qo.is/infrastructure
3
0
Fork 0
Code Issues 12 Pull requests 1 Projects 1 Activity Actions

Commit files for public release
All checks were successful
CI / build (push) Successful in 13m53s
Details

Browse source
This commit is contained in:
Fabian Hauser 2024-10-02 16:52:04 +03:00
commit fef2377502
174 changed files with 7423 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
defaults/backplane-net/README.md Normal file
View file

@ -0,0 +1,5 @@
## Backplane Overlay Network
The `backplane.net.qo.is` overlay network connects all the hosts in a peer-to-peer fashion using [wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh).
The definition of the connected hosts are in [defaults/meta/network-virtual.nix](../meta/network-virtual.nix).

58
defaults/backplane-net/default.nix Normal file
View file

@ -0,0 +1,58 @@
{
pkgs,
lib,
config,
...
}:
let
hostName = config.networking.hostName;
netName = "backplane";
netConfig = config.qois.meta.network.virtual.${netName};
hostNetConfig = netConfig.hosts.${hostName};
wgDefaultPort = 51825;
in
{
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
networking.wireguard.enable = true;
networking.wireguard.interfaces."wg-${netName}" = {
ips = [ "${hostNetConfig.v4.ip}/${builtins.toString netConfig.v4.prefixLength}" ];
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else wgDefaultPort;
privateKeyFile = "/secrets/wireguard/private/${netName}";
generatePrivateKeyFile = true;
};
systemd.network.wait-online.ignoredInterfaces = [ "wg-${netName}" ];
networking.firewall.allowedUDPPorts =
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ wgDefaultPort ];
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
services.wgautomesh = {
enable = true;
gossipSecretFile = builtins.toString config.sops.secrets."wgautomesh/gossip-secret".path;
openFirewall = true;
logLevel = "info";
settings = {
interface = "wg-${netName}";
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
peers =
let
reachableHosts = lib.filterAttrs (
peerHostName: peerConfig: peerHostName != hostName # Not this host
) netConfig.hosts;
in
lib.mapAttrsToList (_: peerConfig: {
address = peerConfig.v4.ip;
endpoint =
if peerConfig.endpoint != null then
with peerConfig.endpoint; "${fqdn}:${builtins.toString port}"
else
null;
pubkey = peerConfig.publicKey;
}) reachableHosts;
};
};
systemd.services.wgautomesh.requires = [ "wireguard-wg-backplane.service" ];
}

55
defaults/base-minimal/applications.nix Normal file
View file

@ -0,0 +1,55 @@
{
config,
lib,
pkgs,
...
}:
{
environment.systemPackages =
with pkgs;
[
vim
tmux
killall
bc
rename
wipe
gnupg
ripgrep
]
++ [
nix-index
nix-diff
]
++ [
autojump
powerline-go
]
++ [
# File Utilities
ack
unzip
iotop
tree
vim
vimPlugins.pathogen
vimPlugins.airline
git
git-lfs
]
++ [
# Filesystem & Disk Utilities
parted
]
++ [
# Networking Utilities
nmap
bind
curl
wget
rsync
iftop
mailutils
];
}

