diff --git a/SUMMARY.md b/SUMMARY.md index 0c7d4e6..f8742a5 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -27,7 +27,6 @@ - [calanda](nixos-configurations/calanda/README.md) - [cyprianspitz](nixos-configurations/cyprianspitz/README.md) -- [fulberg](nixos-configurations/fulberg/README.md) - [lindberg](nixos-configurations/lindberg/README.md) - [stompert](nixos-configurations/stompert/README.md) - [tierberg](nixos-configurations/tierberg/README.md) diff --git a/defaults/backplane-net/default.nix b/defaults/backplane-net/default.nix deleted file mode 100644 index 65137af..0000000 --- a/defaults/backplane-net/default.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: -let - hostName = config.networking.hostName; - netName = "backplane"; - netConfig = config.qois.meta.network.virtual.${netName}; - hostNetConfig = netConfig.hosts.${hostName}; - wgDefaultPort = 51825; -in -{ - sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ]; - - networking.wireguard.enable = true; - networking.wireguard.interfaces."wg-${netName}" = { - ips = [ "${hostNetConfig.v4.ip}/${builtins.toString netConfig.v4.prefixLength}" ]; - listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else wgDefaultPort; - privateKeyFile = "/secrets/wireguard/private/${netName}"; - generatePrivateKeyFile = true; - }; - - systemd.network.wait-online.ignoredInterfaces = [ "wg-${netName}" ]; - - networking.firewall.allowedUDPPorts = - if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ wgDefaultPort ]; - - # Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module - services.wgautomesh = { - enable = true; - gossipSecretFile = builtins.toString config.sops.secrets."wgautomesh/gossip-secret".path; - openFirewall = true; - logLevel = "info"; - settings = { - interface = "wg-${netName}"; - - # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints - peers = - let - reachableHosts = lib.filterAttrs ( - peerHostName: peerConfig: peerHostName != hostName # Not this host - ) netConfig.hosts; - in - lib.mapAttrsToList (_: peerConfig: { - address = peerConfig.v4.ip; - endpoint = - if peerConfig.endpoint != null then - with peerConfig.endpoint; "${fqdn}:${builtins.toString port}" - else - null; - pubkey = peerConfig.publicKey; - }) reachableHosts; - }; - }; - systemd.services.wgautomesh.requires = [ "wireguard-wg-backplane.service" ]; -} diff --git a/defaults/base-minimal/default.nix b/defaults/base-minimal/default.nix index bd2948f..ce133f9 100644 
--- a/defaults/base-minimal/default.nix +++ b/defaults/base-minimal/default.nix @@ -52,27 +52,32 @@ # Package management nix = { - settings = { - trusted-users = [ - "root" - "@wheel" - ]; - substituters = [ - "https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39" - "https://cache.nixos.org?priority=40" - "https://attic.qo.is/qois-infrastructure" - ]; - trusted-public-keys = [ - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=" - ]; - }; + settings = + let + substituters = [ + "https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39" + "https://cache.nixos.org?priority=40" + "https://attic.qo.is/qois-infrastructure" + ]; + in + { + trusted-users = [ + "root" + "@wheel" + ]; + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=" + ]; + trusted-substituters = substituters; # For hosts that limit the subst list + inherit substituters; + }; gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 90d"; }; - package = pkgs.nixFlakes; + package = pkgs.nixVersions.stable; extraOptions = '' experimental-features = nix-command flakes ''; @@ -87,10 +92,6 @@ services.openssh = { enable = true; settings.PasswordAuthentication = false; - - # temporary mitigation agains CVE-2024-6387 «regreSSHion» RCE - # See https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128 - settings.LoginGraceTime = 0; }; security.acme = { @@ -105,7 +106,10 @@ }; programs.autojump.enable = true; - programs.vim.defaultEditor = true; + programs.vim = { + enable = true; + defaultEditor = true; + }; sops.defaultSopsFile = let diff --git a/defaults/meta/hosts.json b/defaults/meta/hosts.json index 1befacf..8780258 100644 --- a/defaults/meta/hosts.json +++ b/defaults/meta/hosts.json 
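Review bot: The rebuilt `settings` block still grants `trusted-users = [ "root" "@wheel" ]`, which makes every wheel member root-equivalent towards nix-daemon (trusted users may pass arbitrary substituters and signing keys), and the new `trusted-substituters = substituters;` additionally lets non-trusted users opt into those caches from the command line. Neither is wrong for an infrastructure baseline, but the comment `# For hosts that limit the subst list` does not say that; `# Same list as trusted-substituters so a host that mkForce-overrides substituters can still use these on request; @wheel is root-equivalent here` would record both facts where the next reader looks.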
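Review bot: Removing `settings.LoginGraceTime = 0;` reverts the CVE-2024-6387 mitigation without recording why it is no longer needed; the only related change in the commit is the `nixpkgs-nixos-stable` bump to nixos-24.11 in flake.nix, which presumably brings an OpenSSH carrying the upstream fix. Hosts keep the old sshd until they are redeployed from the new lock, so the dependency is worth stating next to the remaining sshd settings, e.g. `# CVE-2024-6387 workaround (LoginGraceTime = 0) dropped: the OpenSSH in nixos-24.11 contains the upstream fix`.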
@@ -1,8 +1,4 @@ { - "fulberg": { - "hostName": "fulberg", - "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCG9qqpUOJ2RsohIqhMuw3YZZSrnPqhf5ayh5y0Cq/I" - }, "calanda": { "hostName": "calanda", "sshKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdoOZcFFRXIqEWqUnwCk/kqP8DZw6/4omDefCT6aNN4" diff --git a/defaults/meta/network-physical.nix b/defaults/meta/network-physical.nix index 3f20460..972476d 100644 --- a/defaults/meta/network-physical.nix +++ b/defaults/meta/network-physical.nix @@ -36,9 +36,6 @@ calanda = { v4.ip = "10.1.2.1"; }; - fulberg = { - v4.ip = "10.1.2.2"; - }; }; }; @@ -46,6 +43,7 @@ v4 = { id = "10.1.1.0"; prefixLength = 24; + # Note: DHCP from .2 to .249, see calanda config }; domain = "plessur-lan.net.qo.is"; @@ -53,6 +51,7 @@ calanda = { v4.ip = "10.1.1.1"; }; + cyprianspitz.v4.ip = "10.1.1.250"; }; }; diff --git a/defaults/meta/network-virtual.nix b/defaults/meta/network-virtual.nix index f0b8b3d..d69be2b 100644 --- a/defaults/meta/network-virtual.nix +++ b/defaults/meta/network-virtual.nix @@ -15,7 +15,7 @@ id = "100.64.0.0"; prefixLength = 10; }; - domain = "vpn.qo.is"; + domain = "vpn.net.qo.is"; hosts = { }; }; @@ -27,15 +27,6 @@ domain = "backplane.net.qo.is"; hosts = { - fulberg = { - v4.ip = "10.250.0.1"; - endpoint = { - fqdn = physical-network.plessur-ext.hosts.calanda.fqdn; - port = 51821; - }; - publicKey = "xcQOu+pp4ckNygcsLmJL1NmUzbbC+k3I7y+hJ9Ul4nk="; - persistentKeepalive = 25; - }; lindberg = { v4.ip = "10.250.0.2"; #endpoint = { # TODO: Port forwarding @@ -102,7 +93,7 @@ cyprianspitz-vms-nat = { v4 = { - id = "10.247.0.0"; + id = "10.248.0.0"; prefixLength = 24; }; domain = "cyprianspitz-vms-nat.net.qo.is"; diff --git a/defaults/meta/network.md b/defaults/meta/network.md index 3015417..72e13ba 100644 --- a/defaults/meta/network.md +++ b/defaults/meta/network.md @@ -18,7 +18,7 @@ package "plessur.net.qo.is" { ] node calanda - node fulberg + node cyprianspitz cloud plessurnet [ LAN Plessur 
@@ -26,7 +26,7 @@ package "plessur.net.qo.is" { mediaconvchur - "enp4" calanda calanda "br0 (enp2, wlp1, wlp5)" --- plessurnet - calanda "enp4" -- "eno1" fulberg + plessurnet -- cyprianspitz } package "riedbach.net.qo.is" { diff --git a/defaults/nextcloud/default.nix b/defaults/nextcloud/default.nix index db21a58..3d43d43 100644 --- a/defaults/nextcloud/default.nix +++ b/defaults/nextcloud/default.nix @@ -13,7 +13,7 @@ owner = name; }; - qois.postgresql.enable = true; + services.postgresql.enable = true; qois.backup-client.includePaths = [ config.services.nextcloud.home ]; services.nextcloud = { @@ -30,6 +30,24 @@ dbtype = "pgsql"; }; + appstoreEnable = false; + extraApps = { + inherit (config.services.nextcloud.package.passthru.packages.apps) + calendar + contacts + deck + groupfolders + maps + memories + music + news + notes + notify_push + tasks + twofactor_webauthn + ; + }; + phpOptions = { "opcache.interned_strings_buffer" = "23"; }; diff --git a/flake.lock b/flake.lock index b99c44c..722db09 100644 --- a/flake.lock +++ b/flake.lock 
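Review bot: `services.postgresql.enable = true;` replaces `qois.postgresql.enable`, so whatever the `qois.postgresql` module layered on top of the stock service is no longer requested from here unless that module now keys off `services.postgresql.enable`; the module clearly still exists, since the commit sets `qois.postgresql.package` for lindberg-build and lindberg-nextcloud. Worth confirming, because a bare `services.postgresql` would silently lose any backup, package pinning or hardening the wrapper provided. The same substitution is made in nixos-configurations/lindberg-nextcloud/applications/cloud.nix.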
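Review bot: `appstoreEnable = false;` together with the nixpkgs-packaged `extraApps` set moves the Nextcloud app supply chain from runtime downloads to pinned store paths, which is a deliberate and security-relevant choice that deserves a comment above it, e.g. `# Apps come from nixpkgs only; the in-app store is disabled so no unreviewed code is fetched at runtime`. The flip side is that app updates now arrive only with a nixpkgs bump, so the same comment should mention that expectation.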
@@ -1,53 +1,9 @@ { "nodes": { - "attic": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs", - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1731270564, - "narHash": "sha256-6KMC/NH/VWP5Eb+hA56hz0urel3jP6Y6cF2PX6xaTkk=", - "owner": "zhaofengli", - "repo": "attic", - "rev": "47752427561f1c34debb16728a210d378f0ece36", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "repo": "attic", - "type": "github" - } - }, - "crane": { - "inputs": { - "nixpkgs": [ - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722960479, - "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=", - "owner": "ipetkov", - "repo": "crane", - "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, "deploy-rs": { "inputs": { - "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_2", + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", "utils": "utils" }, "locked": { @@ -71,11 +27,11 @@ ] }, "locked": { - "lastModified": 1731274291, - "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=", + "lastModified": 1734088167, + "narHash": "sha256-OIitVU+IstPbX/NWn2jLF+/sT9dVKcO2FKeRAzlyX6c=", "owner": "nix-community", "repo": "disko", - "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc", + "rev": "d32f2d1750d61a476a236526b725ec5a32e16342", "type": "github" }, "original": { 
@@ -100,129 +56,7 @@ "type": "github" } }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "attic", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixpkgs": { - "locked": { - "lastModified": 1726042813, - "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-nixos-stable": { - "locked": { - "lastModified": 1731239293, - "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - 
"nixpkgs-nixos-unstable": { - "locked": { - "lastModified": 1731139594, - "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1724316499, - "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { "locked": { "lastModified": 1702272962, "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", @@ -238,6 +72,38 @@ "type": "github" } }, + "nixpkgs-nixos-stable": { + "locked": { + "lastModified": 1733808091, + "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-nixos-unstable": { + "locked": { + "lastModified": 1733940404, + "narHash": "sha256-Pj39hSoUA86ZePPF/UXiYHHM7hMIkios8TYG29kQT4g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5d67ea6b4b63378b9c13be21e2ec9d1afc921713", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "private": { "inputs": { "nixpkgs-nixos-unstable": [ @@ -259,7 +125,6 @@ }, "root": { "inputs": { - "attic": "attic", "deploy-rs": "deploy-rs", "disko": "disko", "nixpkgs-nixos-stable": "nixpkgs-nixos-stable", 
@@ -272,17 +137,14 @@ "inputs": { "nixpkgs": [ "nixpkgs-nixos-unstable" - ], - "nixpkgs-stable": [ - "nixpkgs-nixos-stable" ] }, "locked": { - "lastModified": 1731213149, - "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", + "lastModified": 1733965552, + "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", + "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 98f5cca..d9dae25 100644 --- a/flake.nix +++ b/flake.nix @@ -5,19 +5,17 @@ extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="; }; inputs = { - attic.url = "github:zhaofengli/attic"; deploy-rs.url = "github:serokell/deploy-rs"; disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs-nixos-stable"; }; nixpkgs-nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11"; sops-nix = { url = "github:Mic92/sops-nix"; inputs = { nixpkgs.follows = "nixpkgs-nixos-unstable"; - nixpkgs-stable.follows = "nixpkgs-nixos-stable"; }; }; private.url = "git+file:./private"; diff --git a/nixos-configurations/calanda/default.nix b/nixos-configurations/calanda/default.nix index 94e3ffa..dcc9bff 100644 --- a/nixos-configurations/calanda/default.nix +++ b/nixos-configurations/calanda/default.nix @@ -17,5 +17,5 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? } 
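Review bot: `system.stateVersion` is bumped from "23.05" to "24.11" on an already installed host, which the comment directly above warns against; stateVersion selects defaults for stateful services (database majors, state directory layouts), so on an existing system the bump can change what a service expects to find on disk. The same bump is made for cyprianspitz (24.05 → 24.11), lindberg-build (23.11 → 24.11) and lindberg-nextcloud (22.05 → 24.11) in later hunks. The commit pins `qois.postgresql.package` on the two lindberg hosts, which looks like a deliberate mitigation, but why the bump is safe for calanda and cyprianspitz is not recorded; a trailing comment such as `# Bumped after data migration; stateful defaults checked` or a commit-message note would make that auditable.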
diff --git a/nixos-configurations/calanda/networking.nix b/nixos-configurations/calanda/networking.nix index e909427..a96757d 100644 --- a/nixos-configurations/calanda/networking.nix +++ b/nixos-configurations/calanda/networking.nix @@ -4,11 +4,10 @@ let meta = config.qois.meta; plessur-dmz-net = meta.network.physical.plessur-dmz; plessur-lan-net = meta.network.physical.plessur-lan; + plessur-ext-net = meta.network.physical.plessur-ext; getCalandaIp4 = net: net.hosts.calanda.v4.ip; in { - imports = [ ../../defaults/backplane-net ]; - networking.hostName = meta.hosts.calanda.hostName; networking.domain = "ilanz.fh2.ch"; networking.enableIPv6 = false; # TODO @@ -30,6 +29,8 @@ in ]; }; + qois.backplane-net.enable = true; + # TODO: Metaize ips services.qois.router = { enable = true; @@ -53,6 +54,14 @@ in }; }; + # Assign the static address to cyprianspitz (required for ssh luks unlock at this time) + services.dnsmasq.settings.dhcp-host = + let + cyprianspitzEnp0s31f6Mac = "9c:6b:00:58:6e:90"; + inherit (plessur-lan-net.hosts.cyprianspitz.v4) ip; + in + "${cyprianspitzEnp0s31f6Mac},${ip}"; + # DMZ services.unbound.settings.server = { interface = [ plessur-dmz-net.hosts.calanda.v4.ip ]; 
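Review bot: `services.dnsmasq.settings.dhcp-host` is defined as a single string, so any further module that adds a `dhcp-host` entry would conflict instead of merging; the dnsmasq settings format accepts lists as repeated keys, so `dhcp-host = [ "${cyprianspitzEnp0s31f6Mac},${ip}" ];` keeps it extensible. The comment could also name the consumer of the lease, e.g. `# Static lease: the 8223/8222 port-forwards below target this address, and the initrd unlock sshd relies on it`. The `getCalandaIp4` binding and the rest of the file are outside the hunk.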
@@ -66,43 +75,19 @@ in # DMZ Portforwarding networking.nat.forwardPorts = let - fulbergPort = ( - proto: port: { - destination = "10.1.2.2:${toString port}"; - proto = proto; - sourcePort = port; - loopbackIPs = [ "85.195.200.253" ]; - } - ); - cyprianspitzPort = ( - proto: port: { - destination = "10.1.1.11:${toString port}"; - proto = proto; - sourcePort = port; - loopbackIPs = [ "85.195.200.253" ]; + cyprianspitzPortDst = ( + proto: sourcePort: dstPort: { + destination = "${plessur-lan-net.hosts.cyprianspitz.v4.ip}:${toString dstPort}"; + inherit proto; + inherit sourcePort; + loopbackIPs = [ plessur-ext-net.hosts.calanda.v4.ip ]; } ); + cyprianspitzPort = proto: port: (cyprianspitzPortDst proto port port); in [ - { - destination = "10.1.2.2:22"; - proto = "tcp"; - sourcePort = 8022; - } - { - destination = "10.1.2.2:2222"; - proto = "tcp"; - sourcePort = 8222; - } - { - destination = "10.1.1.11:2222"; - proto = "tcp"; - sourcePort = 8223; - } - ] - ++ map (fulbergPort "udp") [ - 51820 - 51821 + (cyprianspitzPortDst "tcp" 8222 22) + (cyprianspitzPortDst "tcp" 8223 2222) ] ++ map (cyprianspitzPort "tcp") [ 80 diff --git a/nixos-configurations/cyprianspitz/README.md b/nixos-configurations/cyprianspitz/README.md index cef3a7e..d6369f9 100644 --- a/nixos-configurations/cyprianspitz/README.md +++ b/nixos-configurations/cyprianspitz/README.md @@ -8,7 +8,14 @@ Reboot requires passphrase. # Get HDD Password: sops decrypt --extract '["system"]["hdd"]' private/nixos-configurations/cyprianspitz/secrets.sops.yaml -ssh -p 8223 -J root@calanda.plessur-ext.net.qo.is +ssh -p 8223 root@calanda.plessur-ext.net.qo.is +``` + + +Direct remote ssh access: + +``` +ssh -p 8222 root@calanda.plessur-ext.net.qo.is ``` ## Hardware @@ -29,4 +36,4 @@ TODO ### HDD Bay -Note that slot 5 (the leftmost) SATA bay is not connected due to the mainboard only having 4 SATA plugs. +Note that the slot in the middle of the SATA bay is not connected due to the mainboard only having 4 SATA plugs. 
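Review bot: The two explicit `cyprianspitzPortDst` entries publish cyprianspitz's sshd (external 8222 → 22) and its initrd unlock sshd (8223 → 2222) on calanda's WAN address, but nothing in the list says which service sits behind which port; a comment per entry, `# 8222: cyprianspitz sshd` and `# 8223: cyprianspitz initrd sshd (luks unlock)`, keeps the exposure visible as the list grows. The destination now follows `plessur-lan-net.hosts.cyprianspitz.v4.ip`, which presumably only holds while the dnsmasq static lease from the earlier hunk is in place, so the two spots should point at each other. The `[ 80 …` list and the enclosing `let` continue past the hunk.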
diff --git a/nixos-configurations/cyprianspitz/applications/default.nix b/nixos-configurations/cyprianspitz/applications/default.nix index b14b66b..18cd6ea 100644 --- a/nixos-configurations/cyprianspitz/applications/default.nix +++ b/nixos-configurations/cyprianspitz/applications/default.nix @@ -1,4 +1,9 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + lib, + ... +}: { imports = [ @@ -7,4 +12,5 @@ ]; qois.loadbalancer.enable = true; + qois.backplane-net.hosts.loadbalancers = lib.mkForce [ "cyprianspitz" ]; } diff --git a/nixos-configurations/cyprianspitz/default.nix b/nixos-configurations/cyprianspitz/default.nix index d06194d..66ff7e7 100644 --- a/nixos-configurations/cyprianspitz/default.nix +++ b/nixos-configurations/cyprianspitz/default.nix @@ -24,5 +24,5 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? } diff --git a/nixos-configurations/cyprianspitz/networking.nix b/nixos-configurations/cyprianspitz/networking.nix index 8147a3f..469c598 100644 --- a/nixos-configurations/cyprianspitz/networking.nix +++ b/nixos-configurations/cyprianspitz/networking.nix 
@@ -2,29 +2,34 @@ let meta = config.qois.meta; + getNetV4Ip = net: { + address = net.hosts.cyprianspitz.v4.ip; + prefixLength = net.v4.prefixLength; + }; + calandaIp = meta.network.physical.plessur-lan.hosts.calanda.v4.ip; in { + networking.enableIPv6 = false; networking.hostName = meta.hosts.cyprianspitz.hostName; - imports = [ ../../defaults/backplane-net ]; - + networking.nameservers = [ calandaIp ]; networking.useDHCP = false; - networking.interfaces.enp0s31f6.useDHCP = true; - networking.interfaces.enp2s0.useDHCP = true; + networking.interfaces.enp0s31f6.ipv4.addresses = [ + (getNetV4Ip meta.network.physical.plessur-lan) + ]; + + networking.defaultGateway = { + address = calandaIp; + interface = "enp0s31f6"; + }; # Virtualization - networking.interfaces.vms-nat.useDHCP = false; - networking.interfaces.vms-nat.ipv4.addresses = [ - ( - let - netConfig = meta.network.virtual.cyprianspitz-vms-nat; - in - { - address = netConfig.hosts.cyprianspitz.v4.ip; - prefixLength = netConfig.v4.prefixLength; - } - ) - ]; + networking.interfaces.vms-nat = { + useDHCP = false; + ipv4.addresses = [ + (getNetV4Ip meta.network.virtual.cyprianspitz-vms-nat) + ]; + }; networking.bridges.vms-nat.interfaces = [ ]; networking.nat = { @@ -41,8 +46,9 @@ in in { enable = true; - resolveLocalQueries = false; + resolveLocalQueries = true; settings = { + server = [ calandaIp ]; interface = "vms-nat"; bind-interfaces = true; 
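Review bot: `networking.nameservers = [ calandaIp ];` in the first hunk and `resolveLocalQueries = true;` plus `server = [ calandaIp ];` in the second describe two resolution paths for the host itself; as far as I recall the NixOS dnsmasq module points the host at the local dnsmasq when resolveLocalQueries is set, so the explicit nameservers entry is then either merged into that list or redundant. Which one is intended should be stated, e.g. `# Host resolves through local dnsmasq, which forwards to calanda; VMs on vms-nat use the same forwarder`, and if the direct calanda entry is meant as a fallback while dnsmasq is down, say so, otherwise drop it. The surrounding `services.dnsmasq` block starts before the second hunk.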
@@ -67,31 +73,17 @@ in }; # Boot - boot.initrd.network.udhcpc.enable = true; - services.qois.luks-ssh = { enable = true; interface = "eth0"; + sshPort = 2222; sshHostKey = "/secrets/system/initrd-ssh-key"; # TODO Solve sops dependency porblem: config.sops.secrets."system/initrd-ssh-key".path; }; - # Configure this node to be used as an vpn exit node - qois.backup-client.includePaths = [ "/var/lib/tailscale" ]; - services.tailscale = { - enable = true; - openFirewall = true; - useRoutingFeatures = "server"; - authKeyFile = config.sops.secrets."tailscale/key".path; - extraUpFlags = [ - "--login-server=https://vpn.qo.is" - "--advertise-exit-node" - ( - with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}" - ) - "--advertise-tags=tag:srv" - ]; - }; + qois.backplane-net.enable = true; + # Configure this node to be used as an vpn exit node + qois.vpn-exit-node.enable = true; } diff --git a/nixos-configurations/cyprianspitz/secrets.nix b/nixos-configurations/cyprianspitz/secrets.nix index 0e9f62c..d61753f 100644 --- a/nixos-configurations/cyprianspitz/secrets.nix +++ b/nixos-configurations/cyprianspitz/secrets.nix @@ -3,8 +3,5 @@ sops.secrets = { "system/hdd" = { }; "system/initrd-ssh-key" = { }; - "tailscale/key" = { - restartUnits = [ "tailscaled.service" ]; - }; }; } diff --git a/nixos-configurations/default.nix b/nixos-configurations/default.nix index 6fccd8b..00253e0 100644 --- a/nixos-configurations/default.nix +++ b/nixos-configurations/default.nix @@ -3,7 +3,6 @@ pkgs, nixpkgs-nixos-stable, disko, - attic, sops-nix, ... }@inputs: @@ -20,13 +19,6 @@ pkgs.lib.genAttrs configs ( modules = [ self.nixosModules.default ./${config}/default.nix - ( - { ... }: - { - imports = [ "${attic}/nixos/atticd.nix" ]; - services.atticd.useFlakeCompatOverlay = false; - } - ) disko.nixosModules.disko sops-nix.nixosModules.sops ( 
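Review bot: `boot.initrd.network.udhcpc.enable = true;` is removed while stage 2 now uses a static address only (`networking.useDHCP = false` in the earlier hunk), so it is unclear how the initrd obtains an address for `services.qois.luks-ssh` on `eth0`; unless that module enables udhcpc itself or sets an `ip=` kernel parameter, the unlock sshd on `sshPort = 2222` may come up without connectivity. The static dnsmasq lease added on calanda for this MAC suggests initrd DHCP is still the intended path, so either re-add the line or record the design with `# initrd still uses DHCP (static lease on calanda); the stage-2 address is static`. The secrets hunk below also drops `tailscale/key`; if `qois.vpn-exit-node` still needs an auth key it presumably declares the secret itself, which is worth confirming.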
diff --git a/nixos-configurations/fulberg/README.md b/nixos-configurations/fulberg/README.md deleted file mode 100644 index 2db184e..0000000 --- a/nixos-configurations/fulberg/README.md +++ /dev/null @@ -1 +0,0 @@ -# fulberg diff --git a/nixos-configurations/fulberg/applications/default.nix b/nixos-configurations/fulberg/applications/default.nix deleted file mode 100644 index c915eb0..0000000 --- a/nixos-configurations/fulberg/applications/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ ... }: { } diff --git a/nixos-configurations/fulberg/backup.nix b/nixos-configurations/fulberg/backup.nix deleted file mode 100644 index e37c8e8..0000000 --- a/nixos-configurations/fulberg/backup.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ config, pkgs, ... }: -{ - - qois.backup-server = { - enable = true; - backupStorageRoot = "/mnt/nas/backup"; - }; - - services.borgbackup.repos = - let - backupRoot = "/mnt/nas/backup"; - hostBackupRoot = "${backupRoot}/hosts"; - dataBackupRoot = "${backupRoot}/data"; - in - { - "lindberg-nextcloud" = { - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIpzfp9VqclbPJ42ZrkRpvjMSTeyq0qce03zCRXqIHMw backup@lindberg-nextcloud" - ]; - path = "${hostBackupRoot}/lindberg-nextcloud"; - }; - "lindberg-data" = { - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-data@lindberg" - ]; - path = "${dataBackupRoot}/lindberg"; - }; - "lindberg-build-system" = { - authorizedKeys = [ - "ssh-ed25519 AAAATODOTODOTODONTE5AAAAIGTmyoVONC12MgOodvzdPpZzLSVwpkC6zkf+Rg0W36gy backup-system@lindberg-build" - ]; - path = "${dataBackupRoot}/lindberg-build-system"; - }; - }; -} diff --git a/nixos-configurations/fulberg/default.nix b/nixos-configurations/fulberg/default.nix deleted file mode 100644 index 4605b9d..0000000 --- a/nixos-configurations/fulberg/default.nix +++ /dev/null 
@@ -1,22 +0,0 @@ -{ config, pkgs, ... }: -{ - - imports = [ - ../../defaults/base - ../../defaults/hardware/apu.nix - ../../defaults/meta - ./applications - ./backup.nix - ./filesystems.nix - ./networking.nix - ./secrets.nix - ]; - - # This value determines the NixOS release from which the default - # settings for stateful data, like fi:le locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? -} diff --git a/nixos-configurations/fulberg/filesystems.nix b/nixos-configurations/fulberg/filesystems.nix deleted file mode 100644 index 547cd79..0000000 --- a/nixos-configurations/fulberg/filesystems.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config, pkgs, ... }: -{ - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/360a6bc9-fc4e-4803-bd53-69320ac32ac5"; - fsType = "btrfs"; - options = [ - "defaults" - "subvol=nixos" - "noatime" - ]; - }; - "/mnt/nas" = { - device = "10.1.1.39:/qois"; - fsType = "nfs"; - options = [ - "defaults" - "noatime" - "soft" - ]; - }; - }; - - swapDevices = [ { device = "/dev/disk/by-uuid/73f91e99-d856-4504-b6b2-d60f855d6d95"; } ]; - - boot.loader.grub = { - enable = true; - device = "/dev/sda"; - }; -} diff --git a/nixos-configurations/fulberg/networking.nix b/nixos-configurations/fulberg/networking.nix deleted file mode 100644 index 125539d..0000000 --- a/nixos-configurations/fulberg/networking.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{ config, pkgs, ... }: -let - meta = config.qois.meta; - plessur-dmz-net = meta.network.physical.plessur-dmz; - getCalandaIp4 = net: net.hosts.calanda.v4.ip; -in -{ - networking.hostName = meta.hosts.fulberg.hostName; - - imports = [ ../../defaults/backplane-net ]; - - # WWAN is currently not available due to a broken SIM-card. - #services.qois.wwan = { - # enable = true; - # apn = "gprs.swisscom.ch"; - # networkInterface = "wwp0s19u1u3i12"; - #}; - - networking.interfaces.enp1s0 = { - useDHCP = false; - ipv4.addresses = [ - { - inherit (plessur-dmz-net.v4) prefixLength; - address = plessur-dmz-net.hosts.fulberg.v4.ip; - } - ]; - }; - - networking.defaultGateway = plessur-dmz-net.v4.gateway; - networking.nameservers = plessur-dmz-net.v4.nameservers; - - # Configure this node to be used as an vpn exit node - qois.backup-client.includePaths = [ "/var/lib/tailscale" ]; - services.tailscale = { - enable = true; - openFirewall = true; - useRoutingFeatures = "server"; - authKeyFile = config.sops.secrets."tailscale/key".path; - extraUpFlags = [ - "--login-server=https://vpn.qo.is" - "--advertise-exit-node" - ( - with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}" - ) - "--advertise-tags=tag:srv" - ]; - }; -} diff --git a/nixos-configurations/fulberg/secrets.nix b/nixos-configurations/fulberg/secrets.nix deleted file mode 100644 index b7aa8fe..0000000 --- a/nixos-configurations/fulberg/secrets.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - sops.secrets = { - "tailscale/key" = { - restartUnits = [ "tailscale.service" ]; - }; - }; -} diff --git a/nixos-configurations/lindberg-build/applications/attic.nix b/nixos-configurations/lindberg-build/applications/attic.nix deleted file mode 100644 index 2825897..0000000 --- a/nixos-configurations/lindberg-build/applications/attic.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -{ config, pkgs, ... }: - -let - atticPort = 8080; - atticHostname = "attic.qo.is"; -in - -{ - - services.atticd = { - enable = true; - - # Replace with absolute path to your credentials file - # generate secret with - # nix run system#openssl rand 64 | base64 -w0 - # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl" - credentialsFile = config.sops.secrets."attic/server_token".path; - - settings = { - listen = "127.0.0.1:${builtins.toString atticPort}"; - allowed-hosts = [ "attic.qo.is" ]; - api-endpoint = "https://attic.qo.is/"; - - # Data chunking - # - # Warning: If you change any of the values here, it will be - # difficult to reuse existing chunks for newly-uploaded NARs - # since the cutpoints will be different. As a result, the - # deduplication ratio will suffer for a while after the change. - chunking = { - # The minimum NAR size to trigger chunking - # - # If 0, chunking is disabled entirely for newly-uploaded NARs. - # If 1, all NARs are chunked. - nar-size-threshold = 64 * 1024; # 64 KiB - - # The preferred minimum size of a chunk, in bytes - min-size = 16 * 1024; # 16 KiB - - # The preferred average size of a chunk, in bytes - avg-size = 64 * 1024; # 64 KiB - - # The preferred maximum size of a chunk, in bytes - max-size = 256 * 1024; # 256 KiB - }; - - database.url = "postgresql:///atticd?host=/run/postgresql"; - }; - }; - - imports = [ ../../../defaults/webserver ]; - - qois.postgresql.enable = true; - # Note: Attic cache availability is "best effort", so no artifacts are backed up. - - services.postgresql = { - ensureDatabases = [ "atticd" ]; - ensureUsers = [ - { - name = "atticd"; - ensureDBOwnership = true; - } - ]; - }; - - services.nginx = { - enable = true; - clientMaxBodySize = "1g"; - virtualHosts.${atticHostname} = { - kTLS = true; - forceSSL = true; - enableACME = true; - - locations."/".proxyPass = "http://127.0.0.1:${builtins.toString atticPort}"; - }; - }; -} 
diff --git a/nixos-configurations/lindberg-build/applications/default.nix b/nixos-configurations/lindberg-build/applications/default.nix index d634828..d9360ee 100644 --- a/nixos-configurations/lindberg-build/applications/default.nix +++ b/nixos-configurations/lindberg-build/applications/default.nix @@ -1,10 +1,24 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + lib, + ... +}: { imports = [ - ./attic.nix ./nixpkgs-cache.nix ]; qois.git-ci-runner.enable = true; + qois.attic.enable = true; + qois.postgresql.package = pkgs.postgresql_15; + + # Remove substituters that are hosted on this node, to prevent lockups + # since the current nix implementation is not forgiving with unavailable subsituters. + # The qois-infrastructure cache is not needed, + # since the builds are done (and cached) on this host anyway. + nix.settings.substituters = lib.mkForce [ + "https://cache.nixos.org?priority=40" + ]; } diff --git a/nixos-configurations/lindberg-build/backup.nix b/nixos-configurations/lindberg-build/backup.nix index 287f4ad..493171d 100644 --- a/nixos-configurations/lindberg-build/backup.nix +++ b/nixos-configurations/lindberg-build/backup.nix @@ -3,7 +3,6 @@ let vnet = config.qois.meta.network.virtual.backplane.hosts; systemTargets = [ - "fulberg" "tierberg" ]; systemJobs = builtins.listToAttrs ( diff --git a/nixos-configurations/lindberg-build/default.nix b/nixos-configurations/lindberg-build/default.nix index 7021494..f5b4bfd 100644 --- a/nixos-configurations/lindberg-build/default.nix +++ b/nixos-configurations/lindberg-build/default.nix @@ -4,7 +4,6 @@ imports = [ ../../defaults/base-vm ../../defaults/meta - ../../defaults/backplane-net ./applications ./backup.nix 
@@ -22,5 +21,5 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? } diff --git a/nixos-configurations/lindberg-build/networking.nix b/nixos-configurations/lindberg-build/networking.nix index 3cbe068..0e8f881 100644 --- a/nixos-configurations/lindberg-build/networking.nix +++ b/nixos-configurations/lindberg-build/networking.nix @@ -6,6 +6,8 @@ networking.useDHCP = false; networking.interfaces.enp11s0.useDHCP = true; + qois.backplane-net.enable = true; + networking.firewall.allowedTCPPorts = [ 80 443 diff --git a/nixos-configurations/lindberg-build/secrets.nix b/nixos-configurations/lindberg-build/secrets.nix index 988fc1f..8d66d7e 100644 --- a/nixos-configurations/lindberg-build/secrets.nix +++ b/nixos-configurations/lindberg-build/secrets.nix @@ -1,9 +1,6 @@ { ... }: { sops.secrets = { - "attic/server_token" = { - restartUnits = [ "atticd.service" ]; - }; "gitlab-runner/default-registration" = { restartUnits = [ "gitlab-runner.service" ]; }; diff --git a/nixos-configurations/lindberg-nextcloud/applications/cloud.nix b/nixos-configurations/lindberg-nextcloud/applications/cloud.nix index 86716d2..8e6b4ff 100644 --- a/nixos-configurations/lindberg-nextcloud/applications/cloud.nix +++ b/nixos-configurations/lindberg-nextcloud/applications/cloud.nix @@ -6,7 +6,7 @@ in imports = [ ../../../defaults/nextcloud ]; - qois.postgresql.enable = true; + services.postgresql.enable = true; services.nextcloud = { hostName = host; diff --git a/nixos-configurations/lindberg-nextcloud/applications/default.nix b/nixos-configurations/lindberg-nextcloud/applications/default.nix index 6188fc9..d872c18 100644 --- a/nixos-configurations/lindberg-nextcloud/applications/default.nix 
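Review bot: The `system.stateVersion` change from "23.11" to "24.11" on an already-installed host is exactly what the comment above it warns against, and the same bump is made for lindberg-nextcloud (from "22.05"), lindberg-webapps ("23.11"), lindberg ("21.11"), stompert ("22.11") and tierberg ("23.05") later in this diff. The commit pins `qois.postgresql.package` on the hosts that run PostgreSQL, which covers the best-known stateVersion-gated default, but other defaults keyed on stateVersion (to my knowledge the Nextcloud package on lindberg-nextcloud, whose defaults are not visible here) would move as well unless pinned elsewhere. If the bumps are deliberate, a short comment next to each would save the next reader the same worry, e.g. `system.stateVersion = "24.11"; # bumped on purpose: stateVersion-gated services are pinned explicitly`.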
+++ b/nixos-configurations/lindberg-nextcloud/applications/default.nix @@ -2,4 +2,6 @@ { imports = [ ./cloud.nix ]; + + qois.postgresql.package = pkgs.postgresql_14; } diff --git a/nixos-configurations/lindberg-nextcloud/default.nix b/nixos-configurations/lindberg-nextcloud/default.nix index 9300262..78fc78d 100644 --- a/nixos-configurations/lindberg-nextcloud/default.nix +++ b/nixos-configurations/lindberg-nextcloud/default.nix @@ -2,10 +2,8 @@ { imports = [ - ../../defaults/backplane-net ../../defaults/base-vm ../../defaults/meta - ../../defaults/webserver ./applications ./backup.nix ./secrets.nix @@ -32,6 +30,8 @@ networking.useDHCP = false; networking.interfaces.enp2s0.useDHCP = true; + qois.backplane-net.enable = true; + networking.firewall.allowedTCPPorts = [ 80 443 @@ -46,5 +46,5 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? } diff --git a/nixos-configurations/lindberg-nextcloud/secrets.nix b/nixos-configurations/lindberg-nextcloud/secrets.nix index 3fa2f78..8327b13 100644 --- a/nixos-configurations/lindberg-nextcloud/secrets.nix +++ b/nixos-configurations/lindberg-nextcloud/secrets.nix @@ -2,7 +2,7 @@ let backupConfiguration = { restartUnits = [ - "borgbackup-job-system-fulberg.service" + "borgbackup-job-system-cyprianspitz.service" "borgbackup-job-system-tierberg.service" ]; }; diff --git a/nixos-configurations/lindberg-webapps/applications/default.nix b/nixos-configurations/lindberg-webapps/applications/default.nix index c635d21..9efef42 100644 --- a/nixos-configurations/lindberg-webapps/applications/default.nix +++ b/nixos-configurations/lindberg-webapps/applications/default.nix 
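Review bot: The added `qois.postgresql.package = pkgs.postgresql_14;` references `pkgs`, but the module's argument set on line 1 lies outside this hunk, so I cannot confirm it binds `pkgs`; a file this small may well declare only `{ ... }:`, and the lindberg-build counterpart in this commit had to extend its argument set explicitly. The lindberg-webapps/applications hunk has the same shape with `pkgs.postgresql_15`. If `pkgs` is unbound, evaluation stops with an undefined-variable error, and the fix is `{ pkgs, ... }:` at the top of each file.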
@@ -6,4 +6,5 @@ qois.vault.enable = true; qois.git.enable = true; qois.static-page.enable = true; + qois.postgresql.package = pkgs.postgresql_15; } diff --git a/nixos-configurations/lindberg-webapps/default.nix b/nixos-configurations/lindberg-webapps/default.nix index 0b37a67..1cbfd2f 100644 --- a/nixos-configurations/lindberg-webapps/default.nix +++ b/nixos-configurations/lindberg-webapps/default.nix @@ -4,7 +4,6 @@ imports = [ ../../defaults/base-vm ../../defaults/meta - ../../defaults/backplane-net ./applications ./disko-config.nix @@ -21,5 +20,5 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? } diff --git a/nixos-configurations/lindberg-webapps/networking.nix b/nixos-configurations/lindberg-webapps/networking.nix index fd4b437..07f42ff 100644 --- a/nixos-configurations/lindberg-webapps/networking.nix +++ b/nixos-configurations/lindberg-webapps/networking.nix @@ -6,6 +6,8 @@ networking.useDHCP = false; networking.interfaces.enp1s0.useDHCP = true; + qois.backplane-net.enable = true; + networking.firewall.allowedTCPPorts = [ 80 443 diff --git a/nixos-configurations/lindberg/default.nix b/nixos-configurations/lindberg/default.nix index b8ea27d..74a84b6 100644 --- a/nixos-configurations/lindberg/default.nix +++ b/nixos-configurations/lindberg/default.nix @@ -25,5 +25,5 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "21.11"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? } 
diff --git a/nixos-configurations/lindberg/networking.nix b/nixos-configurations/lindberg/networking.nix index e46c3b5..67f2b0b 100644 --- a/nixos-configurations/lindberg/networking.nix +++ b/nixos-configurations/lindberg/networking.nix @@ -6,8 +6,6 @@ in { networking.hostName = meta.hosts.lindberg.hostName; - imports = [ ../../defaults/backplane-net ]; - networking.useDHCP = false; networking.interfaces.enp5s0.useDHCP = true; @@ -40,7 +38,7 @@ in in { enable = true; - resolveLocalQueries = false; + resolveLocalQueries = true; settings = { interface = "vms-nat"; bind-interfaces = true; @@ -56,7 +54,14 @@ in dhcp-authoritative = true; }; }; - systemd.services.dnsmasq.bindsTo = [ "network-addresses-vms-nat.service" ]; + systemd.services.dnsmasq = + let + vmsNat = [ "network-addresses-vms-nat.service" ]; + in + { + bindsTo = vmsNat; + after = vmsNat; + }; networking.firewall.interfaces.vms-nat = { allowedUDPPorts = [ 53 @@ -74,20 +79,7 @@ in sshPort = 2222; }; - # Use this node as vpn exit node - qois.backup-client.includePaths = [ "/var/lib/tailscale" ]; - services.tailscale = { - enable = true; - openFirewall = true; - useRoutingFeatures = "server"; - authKeyFile = config.sops.secrets."tailscale/key".path; - extraUpFlags = [ - "--login-server=https://vpn.qo.is" - "--advertise-exit-node" - ( - with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}" - ) - "--advertise-tags=tag:srv" - ]; - }; + qois.backplane-net.enable = true; + + qois.vpn-exit-node.enable = true; } diff --git a/nixos-configurations/lindberg/secrets.nix b/nixos-configurations/lindberg/secrets.nix index b9121f7..27905c3 100644 --- a/nixos-configurations/lindberg/secrets.nix +++ b/nixos-configurations/lindberg/secrets.nix @@ -2,7 +2,7 @@ let backupConfiguration = { restartUnits = [ - "borgbackup-job-data-fulberg.service" + "borgbackup-job-data-cyprianspitz.service" "borgbackup-job-data-tierberg.service" ]; }; 
diff --git a/nixos-configurations/stompert/default.nix b/nixos-configurations/stompert/default.nix index e4cb9a4..5eea848 100644 --- a/nixos-configurations/stompert/default.nix +++ b/nixos-configurations/stompert/default.nix @@ -6,13 +6,13 @@ { imports = [ - ../../defaults/backplane-net ../../defaults/hardware/apu.nix ../../defaults/base ../../defaults/meta ]; - boot.initrd.luks.devices."systems".device = "/dev/disk/by-uuid/5718bd19-cb7a-4728-9ec4-6b2be48215fc"; + boot.initrd.luks.devices."systems".device = + "/dev/disk/by-uuid/5718bd19-cb7a-4728-9ec4-6b2be48215fc"; fileSystems."/" = { device = "/dev/mapper/vg_systems-hv_stompert"; @@ -52,6 +52,8 @@ networking.interfaces.enp3s0.useDHCP = true; networking.tempAddresses = "disabled"; + qois.backplane-net.enable = true; + # Set your time zone. # time.timeZone = "Europe/Amsterdam"; @@ -59,5 +61,5 @@ # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you # should. - system.stateVersion = "22.11"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? } diff --git a/nixos-configurations/tierberg/default.nix b/nixos-configurations/tierberg/default.nix index 2408f89..1058b24 100644 --- a/nixos-configurations/tierberg/default.nix +++ b/nixos-configurations/tierberg/default.nix @@ -20,5 +20,5 @@ # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you # should. - system.stateVersion = "23.05"; # Did you read the comment? + system.stateVersion = "24.11"; # Did you read the comment? } diff --git a/nixos-configurations/tierberg/networking.nix b/nixos-configurations/tierberg/networking.nix index 2d57100..e80eb9d 100644 --- a/nixos-configurations/tierberg/networking.nix +++ b/nixos-configurations/tierberg/networking.nix 
@@ -7,8 +7,6 @@ in { networking.hostName = meta.hosts.tierberg.hostName; - imports = [ ../../defaults/backplane-net ]; - networking.enableIPv6 = false; # TODO networking.useDHCP = false; @@ -21,6 +19,8 @@ in ]; networking.interfaces.enp3s0.useDHCP = true; + qois.backplane-net.enable = true; + services.qois.luks-ssh = { enable = true; interface = "eth0"; diff --git a/nixos-modules/meta/network.nix b/nixos-modules/meta/network.nix index a17a9e9..3caa3d7 100644 --- a/nixos-modules/meta/network.nix +++ b/nixos-modules/meta/network.nix @@ -146,7 +146,7 @@ in }); }; - # Taken from https://github.com/NixOS/nixpkgs/blob/nixos-21.11/nixos/modules/services/networking/wireguard.nix: + # Taken from https://github.com/NixOS/nixpkgs/blob/nixos-21.11/nixos/modules/services/networking/wireguard.nix: publicKey = mkOption { example = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="; type = str; diff --git a/nixos-modules/postgresql/default.nix b/nixos-modules/postgresql/default.nix index e2a8e88..b67f574 100644 --- a/nixos-modules/postgresql/default.nix +++ b/nixos-modules/postgresql/default.nix @@ -11,11 +11,15 @@ in with lib; { options.qois.postgresql = { - enable = mkEnableOption ''Enable postgresql services with defaults''; + # Note: this module is auto-enabled if postgres is used. + package = mkPackageOption pkgs "postgresql" { + example = "postgresql_15"; + default = null; + }; }; - config = mkIf cfg.enable { - services.postgresql.enable = true; + config = mkIf config.services.postgresql.enable { + services.postgresql.package = cfg.package; services.postgresqlBackup.enable = true; qois.backup-client.includePaths = [ config.services.postgresqlBackup.location ]; }; diff --git a/nixos-modules/qois/attic/default.nix b/nixos-modules/qois/attic/default.nix new file mode 100644 index 0000000..adb9e4b --- /dev/null +++ b/nixos-modules/qois/attic/default.nix 
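Review bot: `mkPackageOption pkgs "postgresql" { default = null; ... }` in the postgresql module does not, as far as I recall `lib.mkPackageOption`, yield a nullable option defaulting to null: without `nullable = true` the `default = null` is discarded and the result is a mandatory `types.package` option. Because `config` is now gated on `config.services.postgresql.enable` and assigns `services.postgresql.package = cfg.package;` unconditionally, any host that enables PostgreSQL without setting `qois.postgresql.package` fails evaluation with "option used but not defined", and the stateVersion-derived default of `services.postgresql.package` is never reached; the commit only works because it pins the package on all three PostgreSQL hosts. If the pin is meant to be optional, use `nullable = true;` and `services.postgresql.package = mkIf (cfg.package != null) cfg.package;`; if it is meant to be mandatory, the comment above the option should say so rather than "auto-enabled". The module's closing brace is outside the hunk.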
@@ -0,0 +1,98 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; +let + cfg = config.qois.attic; +in +{ + + options.qois.attic = { + enable = mkEnableOption "Enable attic service"; + domain = mkOption { + description = "Domain for attic server"; + type = types.str; + default = "attic.qo.is"; + }; + port = mkOption { + description = "Server Port"; + type = types.numbers.between 1 65536; + default = 8080; + }; + }; + + config = mkIf cfg.enable { + sops.secrets."attic/server_token".restartUnits = [ "atticd.service" ]; + + services.atticd = { + enable = true; + + # Replace with absolute path to your credentials file + # generate secret with + # nix run system#openssl rand 64 | base64 -w0 + # ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="output from openssl" + environmentFile = config.sops.secrets."attic/server_token".path; + + settings = { + listen = "127.0.0.1:${toString cfg.port}"; + allowed-hosts = [ cfg.domain ]; + api-endpoint = "https://${cfg.domain}/"; + + # Data chunking + # + # Warning: If you change any of the values here, it will be + # difficult to reuse existing chunks for newly-uploaded NARs + # since the cutpoints will be different. As a result, the + # deduplication ratio will suffer for a while after the change. + chunking = { + # The minimum NAR size to trigger chunking + # + # If 0, chunking is disabled entirely for newly-uploaded NARs. + # If 1, all NARs are chunked. + nar-size-threshold = 64 * 1024; # 64 KiB + + # The preferred minimum size of a chunk, in bytes + min-size = 16 * 1024; # 16 KiB + + # The preferred average size of a chunk, in bytes + avg-size = 64 * 1024; # 64 KiB + + # The preferred maximum size of a chunk, in bytes + max-size = 256 * 1024; # 256 KiB + }; + + garbage-collection.default-retention-period = "6 months"; + + database.url = "postgresql:///atticd?host=/run/postgresql"; + }; + }; + + # Note: Attic cache availability is "best effort", so no artifacts are backed up. 
+ + services.postgresql = { + enable = true; + ensureDatabases = [ "atticd" ]; + ensureUsers = [ + { + name = "atticd"; + ensureDBOwnership = true; + } + ]; + }; + + services.nginx = { + enable = true; + clientMaxBodySize = "1g"; + virtualHosts.${cfg.domain} = { + kTLS = true; + forceSSL = true; + enableACME = true; + + locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + }; +} diff --git a/nixos-modules/qois/backplane-net.hosts/default.nix b/nixos-modules/qois/backplane-net.hosts/default.nix new file mode 100644 index 0000000..b249dac --- /dev/null +++ b/nixos-modules/qois/backplane-net.hosts/default.nix @@ -0,0 +1,42 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; +let + cfg = config.qois.backplane-net.hosts; + defaultDomains = attrNames config.qois.loadbalancer.domains; + defaultLoadbalancers = [ "lindberg" ]; +in +{ + + options.qois.backplane-net.hosts = { + enable = mkOption { + default = true; + description = "Whether to enable hosts aliases for loadbalanced services. This prevents turnarounds over external networks for these services."; + type = types.bool; + }; + + domains = mkOption { + description = "Domains that are hosted by the backplane loadbalancer"; + type = with types; listOf str; + default = defaultDomains; + }; + loadbalancers = mkOption { + description = "List of Loadbalancer hostnames as listed in the backplane network"; + type = with types; listOf str; + default = defaultLoadbalancers; + }; + }; + + config = mkIf cfg.enable { + + networking.hosts = pipe cfg.loadbalancers [ + (map (hostname: config.qois.meta.network.virtual.backplane.hosts.${hostname}.v4.ip)) + (flip genAttrs (lb: cfg.domains)) + ]; + + }; +} diff --git a/defaults/backplane-net/README.md b/nixos-modules/qois/backplane-net/README.md similarity index 100% rename from defaults/backplane-net/README.md rename to nixos-modules/qois/backplane-net/README.md 
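Review bot: The `port` option in the new attic module accepts 65536 through `types.numbers.between 1 65536`, one above the largest valid port; `type = types.port;` states the intent and caps at 65535. The comment above `environmentFile` still reads "Replace with absolute path to your credentials file", which described the old `credentialsFile` option; it should now say what the file must contain, e.g. `# sops-managed environment file providing ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64`. `mkEnableOption "Enable attic service"` produces the doubled description "Whether to enable Enable attic service."; `mkEnableOption "the attic binary cache server"` reads correctly. `pkgs` is taken as a module argument but never used.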
diff --git a/nixos-modules/qois/backplane-net/default.nix b/nixos-modules/qois/backplane-net/default.nix new file mode 100644 index 0000000..08fb31e --- /dev/null +++ b/nixos-modules/qois/backplane-net/default.nix 
@@ -0,0 +1,83 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; +let + cfg = config.qois.backplane-net; + hostName = config.networking.hostName; + netConfig = config.qois.meta.network.virtual.${cfg.netName}; + hostNetConfig = netConfig.hosts.${hostName}; + interface = "wg-${cfg.netName}"; + wgService = [ "wireguard-${interface}.service" ]; +in + +{ + options.qois.backplane-net = { + enable = mkEnableOption "Enable backplane server services"; + netName = mkOption { + description = "Network Name"; + type = types.str; + default = "backplane"; + }; + domain = mkOption { + description = "Domain"; + type = types.str; + default = hostNetConfig; + }; + port = mkOption { + description = "Wireguard Default Port"; + type = types.number; + default = 51825; + }; + }; + + config = { + sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ]; + + networking.wireguard.enable = true; + networking.wireguard.interfaces."wg-${cfg.netName}" = { + ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ]; + listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port; + privateKeyFile = "/secrets/wireguard/private/${cfg.netName}"; + generatePrivateKeyFile = true; + }; + + systemd.network.wait-online.ignoredInterfaces = [ interface ]; + + networking.firewall.allowedUDPPorts = + if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ]; + + # Configure wgautomesh to setup peers. 
Make sure that the name is not used in the VPN module + services.wgautomesh = { + enable = true; + gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path; + openFirewall = true; + settings = { + inherit interface; + + # Map meta network configuration to the format of wgautomesh and filter out peers with endpoints + peers = pipe netConfig.hosts [ + (filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host + (mapAttrsToList ( + _: peerConfig: { + address = peerConfig.v4.ip; + endpoint = + if (peerConfig.endpoint != null) then + with peerConfig.endpoint; "${fqdn}:${toString port}" + else + null; + pubkey = peerConfig.publicKey; + } + )) + ]; + }; + }; + systemd.services.wgautomesh = { + requires = wgService; + after = wgService; + }; + }; +} diff --git a/nixos-modules/qois/git-ci-runner/default.nix b/nixos-modules/qois/git-ci-runner/default.nix index 6a8bb6c..ac53334 100644 --- a/nixos-modules/qois/git-ci-runner/default.nix +++ b/nixos-modules/qois/git-ci-runner/default.nix @@ -91,9 +91,10 @@ with lib; emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.' useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser - cat < etc/nix/nix.conf + cp -a ${config.environment.etc."nix/nix.conf".source} etc/nix/nix.conf + + cat <> etc/nix/nix.conf accept-flake-config = true - experimental-features = nix-command flakes NIX_CONFIG cat < etc/nsswitch.conf diff --git a/nixos-modules/qois/git/default.nix b/nixos-modules/qois/git/default.nix index 20ba2dd..719a3a0 100644 --- a/nixos-modules/qois/git/default.nix +++ b/nixos-modules/qois/git/default.nix @@ -21,10 +21,11 @@ with lib; }; config = mkIf cfg.enable { - qois.postgresql.enable = true; + services.postgresql.enable = true; services.forgejo = { enable = true; + package = pkgs.forgejo; database.type = "postgres"; lfs.enable = true; 
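Review bot: The backplane-net module's `config = { ... }` is not wrapped in `mkIf cfg.enable`, so the `enable` option declared just above it has no effect: the WireGuard interface, the open UDP port and the wgautomesh service are applied to every host that imports the module, although the hosts in this commit set `qois.backplane-net.enable = true;` expecting exactly that gate. A host absent from `netConfig.hosts` also fails evaluation on `hostNetConfig = netConfig.hosts.${hostName}` whatever the option says. The fix is `config = mkIf cfg.enable {`. Separately, the `domain` option defaults to `hostNetConfig`, an attribute set, while being typed `types.str`, and nothing reads it; either drop it or default it to the host's FQDN from the meta network. `port` would be better typed `types.port` than `types.number`.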
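Review bot: `cp -a` of `${config.environment.etc."nix/nix.conf".source}` in the git-ci-runner hunk preserves the Nix store file's read-only mode, so the heredoc append to `etc/nix/nix.conf` that follows succeeds only because the script presumably runs as root (the preceding `useradd` suggests it does); any unprivileged execution would get "Permission denied". `install -m 644 ${config.environment.etc."nix/nix.conf".source} etc/nix/nix.conf` copies with a writable mode and makes that intent explicit. The copied host nix.conf also carries the host's substituters and trusted public keys into the runner environment, alongside the existing `accept-flake-config = true`; a one-line comment stating that the runner is meant to inherit the host's trust settings would help whoever audits this later. The enclosing script block starts before and continues after the hunk.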
diff --git a/nixos-modules/qois/loadbalancer/default.nix b/nixos-modules/qois/loadbalancer/default.nix index 56c7208..fe5477c 100644 --- a/nixos-modules/qois/loadbalancer/default.nix +++ b/nixos-modules/qois/loadbalancer/default.nix @@ -79,7 +79,7 @@ let in { - options.qois.loadbalancer = with lib; { + options.qois.loadbalancer = { enable = mkEnableOption "Enable services http+s loadbalancing"; domains = mkOption { diff --git a/defaults/webserver/default.nix b/nixos-modules/qois/nginx/default.nix similarity index 85% rename from defaults/webserver/default.nix rename to nixos-modules/qois/nginx/default.nix index 2aa4aaf..3fd799d 100644 --- a/defaults/webserver/default.nix +++ b/nixos-modules/qois/nginx/default.nix @@ -1,12 +1,9 @@ { - config, - lib, - pkgs, ... }: { - services.nginx = { + config.services.nginx = { recommendedTlsSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; diff --git a/nixos-modules/qois/vpn-exit-node/default.nix b/nixos-modules/qois/vpn-exit-node/default.nix new file mode 100644 index 0000000..aff1a84 --- /dev/null +++ b/nixos-modules/qois/vpn-exit-node/default.nix 
@@ -0,0 +1,50 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; +let + cfg = config.qois.vpn-exit-node; +in +{ + + options.qois.vpn-exit-node = { + enable = mkEnableOption "vpn exit node"; + domain = mkOption { + description = "Domain for the VPN admin server"; + type = types.str; + default = "vpn.qo.is"; + }; + }; + + config = mkIf cfg.enable { + + qois.backup-client.includePaths = [ "/var/lib/tailscale" ]; + + sops.secrets."tailscale/key".restartUnits = [ "tailscaled.service" ]; + + services.tailscale = { + enable = true; + openFirewall = true; + useRoutingFeatures = "server"; + authKeyFile = config.sops.secrets."tailscale/key".path; + extraUpFlags = + let + backplaneRoute = + with config.qois.meta.network.virtual.backplane.v4; + "${id}/${builtins.toString prefixLength}"; + in + [ + "--timeout 60s" + "--accept-dns=false" + "--accept-routes=false" + "--login-server=https://${cfg.domain}" + "--advertise-exit-node" + "--advertise-routes=${backplaneRoute}" + "--advertise-tags=tag:srv" + ]; + }; + }; +} diff --git a/nixos-modules/qois/vpn-server/default.nix b/nixos-modules/qois/vpn-server/default.nix index 5940292..d813532 100644 --- a/nixos-modules/qois/vpn-server/default.nix +++ b/nixos-modules/qois/vpn-server/default.nix 
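Review bot: `"--timeout 60s"` in `extraUpFlags` is a single list element containing a space; if the NixOS tailscale module passes each element as one shell-escaped argument (which is how I recall it building the `tailscale up` command), the flag parser sees a flag named `timeout 60s` and the autoconnect unit fails. The other entries use the `--flag=value` form, so `"--timeout=60s"` is both consistent and unambiguous. Worth confirming that the tailscale version in use knows `--timeout` at all, since an unknown flag aborts `tailscale up` the same way.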
@@ -8,14 +8,23 @@ with lib; let cfg = config.qois.vpn-server; cfgLoadbalancer = config.qois.loadbalancer; - defaultDnsRecords = mapAttrs ( - name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value} - ) cfgLoadbalancer.domains; + defaultDnsRecords = + (mapAttrs ( + name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value} + ) cfgLoadbalancer.domains) + // { + "vpn.qo.is" = config.services.headscale.address; + }; in { options.qois.vpn-server = { enable = mkEnableOption "Enable vpn server services"; + domain = mkOption { + description = "Domain for the VPN admin server"; + type = types.str; + default = "vpn.qo.is"; + }; dnsRecords = mkOption { description = "DNS records to add to Hosts"; type = with types; attrsOf str; @@ -32,18 +41,22 @@ in environment.systemPackages = [ pkgs.headscale ]; + # We bind to the backplane vpn IP, so wait for the wireguard net to be available + systemd.services.headscale.after = [ "wireguard-wg-backplane.service" ]; + qois.backup-client.includePaths = with config.services.headscale.settings; ( [ - db_path - private_key_path + database.sqlite.path + derp.server.private_key_path noise.private_key_path ] ++ derp.paths ); networking.firewall.checkReversePath = "loose"; + networking.firewall.allowedTCPPorts = [ config.services.headscale.port ]; networking.firewall.allowedUDPPorts = [ 41641 ]; @@ -51,7 +64,7 @@ in let vnet = config.qois.meta.network.virtual; vpnNet = vnet.vpn; - vpnNetPrefix = "${vpnNet.v4.id}/${builtins.toString vpnNet.v4.prefixLength}"; + vpnNetPrefix = "${vpnNet.v4.id}/${toString vpnNet.v4.prefixLength}"; backplaneNetPrefix = "${vnet.backplane.v4.id}/${builtins.toString vnet.backplane.v4.prefixLength}"; in { 
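Review bot: The new default DNS record in the `let` block hardcodes `"vpn.qo.is"` while the same hunk introduces `options.qois.vpn-server.domain` with that string as its default, so a host overriding `domain` keeps a record for the old name and gets none for the new one. `cfg` is already bound in this `let`, so `${cfg.domain} = config.services.headscale.address;` keeps the two in sync. The record points the login domain at headscale's backplane listen address (set in the `@@ -59` hunk below), which tailnet clients can only reach once the advertised backplane route is up; a comment saying that this is intended would help. The options block continues past the end of the hunk.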
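Review bot: `systemd.services.headscale.after = [ "wireguard-wg-backplane.service" ]` only orders the two units; it does not start the WireGuard unit when headscale is started or restarted on its own (for example via sops `restartUnits`), so the comment's promise to wait for the WireGuard net holds only when both units are in the same transaction. The backplane-net module in this commit pairs `requires` with `after` for wgautomesh, and the same shape fits here: `systemd.services.headscale = { requires = [ "wireguard-wg-backplane.service" ]; after = [ "wireguard-wg-backplane.service" ]; };` (use `wants` if a WireGuard restart should not take headscale down). Separately, `networking.firewall.allowedTCPPorts = [ config.services.headscale.port ]` opens the port on every interface although headscale binds only the backplane address; `networking.firewall.interfaces."wg-backplane".allowedTCPPorts` limits it to that interface, so a later change of the bind address cannot silently expose the control server. The enclosing `config` block starts before and ends after this hunk.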
@@ -59,19 +72,19 @@ in address = vnet.backplane.hosts.cyprianspitz.v4.ip; port = 46084; settings = { - server_url = "https://${vpnNet.domain}:443"; + server_url = "https://${cfg.domain}:443"; tls_letsencrypt_challenge_type = "TLS-ALPN-01"; tls_letsencrypt_hostname = vpnNet.domain; - dns_config = { - nameservers = [ vnet.backplane.hosts.calanda.v4.ip ]; - domains = [ - vpnNet.domain + dns = { + base_domain = vpnNet.domain; + magic_dns = true; + nameservers.global = [ "127.0.0.1" ]; + search_domains = [ + # First is base_domain by default with magic_dns vnet.backplane.domain ]; - magic_dns = true; - base_domain = vpnNet.domain; extra_records = pipe cfg.dnsRecords [ attrsToList (map (val: val // { type = "A"; })) 
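Review bot: `server_url` now derives from `cfg.domain`, but `tls_letsencrypt_hostname = vpnNet.domain` on the next line is unchanged, so overriding `domain` requests a certificate for a name that no longer matches the URL clients are sent to; `tls_letsencrypt_hostname = cfg.domain;` keeps them aligned (or `domain` should not be overridable). Also, `nameservers.global = [ "127.0.0.1" ]` is the resolver list headscale hands to every tailnet client, and each client interprets it as its own loopback rather than this host; the removed value was the calanda backplane address. If the intent is a resolver on this host, its backplane IP is what clients can reach — worth checking from a client that accepts DNS. The enclosing `services.headscale` block starts before and ends after this hunk.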
@@ -80,56 +93,64 @@ in ip_prefixes = [ vpnNetPrefix ]; - acl_policy_path = pkgs.writeTextFile { - name = "acls"; - text = builtins.toJSON { - hosts = { - "clients" = vpnNetPrefix; - }; - groups = { - "group:wheel" = cfg.wheelUsers; - }; - tagOwners = { - "tag:srv" = [ "srv" ]; # srv tag ist owned by srv user - }; - autoApprovers = { - exitNode = [ - "tag:srv" - "group:wheel" - ]; - routes = { - ${backplaneNetPrefix} = [ "tag:srv" ]; + policy = + let + # Note: headscale has limited acl support currently. This might change in the future. + aclPolicy = { + hosts = { + "clients" = vpnNetPrefix; }; - }; - - acls = [ - # Allow all communication from and to srv tagged hosts - { - action = "accept"; - src = [ + groups = { + "group:wheel" = cfg.wheelUsers; + }; + tagOwners = { + "tag:srv" = [ "srv" ]; # srv tag ist owned by srv user + }; + autoApprovers = { + exitNode = [ "tag:srv" - "srv" + "group:wheel" ]; - dst = [ "*:*" ]; - } - { - action = "accept"; - src = [ "*" ]; - dst = [ - "tag:srv:*" - "srv:*" - ]; - } + routes = { + ${backplaneNetPrefix} = [ "tag:srv" ]; + }; + }; - # Allow access to all connected hosts for wheels - { - action = "accept"; - src = [ "group:wheel" ]; - dst = [ "*:*" ]; - } - ]; + acls = [ + # Allow all communication from and to srv tagged hosts + { + action = "accept"; + src = [ + "tag:srv" + "srv" + ]; + dst = [ "*:*" ]; + } + { + action = "accept"; + src = [ "*" ]; + dst = [ + "tag:srv:*" + "srv:*" + ]; + } + + # Allow access to all connected hosts for wheels + { + action = "accept"; + src = [ "group:wheel" ]; + dst = [ "*:*" ]; + } + ]; + }; + in + { + mode = "file"; + path = pkgs.writeTextFile { + name = "acls"; + text = builtins.toJSON aclPolicy; + }; }; - }; }; }; }); diff --git a/nixos-modules/router-dhcp/default.nix b/nixos-modules/router-dhcp/default.nix index 6b63067..34d3b54 100644 --- a/nixos-modules/router-dhcp/default.nix +++ b/nixos-modules/router-dhcp/default.nix 
@@ -43,625 +43,630 @@ in }; config = mkIf cfg.enable { - services.dnsmasq.enable = true; - services.dnsmasq.extraConfig = '' - # Listen on this specific port instead of the standard DNS port - # (53). Setting this to zero completely disables DNS function, - # leaving only DHCP and/or TFTP. - port=${toString cfg.localDnsPort} - - # The following two options make you a better netizen, since they - # tell dnsmasq to filter out queries which the public DNS cannot - # answer, and which load the servers (especially the root servers) - # unnecessarily. If you have a dial-on-demand link they also stop - # these requests from bringing up the link unnecessarily. - - # Never forward plain names (without a dot or domain part) - domain-needed - # Never forward addresses in the non-routed address spaces. - bogus-priv - - - # Uncomment this to filter useless windows-originated DNS requests - # which can trigger dial-on-demand links needlessly. - # Note that (amongst other things) this blocks all SRV requests, - # so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. - # This option only affects forwarding, SRV records originating for - # dnsmasq (via srv-host= lines) are not suppressed by it. - #filterwin2k - - # Change this line if you want dns to get its upstream servers from - # somewhere other that /etc/resolv.conf - #resolv-file= - - # By default, dnsmasq will send queries to any of the upstream - # servers it knows about and tries to favour servers to are known - # to be up. Uncommenting this forces dnsmasq to try each query - # with each server strictly in the order they appear in - # /etc/resolv.conf - #strict-order - - # If you don't want dnsmasq to read /etc/resolv.conf or any other - # file, getting its servers from this file instead (see below), then - # uncomment this. - #no-resolv - - # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv - # files for changes and re-read them then uncomment this. 
- no-poll - - # Add other name servers here, with domain specs if they are for - # non-public domains. - #server=/localnet/192.168.0.1 - - # Example of routing PTR queries to nameservers: this will send all - # address->name queries for 192.168.3/24 to nameserver 10.1.2.3 - #server=/3.168.192.in-addr.arpa/10.1.2.3 - - # Add local-only domains here, queries in these domains are answered - # from /etc/hosts or DHCP only. - local=/${config.networking.hostName}/ - - # Add domains which you want to force to an IP address here. - # The example below send any host in double-click.net to a local - # web-server. - #address=/double-click.net/127.0.0.1 - address=/${config.networking.hostName}.${cfg.localDomain}/${routerCfg.internalRouterIP} - - # --address (and --server) work with IPv6 addresses too. - #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 - - # You can control how dnsmasq talks to a server: this forces - # queries to 10.1.2.3 to be routed via eth1 - # server=10.1.2.3@eth1 - - # and this sets the source (ie local) address used to talk to - # 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that - # IP on the machine, obviously). - # server=10.1.2.3@192.168.1.1#55 - - # If you want dnsmasq to change uid and gid to something other - # than the default, edit the following lines. - #user= - #group= - - # If you want dnsmasq to listen for DHCP and DNS requests only on - # specified interfaces (and the loopback) give the name of the - # interface (eg eth0) here. - # Repeat the line for more than one interface. - interface=${routerCfg.internalBridgeInterfaceName} - interface=lo - # Or you can specify which interface _not_ to listen on - #except-interface= - # Or which to listen on by address (remember to include 127.0.0.1 if - # you use this.) - #listen-address= - # If you want dnsmasq to provide only DNS service on an interface, - # configure it as shown above, and then use the following line to - # disable DHCP and TFTP on it. 
- no-dhcp-interface=lo - - # On systems which support it, dnsmasq binds the wildcard address, - # even when it is listening on only some interfaces. It then discards - # requests that it shouldn't reply to. This has the advantage of - # working even when interfaces come and go and change address. If you - # want dnsmasq to really bind only the interfaces it is listening on, - # uncomment this option. About the only time you may need this is when - # running another nameserver on the same machine. - bind-interfaces - - # If you don't want dnsmasq to read /etc/hosts, uncomment the - # following line. - no-hosts - # or if you want it to read another file, as well as /etc/hosts, use - # this. - #addn-hosts=/etc/banner_add_hosts - - # Set this (and domain: see below) if you want to have a domain - # automatically added to simple names in a hosts-file. - expand-hosts - - # Set the domain for dnsmasq. this is optional, but if it is set, it - # does the following things. - # 1) Allows DHCP hosts to have fully qualified domain names, as long - # as the domain part matches this setting. - # 2) Sets the "domain" DHCP option thereby potentially setting the - # domain of all systems configured by DHCP - # 3) Provides the domain part for "expand-hosts" - domain=${cfg.localDomain} - - # Set a different domain for a particular subnet - #domain=wireless.thekelleys.org.uk,192.168.2.0/24 - - # Same idea, but range rather then subnet - #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 - - # Uncomment this to enable the integrated DHCP server, you need - # to supply the range of addresses available for lease and optionally - # a lease time. If you have more than one network, you will need to - # repeat this for each network on which you want to supply DHCP - # service. - dhcp-range=${cfg.dhcpRange},48h - - # This is an example of a DHCP range where the netmask is given. This - # is needed for networks we reach the dnsmasq DHCP server via a relay - # agent. 
If you don't know what a DHCP relay agent is, you probably - # don't need to worry about this. - #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h - - # This is an example of a DHCP range which sets a tag, so that - # some DHCP options may be set only for this network. - #dhcp-range=set:red,192.168.0.50,192.168.0.150 - - # Use this DHCP range only when the tag "green" is set. - #dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h - - # Specify a subnet which can't be used for dynamic address allocation, - # is available for hosts with matching --dhcp-host lines. Note that - # dhcp-host declarations will be ignored unless there is a dhcp-range - # of some type for the subnet in question. - # In this case the netmask is implied (it comes from the network - # configuration on the machine running dnsmasq) it is possible to give - # an explicit netmask instead. - #dhcp-range=192.168.0.0,static - - # Enable DHCPv6. Note that the prefix-length does not need to be specified - # and defaults to 64 if missing/ - #dhcp-range=1234::2, 1234::500, 64, 12h - - # Do Router Advertisements, BUT NOT DHCP for this subnet. - #dhcp-range=1234::, ra-only - - # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and - # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack - # hosts. Use the DHCPv4 lease to derive the name, network segment and - # MAC address and assume that the host will also have an - # IPv6 address calculated using the SLAAC alogrithm. - #dhcp-range=1234::, ra-names - - # Do Router Advertisements, BUT NOT DHCP for this subnet. - # Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) - #dhcp-range=1234::, ra-only, 48h - - # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA - # so that clients can use SLAAC addresses as well as DHCP ones. - #dhcp-range=1234::2, 1234::500, slaac - - # Do Router Advertisements and stateless DHCP for this subnet. 
Clients will
- # not get addresses from DHCP, but they will get other configuration information.
- # They will use SLAAC for addresses.
- #dhcp-range=1234::, ra-stateless
-
- # Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
- # from DHCPv4 leases.
- #dhcp-range=1234::, ra-stateless, ra-names
-
- # Do router advertisements for all subnets where we're doing DHCPv6
- # Unless overriden by ra-stateless, ra-names, et al, the router
- # advertisements will have the M and O bits set, so that the clients
- # get addresses and configuration from DHCPv6, and the A bit reset, so the
- # clients don't use SLAAC addresses.
- #enable-ra
-
- # Supply parameters for specified hosts using DHCP. There are lots
- # of valid alternatives, so we will give examples of each. Note that
- # IP addresses DO NOT have to be in the range given above, they just
- # need to be on the same network. The order of the parameters in these
- # do not matter, it's permissible to give name, address and MAC in any
- # order.
-
- # Always allocate the host with Ethernet address 11:22:33:44:55:66
- # The IP address 192.168.0.60
- #dhcp-host=11:22:33:44:55:66,192.168.0.60
-
- # Always set the name of the host with hardware address
- # 11:22:33:44:55:66 to be "fred"
- #dhcp-host=11:22:33:44:55:66,fred
-
- # Always give the host with Ethernet address 11:22:33:44:55:66
- # the name fred and IP address 192.168.0.60 and lease time 45 minutes
- #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
-
- # Give a host with Ethernet address 11:22:33:44:55:66 or
- # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
- # that these two Ethernet interfaces will never be in use at the same
- # time, and give the IP address to the second, even if it is already
- # in use by the first. Useful for laptops with wired and wireless
- # addresses.
- #dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
-
- # Give the machine which says its name is "bert" IP address
- # 192.168.0.70 and an infinite lease
- #dhcp-host=bert,192.168.0.70,infinite
-
- # Always give the host with client identifier 01:02:02:04
- # the IP address 192.168.0.60
- #dhcp-host=id:01:02:02:04,192.168.0.60
-
- # Always give the host with client identifier "marjorie"
- # the IP address 192.168.0.60
- #dhcp-host=id:marjorie,192.168.0.60
-
- # Enable the address given for "judge" in /etc/hosts
- # to be given to a machine presenting the name "judge" when
- # it asks for a DHCP lease.
- #dhcp-host=judge
-
- # Never offer DHCP service to a machine whose Ethernet
- # address is 11:22:33:44:55:66
- #dhcp-host=11:22:33:44:55:66,ignore
-
- # Ignore any client-id presented by the machine with Ethernet
- # address 11:22:33:44:55:66. This is useful to prevent a machine
- # being treated differently when running under different OS's or
- # between PXE boot and OS boot.
- #dhcp-host=11:22:33:44:55:66,id:*
-
- # Send extra options which are tagged as "red" to
- # the machine with Ethernet address 11:22:33:44:55:66
- #dhcp-host=11:22:33:44:55:66,set:red
-
- # Send extra options which are tagged as "red" to
- # any machine with Ethernet address starting 11:22:33:
- #dhcp-host=11:22:33:*:*:*,set:red
-
- # Give a fixed IPv6 address and name to client with
- # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
- # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
- # Note also the they [] around the IPv6 address are obilgatory.
- #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
-
- # Ignore any clients which are not specified in dhcp-host lines
- # or /etc/ethers. Equivalent to ISC "deny unknown-clients".
- # This relies on the special "known" tag which is set when
- # a host is matched.
- #dhcp-ignore=tag:!known
-
- # Send extra options which are tagged as "red" to any machine whose
- # DHCP vendorclass string includes the substring "Linux"
- #dhcp-vendorclass=set:red,Linux
-
- # Send extra options which are tagged as "red" to any machine one
- # of whose DHCP userclass strings includes the substring "accounts"
- #dhcp-userclass=set:red,accounts
-
- # Send extra options which are tagged as "red" to any machine whose
- # MAC address matches the pattern.
- #dhcp-mac=set:red,00:60:8C:*:*:*
-
- # If this line is uncommented, dnsmasq will read /etc/ethers and act
- # on the ethernet-address/IP pairs found there just as if they had
- # been given as --dhcp-host options. Useful if you keep
- # MAC-address/host mappings there for other purposes.
- #read-ethers
-
- # Send options to hosts which ask for a DHCP lease.
- # See RFC 2132 for details of available options.
- # Common options can be given to dnsmasq by name:
- # run "dnsmasq --help dhcp" to get a list.
- # Note that all the common settings, such as netmask and
- # broadcast address, DNS server and default route, are given
- # sane defaults by dnsmasq. You very likely will not need
- # any dhcp-options. If you use Windows clients and Samba, there
- # are some options which are recommended, they are detailed at the
- # end of this section.
-
- # Override the default route supplied by dnsmasq, which assumes the
- # router is the same machine as the one running dnsmasq.
- #dhcp-option=3,1.2.3.4
- dhcp-option=6,${routerCfg.internalRouterIP}
-
- # Do the same thing, but using the option name
- #dhcp-option=option:router,1.2.3.4
-
- # Override the default route supplied by dnsmasq and send no default
- # route at all. Note that this only works for the options sent by
- # default (1, 3, 6, 12, 28) the same line will send a zero-length option
- # for all other option numbers.
- #dhcp-option=3
-
- # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
- #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
-
- # Send DHCPv6 option. Note [] around IPv6 addresses.
- #dhcp-option=option6:dns-server,[1234::77],[1234::88]
-
- # Send DHCPv6 option for namservers as the machine running
- # dnsmasq and another.
- #dhcp-option=option6:dns-server,[::],[1234::88]
-
- # Set the NTP time server address to be the same machine as
- # is running dnsmasq
- #dhcp-option=42,0.0.0.0
-
- # Set the NIS domain name to "welly"
- #dhcp-option=40,welly
-
- # Set the default time-to-live to 50
- #dhcp-option=23,50
-
- # Set the "all subnets are local" flag
- #dhcp-option=27,1
-
- # Send the etherboot magic flag and then etherboot options (a string).
- #dhcp-option=128,e4:45:74:68:00:00
- #dhcp-option=129,NIC=eepro100
-
- # Specify an option which will only be sent to the "red" network
- # (see dhcp-range for the declaration of the "red" network)
- # Note that the tag: part must precede the option: part.
- #dhcp-option = tag:red, option:ntp-server, 192.168.1.1
-
- # The following DHCP options set up dnsmasq in the same way as is specified
- # for the ISC dhcpcd in
- # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
- # adapted for a typical dnsmasq installation where the host running
- # dnsmasq is also the host running samba.
- # you may want to uncomment some or all of them if you use
- # Windows clients and Samba.
- #dhcp-option=19,0 # option ip-forwarding off
- #dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
- #dhcp-option=45,0.0.0.0 # netbios datagram distribution server
- #dhcp-option=46,8 # netbios node type
-
- # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
- #dhcp-option=252,"\n"
-
- # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
- # probably doesn't support this......
- dhcp-option=option:domain-search,${cfg.localDomain}
-
- # Send RFC-3442 classless static routes (note the netmask encoding)
- #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
-
- # Send vendor-class specific options encapsulated in DHCP option 43.
- # The meaning of the options is defined by the vendor-class so
- # options are sent only when the client supplied vendor class
- # matches the class given here. (A substring match is OK, so "MSFT"
- # matches "MSFT" and "MSFT 5.0"). This example sets the
- # mtftp address to 0.0.0.0 for PXEClients.
- #dhcp-option=vendor:PXEClient,1,0.0.0.0
-
- # Send microsoft-specific option to tell windows to release the DHCP lease
- # when it shuts down. Note the "i" flag, to tell dnsmasq to send the
- # value as a four-byte integer - that's what microsoft wants. See
- # http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
- #dhcp-option=vendor:MSFT,2,1i
-
- # Send the Encapsulated-vendor-class ID needed by some configurations of
- # Etherboot to allow is to recognise the DHCP server.
- #dhcp-option=vendor:Etherboot,60,"Etherboot"
-
- # Send options to PXELinux. Note that we need to send the options even
- # though they don't appear in the parameter request list, so we need
- # to use dhcp-option-force here.
- # See http://syslinux.zytor.com/pxe.php#special for details.
- # Magic number - needed before anything else is recognised
- #dhcp-option-force=208,f1:00:74:7e
- # Configuration file name
- #dhcp-option-force=209,configs/common
- # Path prefix
- #dhcp-option-force=210,/tftpboot/pxelinux/files/
- # Reboot time. (Note 'i' to send 32-bit value)
- #dhcp-option-force=211,30i
-
- # Set the boot filename for netboot/PXE. You will only need
- # this is you want to boot machines over the network and you will need
- # a TFTP server; either dnsmasq's built in TFTP server or an
- # external one. (See below for how to enable the TFTP server.)
- #dhcp-boot=pxelinux.0
-
- # The same as above, but use custom tftp-server instead machine running dnsmasq
- #dhcp-boot=pxelinux,server.name,192.168.1.100
-
- # Boot for Etherboot gPXE. The idea is to send two different
- # filenames, the first loads gPXE, and the second tells gPXE what to
- # load. The dhcp-match sets the gpxe tag for requests from gPXE.
- #dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
- #dhcp-boot=tag:!gpxe,undionly.kpxe
- #dhcp-boot=mybootimage
-
- # Encapsulated options for Etherboot gPXE. All the options are
- # encapsulated within option 175
- #dhcp-option=encap:175, 1, 5b # priority code
- #dhcp-option=encap:175, 176, 1b # no-proxydhcp
- #dhcp-option=encap:175, 177, string # bus-id
- #dhcp-option=encap:175, 189, 1b # BIOS drive code
- #dhcp-option=encap:175, 190, user # iSCSI username
- #dhcp-option=encap:175, 191, pass # iSCSI password
-
- # Test for the architecture of a netboot client. PXE clients are
- # supposed to send their architecture as option 93. (See RFC 4578)
- #dhcp-match=peecees, option:client-arch, 0 #x86-32
- #dhcp-match=itanics, option:client-arch, 2 #IA64
- #dhcp-match=hammers, option:client-arch, 6 #x86-64
- #dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
-
- # Do real PXE, rather than just booting a single file, this is an
- # alternative to dhcp-boot.
- #pxe-prompt="What system shall I netboot?"
- # or with timeout before first available action is taken:
- #pxe-prompt="Press F8 for menu.", 60
-
- # Available boot services. for PXE.
- #pxe-service=x86PC, "Boot from local disk"
-
- # Loads /pxelinux.0 from dnsmasq TFTP server.
- #pxe-service=x86PC, "Install Linux", pxelinux
-
- # Loads /pxelinux.0 from TFTP server at 1.2.3.4.
- # Beware this fails on old PXE ROMS.
- #pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
-
- # Use bootserver on network, found my multicast or broadcast.
- #pxe-service=x86PC, "Install windows from RIS server", 1
-
- # Use bootserver at a known IP address.
- #pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
-
- # If you have multicast-FTP available,
- # information for that can be passed in a similar way using options 1
- # to 5. See page 19 of
- # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
-
-
- # Enable dnsmasq's built-in TFTP server
- #enable-tftp
-
- # Set the root directory for files available via FTP.
- #tftp-root=/var/ftpd
-
- # Make the TFTP server more secure: with this set, only files owned by
- # the user dnsmasq is running as will be send over the net.
- #tftp-secure
-
- # This option stops dnsmasq from negotiating a larger blocksize for TFTP
- # transfers. It will slow things down, but may rescue some broken TFTP
- # clients.
- #tftp-no-blocksize
-
- # Set the boot file name only when the "red" tag is set.
- #dhcp-boot=net:red,pxelinux.red-net
-
- # An example of dhcp-boot with an external TFTP server: the name and IP
- # address of the server are given after the filename.
- # Can fail with old PXE ROMS. Overridden by --pxe-service.
- #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
-
- # If there are multiple external tftp servers having a same name
- # (using /etc/hosts) then that name can be specified as the
- # tftp_servername (the third option to dhcp-boot) and in that
- # case dnsmasq resolves this name and returns the resultant IP
- # addresses in round robin fasion. This facility can be used to
- # load balance the tftp load among a set of servers.
- #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
-
- # Set the limit on DHCP leases, the default is 150
- #dhcp-lease-max=150
-
- # The DHCP server needs somewhere on disk to keep its lease database.
- # This defaults to a sane location, but if you want to change it, use
- # the line below.
- #dhcp-leasefile=/var/lib/misc/dnsmasq.leases
-
- # Set the DHCP server to authoritative mode.
In this mode it will barge in
- # and take over the lease for any client which broadcasts on the network,
- # whether it has a record of the lease or not. This avoids long timeouts
- # when a machine wakes up on a new network. DO NOT enable this if there's
- # the slightest chance that you might end up accidentally configuring a DHCP
- # server for your campus/company accidentally. The ISC server uses
- # the same option, and this URL provides more information:
- # http://www.isc.org/files/auth.html
- dhcp-authoritative
-
- # Run an executable when a DHCP lease is created or destroyed.
- # The arguments sent to the script are "add" or "del",
- # then the MAC address, the IP address and finally the hostname
- # if there is one.
- #dhcp-script=/bin/echo
-
- # Set the cachesize here.
- #cache-size=150
-
- # If you want to disable negative caching, uncomment this.
- #no-negcache
-
- # Normally responses which come form /etc/hosts and the DHCP lease
- # file have Time-To-Live set as zero, which conventionally means
- # do not cache further. If you are happy to trade lower load on the
- # server for potentially stale date, you can set a time-to-live (in
- # seconds) here.
- #local-ttl=
-
- # If you want dnsmasq to detect attempts by Verisign to send queries
- # to unregistered .com and .net hosts to its sitefinder service and
- # have dnsmasq instead return the correct NXDOMAIN response, uncomment
- # this line. You can add similar lines to do the same for other
- # registries which have implemented wildcard A records.
- #bogus-nxdomain=64.94.110.11
-
- # If you want to fix up DNS results from upstream servers, use the
- # alias option. This only works for IPv4.
- # This alias makes a result of 1.2.3.4 appear as 5.6.7.8
- #alias=1.2.3.4,5.6.7.8
- # and this maps 1.2.3.x to 5.6.7.x
- #alias=1.2.3.0,5.6.7.0,255.255.255.0
- # and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
- #alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
-
- # Change these lines if you want dnsmasq to serve MX records.
-
- # Return an MX record named "maildomain.com" with target
- # servermachine.com and preference 50
- #mx-host=maildomain.com,servermachine.com,50
-
- # Set the default target for MX records created using the localmx option.
- #mx-target=servermachine.com
-
- # Return an MX record pointing to the mx-target for all local
- # machines.
- #localmx
-
- # Return an MX record pointing to itself for all local machines.
- #selfmx
-
- # Change the following lines if you want dnsmasq to serve SRV
- # records. These are useful if you want to serve ldap requests for
- # Active Directory and other windows-originated DNS requests.
- # See RFC 2782.
- # You may add multiple srv-host lines.
- # The fields are ,,,,
- # If the domain part if missing from the name (so that is just has the
- # service and protocol sections) then the domain given by the domain=
- # config option is used. (Note that expand-hosts does not need to be
- # set for this to work.)
-
- # A SRV record sending LDAP for the example.com domain to
- # ldapserver.example.com port 389
- #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
-
- # A SRV record sending LDAP for the example.com domain to
- # ldapserver.example.com port 389 (using domain=)
- #domain=example.com
- #srv-host=_ldap._tcp,ldapserver.example.com,389
-
- # Two SRV records for LDAP, each with different priorities
- #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
- #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
-
- # A SRV record indicating that there is no LDAP server for the domain
- # example.com
- #srv-host=_ldap._tcp.example.com
-
- # The following line shows how to make dnsmasq serve an arbitrary PTR
- # record. This is useful for DNS-SD. (Note that the
- # domain-name expansion done for SRV records _does_not
- # occur for PTR records.)
- #ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
-
- # Change the following lines to enable dnsmasq to serve TXT records.
- # These are used for things like SPF and zeroconf. (Note that the
- # domain-name expansion done for SRV records _does_not
- # occur for TXT records.)
-
- #Example SPF.
- #txt-record=example.com,"v=spf1 a -all"
-
- #Example zeroconf
- #txt-record=_http._tcp.example.com,name=value,paper=A4
-
- # Provide an alias for a "local" DNS name. Note that this _only_ works
- # for targets which are names from DHCP or /etc/hosts. Give host
- # "bert" another name, bertrand
- #cname=bertand,bert
-
- # For debugging purposes, log each DNS query as it passes through
- # dnsmasq.
- #log-queries
-
- # Log lots of extra information about DHCP transactions.
- #log-dhcp
- '';
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ # Listen on this specific port instead of the standard DNS port
+ # (53). Setting this to zero completely disables DNS function,
+ # leaving only DHCP and/or TFTP.
+ port = cfg.localDnsPort;
+
+ # The following two options make you a better netizen, since they
+ # tell dnsmasq to filter out queries which the public DNS cannot
+ # answer, and which load the servers (especially the root servers)
+ # unnecessarily. If you have a dial-on-demand link they also stop
+ # these requests from bringing up the link unnecessarily.
+
+ # Never forward plain names (without a dot or domain part)
+ domain-needed = true;
+ # Never forward addresses in the non-routed address spaces.
+ bogus-priv = true;
+
+ # Uncomment this to filter useless windows-originated DNS requests
+ # which can trigger dial-on-demand links needlessly.
+ # Note that (amongst other things) this blocks all SRV requests,
+ # so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+ # This option only affects forwarding, SRV records originating for
+ # dnsmasq (via srv-host= lines) are not suppressed by it.
+ #filterwin2k
+
+ # Change this line if you want dns to get its upstream servers from
+ # somewhere other that /etc/resolv.conf
+ #resolv-file=
+
+ # By default, dnsmasq will send queries to any of the upstream
+ # servers it knows about and tries to favour servers to are known
+ # to be up. Uncommenting this forces dnsmasq to try each query
+ # with each server strictly in the order they appear in
+ # /etc/resolv.conf
+ #strict-order
+
+ # If you don't want dnsmasq to read /etc/resolv.conf or any other
+ # file, getting its servers from this file instead (see below), then
+ # uncomment this.
+ #no-resolv
+
+ # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+ # files for changes and re-read them then uncomment this.
+ no-poll = true;
+
+ # Add other name servers here, with domain specs if they are for
+ # non-public domains.
+ #server=/localnet/192.168.0.1
+
+ # Example of routing PTR queries to nameservers: this will send all
+ # address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+ #server=/3.168.192.in-addr.arpa/10.1.2.3
+
+ # Add local-only domains here, queries in these domains are answered
+ # from /etc/hosts or DHCP only.
+ local = "/${config.networking.hostName}/";
+
+ # Add domains which you want to force to an IP address here.
+ # The example below send any host in double-click.net to a local
+ # web-server.
+ #address=/double-click.net/127.0.0.1
+ address = "/${config.networking.hostName}.${cfg.localDomain}/${routerCfg.internalRouterIP}";
+
+ # --address (and --server) work with IPv6 addresses too.
+ #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+ # You can control how dnsmasq talks to a server: this forces
+ # queries to 10.1.2.3 to be routed via eth1
+ # server=10.1.2.3@eth1
+
+ # and this sets the source (ie local) address used to talk to
+ # 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
+ # IP on the machine, obviously).
+ # server=10.1.2.3@192.168.1.1#55
+
+ # If you want dnsmasq to change uid and gid to something other
+ # than the default, edit the following lines.
+ #user=
+ #group=
+
+ # If you want dnsmasq to listen for DHCP and DNS requests only on
+ # specified interfaces (and the loopback) give the name of the
+ # interface (eg eth0) here.
+ # Repeat the line for more than one interface.
+ interface = [
+ routerCfg.internalBridgeInterfaceName
+ "lo"
+ ];
+ # Or you can specify which interface _not_ to listen on
+ #except-interface=
+ # Or which to listen on by address (remember to include 127.0.0.1 if
+ # you use this.)
+ #listen-address=
+ # If you want dnsmasq to provide only DNS service on an interface,
+ # configure it as shown above, and then use the following line to
+ # disable DHCP and TFTP on it.
+ no-dhcp-interface = "lo";
+
+ # On systems which support it, dnsmasq binds the wildcard address,
+ # even when it is listening on only some interfaces. It then discards
+ # requests that it shouldn't reply to. This has the advantage of
+ # working even when interfaces come and go and change address. If you
+ # want dnsmasq to really bind only the interfaces it is listening on,
+ # uncomment this option. About the only time you may need this is when
+ # running another nameserver on the same machine.
+ bind-interfaces = true;
+
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+ no-hosts = true;
+ # or if you want it to read another file, as well as /etc/hosts, use
+ # this.
+ #addn-hosts=/etc/banner_add_hosts
+
+ # Set this (and domain: see below) if you want to have a domain
+ # automatically added to simple names in a hosts-file.
+ expand-hosts = true;
+
+ # Set the domain for dnsmasq. this is optional, but if it is set, it
+ # does the following things.
+ # 1) Allows DHCP hosts to have fully qualified domain names, as long
+ # as the domain part matches this setting.
+ # 2) Sets the "domain" DHCP option thereby potentially setting the
+ # domain of all systems configured by DHCP
+ # 3) Provides the domain part for "expand-hosts"
+ domain = cfg.localDomain;
+
+ # Set a different domain for a particular subnet
+ #domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+ # Same idea, but range rather then subnet
+ #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+ # Uncomment this to enable the integrated DHCP server, you need
+ # to supply the range of addresses available for lease and optionally
+ # a lease time. If you have more than one network, you will need to
+ # repeat this for each network on which you want to supply DHCP
+ # service.
+ dhcp-range = "${cfg.dhcpRange},48h";
+
+ # This is an example of a DHCP range where the netmask is given.
This
+ # is needed for networks we reach the dnsmasq DHCP server via a relay
+ # agent. If you don't know what a DHCP relay agent is, you probably
+ # don't need to worry about this.
+ #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+ # This is an example of a DHCP range which sets a tag, so that
+ # some DHCP options may be set only for this network.
+ #dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+ # Use this DHCP range only when the tag "green" is set.
+ #dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+ # Specify a subnet which can't be used for dynamic address allocation,
+ # is available for hosts with matching --dhcp-host lines. Note that
+ # dhcp-host declarations will be ignored unless there is a dhcp-range
+ # of some type for the subnet in question.
+ # In this case the netmask is implied (it comes from the network
+ # configuration on the machine running dnsmasq) it is possible to give
+ # an explicit netmask instead.
+ #dhcp-range=192.168.0.0,static
+
+ # Enable DHCPv6. Note that the prefix-length does not need to be specified
+ # and defaults to 64 if missing/
+ #dhcp-range=1234::2, 1234::500, 64, 12h
+
+ # Do Router Advertisements, BUT NOT DHCP for this subnet.
+ #dhcp-range=1234::, ra-only
+
+ # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+ # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+ # hosts. Use the DHCPv4 lease to derive the name, network segment and
+ # MAC address and assume that the host will also have an
+ # IPv6 address calculated using the SLAAC alogrithm.
+ #dhcp-range=1234::, ra-names
+
+ # Do Router Advertisements, BUT NOT DHCP for this subnet.
+ # Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+ #dhcp-range=1234::, ra-only, 48h
+
+ # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+ # so that clients can use SLAAC addresses as well as DHCP ones.
+ #dhcp-range=1234::2, 1234::500, slaac
+
+ # Do Router Advertisements and stateless DHCP for this subnet. Clients will
+ # not get addresses from DHCP, but they will get other configuration information.
+ # They will use SLAAC for addresses.
+ #dhcp-range=1234::, ra-stateless
+
+ # Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+ # from DHCPv4 leases.
+ #dhcp-range=1234::, ra-stateless, ra-names
+
+ # Do router advertisements for all subnets where we're doing DHCPv6
+ # Unless overriden by ra-stateless, ra-names, et al, the router
+ # advertisements will have the M and O bits set, so that the clients
+ # get addresses and configuration from DHCPv6, and the A bit reset, so the
+ # clients don't use SLAAC addresses.
+ #enable-ra
+
+ # Supply parameters for specified hosts using DHCP. There are lots
+ # of valid alternatives, so we will give examples of each. Note that
+ # IP addresses DO NOT have to be in the range given above, they just
+ # need to be on the same network. The order of the parameters in these
+ # do not matter, it's permissible to give name, address and MAC in any
+ # order.
+
+ # Always allocate the host with Ethernet address 11:22:33:44:55:66
+ # The IP address 192.168.0.60
+ #dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+ # Always set the name of the host with hardware address
+ # 11:22:33:44:55:66 to be "fred"
+ #dhcp-host=11:22:33:44:55:66,fred
+
+ # Always give the host with Ethernet address 11:22:33:44:55:66
+ # the name fred and IP address 192.168.0.60 and lease time 45 minutes
+ #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+ # Give a host with Ethernet address 11:22:33:44:55:66 or
+ # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+ # that these two Ethernet interfaces will never be in use at the same
+ # time, and give the IP address to the second, even if it is already
+ # in use by the first. Useful for laptops with wired and wireless
+ # addresses.
+ #dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+ # Give the machine which says its name is "bert" IP address
+ # 192.168.0.70 and an infinite lease
+ #dhcp-host=bert,192.168.0.70,infinite
+
+ # Always give the host with client identifier 01:02:02:04
+ # the IP address 192.168.0.60
+ #dhcp-host=id:01:02:02:04,192.168.0.60
+
+ # Always give the host with client identifier "marjorie"
+ # the IP address 192.168.0.60
+ #dhcp-host=id:marjorie,192.168.0.60
+
+ # Enable the address given for "judge" in /etc/hosts
+ # to be given to a machine presenting the name "judge" when
+ # it asks for a DHCP lease.
+ #dhcp-host=judge
+
+ # Never offer DHCP service to a machine whose Ethernet
+ # address is 11:22:33:44:55:66
+ #dhcp-host=11:22:33:44:55:66,ignore
+
+ # Ignore any client-id presented by the machine with Ethernet
+ # address 11:22:33:44:55:66. This is useful to prevent a machine
+ # being treated differently when running under different OS's or
+ # between PXE boot and OS boot.
+ #dhcp-host=11:22:33:44:55:66,id:*
+
+ # Send extra options which are tagged as "red" to
+ # the machine with Ethernet address 11:22:33:44:55:66
+ #dhcp-host=11:22:33:44:55:66,set:red
+
+ # Send extra options which are tagged as "red" to
+ # any machine with Ethernet address starting 11:22:33:
+ #dhcp-host=11:22:33:*:*:*,set:red
+
+ # Give a fixed IPv6 address and name to client with
+ # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+ # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+ # Note also the they [] around the IPv6 address are obilgatory.
+ #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
+
+ # Ignore any clients which are not specified in dhcp-host lines
+ # or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+ # This relies on the special "known" tag which is set when
+ # a host is matched.
+ #dhcp-ignore=tag:!known
+
+ # Send extra options which are tagged as "red" to any machine whose
+ # DHCP vendorclass string includes the substring "Linux"
+ #dhcp-vendorclass=set:red,Linux
+
+ # Send extra options which are tagged as "red" to any machine one
+ # of whose DHCP userclass strings includes the substring "accounts"
+ #dhcp-userclass=set:red,accounts
+
+ # Send extra options which are tagged as "red" to any machine whose
+ # MAC address matches the pattern.
+ #dhcp-mac=set:red,00:60:8C:*:*:*
+
+ # If this line is uncommented, dnsmasq will read /etc/ethers and act
+ # on the ethernet-address/IP pairs found there just as if they had
+ # been given as --dhcp-host options. Useful if you keep
+ # MAC-address/host mappings there for other purposes.
+ #read-ethers
+
+ # Send options to hosts which ask for a DHCP lease.
+ # See RFC 2132 for details of available options.
+ # Common options can be given to dnsmasq by name:
+ # run "dnsmasq --help dhcp" to get a list.
+ # Note that all the common settings, such as netmask and
+ # broadcast address, DNS server and default route, are given
+ # sane defaults by dnsmasq. You very likely will not need
+ # any dhcp-options. If you use Windows clients and Samba, there
+ # are some options which are recommended, they are detailed at the
+ # end of this section.
+
+ dhcp-option = [
+ # Override the default route supplied by dnsmasq, which assumes the
+ # router is the same machine as the one running dnsmasq.
+ #dhcp-option=3,1.2.3.4
+ "6,${routerCfg.internalRouterIP}"
+
+ # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+ # probably doesn't support this......
+ "option:domain-search,${cfg.localDomain}"
+
+ ];
+
+ # Do the same thing, but using the option name
+ #dhcp-option=option:router,1.2.3.4
+
+ # Override the default route supplied by dnsmasq and send no default
+ # route at all.
Note that this only works for the options sent by
+ # default (1, 3, 6, 12, 28) the same line will send a zero-length option
+ # for all other option numbers.
+ #dhcp-option=3
+
+ # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+ #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+ # Send DHCPv6 option. Note [] around IPv6 addresses.
+ #dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+ # Send DHCPv6 option for namservers as the machine running
+ # dnsmasq and another.
+ #dhcp-option=option6:dns-server,[::],[1234::88]
+
+ # Set the NTP time server address to be the same machine as
+ # is running dnsmasq
+ #dhcp-option=42,0.0.0.0
+
+ # Set the NIS domain name to "welly"
+ #dhcp-option=40,welly
+
+ # Set the default time-to-live to 50
+ #dhcp-option=23,50
+
+ # Set the "all subnets are local" flag
+ #dhcp-option=27,1
+
+ # Send the etherboot magic flag and then etherboot options (a string).
+ #dhcp-option=128,e4:45:74:68:00:00
+ #dhcp-option=129,NIC=eepro100
+
+ # Specify an option which will only be sent to the "red" network
+ # (see dhcp-range for the declaration of the "red" network)
+ # Note that the tag: part must precede the option: part.
+ #dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+ # The following DHCP options set up dnsmasq in the same way as is specified
+ # for the ISC dhcpcd in
+ # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+ # adapted for a typical dnsmasq installation where the host running
+ # dnsmasq is also the host running samba.
+ # you may want to uncomment some or all of them if you use
+ # Windows clients and Samba.
+ #dhcp-option=19,0 # option ip-forwarding off
+ #dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+ #dhcp-option=45,0.0.0.0 # netbios datagram distribution server
+ #dhcp-option=46,8 # netbios node type
+
+ # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+ #dhcp-option=252,"\n"
+
+ # Send RFC-3442 classless static routes (note the netmask encoding)
+ #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+ # Send vendor-class specific options encapsulated in DHCP option 43.
+ # The meaning of the options is defined by the vendor-class so
+ # options are sent only when the client supplied vendor class
+ # matches the class given here. (A substring match is OK, so "MSFT"
+ # matches "MSFT" and "MSFT 5.0"). This example sets the
+ # mtftp address to 0.0.0.0 for PXEClients.
+ #dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+ # Send microsoft-specific option to tell windows to release the DHCP lease
+ # when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+ # value as a four-byte integer - that's what microsoft wants. See
+ # http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+ #dhcp-option=vendor:MSFT,2,1i
+
+ # Send the Encapsulated-vendor-class ID needed by some configurations of
+ # Etherboot to allow is to recognise the DHCP server.
+ #dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+ # Send options to PXELinux. Note that we need to send the options even
+ # though they don't appear in the parameter request list, so we need
+ # to use dhcp-option-force here.
+ # See http://syslinux.zytor.com/pxe.php#special for details.
+ # Magic number - needed before anything else is recognised
+ #dhcp-option-force=208,f1:00:74:7e
+ # Configuration file name
+ #dhcp-option-force=209,configs/common
+ # Path prefix
+ #dhcp-option-force=210,/tftpboot/pxelinux/files/
+ # Reboot time. (Note 'i' to send 32-bit value)
+ #dhcp-option-force=211,30i
+
+ # Set the boot filename for netboot/PXE. You will only need
+ # this is you want to boot machines over the network and you will need
+ # a TFTP server; either dnsmasq's built in TFTP server or an
+ # external one. (See below for how to enable the TFTP server.)
+ #dhcp-boot=pxelinux.0
+
+ # The same as above, but use custom tftp-server instead machine running dnsmasq
+ #dhcp-boot=pxelinux,server.name,192.168.1.100
+
+ # Boot for Etherboot gPXE. The idea is to send two different
+ # filenames, the first loads gPXE, and the second tells gPXE what to
+ # load. The dhcp-match sets the gpxe tag for requests from gPXE.
+ #dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
+ #dhcp-boot=tag:!gpxe,undionly.kpxe
+ #dhcp-boot=mybootimage
+
+ # Encapsulated options for Etherboot gPXE. All the options are
+ # encapsulated within option 175
+ #dhcp-option=encap:175, 1, 5b # priority code
+ #dhcp-option=encap:175, 176, 1b # no-proxydhcp
+ #dhcp-option=encap:175, 177, string # bus-id
+ #dhcp-option=encap:175, 189, 1b # BIOS drive code
+ #dhcp-option=encap:175, 190, user # iSCSI username
+ #dhcp-option=encap:175, 191, pass # iSCSI password
+
+ # Test for the architecture of a netboot client. PXE clients are
+ # supposed to send their architecture as option 93. (See RFC 4578)
+ #dhcp-match=peecees, option:client-arch, 0 #x86-32
+ #dhcp-match=itanics, option:client-arch, 2 #IA64
+ #dhcp-match=hammers, option:client-arch, 6 #x86-64
+ #dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+ # Do real PXE, rather than just booting a single file, this is an
+ # alternative to dhcp-boot.
+ #pxe-prompt="What system shall I netboot?"
+ # or with timeout before first available action is taken:
+ #pxe-prompt="Press F8 for menu.", 60
+
+ # Available boot services. for PXE.
+ #pxe-service=x86PC, "Boot from local disk"
+
+ # Loads /pxelinux.0 from dnsmasq TFTP server.
+ #pxe-service=x86PC, "Install Linux", pxelinux
+
+ # Loads /pxelinux.0 from TFTP server at 1.2.3.4.
+ # Beware this fails on old PXE ROMS.
+ #pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+ # Use bootserver on network, found my multicast or broadcast.
+ #pxe-service=x86PC, "Install windows from RIS server", 1
+
+ # Use bootserver at a known IP address.
+ #pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+ # If you have multicast-FTP available,
+ # information for that can be passed in a similar way using options 1
+ # to 5. See page 19 of
+ # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+ # Enable dnsmasq's built-in TFTP server
+ #enable-tftp
+
+ # Set the root directory for files available via FTP.
+ #tftp-root=/var/ftpd
+
+ # Make the TFTP server more secure: with this set, only files owned by
+ # the user dnsmasq is running as will be send over the net.
+ #tftp-secure
+
+ # This option stops dnsmasq from negotiating a larger blocksize for TFTP
+ # transfers. It will slow things down, but may rescue some broken TFTP
+ # clients.
+ #tftp-no-blocksize
+
+ # Set the boot file name only when the "red" tag is set.
+ #dhcp-boot=net:red,pxelinux.red-net
+
+ # An example of dhcp-boot with an external TFTP server: the name and IP
+ # address of the server are given after the filename.
+ # Can fail with old PXE ROMS. Overridden by --pxe-service.
+ #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+ # If there are multiple external tftp servers having a same name
+ # (using /etc/hosts) then that name can be specified as the
+ # tftp_servername (the third option to dhcp-boot) and in that
+ # case dnsmasq resolves this name and returns the resultant IP
+ # addresses in round robin fasion. This facility can be used to
+ # load balance the tftp load among a set of servers.
+ #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+ # Set the limit on DHCP leases, the default is 150
+ #dhcp-lease-max=150
+
+ # The DHCP server needs somewhere on disk to keep its lease database.
+ # This defaults to a sane location, but if you want to change it, use
+ # the line below.
+ #dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+ # Set the DHCP server to authoritative mode. In this mode it will barge in
+ # and take over the lease for any client which broadcasts on the network,
+ # whether it has a record of the lease or not. This avoids long timeouts
+ # when a machine wakes up on a new network. DO NOT enable this if there's
+ # the slightest chance that you might end up accidentally configuring a DHCP
+ # server for your campus/company accidentally. The ISC server uses
+ # the same option, and this URL provides more information:
+ # http://www.isc.org/files/auth.html
+ dhcp-authoritative = true;
+
+ # Run an executable when a DHCP lease is created or destroyed.
+ # The arguments sent to the script are "add" or "del",
+ # then the MAC address, the IP address and finally the hostname
+ # if there is one.
+ #dhcp-script=/bin/echo
+
+ # Set the cachesize here.
+ #cache-size=150
+
+ # If you want to disable negative caching, uncomment this.
+ #no-negcache
+
+ # Normally responses which come form /etc/hosts and the DHCP lease
+ # file have Time-To-Live set as zero, which conventionally means
+ # do not cache further. If you are happy to trade lower load on the
+ # server for potentially stale date, you can set a time-to-live (in
+ # seconds) here.
+ #local-ttl=
+
+ # If you want dnsmasq to detect attempts by Verisign to send queries
+ # to unregistered .com and .net hosts to its sitefinder service and
+ # have dnsmasq instead return the correct NXDOMAIN response, uncomment
+ # this line. You can add similar lines to do the same for other
+ # registries which have implemented wildcard A records.
+ #bogus-nxdomain=64.94.110.11
+
+ # If you want to fix up DNS results from upstream servers, use the
+ # alias option. This only works for IPv4.
+ # This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+ #alias=1.2.3.4,5.6.7.8
+ # and this maps 1.2.3.x to 5.6.7.x
+ #alias=1.2.3.0,5.6.7.0,255.255.255.0
+ # and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+ #alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+ # Change these lines if you want dnsmasq to serve MX records.
+
+ # Return an MX record named "maildomain.com" with target
+ # servermachine.com and preference 50
+ #mx-host=maildomain.com,servermachine.com,50
+
+ # Set the default target for MX records created using the localmx option.
+ #mx-target=servermachine.com
+
+ # Return an MX record pointing to the mx-target for all local
+ # machines.
+ #localmx
+
+ # Return an MX record pointing to itself for all local machines.
+ #selfmx
+
+ # Change the following lines if you want dnsmasq to serve SRV
+ # records. These are useful if you want to serve ldap requests for
+ # Active Directory and other windows-originated DNS requests.
+ # See RFC 2782.
+ # You may add multiple srv-host lines.
+ # The fields are ,,,,
+ # If the domain part if missing from the name (so that is just has the
+ # service and protocol sections) then the domain given by the domain=
+ # config option is used. (Note that expand-hosts does not need to be
+ # set for this to work.)
+
+ # A SRV record sending LDAP for the example.com domain to
+ # ldapserver.example.com port 389
+ #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+ # A SRV record sending LDAP for the example.com domain to
+ # ldapserver.example.com port 389 (using domain=)
+ #domain=example.com
+ #srv-host=_ldap._tcp,ldapserver.example.com,389
+
+ # Two SRV records for LDAP, each with different priorities
+ #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+ #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+ # A SRV record indicating that there is no LDAP server for the domain
+ # example.com
+ #srv-host=_ldap._tcp.example.com
+
+ # The following line shows how to make dnsmasq serve an arbitrary PTR
+ # record. This is useful for DNS-SD. (Note that the
+ # domain-name expansion done for SRV records _does_not
+ # occur for PTR records.)
+ #ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+ # Change the following lines to enable dnsmasq to serve TXT records.
+ # These are used for things like SPF and zeroconf. (Note that the
+ # domain-name expansion done for SRV records _does_not
+ # occur for TXT records.)
+
+ #Example SPF.
+ #txt-record=example.com,"v=spf1 a -all"
+
+ #Example zeroconf
+ #txt-record=_http._tcp.example.com,name=value,paper=A4
+
+ # Provide an alias for a "local" DNS name. Note that this _only_ works
+ # for targets which are names from DHCP or /etc/hosts. Give host
+ # "bert" another name, bertrand
+ #cname=bertand,bert
+
+ # For debugging purposes, log each DNS query as it passes through
+ # dnsmasq.
+ #log-queries
+
+ # Log lots of extra information about DHCP transactions.
+ #log-dhcp
+ };
+ };
 systemd.services.dnsmasq = {
 bindsTo = [ "network-addresses-${routerCfg.internalBridgeInterfaceName}.service" ];
diff --git a/nixos-modules/router-wireless-ap/default.nix b/nixos-modules/router-wireless-ap/default.nix
index 6edbd7e..6c31b77 100644
--- a/nixos-modules/router-wireless-ap/default.nix
+++ b/nixos-modules/router-wireless-ap/default.nix
@@ -63,6 +63,7 @@ in
 enable = wle24GhzEnabled;
 radios.${cfg.wleInterface24Ghz} = {
+ channel = 6;
 wifi4.enable = true;
 wifi4.capabilities = [
 "HT40-"
diff --git a/nixos-modules/vault/default.nix b/nixos-modules/vault/default.nix
index e61b5fe..36332af 100644
--- a/nixos-modules/vault/default.nix
+++ b/nixos-modules/vault/default.nix
@@ -48,8 +48,6 @@ with lib;
 };
 };
- qois.postgresql.enable = true;
- qois.backup-client.includePaths = [ config.services.vaultwarden.config.DATA_FOLDER ];
 services.postgresql =
@@ -57,6 +55,7 @@ with lib;
 name = config.users.users.vaultwarden.name;
 in
 {
+ enable = true;
 ensureUsers = [
 {
 inherit name;
@@ -81,7 +80,7 @@ with lib;
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
 proxyWebsockets = true;
 };
 };
diff --git a/updates.md b/updates.md
index 81a414d..5d7a6e3 100644
--- a/updates.md
+++ b/updates.md
@@ -28,7 +28,7 @@ deploy-qois .#lindberg-nextcloud .#lindberg-build
 deploy-qois .#lindberg
 # Deploy slow physical hosts (maybe do individually)
-deploy-qois --confirm-timeout 600 --activation-timeout 600 --targets .#fulberg .#tierberg .#stompert .#stompert
+deploy-qois --confirm-timeout 600 --activation-timeout 600 --targets .#tierberg .#stompert .#stompert
 ```
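Review bot: `channel = 6;` hard-codes the 2.4 GHz channel right next to `radios.${cfg.wleInterface24Ghz}`, which is already driven by a module option, so a per-site value cannot be set without editing the module; consider an option such as `wleChannel24Ghz` with a default of 6 and use `channel = cfg.wleChannel24Ghz;` here. A short why-comment on the line would also help the next reader, since a fixed channel rather than automatic selection is usually a deliberate choice, e.g. `# Pinned channel; see <reason> for why auto-selection is not used`. The enclosing `radios` attribute set continues outside the hunk.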
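Review bot: Removing `qois.backup-client.includePaths = [ config.services.vaultwarden.config.DATA_FOLDER ];` in the first vault hunk takes the vaultwarden data folder out of the backup set, and swapping `qois.postgresql.enable = true;` for the plain `enable = true;` on `services.postgresql` in the second hunk presumably also drops whatever the in-house postgresql module layered on top (a database backup is the likely candidate, though that module is not visible here). Nothing in this diff re-adds either, so unless they are covered elsewhere in the commit the vault would end up with neither its files nor its database backed up. If the removal is intentional, a comment naming where backups now happen, e.g. `# Backups for DATA_FOLDER and the database are configured in <module>`, would stop a future reader from restoring these lines blindly; the surrounding module starts and ends outside the hunks.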
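Review bot: The `proxyPass` change from `localhost` to `127.0.0.1` in the third vault hunk pins the upstream to IPv4, which is only correct if vaultwarden's listen address (`ROCKET_ADDRESS`, set outside this hunk) is 127.0.0.1 or 0.0.0.0 rather than `::1`; worth confirming the two agree so the proxy does not fail with a connection refused after deploy. The reason for the switch is not recorded, so a why-comment on the line would help, e.g. `# Literal 127.0.0.1 so nginx does not resolve localhost to ::1 where rocket listens on IPv4 only` — adjust to the actual motivation. The `virtualHosts` block continues outside the hunk.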
@@ -39,7 +39,13 @@ For kernel updates, it might be required to reboot machines, which can be done i
 pssh -l root -H lindberg-nextcloud.backplane.net.qo.is -H lindberg-build.backplane.net.qo.is reboot
 ```
-## Aplication Updates
+## `systemVersion` upgrades
+
+- Make sure to read through the nixpkgs changelog to catch configuration scheme changes,
+ successor applications or for the need for manual interventions.
+- Pay special attention the applications listed below.
+
+## Application Updates
 Some applications have pinned versions to prevent problems due to accidental upgrades.
 The version switch has to be done manually by switching the package used.
@@ -47,3 +53,5 @@ The version switch has to be done manually by switching the package used.
 This includes the modules for:
 - `nextcloud`
+- `postgresql`, [→ Nixpkgs manual page](https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading)
+