixago": "nixago_3",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixago",
"nixpkgs"
]
},
"locked": {
"lastModified": 1655508669,
"narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=",
"owner": "nix-community",
"repo": "nixago-extensions",
"rev": "3022a932ce109258482ecc6568c163e8d0b426aa",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago-extensions",
"type": "github"
}
},
"nixago_2": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixago-exts": "nixago-exts_2",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixpkgs"
]
},
"locked": {
"lastModified": 1676070010,
"narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=",
"owner": "nix-community",
"repo": "nixago",
"rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "rename-config-data",
"repo": "nixago",
"type": "github"
}
},
"nixago_3": {
"inputs": {
"flake-utils": "flake-utils_5",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixago",
"nixago-exts",
"nixpkgs"
]
},
"locked": {
"lastModified": 1655405483,
"narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=",
"owner": "nix-community",
"repo": "nixago",
"rev": "e6a9566c18063db5b120e69e048d3627414e327d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1730963269,
"narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1731139594,
"narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"colmena": "colmena",
"disko": "disko",
"flake-utils": "flake-utils",
"git-hooks": "git-hooks",
"ldap-sync": "ldap-sync",
"nixago": "nixago",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops": "sops"
}
},
"sops": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1731213149,
"narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1730883749,
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

153
flake.nix

@ -0,0 +1,153 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
git-hooks = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
colmena = {
url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
nixago = {
url = "github:jmgilman/nixago";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
sops = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
ldap-sync = {
type = "git";
url = "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git";
flake = false;
};
};
outputs =
{ self
, nixpkgs
, flake-utils
, colmena
, git-hooks
, nixago
, ...
}@inputs:
let
# List of all machine names as defined in the machines directory
machines = builtins.attrNames (builtins.readDir ./machines);
in
{
colmena = {
meta = {
nixpkgs = import nixpkgs {
system = "x86_64-linux";
};
specialArgs = {
inherit inputs;
};
};
defaults = {
imports = [
inputs.disko.nixosModules.disko
inputs.sops.nixosModules.sops
./shared
];
deployment.replaceUnknownProfiles = false;
};
"client" = ./client;
} // (builtins.listToAttrs (builtins.map
(name: {
inherit name;
value = ./machines/${name};
})
machines));
} // flake-utils.lib.eachDefaultSystem (system: {
checks = {
pre-commit = git-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixpkgs-fmt.enable = true;
statix.enable = true;
shellcheck.enable = true;
};
};
};
devShells.default =
let
pkgs = nixpkgs.legacyPackages.${system};
sops-config = nixago.lib.${system}.make {
data = (pkgs.callPackage ./sops-config.nix {
inherit machines;
}).config;
output = ".sops.yaml";
format = "yaml";
};
in
pkgs.mkShell {
buildInputs =
self.checks.${system}.pre-commit.enabledPackages ++
[ colmena.packages.${system}.colmena ] ++
(with pkgs; [
bash
gitAndTools.git
sops
age
openssh
ssh-to-age
]);
shellHook = ''
${self.checks.${system}.pre-commit.shellHook}
${sops-config.shellHook}
'';
};
packages.disks =
let
pkgs = nixpkgs.legacyPackages.${system};
hive = colmena.lib.makeHive self.outputs.colmena;
in pkgs.linkFarm "linuxlab-testing" (builtins.mapAttrs
(_: node: node.config.system.build.diskoImages)
hive.nodes);
});
nixConfig = {
extra-substituters = [
"https://colmena.cachix.org"
];
extra-trusted-public-keys = [
"colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
];
};
}

28
machines/installer/default.nix

@ -0,0 +1,28 @@
{
imports = [
./hardware.nix
# TODO: ./cache.nix
./netinstall.nix
];
deployment = {
targetHost = "10.32.45.12";
};
networking = {
interfaces."eth0" = {
ipv4.addresses = [{
address = "10.32.45.12";
prefixLength = 24;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
};
};
system.stateVersion = "24.05";
}

65
machines/installer/hardware.nix

@ -0,0 +1,65 @@
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/installer/scan/not-detected.nix"
];
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"mptsas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
disko.devices = {
disk = {
root = {
type = "disk";
device = "/dev/sda";
imageSize = "64G";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}

59
machines/installer/installer/default.nix

@ -0,0 +1,59 @@
{ pkgs, lib, modulesPath, config, target, ... }:
with lib;
let
installer = pkgs.writers.writeBash "installer" ''
set -euo pipefail
"${target.config.system.build.diskoScript}"
"${target.config.system.build.nixos-install}" \
--root /mnt \
--system "${target.config.system.build.toplevel}" \
--no-channel-copy \
--no-root-password \
--verbose
reboot
'';
in {
imports = [
"${modulesPath}/installer/netboot/netboot-minimal.nix"
];
networking.hostName = "installer";
services.getty.autologinUser = lib.mkForce "root";
systemd.services."auto-install" = {
description = "Automated NixOS installer";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
conflicts = [ "getty@tty1.service" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ bash nix ];
unitConfig = {
FailureAction = "force-reboot";
};
serviceConfig = {
Type = "oneshot";
ExecStart = installer;
StandardInput = "none";
StandardOutput = "journal+console";
StandardError = "journal+console";
};
};
system.stateVersion = config.system.nixos.release;
}