132
defaults/base-minimal/default.nix Normal file
View file

@ -0,0 +1,132 @@
{
config,
lib,
pkgs,
inputs,
...
}:
{
imports = [
./unfree.nix
./applications.nix
./overlays.nix
./security.nix
];
boot.loader.timeout = 2;
boot.tmp.useTmpfs = true;
boot.loader.grub.splashImage = null;
console.keyMap = "de_CH-latin1";
i18n.defaultLocale = "en_US.UTF-8";
boot.kernel.sysctl = {
"kernel.panic" = 20; # Reboot kernel on panic after this much seconds
};
boot.initrd.network.udhcpc.extraArgs = [
"-A"
"900" # Wait for a DHCP lease on boot for 15mins
];
systemd.watchdog = {
runtimeTime = "5m";
rebootTime = "10m";
};
users.mutableUsers = false;
users.users = {
root.openssh.authorizedKeys.keys =
with lib;
concatLists (
mapAttrsToList (
name: user:
if elem "wheel" user.extraGroups && name != "root" then user.openssh.authorizedKeys.keys else [ ]
) config.users.users
);
};
# Disable dependency on xorg
# TODO: Set environment.noXlibs on hosts that don't need any x libraries.
security.pam.services.su.forwardXAuth = lib.mkForce false;
# Package management
nix = {
settings = {
trusted-users = [
"root"
"@wheel"
];
substituters = [
"https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39"
"https://cache.nixos.org?priority=40"
"https://attic.qo.is/qois-infrastructure"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 90d";
};
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
system.autoUpgrade = {
enable = true;
randomizedDelaySec = "30m";
flags = [
"--update-input"
"nixpkgs-nixos-2211"
"--commit-lock-file"
];
};
# Network services
networking.firewall = {
allowPing = true;
allowedTCPPorts = [ 22 ];
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
# temporary mitigation agains CVE-2024-6387 «regreSSHion» RCE
# See https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
settings.LoginGraceTime = 0;
};
security.acme = {
acceptTerms = true;
defaults.email = "sysadmin@qo.is";
};
# Default Settings
environment.etc = {
gitconfig.source = ./etc/gitconfig;
vimrc.source = ./etc/vimrc;
};
programs.autojump.enable = true;
programs.vim.defaultEditor = true;
sops.defaultSopsFile =
let
defaultSopsPath = "${inputs.private}/nixos-configurations/${config.networking.hostName}/secrets.sops.yaml";
in
lib.mkIf (builtins.pathExists defaultSopsPath) defaultSopsPath;
services.fstrim.enable = true;
qois.outgoing-server-mail.enable = true;
qois.backup-client.enable = true;
systemd.extraConfig = "DefaultLimitNOFILE=4096";
}

31
defaults/base-minimal/etc/gitconfig Normal file
View file

@ -0,0 +1,31 @@
[core]
packedGitWindowSize = 16m
packedGitLimit = 64m
[pack]
windowMemory = 64m
packSizeLimit = 64m
thread = 1
deltaCacheSize = 1m
[color]
branch = auto
diff = auto
status = auto
[push]
default = simple
[pull]
rebase = true
[branch]
autosetuprebase = always
[commit]
# gpgsign = true
[tag]
# gpgsign = true
[alias]
s = status --short --branch
a = add --patch
c = commit --message
l = log --color --graph --pretty=format:'%Cred%h%Creset - %C(bold)%s%Creset%C(yellow)%d%Creset %C(green)%an%Creset %C(cyan)%cr%Creset' --abbrev-commit
d = diff
[diff]
# noprefix = true

54
defaults/base-minimal/etc/vimrc Normal file
View file

@ -0,0 +1,54 @@
" Use Vim settings, rather than Vi settings (much better!).
" This must be first, because it changes other options as a side effect.
" Avoid side effects when it was already reset.
if &compatible
set nocompatible
endif
" Convenient command to see the difference between the current buffer and the
" file it was loaded from, thus the changes you made.
" Only define it when not defined already.
" Revert with: ":delcommand DiffOrig".
if !exists(":DiffOrig")
command DiffOrig vert new | set bt=nofile | r ++edit # | 0d_ | diffthis
\ | wincmd p | diffthis
endif
" Don't wake up system with blinking cursor:
" http://www.linuxpowertop.org/known.php
let &guicursor = &guicursor . ",a:blinkon0"
""""""""""""""""""""""""""
" Design Settings
""""""""""""""""""""""""""
set background=dark
colorscheme elflord
""""""""""""""""""""""""""
" Other Settings
""""""""""""""""""""""""""
set ignorecase " Ignore search case
set autoindent " Newline with automatic text indent
set ruler " Show current position
set pastetoggle=<F2>
set ignorecase
set hidden
set splitbelow
set splitright
set tabstop=2
set shiftwidth=2
set softtabstop=2
set expandtab
set listchars="eol:¬,tab:>·,trail:~,extends:>,precedes:<,space:␣"
set grepprg=ack\ -k
filetype plugin indent on
syntax on

