From 8a304ef46e1ad221253f883a8a296a12018e3d30 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 10 Feb 2020 18:15:23 +0100
Subject: [PATCH] Add dilion server
---
 modules/private/environment.nix | 16 ++++++
 modules/private/system.nix | 88 +++++++++++++++++++------------
 modules/private/system/dilion.nix | 68 ++++++++++++++++++++++++
 nixops/Makefile | 5 ++
 nixops/default.nix | 1 +
 5 files changed, 145 insertions(+), 33 deletions(-)
 create mode 100644 modules/private/system/dilion.nix
diff --git a/modules/private/environment.nix b/modules/private/environment.nix
index c4c32c8..3b51f37 100644
--- a/modules/private/environment.nix
+++ b/modules/private/environment.nix
@@ -114,6 +114,14 @@ let
 description = "Host FQDN";
 type = str;
 };
+ users = mkOption {
+ type = unspecified;
+ default = pkgs: [];
+ description = ''
+ Sublist of users from realUsers. Function that takes pkgs as
+ argument and gives an array as a result
+ '';
+ };
 emails = mkOption {
 default = [];
 description = "List of e-mails that the server can be a sender of";
@@ -287,6 +295,14 @@ in
 };
 };
 };
+ realUsers = mkOption {
+ description = ''
+ Attrset of function taking pkgs as argument.
+ Real users settings, should provide a subattr of users.users.
+ with at least: name, (hashed)Password, shell
+ '';
+ type = attrsOf unspecified;
+ };
 users = mkOption {
 description = "System and regular users uid/gid";
 type = attrsOf (submodule {
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 66208c4..64fc2d9 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
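Review bot: Both new options, `users` in the first hunk and `realUsers` in the second, are declared with `type = unspecified`, so nothing validates that `users` is a function returning a list of attrsets or that each `realUsers` entry is a function returning an attrset; a bad value only surfaces later when system.nix splices it into `users.users`, and any extra attribute (a group membership, a uid) passes through unchecked. If the nixpkgs in use has `lib.types.functionTo`, `type = functionTo (listOf attrs);` for `users` and `type = attrsOf (functionTo attrs);` for `realUsers` would catch shape errors at option-checking time; otherwise the descriptions should at least state the expected shape precisely. The `realUsers` description also reads oddly: `Attrset of functions taking pkgs as argument.` and `Real users settings, should provide a subattr of users.users, with at least: name, (hashed)Password, shell` would be clearer.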
@@ -23,41 +23,63 @@ MaxRetentionSec="1year" ''; - users.mutableUsers = false; - users.users.root.packages = let - nagios-cli = pkgs.writeScriptBin "nagios-cli" '' - #!${pkgs.stdenv.shell} - sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg} - ''; - in - [ - pkgs.telnet - pkgs.htop - pkgs.iftop - pkgs.bind.dnsutils - pkgs.httpie - pkgs.iotop - pkgs.whois - pkgs.ngrep - pkgs.tcpdump - pkgs.tshark - pkgs.tcpflow - pkgs.mitmproxy - pkgs.nmap - pkgs.p0f - pkgs.socat - pkgs.lsof - pkgs.psmisc - pkgs.wget + users.users = + builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({ + isNormalUser = true; + home = "/home/${x.name}"; + createHome = true; + linger = true; + } // x)) (config.hostEnv.users pkgs)) + // { + root.packages = let + nagios-cli = pkgs.writeScriptBin "nagios-cli" '' + #!${pkgs.stdenv.shell} + sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg} + ''; + in + [ + pkgs.telnet + pkgs.htop + pkgs.iftop + pkgs.bind.dnsutils + pkgs.httpie + pkgs.iotop + pkgs.whois + pkgs.ngrep + pkgs.tcpdump + pkgs.tshark + pkgs.tcpflow + pkgs.mitmproxy + pkgs.nmap + pkgs.p0f + pkgs.socat + pkgs.lsof + pkgs.psmisc + pkgs.wget - pkgs.cnagios - nagios-cli - ]; + pkgs.cnagios + nagios-cli + ]; + }; - environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios"; - environment.systemPackages = [ - pkgs.vim - ]; + users.mutableUsers = false; + environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios"; + environment.systemPackages = + let + home-manager = builtins.fetchGit { + url = "https://github.com/rycee/home-manager.git"; + rev = "ef64bc598f28818d56c86629dad98b468af9c071"; + ref = "release-19.03"; + }; + in + [ + pkgs.git + pkgs.vim + ] ++ + (lib.optional + (builtins.length (config.hostEnv.users pkgs) > 0) + ((pkgs.callPackage home-manager {}).home-manager) + ); }; } 
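Review bot: The generated `users.users` entries are built as `{ isNormalUser = true; home = ...; createHome = true; linger = true; } // x`, so every attribute of each `config.hostEnv.users pkgs` element overrides the defaults and is handed to `users.users` unchecked — with `users.mutableUsers = false` this is the whole account definition, so a stray `extraGroups` or `uid` in an entry silently becomes part of the host's access policy. A comment on that line such as `# each entry is merged verbatim into users.users; review hostEnv.users as carefully as this file` would make that explicit, and `linger = true` being applied to every listed user (keeping their user services alive after logout) deserves its own comment or an opt-in per entry; if the nixpkgs this is evaluated against predates that option, the module would fail to evaluate, which is worth confirming. Note also that the trailing `// { root.packages = ...; }` replaces any `root` entry coming from the list rather than merging with it. The enclosing module attrset starts before this hunk.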
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
new file mode 100644
index 0000000..258506b
--- /dev/null
+++ b/modules/private/system/dilion.nix
@@ -0,0 +1,68 @@
+{ privateFiles }:
+{ config, pkgs, ... }:
+{
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+
+ networking = {
+ firewall.enable = false;
+ interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: { address = ips.ip4; prefixLength = 32; })
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+ interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+ config.hostEnv.ips);
+ };
+
+ myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
+ imports = builtins.attrValues (import ../..);
+
+ deployment = {
+ targetEnv = "hetzner";
+ hetzner = {
+ robotUser = config.myEnv.hetzner.user;
+ robotPass = config.myEnv.hetzner.pass;
+ mainIPv4 = config.hostEnv.ips.main.ip4;
+ partitions = ''
+ clearpart --all --initlabel --drives=sda,sdb,sdc,sdd
+
+ part swap --recommended --label=swap --fstype=swap --ondisk=sda
+
+ part raid.1 --grow --ondisk=sdc
+ part raid.2 --grow --ondisk=sdd
+
+ raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
+
+ part /nix --grow --label=nix --ondisk=sda
+ part /data --grow --label=data --ondisk=sdb
+ '';
+ };
+ };
+
+ programs.zsh.enable = true;
+
+ time.timeZone = "Europe/Paris";
+ nix = {
+ useSandbox = "relaxed";
+ extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ #Assumed in NUR
+ allow-import-from-derivation = true
+ '';
+ };
+
+ # This is equivalent to setting environment.sessionVariables.NIX_PATH
+ nix.nixPath = [
+ "home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz"
+ "nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz"
+ ];
+
+ # This value determines the NixOS release with which your system is
+ # to be compatible, in order to avoid 
breaking some software such as + # database servers. You should change this only after NixOS release + # notes say you should. + # https://nixos.org/nixos/manual/release-notes.html + system.stateVersion = "19.03"; # Did you read the comment? +} + diff --git a/nixops/Makefile b/nixops/Makefile index 02d34f8..1852e75 100644 --- a/nixops/Makefile +++ b/nixops/Makefile @@ -33,6 +33,9 @@ SSH_ARGS ?= ssh-eldiron: $(NIXOPS_PRIV) ssh eldiron -- $(SSH_ARGS) +ssh-dilion: + $(NIXOPS_PRIV) ssh dilion -- $(SSH_ARGS) + ssh-backup-2: $(NIXOPS_PRIV) ssh backup-2 -- $(SSH_ARGS) @@ -77,6 +80,7 @@ list-generations: delete-generations: nix-env -p $(profile) --delete-generations $(GEN) $(NIXOPS_PRIV) ssh eldiron -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) + $(NIXOPS_PRIV) ssh dilion -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) $(NIXOPS_PRIV) ssh backup-2 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) $(NIXOPS_PRIV) ssh monitoring-1 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) .PHONY: delete-generations @@ -84,6 +88,7 @@ delete-generations: cleanup: delete-generations nix-store --gc $(NIXOPS_PRIV) ssh eldiron -- nix-store --gc + $(NIXOPS_PRIV) ssh dilion -- nix-store --gc $(NIXOPS_PRIV) ssh backup-2 -- nix-store --gc $(NIXOPS_PRIV) ssh monitoring-1 -- nix-store --gc .PHONY: cleanup diff --git a/nixops/default.nix b/nixops/default.nix index 5f4f4d2..56b86e8 100644 --- a/nixops/default.nix +++ b/nixops/default.nix @@ -7,6 +7,7 @@ # Used by hetzner cloud to provision machines resources.sshKeyPairs.ssh-key = {}; + dilion = import ../modules/private/system/dilion.nix { inherit privateFiles; }; eldiron = import ../modules/private/system/eldiron.nix { inherit privateFiles; }; backup-2 = import ../modules/private/system/backup-2.nix { inherit privateFiles; }; monitoring-1 = import ../modules/private/system/monitoring-1.nix { inherit privateFiles; }; -- 2.41.0
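Review bot: `firewall.enable = false;` in the new dilion module leaves a host that gets public Hetzner addresses on eth0 with no packet filter at all, and nothing in the hunk says why; unless filtering happens elsewhere, keep the firewall on and open only what is needed, e.g. `networking.firewall.allowedTCPPorts = [ 22 ];`, or add a comment next to that line naming the reason it is disabled. `nix.nixPath` points at moving targets (the `release-19.03` branch archive of home-manager and the `nixos-19.03` channel tarball) whereas system.nix pins home-manager to a commit with `fetchGit`, so anything evaluated through NIX_PATH on the box can drift without any change in this repo; pin a revision or state in the comment above it that this path is only for interactive use. `useSandbox = "relaxed"` lets any derivation that sets `__noChroot` build outside the sandbox, and the `#Assumed in NUR` comment should name the package that needs it so the relaxation can be dropped later. The hunk starts on the previous physical line of this patch.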