38
machines/installer/netinstall.nix

@ -0,0 +1,38 @@
{ pkgs, lib, nodes, ... }:
with lib;
let
installer = pkgs.nixos [
./installer
{
_module.args = {
target = nodes."client";
};
}
];
in
{
services.pixiecore = {
enable = true;
dhcpNoBind = true;
port = 5080;
mode = "boot";
kernel = "file://${installer.config.system.build.kernel}/bzImage";
initrd = "file://${installer.config.system.build.netbootRamdisk}/initrd";
cmdLine = concatStringsSep " " [
"init=${installer.config.system.build.toplevel}/init"
"loglevel=4"
"console=tty0"
"console=ttyS1,57600n8"
];
openFirewall = true;
};
}

1
machines/installer/secrets/cache.crt

@ -0,0 +1 @@
cache.linuxlab.informatik.hs-fulda.de:jrTFzlS3uRzOOteHmynLmSIvFMWgb4+YH+ShcrczdEY=

24
machines/installer/secrets/cache.key

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:u2f84L2XIPqNBPKtkAU7LAwUj0wwxemsOuUB/qk/SSjutA8RLi5TmBQHnnBY/5l3u154JN9RzHsHQyMp7NHiT1gsmvrmNhdWRzLTxG7MfIJW0SVpjD7X6GLmH5vnVSLJZScRfHgdRcYl9sFO7HlT/vRAtb57ZYM+QZS5b1ZB,iv:yzwOKZA5iwrn/CkhtwF7tUytsy0lseJcBqm4UqVAsqA=,tag:WhxIH/K314fvOm81lfK6EQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVDhNSjF0amNnSWJ2ZEhq\ndnRoOXZpYk5oN09abFozK1Y0WVhDSVJ2U0RzCkw0OXhScjQwRGlDcDdnUHh2cDd3\nclBDd2RwQzRIMy9CVjZXbGFNSUdjU2cKLS0tIHBzSXdCMElkclJMU2I0WWtHbTJP\nWW5TQ2syRk9Obm5qYUtZVGZYbmtzTkEKkMiRInW2OuY6FhXTfueqokehWNxwO905\ntk5jVzyS0kVDt2Mi29Ny+HUhTpLWn2mJii8HMz698ElAxvXrHBZurQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age14lgxmyw860py9yyjz3cxkr6u0x30qra2e27c9my0sycqyfankf2sjrsse6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSHBOUUhqcHlPeTNXOE8z\nWDlNZkhSbnY5SEV5MFplWmhNVXpTaXlycHd3Ck9hY1F6LzNpWjhFdWN0SnpaT0M0\nR2R5TmRNek0wYTJUREp4YklTaVJzdXMKLS0tIDdOTWN6b2kwR1R3bzNTT2s1UFMr\nUm0yWHNkSXg5ZFR1dWhUdHRmSm13eG8Kcprh4nvmUDgI6/nntD+FTY4SsqpEAs3U\n44tvzXSNjEMp9dHIkVu45+NyKOGjZoNUAA7dEvFYAAgZqHPbLMJ0aw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-11-11T21:50:59Z",
"mac": "ENC[AES256_GCM,data:n6TfbZmYcV2ER7n4fXanVJ9ekbytU07NdHVDO/VoTkERvstb1NuTeo7LjA+KVVKxM3ZUvAtMfjpAXvgP1exL4WkOzQHk5RV3odfZhGsvMOUaHp7cfww6/JrO8I+EzJWhDh2tO+xFpuD2sprvNiWT60PFG6kDQKn7XYy63+ECCyo=,iv:7ytrvXtk3Mz3ioeuv0hc80y2FLSyUWdtFyVEhidUeAI=,tag:BS8am9kxloRP+AbavEmfPA==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
}
}

27
machines/ldap/default.nix

@ -0,0 +1,27 @@
{
imports = [
./hardware.nix
./ldap.nix
];
deployment = {
targetHost = "10.32.45.11";
};
networking = {
interfaces."eth0" = {
ipv4.addresses = [{
address = "10.32.45.11";
prefixLength = 24;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
};
};
system.stateVersion = "24.05";
}

65
machines/ldap/hardware.nix

@ -0,0 +1,65 @@
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/installer/scan/not-detected.nix"
];
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"mptsas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
disko.devices = {
disk = {
root = {
type = "disk";
device = "/dev/sda";
imageSize = "32G";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}