12
defaults/base-minimal/overlays.nix Normal file
View file

@ -0,0 +1,12 @@
{
config,
lib,
pkgs,
options,
...
}:
{
nixpkgs.overlays = [ (import ../../overlays) ];
nix.nixPath = options.nix.nixPath.default;
}

37
defaults/base-minimal/security.nix Normal file
View file

@ -0,0 +1,37 @@
{
config,
lib,
pkgs,
...
}:
with lib;
{
# ###########################################################################
# Options taken from hardened kernel profile, see
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
# ###########################################################################
# Enable strict reverse path filtering (that is, do not attempt to route
# packets that "obviously" do not belong to the iface's network; dropped
# packets are logged as martians).
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
# Ignore broadcast ICMP (mitigate SMURF)
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set)
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
# Ignore outgoing ICMP redirects (this is ipv4 only)
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
}

22
defaults/base-minimal/unfree.nix Normal file
View file

@ -0,0 +1,22 @@
{
config,
lib,
pkgs,
...
}:
{
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"corefonts"
"camingo-code"
"helvetica-neue-lt-std"
#"kochi-substitute-naga10"
"ttf-envy-code-r"
"vista-fonts"
"vista-fonts-chs"
"xkcd-font-unstable"
"ricty"
];
}

39
defaults/base-vm/default.nix Normal file
View file

@ -0,0 +1,39 @@
{
config,
lib,
modulesPath,
pkgs,
...
}:
{
imports = [
../base-minimal
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.loader.grub.enable = true;
system.autoUpgrade.allowReboot = true;
services.qemuGuest.enable = true;
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"sr_mod"
];
# Taken from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/minimal.nix
documentation.enable = lib.mkDefault false;
documentation.doc.enable = lib.mkDefault false;
documentation.info.enable = lib.mkDefault false;
documentation.man.enable = lib.mkDefault false;
documentation.nixos.enable = lib.mkDefault false;
}

32
defaults/base/applications.nix Normal file
View file

@ -0,0 +1,32 @@
{
config,
lib,
pkgs,
...
}:
{
environment.systemPackages =
with pkgs;
[
pciutils
dmidecode
smartmontools
iw
efibootmgr
efitools
efivar
pwgen
powertop
lm_sensors
]
++ [
# Filesystem & Disk Utilities
hdparm
smartmontools
]
++ [
# Networking Utilities
tcpdump
];
}

25
defaults/base/default.nix Normal file
View file

@ -0,0 +1,25 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
../base-minimal
./applications.nix
];
# System Services
services.fwupd.enable = true;
services.smartd = {
enable = true;
notifications.mail = {
enable = true;
mailer = "${pkgs.msmtp}/bin/sendmail";
sender = "system@qo.is";
recipient = "sysadmin@qo.is";
};
};
}

15
defaults/hardware/README.md Normal file
View file

@ -0,0 +1,15 @@
# APU
## Setup
To boot the nixos installer with the console port, add `console=ttyS0,115200n8` to the kernel command line in grub.
# ASROCK Mainboards
`F2`: Boot into BIOS
`F11`: Select boot device
# NUC
- [Boot Keybindings](https://www.intel.com/content/www/us/en/support/articles/000005672/boards-and-kits/desktop-boards.html)

38
defaults/hardware/apu.nix Normal file
View file

@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.loader.grub.extraConfig = "\n serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1\n terminal_input serial\n terminal_output serial\n ";
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"ehci_pci"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
"igb"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [
"kvm-amd"
"virtio"
"tun"
];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "console=ttyS0,115200n8" ];
# CPU Configuration
hardware.cpu.amd.updateMicrocode = true;
nix.settings.max-jobs = lib.mkDefault 4;
}

40
defaults/hardware/apu1.nix Normal file
View file

@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.loader.grub.extraConfig = "\n serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1\n terminal_input serial\n terminal_output serial\n ";
boot.initrd.availableKernelModules = [
"ahci"
"ohci_pci"
"xhci_pci"
"ahci"
"ehci_pci"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
"r8169"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [
"kvm-amd"
"virtio"
"tun"
];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "console=ttyS0,115200n8" ];
hardware.cpu.amd.updateMicrocode = true;
nix.settings.max-jobs = lib.mkDefault 2;
}

33
defaults/hardware/asrock-z790m.nix Normal file
View file

@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
"e1000e"
"virtio-pci"
];
boot.initrd.kernelModules = [ ];
# boot.kernelModules = [ "kvm-intel" "virtio" "tun" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# boot.kernelParams = [ "console=ttyS0,115200n8" ];
hardware.cpu.intel.updateMicrocode = true;
powerManagement.cpuFreqGovernor = "ondemand";
nix.settings.max-jobs = lib.mkDefault 8;
}

27
defaults/hardware/asrock.nix Normal file
View file

@ -0,0 +1,27 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"xhci_pci"
"ahci"
"virtio-pci"
"igb"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
hardware.cpu.amd.updateMicrocode = true;
nix.settings.max-jobs = lib.mkDefault 24;
}

33
defaults/hardware/nuc.nix Normal file
View file

@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
"e1000e"
"virtio-pci"
];
boot.initrd.kernelModules = [ ];
# boot.kernelModules = [ "kvm-intel" "virtio" "tun" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# boot.kernelParams = [ "console=ttyS0,115200n8" ];
hardware.cpu.intel.updateMicrocode = true;
powerManagement.cpuFreqGovernor = "ondemand";
nix.settings.max-jobs = lib.mkDefault 8;
}

40
defaults/hardware/wle-regulatory-domain/ath10k-override-eeprom-regulatory-domain.patch Normal file
View file

@ -0,0 +1,40 @@
diff --unified --recursive --text archlinux-linux/drivers/net/wireless/ath/regd.c archlinux-linux-patched/drivers/net/wireless/ath/regd.c
--- a/drivers/net/wireless/ath/regd.c 2019-08-29 18:31:52.749909030 +0200
+++ b/drivers/net/wireless/ath/regd.c 2019-08-29 18:33:33.318773763 +0200
@@ -345,6 +345,8 @@
struct ieee80211_channel *ch;
unsigned int i;
+ return;
+
for (band = 0; band < NUM_NL80211_BANDS; band++) {
if (!wiphy->bands[band])
continue;
@@ -378,6 +380,8 @@
{
struct ieee80211_supported_band *sband;
+ return;
+
sband = wiphy->bands[NL80211_BAND_2GHZ];
if (!sband)
return;
@@ -407,6 +411,8 @@
struct ieee80211_channel *ch;
unsigned int i;
+ return;
+
if (!wiphy->bands[NL80211_BAND_5GHZ])
return;
@@ -639,6 +645,9 @@
const struct ieee80211_regdomain *regd;
wiphy->reg_notifier = reg_notifier;
+
+ return 0;
+
wiphy->regulatory_flags |= REGULATORY_STRICT_REG |
REGULATORY_CUSTOM_REG;

23
defaults/hardware/wle-regulatory-domain/default.nix Normal file
View file

@ -0,0 +1,23 @@
{
config,
lib,
pkgs,
...
}:
{
boot.kernelPatches = [
{
name = "ath10k-override-eeprom-regulatory-domain";
patch = ./ath10k-override-eeprom-regulatory-domain.patch;
extraConfig = ''
EXPERT y
CFG80211_CERTIFICATION_ONUS y
ATH_REG_DYNAMIC_USER_REG_HINTS y
ATH_REG_DYNAMIC_USER_CERT_TESTING y
ATH_REG_DYNAMIC_USER_CERT_TESTING y
ATH9K_DFS_CERTIFIED y
ATH10K_DFS_CERTIFIED y
'';
}
];
}

11
defaults/hardware/wle200nx.nix Normal file
View file

@ -0,0 +1,11 @@
{
config,
lib,
pkgs,
...
}:
{
services.hostapd.extraConfig = ''
ht_capab=[HT40-][HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
'';
}