226
machines/ldap/ldap.nix

@ -0,0 +1,226 @@
{ pkgs, lib, config, inputs, ... }:
with lib;
let
baseDN = concatMapStringsSep ","
(part: "dc=${part}")
(splitString "." "informatik.hs-fulda.de");
ldap-sync =
let
wrapped = pkgs.callPackage inputs.ldap-sync { };
env = pkgs.runCommand "ldap-sync-env" { } ''
mkdir -p $out
ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
'';
in
pkgs.runCommand "ldap-sync-wrapper"
{
nativeBuildInputs = [ pkgs.makeWrapper ];
} ''
mkdir -p $out/bin
makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
--chdir "${env}"
'';
in
{
services.openldap = {
enable = true;
package = (pkgs.openldap.overrideAttrs (final: prev: {
configureFlags = prev.configureFlags ++ [
"--enable-overlays"
"--enable-remoteauth"
"--enable-spasswd"
"--with-cyrus-sasl"
];
doCheck = false;
})).override {
cyrus_sasl = pkgs.cyrus_sasl.override {
enableLdap = true;
};
};
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "config ACL stats stats2 trace";
olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path;
olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path;
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
olcSaslHost = "localhost";
olcSaslSecProps = "none";
olcSizeLimit = "unlimited";
};
children = {
"cn=schema".includes = [
"${config.services.openldap.package}/etc/schema/core.ldif"
"${config.services.openldap.package}/etc/schema/cosine.ldif"
"${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
"${config.services.openldap.package}/etc/schema/nis.ldif"
];
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/db";
olcSuffix = baseDN;
olcRootDN = "cn=root,${baseDN}";
olcRootPW.path = config.sops.secrets."ldap/root/password".path;
olcAccess = [
# Custom access rules for userPassword attributes
''{0}to attrs=userPassword
by self read
by anonymous auth
by * none
''
# Synced is managed by sync
''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de"
by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage
by * break
''
# Allow login to read users
''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de"
by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read
by self read
by * break
''
# Prevent access
''{3}to *
by * none
''
];
};
children = {
"olcOverlay={0}remoteauth" = {
attrs = {
objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
olcOverlay = "{0}remoteauth";
olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
olcRemoteAuthDNAttribute = "seeAlso";
olcRemoteAuthDomainAttribute = "associatedDomain";
olcRemoteAuthDefaultDomain = "upstream";
olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}";
olcRemoteAuthRetryCount = "3";
olcRemoteAuthStore = "false";
};
};
};
};
};
};
declarativeContents = {
"dc=informatik,dc=hs-fulda,dc=de" = ''
dn: dc=informatik,dc=hs-fulda,dc=de
objectClass: domain
dc: informatik
dn: ou=users,dc=informatik,dc=hs-fulda,dc=de
objectClass: organizationalUnit
ou: users
dn: ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de
objectClass: organizationalUnit
ou: users
dn: cn=sync,dc=informatik,dc=hs-fulda,dc=de
objectClass: applicationProcess
objectClass: simpleSecurityObject
objectClass: top
cn: sync
userPassword: {SSHA}Kf5ViggnBdUAPJ3/X5F80Qf/tXOzGI9G
dn: cn=login,dc=informatik,dc=hs-fulda,dc=de
objectClass: applicationProcess
objectClass: simpleSecurityObject
objectClass: top
cn: login
userPassword: {SSHA}esWkdMFThbFD0gSE5tC+jJ1rjwfUuI0p
'';
};
};
systemd.services."openldap" = {
environment = {
SASL_PATH = pkgs.writeTextFile {
name = "openldap-sasl-path";
destination = "/slapd.conf";
text = ''
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: GSSAPI EXTERNAL PLAIN NTLM
'';
};
};
onSuccess = [ "ldap-sync.service" ];
};
systemd.services."ldap-sync" = {
script = "${ldap-sync}/bin/ldap-sync";
startAt = "hourly";
requisite = [ "openldap.service" ];
# Flush caches
postStop = ''
${config.services.nscd.package}/bin/nscd --invalidate=group
${config.services.nscd.package}/bin/nscd --invalidate=passwd
'';
};
sops.secrets."ldap/root/password" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
sops.secrets."ldap/upstream" = {
sopsFile = ./secrets/ldap.yaml;
owner = "openldap";
};
sops.secrets."ldap/tls/key" = {
sopsFile = ./secrets/ldap.tls.key;
format = "binary";
owner = "openldap";
};
sops.secrets."ldap/tls/crt" = {
sopsFile = ./secrets/ldap.tls.crt;
format = "binary";
owner = "openldap";
};
sops.secrets."ldap/sync/config" = {
sopsFile = ./secrets/ldap.yaml;
};
networking.firewall.allowedTCPPorts = [
22
389
636
];
}

24
machines/ldap/secrets/ldap.tls.crt
File diff suppressed because it is too large
View File