13
defaults/meta/default.nix Normal file
View file

@ -0,0 +1,13 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hosts.nix
./network-physical.nix
./network-virtual.nix
];
}

44
defaults/meta/hosts.json Normal file
View file

@ -0,0 +1,44 @@
{
"fulberg": {
"hostName": "fulberg",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCG9qqpUOJ2RsohIqhMuw3YZZSrnPqhf5ayh5y0Cq/I"
},
"calanda": {
"hostName": "calanda",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdoOZcFFRXIqEWqUnwCk/kqP8DZw6/4omDefCT6aNN4"
},
"lindberg": {
"hostName": "lindberg",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDksfXKLgPJVuWHAl/pxWRhghun8U6asTZNHa34u+gJw"
},
"lindberg-nextcloud": {
"hostName": "lindberg-nextcloud",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFR5U4yhZ2x/WN9dO+hVVSTCPMyv/1TB8mbuCXxexZOo"
},
"lindberg-build": {
"hostName": "lindberg-build",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnDwwGiucyTI2U8o2rC53weJwp6dO8zcF7BZjkvVq7e"
},
"lindberg-webapps": {
"hostName": "lindberg-webapps",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJT99lj5OI+V1PlZl/T2ikBORwMiXjDfWpHYfq/GvUM5"
},
"batzberg": {
"hostName": "batzberg"
},
"tierberg": {
"hostName": "tierberg",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJS2v0mUDJsNr1DHdgjxEQRnoVaEmExFfvHqpvagYLi6"
},
"stompert": {
"hostName": "stompert",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKuqMPLbREFIrYcmReaRoHdz1TatpvlrZN14L6cikia"
},
"router-coredump": {
"hostName": "router"
},
"cyprianspitz": {
"hostName": "cyprianspitz",
"sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE4udYgCfxHEAkM9r8yaerk7l+BgW7039imM0moKpTbB"
}
}

4
defaults/meta/hosts.nix Normal file
View file

@ -0,0 +1,4 @@
{ ... }:
{
qois.meta.hosts = builtins.fromJSON (builtins.readFile ./hosts.json);
}

114
defaults/meta/network-physical.nix Normal file
View file

@ -0,0 +1,114 @@
{
config,
lib,
pkgs,
...
}:
{
qois.meta.network.physical = {
plessur-ext = {
v4 = {
id = "85.195.200.253";
prefixLength = 24;
};
v6 = {
id = "2a02:169:1e02::";
prefixLength = 48;
};
domain = "plessur-ext.net.qo.is";
hosts = {
calanda = {
v4.ip = "85.195.200.253";
};
};
};
plessur-dmz = {
v4 = {
id = "10.1.2.0";
prefixLength = 24;
gateway = "10.1.2.1";
nameservers = [ "10.1.2.1" ];
};
domain = "plessur-dmz.net.qo.is";
hosts = {
calanda = {
v4.ip = "10.1.2.1";
};
fulberg = {
v4.ip = "10.1.2.2";
};
};
};
plessur-lan = {
v4 = {
id = "10.1.1.0";
prefixLength = 24;
};
domain = "plessur-lan.net.qo.is";
hosts = {
calanda = {
v4.ip = "10.1.1.1";
};
};
};
eem-lan = {
domain = "eem-lan.net.qo.is";
hosts = {
stompert.v4.ip = ""; # TODO
};
};
riedbach-ext = {
# IP: Dynamic
domain = "riedbach-ext.net.qo.is";
hosts = {
lindberg = {
# TODO: This is the router, not really lindberg.
v4.ip = "145.40.194.243";
};
};
};
lattenbach-ext = {
# Forwarded ports:
# udp:51820 -> 10.0.0.60:51820
# tcp:51022 -> 10.0.0.60:22
# tcp:51023 -> 10.0.0.60:2222
domain = "lattenbach-ext.net.qo.is";
hosts.router-coredump.v4.ip = "5.226.148.126";
};
lattenbach-lan = {
# Coredump LAN
v4 = {
id = "10.0.0.0";
prefixLength = 16;
};
domain = "lattenbach-lan.net.qo.is";
hosts = {
tierberg = {
v4.ip = "10.0.0.60";
};
};
};
lattenbach-nas = {
# Coredump net between apu and nas
v4 = {
id = "192.168.254.0";
prefixLength = 24;
};
domain = "lattenbach-nas.net.qo.is";
hosts = {
tierberg.v4.ip = "192.168.254.2";
batzberg.v4.ip = "192.168.254.1";
};
};
};
}

114
defaults/meta/network-virtual.nix Normal file
View file

@ -0,0 +1,114 @@
{
config,
lib,
pkgs,
...
}:
{
qois.meta.network.virtual =
let
physical-network = config.qois.meta.network.physical;
in
{
vpn = {
v4 = {
id = "100.64.0.0";
prefixLength = 10;
};
domain = "vpn.qo.is";
hosts = { };
};
backplane = {
v4 = {
id = "10.250.0.0";
prefixLength = 24;
};
domain = "backplane.net.qo.is";
hosts = {
fulberg = {
v4.ip = "10.250.0.1";
endpoint = {
fqdn = physical-network.plessur-ext.hosts.calanda.fqdn;
port = 51821;
};
publicKey = "xcQOu+pp4ckNygcsLmJL1NmUzbbC+k3I7y+hJ9Ul4nk=";
persistentKeepalive = 25;
};
lindberg = {
v4.ip = "10.250.0.2";
#endpoint = { # TODO: Port forwarding
# fqdn = physical-network.riedbach-ext.hosts.lindberg.fqdn;
# port = 51821;
#};
publicKey = "uxxdpFXSTnfTvzSEzrUq4DuWSILJD5tNj6ks2jhWF10=";
persistentKeepalive = 25; # TODO: Remove when port forwarding enabled
};
lindberg-nextcloud = {
v4.ip = "10.250.0.3";
publicKey = "6XGL4QKB8AMpm/VGcTgWqk9RiSws7DmY5TpIDkXbwlg=";
persistentKeepalive = 25;
};
tierberg = {
v4.ip = "10.250.0.4";
publicKey = "51j1l+pT9W61wx4y2KyUb1seLdCHs3FUKAjmrHBFz1w=";
persistentKeepalive = 25;
};
stompert = {
v4.ip = "10.250.0.5";
publicKey = "CHTjQbmN9WhbRCxKgowxpMx4c5Zu0NDk0rRXEvuB3XA=";
persistentKeepalive = 25;
};
calanda = {
v4.ip = "10.250.0.6";
publicKey = "WMuMCzo8e/aNeGP7256mhK0Fe+x06Ws7a9hOZDPCr0M=";
endpoint = {
fqdn = physical-network.plessur-ext.hosts.calanda.fqdn;
port = 51823;
};
};
lindberg-build = {
v4.ip = "10.250.0.7";
publicKey = "eWuvGpNVl601VDIgshOm287dlZa/5gF9lL4SjYEbIG8=";
persistentKeepalive = 25;
};
lindberg-webapps = {
v4.ip = "10.250.0.8";
publicKey = "LOA3Kumg8FV4DJxONwv+/8l/jOQLJ6SD2k/RegerR04=";
persistentKeepalive = 25;
};
cyprianspitz = {
v4.ip = "10.250.0.9";
endpoint = {
fqdn = physical-network.plessur-ext.hosts.calanda.fqdn;
port = 51824;
};
publicKey = "iLzHSgIwZz44AF7961mwEbK9AnSwcr+aKpd7XAAVTHo=";
};
};
};
lindberg-vms-nat = {
v4 = {
id = "10.247.0.0";
prefixLength = 24;
};
domain = "lindberg-vms-nat.net.qo.is";
hosts = {
lindberg.v4.ip = "10.247.0.1";
};
};
cyprianspitz-vms-nat = {
v4 = {
id = "10.247.0.0";
prefixLength = 24;
};
domain = "cyprianspitz-vms-nat.net.qo.is";
hosts = {
cyprianspitz.v4.ip = "10.248.0.1";
};
};
};
}