24
machines/ldap/secrets/ldap.tls.key

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:kX2fP6oI4d4ssW+XDv5lF1dn7zAOEH1Qg+tY1AlKkRiWnQmKt5ik2ot6/jcoq9w2hv3Rnrh4Zb6Ndy/OJi3JzPb8Je+lOKC8nTekYz7ZTqdO8CKfONmGaMJO9crR6bJrIXkw3GLd8m14wmFg2tYSYOz918t91BTNpujcDS0t4VpNdgRjX7TFq4+SOOO0oqQDyuXrnK830NvUranO4tNkFCRzIuW0nMeXqE8lehp9wPfJJ9vhNXk8nizgQaazvtjl2An34BQeZFHp7ff+C6XrLoFFX0CkewAkwZ9EUVFzJwShrKjRGgdTqd9u6CuuP02UQrxyfyj8MqRThnyTtZ3GPFGcO6bsPEfQav5PjdhAuoM3XTqLkYIsoyNK+XGNmYy7lEn+optXJxfpzEt1TT7uSftyCsJ13fQOG1JsXNaGrORagSp0ngDyOVMFMZTWDpavB+hweV1ITeMqN6pukWGtYCW/KRpBWDxUQUZGXTdLyt8SL+LZZgPzgLuKxWwmwsbjTZh01EB32VdRfiSSEano8nhM+Z1Xq+Zxpf7PwCrv1CXBHkcj+j856ywE1+J2KayI3mzOB6zV1Hauw/HuIvw4Y9a7QNk1YwWn21XBJtI0Qc8luV8cJCGryElOJUXXF+RE5QveHKX4QOPXZ4kUib6qZqN9BsPmnEskJq8seKGdfufFLuqUNEdaGKwrK3zH9BFKTLk2sA7JRaMsSlOwFNF+HcK6Sjyn46ZWRRCX6fmdHaJv2ECHVVeZdlFY5x2TZz5LQB4XALKcTXyvlwoytrboGm2S4X1qwqfpUSSd4WIQ3l+Ygtd9MwbcazwDjlASVDU7mFQEElWS//KV1VZjr5KrT0ZCCdLMdwA7BooUqk9q/nePvuW7hssvFNw+GiiGKGDgVPlxMRY6NaVv59/k5lw0x40HOXWs9LuhhvQ51KQtMyIKMygWsJ6IQYyZrhf8c4T9K+llt5CUrUQr3OFh1mhhancw0n9Uvnn5npV4Ig17+di9EhPWDbVbYSoGm4r4SD6aR8BBFQ1Q1yeFsoBGJnm2b3N/l0xyw94H6fD4dDw+BROH6LpbpcMAZGK/WTn1vrgMjbLWpJUa4T2gBkYzDt67lETygQ8iYhFBW+U0TvK4Dh8VSJFiA4T3UpAgl/+LN2TjFogkHbhYuMDYXChr9mcJ+rhq5ztd0HQw9Wi1xsC7w/PPSV25aOfpXq9PucYkb1WU0MT0qyU/T9jrMqs2FzkG5J8L/dzll92ZbXgzKE+017MA+YXFulPKd4oio1qFXYKa9n9KPTRCE4uq6tBfuPQ/JtQFuzd8j3pds6oM0hiuuSujqk5Ci5Tj9/fAjk0jM4RcTsHRtOUoS/JFyzTmJ9B4sWBDzB+GD1QfKAJaVgmmEULLEhNpaB6DtUTXAp/9zm041LWlk+XzL3f2gwPvPTxKm64cOQPoDbyQk8ZV1+5KqrleEc1lyj1nL+RXf8CO93Y5IWZg855cY5EugKlwCeL2zR647JD/Yn9BjbsCp5DVjo+VjwEDBcYgCBHbvK6HHt6T2SEYcCUTmLpVpXaTPBYXL8xsanABAixlcdgtk4X1ZoNqEnS0+HBwdZBwDtwF2OPDOJHbtozOGdA/aqpxamjm0tfcaPf/1I4S6pHUONZ2J/o3bDKf2RITMoDMeC8G3w9tHrqWzYs6iWbFz/vTsYw622KrkFMAwO14zBwyUoG6R7o160hy7T6R/KKUyw7M+b1yKRFNuuhFEATNC4BhG60N0nyWfKdFP3cMeJEG8OMCzl4M/xHXX9Y81GTK1Yd1vpR3IhGo2wDWwiXEUic4r7gD8paEkgvXefOqIVBg7eE7MMofOk45sEKmD11h0ao5scEQ3ObtkVP8iJlH5tQ52r1vlSHnvCvbwNX5rurH6JqvU0/bH2JhcbkGvvFWIExn+8usmuJFy1ffJ2gOS5Z1AMJHsQJ+0bmny26BgN76zVJHJ0PLAUjY+M0PsgyxZTNJJUqc72h+4AF2nTSbdzlkAaxS92g7xxkZCRNnVgI04nDkqbxu12ej8y1kB1p3s1JWoI63bsflkI9boPqAWNYqlBRHnZT5v+/SOXq3RCOvsTbiBi/Mq2PGQs4YVXh2iE/AxtORUqGkg5slXsb7AmogXSn+U+EscwopMm1NknREmNFMGYvOU5PffBspW+3JRbRsTUymRLcHyUN1p1NhIyWQ9Kdxs9LJx6eKDoi7duYYokmK0isQj8fndgjwwguyjN4VLxsud7W/57O5izOO0C0N/G/mKbhe9ZCRxcLhfvwJq6EEWiTyf9DLQcO8A988JPzMU/oJTpKPkt/9JjK9P2imPKNQMKrV+09+lC3ZqYEP0kRrSCnVvcB1XPiaXLfr2CkO0U48xMHf52A238BtcTGO1rSNU3FkWiHVu3U+rW9woW7y8/f1F4sVy4xzFKnyYvVSrTyLIEW9d7sUX6m70of2bxvWkVcU/m2SYe5MPVyvdLTy1KbllKbA6mLPqGeGMDVbHRsc7Pyht5hZda6ahZCuadaCsU1klkmof2OhpLy9Lzq0rNJ3eMmxrqnNfCe35HWOK9iEA9O52kLbhmmo+K0jDsC3hoc1Bsu03754rePapLFi4oRtxw2ahLpVTfNEgHGNguJSUUpKV28pvVhN133+Bysod9KrJxYtjWzjJpaf2U2sbyb2IUSwPLCGsUe6whCZwVLI53qeUgBIq/i7eBWwhMezvjUU6i08V1oQPBTq+3QNOTg8qVdLETYAiApO+9wsZ+7ko8QbV+hfCWiHepFSSVw8mmsooiOZucs3TRrw6e7skEOzrrQKDwbnltP4h0oW0KRStF10VhH6GqsNv5gusKhMVQ85q5HjbDmR1mhL6Weg1olrAhDiFSqSqTRqrLfU96UPQ99wUo+Z/x/XftnYthK3AePGgNJc9OoSewTvQtYWj4GWTES46fft9RqjCgUi5RudlOsDE876jQTsIMb70+TicGZn6cTaj49ECmUFwG6pq0ZqzYkgNFTVahrLPWQoV3HjhO95SczAAwK+gf9a/11h5Doa+3ViqJ/GC6r/5nhzmFC6nP+fsM041SiVtlQcQdFmu7EKOcDk9h+MZijh0J4Ta93/XbCUTEpvXKB8uscLa2jsocMyyy+THjwDY3XXdN9asKi+XDYQ87WN3bX2h3rfm0QuwBdqosApiCtt5a73GUXxyGIPogOHf/cOrZhIu7x+mJfkjLO2gtGspkvZ8dDZolff2LTTNJ/+ne9MJN6bowzWsY8isTCtvRugAdytKOdJ/gkkTUAVP/2+rQNTX0BBgQgJzIqBMLu+FDT4Sc3ySCqnqPpgQJqiH5y9faLdx4p23ZKxh4WSc0zqidHkibFvMzsouXMDNgKVeRuExWCPZyNrNl6c6220oIjmExUIlvmNDOFaeAedN+tMljJiORL70XI63ebwkNfc/BFwFr2kG1J96bNXHgGXmdAZ2Xt2+Do+MGWFuP52B2rk9Q/pF4XYTWjGSAJNzWyMfs4Z5eG6J2vNN0JWYXnu8tEeXzCXwmarYrxafoblBEVzbt0UON2TwzCqkk3G33k3wWwPZLuvnW5muCtyK9bDTmOIaaPlWPyQ0g/c29tlNKRtfSGGT71B/LT895S85G0p4mahUj7KPchCeB0xRsnd3xQQCzBoOUGgIn3b61pYjL/kLyO4Znr15L84o1osXsW+OzvbTD2yxn7KND6iG+7OaqCyt9TwYZN94dMl+0c0thmNrluhaJ3VioYacC+TJG9GhoE4GCZP4hz6urw5I0CLNtKLv+botrCvAq+daAE9dt/8GcZDkT9GBGidmyX12v03pkOpkOx8mLffE/Ccl9Mt6//sK5t019Q/myIt+i5YTrHGerAdWQTFdxQj3LG6xbWf9BRPU81Z9XqLO+KNnzdA18cGlxMAlR0Fodq8iVCtO9c7uS5XgkSFdNOWdhAw2we6qMmBp/pwDtZUxdeepj7TQfVynx//lT1tg7WOxd3nf0V9U94759Vvz7r7wvREwcjqa4AjJLoUQGfhddpmOd4ycqxreqx1MCKqY+E3kU36zedB7eO/P2hD6OkFDFacZUBXzIw+csTwT0ehSv6zHGSPvF1H0gXzjgoB6CgDznPfRLWnGBfBggK2O3CIjP9wjzs4hXlP14U+0KL9sycPfV32WDTLzLIzyhek4CpVT5nUMLz5uXgkCdiIW6yYs3e46+eZKkXC21bVh7O6PVvwsJci5gZAz3PGM7Bpgqz0WbSItVAJpkOqCNivdim88vD+CT/m9sIppz9USqCMOfx9/UplwXbVtfSUQXPlIRprDIV1vJWka3oY2uN0oz1VPDHgN5VJ4PSO1mnQPmFg4B/hPoNCo2HVu49DrQL86uuAw6xkfL0=,iv:dQC+JMRPyNFqbIYRSDMBXEmTVK5QmRbBpEYXG+06l+M=,tag:brQ2Fl9jtvmlT5N/gaN4jA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBeEpiRjhYU3ErSW56a3Z5\nbUN2TUxaSTlIT3dFK0p1dlV6WTd2bzJLbW4wCkJLd0hSZmRGUHg4Z2NpQ2VFa25T\na0dhUlpLSk1GSEl6eGY0NllMclY2bDgKLS0tIENGanhCK2dLcmFxclNDWUtuS0Vt\nejZncjdVUll1OG1aM1BFK0EwckNodGcKMBn25B8U9pR+NDm4xTK43DSPxSLmcDgz\ntm6EZy6ENOJYsFf1UCILrd9pkX5Vt/h3RE5U/IJEpIiYsaYSTRjG6w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMHZqcEs3SjBHaDB3YUR6\nbldiNVVTcjd0dkU3aWVZUnNzSG1FakRLR21nCkthT25oMnlLaVloTE5ZdnA3SXAx\nYXZveWJRSWowcTZ6Y3QyaDVvaU4vZk0KLS0tIHZ0ZndoV2RINEVkTXpkT0gwV295\nZy9jMVVNaVF0MENhZ2FNZlhjVWhtYWMKDjw+F73tFDuXBODKE1ntB4XjKnualbRX\nHoK5ZWz2kQiD5j9Z3eiA3K4UkQs8+XLBzFHKWsUJm+DXFj6pRex2iw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-10-23T13:42:58Z",
"mac": "ENC[AES256_GCM,data:BUQmiBa481d2vggylNYkIKBuOg579REAnxMxX/je+IOvGwx/ODC7W0Zm+bzUYtNa/hmvW4fxwmA8VBHNUPgHrmI7zbNQlXdegg3QcXabr0jr3tqcFkLU7LeOt72tCRSGiZSZ3Pz0GXLzhZo9u+t1d/NVVO3p6ZFp/8Ta5fxq0ns=,iv:8PZROLEwl9wdVXsEMMBNKkbnlboeZQiVKDvjiyGJW38=,tag:d+y/GgHHgcSS8SGqIiPs8g==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.1"
}
}