83
defaults/meta/network.md Normal file
View file

@ -0,0 +1,83 @@
# Network
This document provides an overview over the qo.is network structure.
## Physical View
```plantuml
@startuml
skinparam style strictuml
left to right direction
package "plessur.net.qo.is" {
entity mediaconvchur [
Media
Converter
(Passive)
]
node calanda
node fulberg
cloud plessurnet [
<i>LAN Plessur
]
mediaconvchur - "enp4" calanda
calanda "br0 (enp2, wlp1, wlp5)" --- plessurnet
calanda "enp4" -- "eno1" fulberg
}
package "riedbach.net.qo.is" {
node riedbachrouter
node lindberg
riedbachrouter -- "enp5s0" lindberg
}
package "eem.net.qo.is" {
node eemrouter
node stompert
eemrouter -- "enp2s0" stompert
}
cloud internet[
<b>@
]
package "coredump.net.qo.is" {
node coredumprouter
node tierberg
coredumprouter -- "enpXs0" tierberg
}
internet .. mediaconvchur: INIT7 Fiber (1G/1G)
internet .. riedbachrouter: iway Fiber (1G/1G)
internet .. eemrouter: KPN NL Fiber
internet .. coredumprouter: Openfactory DSL
@enduml
```
## DNS
All Services are published under the *qo.is* domain name. Following services are available:
`qo.is` Primery Domain - Redirect to docs.qo.is and some .well-known ressources
{{#include ../backplane-net/README.md}}
## Contacts
### Init7
- [Status Netzwerkdienste](https://www.init7.net/status/)
- [NOC E-Mail](mailto:noc@init7.net)
- +41 44 315 44 00
- Init7 (Schweiz) AG, Technoparkstrasse 5, CH-8406 Winterthur

17
defaults/nextcloud/README.md Normal file
View file

@ -0,0 +1,17 @@
# Nextcloud
Running on [cloud.qo.is](https://cloud.qo.is), contact someone from the board for administrative tasks.
At this time, we do not enforce any size limits or alike.
We have some globally configured shared folders for our family members.
For user documentation, refer to the [upstream Nextcloud docs](https://docs.nextcloud.com/server/stable/user_manual/en/). Clients can be downloaded from [nextcloud.com/install](https://nextcloud.com/install/).
## Backup / Restore
1. Stop all related services: nextcloud, php-fpm, redis etc.
2. (mabe dump redis data?)
3. Import Database Backup
4. Restore `/var/lib/nextcloud`, which is currently a bind mount on `lindberg`'s `/mnt/data` volume
5. Resync nextcloud files and database, see [nextcloud docs](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html)

81
defaults/nextcloud/default.nix Normal file
View file

@ -0,0 +1,81 @@
# Default configuration for hosts
{
config,
lib,
pkgs,
...
}:
{
sops.secrets."nextcloud/admin" = with config.users.users.nextcloud; {
inherit group;
owner = name;
};
qois.postgresql.enable = true;
qois.backup-client.includePaths = [ config.services.nextcloud.home ];
services.nextcloud = {
enable = true;
https = true;
webfinger = true;
maxUploadSize = "10G";
database.createLocally = true;
config = {
adminpassFile = config.sops.secrets."nextcloud/admin".path;
adminuser = "root";
dbtype = "pgsql";
};
phpOptions = {
"opcache.interned_strings_buffer" = "23";
};
poolSettings = {
"pm" = "dynamic";
"pm.max_children" = "256";
"pm.max_requests" = "500";
"pm.max_spare_servers" = "16";
"pm.min_spare_servers" = "2";
"pm.start_servers" = "8";
};
configureRedis = true;
caching.redis = true;
notify_push = {
enable = true;
bendDomainToLocalhost = true;
};
settings = {
log_type = "syslog";
syslog_tag = "nextcloud";
"memories.exiftool" = "${lib.getExe pkgs.exiftool}";
"memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
preview_ffmpeg_path = "${lib.getExe pkgs.ffmpeg-headless}";
mail_smtpmode = "sendmail";
mail_domain = "qo.is";
};
};
services.phpfpm.pools.nextcloud.settings = {
"pm.max_children" = lib.mkForce "256";
"pm.max_spare_servers" = lib.mkForce "16";
"pm.start_servers" = lib.mkForce "8";
};
users.users.nextcloud.extraGroups = [ "postdrop" ];
systemd.services.nextcloud-cron = {
path = [ pkgs.perl ];
};
environment.systemPackages = with pkgs; [
nodejs # required for Recognize
];
}