36
machines/ldap/secrets/ldap.yaml

@ -0,0 +1,36 @@
ldap:
root:
username: ENC[AES256_GCM,data:h6YGYg==,iv:QaCy9dRJNnI4UiQwgeboAxl8XZ+xGyYK8mLyybLNyF4=,tag:PQpKFwltnyRvmYJbPoGxvQ==,type:str]
password: ENC[AES256_GCM,data:3np5tR14nxbZe0hlX0Wd4/kDNRb3z3y3z13SyqTY3wE=,iv:yXz45Tsfof0U2JljSRxuUICRjNZ1U3YD4IlXsU4E0/o=,tag:XABl21e6uaj96ApLcRMSpA==,type:str]
upstream: ENC[AES256_GCM,data:KT6x/jm+p9+3e69yWE/hUMWlNrVuecUK3TcnRdqOJWA=,iv:n5P8NE7xUkOz68g/OcemnpZdEjT8aSEgzC4AS0kyStc=,tag:r+gEb4DIzdyBAsavBucvFQ==,type:str]
sync:
config: ENC[AES256_GCM,data:sgobPqiTsGDNfJKvIYiv+6E3s8Ipfog+2EVgz16ZPMwIU6u1id6cxPnE0nnCQcGVKc80owHmy/zYPzsPF7bHhSebGgZN8dN/xnP1xStIssqRP3XhSitNIMREImHs7iKT7f1/Km9CfZxm2WL2XPlaalK/oC/VJ9TiKcJjjnKuQvFbk1Ph2Pe2wPnd6/tZ8/EPGpRm1s+28YzaxWABFjLG/VEdrCJt45rOxpFXDXzQN/3iIRc7EM/CGQZEoJLky2QBd5597UuB9DBU7mkRUPv9JO7euMX9KH8CAYvHutOMpzEaD/LoRMmZxhpBhn3jQGj/uIyr13nJynQ39xkh58UYsENgyTMeAtr7MBzUDuAe1FC7f1NPbKpNuhaab25IqVwnGoOGOj5B8JcWZR1hDU5OTsp5xLTQn3K/SlWeii79EGwgS/pmtyCziQqtd+oS46dnWJupS5ESoU3gdXDvgzNnJsD3qCqrgY+pw3bcQY9D5HhhLdkYByiAbVgtTDVO9EZDxeyHG0APq1J3rkEZxTGunlx9M/wVWD2h/lVsY45KCD+0S9ukhxcEM89LTlI5jeiKbt689uPp6WjmfFo4sdFFm0XbpxTew1YXXORFC+nyM/nh9IhK3G9Jo2LvRDoX0XeZkH+Zmy8J5BZ7kwpdw6de8KEnpj+jyxFD15D5gQfGQC8vfiKA0yNoKdUNGPkkF4vRCFoJLIRnqJfmqWmXcW4E8BjiQId8nx6QGDty+i5HJnYktR7AvK61Q8VMjTYsT12Uwk9Buqn5AbC1Z7pwM7CgiRR7hpUIRYAlB6VBuqXK0xBqSqRIlT5izSyjCRz2W+njeWhPrKF4rSglzHr0/wB3lwpBF7VEOBuvItxhuTpdhZdN3RTAqehj/KRuPx1vdLKdH8s9xTx6leHvaBnVQJ4jCcO8wTMrHXVmGUPtZ852OIQpKjeLQqzSs9mDK/jT0zz5gQXChBiYIP+2XOVFuyoSqTKkMBf0zuPqcq8ZD9gSYc53/XWNGUFGWvzlb/PvnfkKnaetOlyIYelAgm0Tb9VNye1HPODxXnZ1DXhZwGw7CLfxtavu8PrmiQDZwD8FbOWwyDoQA+6rCijZ2gHnoyDP,iv:uX/5gv+bQEKXZPVJDXiBajaWasxmh/mZZq66UNaKe3Q=,tag:kvAZYD+kqcWtc/Oo+ym20g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gsv9h0faztlavyw8ydl3t8p39u737jj48qvg8lrnsdkamthqaepsqegr08
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3b2JsOXdFTndnclZCRm80
REZpZFBuMlFvVWhMcDRBNDJlV3d0MEFIUno0CncrejdPeTN1Z2t2SnRzNjBSTXc4
dWRWTE1XTy9LcHZYSWRabDZSemQrS2sKLS0tIHkwbFpuenpwOCtoVFg4ZHBDc3k3
bnJ3YzRHcDBPcGR0NzlKUzF6bHcyajQK214Dek7XUkmIelWsmVxk5eZmPsfbllP0
1kqP5vImXTMVmcvGR0XTnYxkNt5LVke8DWnsfEEMZniJxbm61N7+UQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wzany9cugzdzgj9zv7cc9w9ctnuu00vl6vm34cgjlyudegfqcptqgd9ut6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcFh2R3lDdGc1cVBrWWhz
VTN6S2hyM20vSlhIRTUvbld3dE0wOGdUZHpzCjJvMFkrdndVUHlIaFZKSW04amlS
enlBNmJGc0pjbEkvNTNucTExNE9PSXMKLS0tIDlHSEQ4VVBFci9aWEpmRTNVY0hL
SDdOQkVUZVFKZUhIcytGVHNWRU9yWnMKgrnTLzfvi9RRL59+iOnvXVew3GUQtXvV
lBZ7Jam2G3AKFsdY/Z4QMAH9cqaLypPQRt5uJ+2Agl2dbGKqTqUFrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-23T15:39:50Z"
mac: ENC[AES256_GCM,data:x2XnbLAAWuCudb9C71I11Hmigh8sQE6lsy4YM5qg2IYRBrOnh+90MblMNAqlj5PX5/c2qg9wlRRpkCTtjcSDtur8j0dnbwQ1gg1AcwB0SWoG0QI1ynFZOJ/aCDeqcRK52AdSkrgz/wRSN2WpPX4O+hNvDRVASIyhumZQb6rrHRU=,iv:uBGxIZdwyGebtNCkpvLlVG1Wg1DdL00rJFxZjbbCV50=,tag:pg41so3tG+no/JaDA/SJMg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

27
machines/nfs/default.nix

@ -0,0 +1,27 @@
{
imports = [
./hardware.nix
./nfs.nix
];
deployment = {
targetHost = "10.32.45.10";
};
networking = {
interfaces."eth0" = {
ipv4.addresses = [{
address = "10.32.45.10";
prefixLength = 24;
}];
};
defaultGateway = {
interface = "eth0";
address = "10.32.45.1";
};
};
system.stateVersion = "24.05";
}

65
machines/nfs/hardware.nix

@ -0,0 +1,65 @@
{ modulesPath, ... }:
{
imports = [
"${modulesPath}/installer/scan/not-detected.nix"
];
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"mptsas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
disko.devices = {
disk = {
root = {
type = "disk";
device = "/dev/sda";
imageSize = "32G";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}

13
machines/nfs/nfs.nix

@ -0,0 +1,13 @@
{
services.nfs.server = {
enable = true;
exports = ''
/home 10.32.45.0/24(rw,async,no_root_squash)
'';
};
networking.firewall.allowedTCPPorts = [
2049 # NFSv4
];
}

21
shared/default.nix

@ -0,0 +1,21 @@
{ name, ...}:
{
imports = [
./nix.nix
./network.nix
./users.nix
./system.nix
];
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
console.keyMap = "de";
_module.args = {
machinePath = ../machines/${name};
};
disko.imageBuilder.imageFormat = "qcow2";
}

28
shared/network.nix

@ -0,0 +1,28 @@
{ config, name, ...}:
{
networking = {
nftables.enable = true;
hostName = name;
domain = "linuxlab.informatik.hs-fulda.de";
search = [
"linuxlab.informatik.hs-fulda.de"
];
# TODO: nameservers = [ "10.0.0.53" ];
nameservers = [ "1.0.0.1" "1.1.1.1" ];
useDHCP = false;
extraHosts = ''
10.32.45.10 nfs.${config.networking.domain}
10.32.45.11 ldap.${config.networking.domain}
10.32.45.12 install.${config.networking.domain}
10.32.45.11 ldap-linuxlab.informatik.hs-fulda.de
'';
};
}