122
defaults/vpn/README.md Normal file
View file

@ -0,0 +1,122 @@
# VPN
On [vpn.qo.is](https://vpn.qo.is) we run a [Tailscale](https://tailscale.com) compatible VPN service. To use the service, you can use a normal Tailscale client with following additional configuration:
| Option | Recommended value | Description |
|--------|-------------------|-------------|
| `accept-routes` | enabled (flag) | Accept direct routes to internal services |
| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
| `login-server` | `https://vpn.qo.is` | Use our own VPN service and not tailscale's upstream one |
⚠️ Currently, if the client is in an IPv6 network, the transport is broken. See [#51](https://gitlab.com/qo.is/infrastructure/-/issues/51) for progress on this.
## Exit nodes
- `100.64.0.5`: lindberg (riedbach-net)
- `100.64.0.6`: cyprianspitz (plessur-net)
Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
## User and Client Management
To register a new client, you can generate a pre-auth key and insert it in the client:
```bash
headscale preauthkeys create --user marlene.mayer
```
Or alternatively use the register command shown when configuring the VPN client.
## ACL
At this time, there are a few ACL rules to isolate a users host but do not expect them to be expected to be enforced - expect your client to be accessible by the whole network.
## Exit Nodes
To add an exit node, create a preauth secret on the `vpn.qo.is` host:
```bash
headscale preauthkeys create --user srv --reusable
```
and configure the host as follows:
```nix
# TODO: This should not be a snipped but a module
{config, ...}: {
# Use this node as vpn exit node
services.tailscale = let meta = config.qois.meta; in {
enable = true;
openFirewall = true;
useRoutingFeatures = "server";
authKeyFile = "/secrets/wireguard/tailscale-key"; # The preauth secret. TODO: Should be in sops.
extraUpFlags = [
"--login-server=https://vpn.qo.is"
"--advertise-exit-node"
(
with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
)
"--advertise-tags=tag:srv"
];
};
}
```
and register it in Headscale with:
```bash
headscale nodes register -u srv -k nodekey:xyzxyzxyzxyzxyzxyzxyzxyz
```
With using the `srv` user, exit nodes and routes get automatically accepted as trusted.
## Clients
### NixOS
Sample config:
```nix
{ config, pkgs, ... }: {
services.tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "client";
authKeyFile = "/secrets/wireguard/tailscale-key"; # This is the pre-auth secret. Make sure it's only accessible by root.
extraUpFlags = [
"--operator"
"yourUserNameChangePlease"
"--accept-routes"
"--exit-node=100.64.0.5"
"--login-server=https://vpn.qo.is"
];
};
}
```
### Mobile App
> Android App: Tip 5 times on the tooltip dots to reveal server config option
See [this Headscale documentation for more](https://headscale.net/android-client/#configuring-the-headscale-url) on how to configure the mobile app. Note that on restarts, sometimes you have to reopen/save the config dialog. If the Tailscale login site is shown, just close the browser with the ❌.
## Backup and Restore
### Server
1. `systemctl stop headscale`
2. Replace `/var/lib/headscale`
3. `systemctl start headscale`
4. Monitor logs for errors
Note: `/var/lib/headscale` contains a sqlite database.
### Clients
1. `systemctl stop tailscaled`
2. Replace `/var/lib/tailscale`
3. `systemctl start tailscaled`
4. Monitor logs for errors

18
defaults/webserver/default.nix Normal file
View file

@ -0,0 +1,18 @@
{
config,
lib,
pkgs,
...
}:
{
services.nginx = {
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
logError = "stderr warn";
proxyResolveWhileRunning = true;
};
}