69
shared/nix.nix

@ -0,0 +1,69 @@
{ config, lib, pkgs, inputs, ... }:
{
nixpkgs.overlays = [
# Make nixpkgs-unstable available as subtree
(_: _: {
unstable = import inputs.nixpkgs-unstable {
inherit (config.nixpkgs) system;
config = {
allowUnfree = true;
};
};
})
# Let builders fetch sources directly instead of uploading
(self: super: (super.prefer-remote-fetch self super))
];
# Who cares about licenses?
nixpkgs.config.allowUnfree = true;
# Link nixpkgs to etc for usage in NIX_PATH.
# This allows update to the symlinks when updating nixpkgs without changes
# to NIX_PATH, which requires a new session to bekome active.
environment.etc.nixpkgs.source = pkgs.linkFarm "nixpkgs" [
{ name = "nixpkgs"; inherit (pkgs) path; }
{ name = "nixpkgs-unstable"; inherit (pkgs.unstable) path; }
];
nix = {
nixPath = lib.mkForce [
"nixpkgs=/etc/nixpkgs/nixpkgs"
"nixpkgs-unstable=/etc/nixpkgs/nixpkgs-unstable"
];
registry = {
"nixpkgs" = {
from = { type = "indirect"; id = "nixpkgs"; };
to = { type = "path"; path = "/etc/nixpkgs/nixpkgs"; };
};
"nixpkgs-unstable" = {
from = { type = "indirect"; id = "nixpkgs-unstable"; };
to = { type = "path"; path = "/etc/nixpkgs/nixpkgs-unstable"; };
};
};
# Take out the trash
gc = {
automatic = true;
dates = "monthly";
options = "--delete-older-than 30d";
};
# Optimize the store
optimise = {
automatic = true;
dates = [ "monthly" ];
};
# Enable modern commands
settings = {
experimental-features = [
"flakes"
"nix-command"
];
};
};
}

14
shared/system.nix

@ -0,0 +1,14 @@
{
services.haveged.enable = true;
services.openssh = {
enable = true;
settings.PermitRootLogin = "without-password";
};
networking.firewall = {
allowedTCPPorts = [
22 # SSH
];
};
}

31
shared/users.nix

@ -0,0 +1,31 @@
{ pkgs, config, ...}:
{
users.mutableUsers = false;
users.users."root" = {
#hashedPassword = "$y$j9T$5ZEv2RROIXAqdFjFEXEst0$5HA63fmwjGXw1id4n94TRgY1gTuXsQGKXmzlcWXyE07";
hashedPassword = "$y$j9T$IqOVsS6/ACfhDXzA3LqsZ1$J/16UDhw44bHWJqIoCdjms6IEwT4tk4ghq2WpThOlMA";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
];
packages = with pkgs; [
vim
wget
curl
tmux
fd
ripgrep
htop
iotop
iftop
file
iperf
ldns
tcpdump
];
};
}

78
sops-config.nix

@ -0,0 +1,78 @@
{ lib
, runCommandNoCCLocal
, writeText
, ssh-to-age
, machines
, ...
}:
with lib;
let
admins = {
"fooker" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ";
};
hosts = {
"nfs" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMW2Ouwep/O0ULtPC8aHx+s9oB8RDJis02u9wYnJe7My";
"ldap" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeRJF8IwyYAe4T4x7+n6ufO6lmOTu6PgPdmHiPRfCqI";
"installer" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrc58WlxYKaPNO1J8j8KQxOLJooc9fIxp6gZZoB4Y7o";
};
sshToAge = ssh-key:
let
key = runCommandNoCCLocal "hostkey-to-age" { } ''
${ssh-to-age}/bin/ssh-to-age < '${writeText "" ssh-key}' > "$out"
'';
in
pipe key [
readFile
(removeSuffix "\n")
];
# Keys for each machine
machine-keys = genAttrs machines (machine:
let
ssh-key = assert assertMsg (hasAttr machine hosts) ''
SSH host key is not specified for machine '${machine}'.
Make sure the SSH host key is added to `sops-config.nix` after initial provisioning.
After changing the hosts, make sure to run `sops updatekeys` with all relevant secret files.
'';
getAttr machine hosts;
in
sshToAge ssh-key);
# Keys for all admins
admin-keys = mapAttrsToList
(_: sshToAge)
admins;
mkRule = path: keys: {
"path_regex" = "^${if path == null then "" else "${escapeRegex path}/"}(${escapeRegex "secrets.yaml"}|secrets/.+)$";
"key_groups" = [{
"age" = keys;
}];
};
# Create a rule for each machine allowing the mechanie and all admins
machine-rules = map
(machine: mkRule
"machines/${machine}"
(admin-keys ++ (singleton machine-keys.${machine})))
machines;
# A single global rule allowing all machines and all admins to access
global-rules = singleton (mkRule null (admin-keys ++ (attrValues machine-keys)));
in
{
inherit admin-keys;
config = {
"creation_rules" = concatLists [
machine-rules
global-rules
];
};
}
Loading…
Cancel
Save