Many small structural improvements (treefmt, no cyclic imports, git-pre-commit-hook, faster CI) #50
106 changed files with 864 additions and 780 deletions
34
.github/workflows/ci.yml
|
@ -1,11 +1,12 @@
|
|||
name: CI
|
||||
|
||||
on:
|
||||
push:
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: nix develop --command bash -c "{0}"
|
||||
env:
|
||||
ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
|
||||
|
||||
CACHE_NAME: qois
|
||||
CACHE_REPOSITORY: qois:qois-infrastructure
|
||||
jobs:
|
||||
build:
|
||||
runs-on: nix
|
||||
|
@ -15,25 +16,20 @@ jobs:
|
|||
with:
|
||||
token: ${{ secrets.CI_TOKEN }}
|
||||
lfs: false
|
||||
|
||||
- name: Use attic cache
|
||||
run: nix run .#cache use
|
||||
|
||||
- name: Build
|
||||
- name: Setup Attic Cache
|
||||
env:
|
||||
SERVER: https://attic.qo.is/
|
||||
ATTIC_AUTH_TOKEN: ${{ secrets.ATTIC_AUTH_TOKEN }}
|
||||
run: |
|
||||
nix build --max-jobs 12 --cores 12
|
||||
nix run .#cache push
|
||||
|
||||
- name: Run Checks
|
||||
run: nix flake check
|
||||
|
||||
attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
|
||||
attic use "$CACHE_REPOSITORY"
|
||||
- name: Run Builds and Checks
|
||||
run: nix-fast-build --no-nom --max-jobs 6 --skip-cached --attic-cache "$CACHE_REPOSITORY"
|
||||
- name: Deploy Docs
|
||||
if: success() && github.ref == 'refs/heads/main'
|
||||
run: |
|
||||
mkdir ~/.ssh/
|
||||
echo -e "Host lindberg-webapps.backplane.net.qo.is\n StrictHostKeyChecking no" >> ~/.ssh/config
|
||||
(umask 0077 && printf "%s\n" "${{ secrets.SSH_DEPLOY_KEY }}" > ~/.ssh/id_ed25519)
|
||||
# Remote build might be neccessary due to non-wheel nix users signing restrictions.
|
||||
# However, the build should come from the cache anyway.
|
||||
nix develop --command deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
|
||||
|
||||
deploy --skip-checks --remote-build .#lindberg-webapps.\"docs-ops.qo.is\"
|
||||
# Remote build is neccessary due to non-wheel nix users signing restrictions. However, the build should come from the cache anyway.
|
||||
|
|
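Review bot: The new `attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"` line passes the cache token as a process argument and, as far as I know the attic client, persists it in the runner user's config file; together with the unchanged deploy step that writes `~/.ssh/id_ed25519`, a persistent self-hosted `nix` runner keeps both credentials on disk after the job ends. Scoping `ATTIC_AUTH_TOKEN` to the step is an improvement, but add a final step with `if: always()` that removes the attic config directory and `~/.ssh/id_ed25519`, or give the job a throwaway `HOME`. `StrictHostKeyChecking no` on the deploy host is pre-existing, yet it leaves the deploy SSH session open to interception; pinning the host key in a committed `known_hosts` file would close that without changing the rest of the step.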
1
.gitignore
|
@ -6,3 +6,4 @@ result*
|
|||
/book
|
||||
/.sops.yaml
|
||||
/.nixos-test-history
|
||||
/.pre-commit-config.yaml
|
||||
|
|
33
.nixd.json
|
@ -1,18 +1,21 @@
|
|||
{
|
||||
"eval": {
|
||||
"target": {
|
||||
"args": ["-f", "default.nix"],
|
||||
"installable": ""
|
||||
}
|
||||
},
|
||||
"formatting": {
|
||||
"command": "nixfmt"
|
||||
},
|
||||
"options": {
|
||||
"enable": true,
|
||||
"target": {
|
||||
"args": [],
|
||||
"installable": ""
|
||||
}
|
||||
"eval": {
|
||||
"target": {
|
||||
"args": [
|
||||
"-f",
|
||||
"default.nix"
|
||||
],
|
||||
"installable": ""
|
||||
}
|
||||
},
|
||||
"formatting": {
|
||||
"command": "nixfmt"
|
||||
},
|
||||
"options": {
|
||||
"enable": true,
|
||||
"target": {
|
||||
"args": [],
|
||||
"installable": ""
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
8
.vscode/extensions.json
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"recommendations": [
|
||||
"jnoortheen.nix-ide"
|
||||
]
|
||||
}
|
||||
"recommendations": [
|
||||
"jnoortheen.nix-ide"
|
||||
]
|
||||
}
|
||||
|
|
81
README.md
|
@ -6,66 +6,65 @@ Check out the current [rendered documentation](https://docs-ops.qo.is).
|
|||
|
||||
## Structure
|
||||
|
||||
`nixos-configurations`: Main nixos configuration for every host.
|
||||
`defaults`: Configuration defaults
|
||||
`nixos-modules`: Custom modules (e.g. for vpn and routers)
|
||||
`nixos-configurations`: Main nixos configuration for every host.\
|
||||
`defaults`: Configuration defaults\
|
||||
`nixos-modules`: Custom modules (e.g. for vpn and routers)\
|
||||
`private`: Private configuration values (like users, sops-encrypted secrets and keys)
|
||||
|
||||
## Building
|
||||
|
||||
This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)
|
||||
|
||||
- `nix build`
|
||||
Build all host configurations and docs
|
||||
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`
|
||||
Build a single host configuration with
|
||||
- `nix build .#docs`
|
||||
Build the documentation website
|
||||
|
||||
## Development
|
||||
|
||||
- `nix develop`
|
||||
This repository requires [nix flakes](https://nixos.wiki/wiki/Flakes)
|
||||
|
||||
- `nix flake check`\
|
||||
Execute the project's checks, which includes building all configurations and packages. See [Tests](./checks/README.md).
|
||||
|
||||
- `nix build .#nixosConfigurations.<hostname>.config.system.build.toplevel`\
|
||||
Build a single host configuration.
|
||||
|
||||
- `nix build .#docs`\
|
||||
Build the documentation website.
|
||||
|
||||
- `nix develop`\
|
||||
Development environment
|
||||
- `nix flake check`
|
||||
Execute the project's checks
|
||||
- `nix fmt`
|
||||
|
||||
- `nix fmt`\
|
||||
Autofix formatting
|
||||
|
||||
### Working with the private submodule
|
||||
### Secrets and `private` Submodule
|
||||
|
||||
To clone with submodules (if you have access):
|
||||
Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix) and a git submodule in `private`.\
|
||||
Make sure you have the submodule correctly available. To clone with submodules (if you have access):
|
||||
|
||||
```bash
|
||||
git clone --recurse-submodules https://git.qo.is/qo.is/infrastructure.git
|
||||
# See below for how to commit changes.
|
||||
```
|
||||
|
||||
On changes:
|
||||
|
||||
```bash
|
||||
git add private
|
||||
nix flake lock --update-input private
|
||||
```
|
||||
|
||||
## Deployment
|
||||
|
||||
`nix run .#deploy-qois`
|
||||
|
||||
See [Deployment](deploy/README.md) for details.
|
||||
|
||||
## Secrets
|
||||
|
||||
Secret management is done with [nix-sops](https://github.com/Mic92/sops-nix).
|
||||
|
||||
Secrets are stored in `private/passwords.sops.yaml` (sysadmin passwords),
|
||||
`private/nixos-configurations/secrets.sops.yaml` (shared secrets for all hosts) and
|
||||
`private/nixos-modules/shared-secrets/default.sops.yaml` (shared secrets for all hosts) and
|
||||
`private/nixos-configurations/<hostname>/secrets.sops.yaml` (host specific secrets).
|
||||
|
||||
Usage:
|
||||
To modify secrets:
|
||||
|
||||
```bash
|
||||
sops $file # To edit a file
|
||||
sops-rekey # To rekey all secrets, e.g. after a key rollover or new host
|
||||
```
|
||||
|
||||
After changing secrets, don't forget to push the sub-repository and run
|
||||
`nix flake update private` in the infrastructure repository to use the changes in builds.
|
||||
After changing secrets:
|
||||
|
||||
```bash
|
||||
# Commit changes in subrepo
|
||||
pushd private
|
||||
git commit
|
||||
git push
|
||||
nix flake prefetch . # Make subrepo available in nix store. Required until nix 2.27.
|
||||
popd
|
||||
|
||||
git add private
|
||||
nix flake lock --update-input private
|
||||
```
|
||||
|
||||
## Deployment
|
||||
|
||||
See [Deployment](deploy/README.md) for details.
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
- [Testing](checks/README.md)
|
||||
- [Deployment](deploy/README.md)
|
||||
|
||||
---
|
||||
______________________________________________________________________
|
||||
|
||||
- [Network Topology](defaults/meta/network.md)
|
||||
- [Hardware (generic)](defaults/hardware/README.md)
|
||||
|
@ -12,7 +12,6 @@
|
|||
- [Updates](updates.md)
|
||||
- [New Host Setup](nixos-configurations/setup.md)
|
||||
|
||||
|
||||
# Services
|
||||
|
||||
- [E-mail](email.md)
|
||||
|
|
|
@ -1,11 +1,19 @@
|
|||
# Tests
|
||||
# Tests
|
||||
|
||||
`nix flake check` currently:
|
||||
|
||||
- builds all nixos-configurations
|
||||
- builds all packages
|
||||
- runs all [nixos-module tests](#module-tests)
|
||||
- checks all deployment configurations
|
||||
- checks repository formatting.
|
||||
|
||||
## Module Tests
|
||||
|
||||
We test our nixos modules with [NixOS tests](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests).
|
||||
Running nixos tests requires QEMU virtualisation, so make sure you have KVM virtualisation support enabled.
|
||||
|
||||
Run all: `nix build .#checks.x86_64-linux.nixos-modules`
|
||||
Run all: `nix build .#checks.x86_64-linux.nixos-modules`\
|
||||
Run single test: `nix build .#checks.x86_64-linux.nixos-modules.entries.vm-test-run-testNameAsInDerivationName`
|
||||
|
||||
### Run Test Interactively
|
||||
|
|
|
@ -1,26 +1,22 @@
|
|||
{
|
||||
self,
|
||||
flakeSelf,
|
||||
system,
|
||||
pkgs,
|
||||
deployPkgs,
|
||||
treefmtEval,
|
||||
...
|
||||
}:
|
||||
}@inputs:
|
||||
{
|
||||
${system} = {
|
||||
|
||||
# Check project formatting
|
||||
format = pkgs.runCommand "nixfmt-check" { } ''
|
||||
set -euo pipefail
|
||||
cd ${self}
|
||||
${self.formatter.${system}}/bin/formatter . --check
|
||||
mkdir $out
|
||||
'';
|
||||
formatting = treefmtEval.config.build.check flakeSelf;
|
||||
|
||||
nixos-modules = pkgs.callPackage ./nixos-modules {
|
||||
defaultModule = self.nixosModules.default;
|
||||
inherit (self.lib) getSubDirs isFolderWithFile;
|
||||
};
|
||||
|
||||
#TODO(#29): Integration/System tests
|
||||
nixos-configurations = import ./nixos-configurations inputs;
|
||||
|
||||
# Import deploy-rs tests
|
||||
} // (deployPkgs.deploy-rs.lib.deployChecks self.deploy);
|
||||
|
|
4
checks/nixos-configurations/default.nix
|
@ -0,0 +1,4 @@
|
|||
{ self, pkgs, ... }:
|
||||
pkgs.linkFarmFromDrvs "all" (
|
||||
pkgs.lib.mapAttrsToList (_n: v: v.config.system.build.toplevel) self.nixosConfigurations
|
||||
)
|
|
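Review bot: This new file is what makes `nix flake check` build every host closure (checks/README.md lists it), but it carries no header comment saying so. Add at the top: `# Build the toplevel of every nixosConfiguration, so that nix flake check fails on any host that no longer evaluates or builds.` A second line noting that the result is a link farm (nothing is activated or deployed) would spare the next reader a look at nixpkgs.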
@ -4,12 +4,14 @@
|
|||
getSubDirs,
|
||||
lib,
|
||||
testers,
|
||||
defaultModule,
|
||||
}:
|
||||
let
|
||||
inherit (lib)
|
||||
filter
|
||||
path
|
||||
mkDefault
|
||||
mkForce
|
||||
readFile
|
||||
attrNames
|
||||
concatStringsSep
|
||||
|
@ -23,6 +25,7 @@ let
|
|||
in
|
||||
testers.runNixOSTest {
|
||||
inherit name;
|
||||
|
||||
imports = [
|
||||
(import (getFilePath "test.nix") {
|
||||
inherit name;
|
||||
|
@ -30,7 +33,12 @@ let
|
|||
})
|
||||
];
|
||||
|
||||
defaults.imports = [ (getFilePath "default.nix") ];
|
||||
defaults = {
|
||||
imports = [ defaultModule ];
|
||||
|
||||
qois.outgoing-server-mail.enable = mkForce false;
|
||||
qois.backup-client.enable = mkForce false;
|
||||
};
|
||||
|
||||
# Calls a `test(...)` python function in the test's python file with the list of nodes and helper functions.
|
||||
# Helper symbols may be added as function args when needed and can be found in:
|
||||
|
|
5
checks/packages/default.nix
|
@ -0,0 +1,5 @@
|
|||
{ self, pkgs, ... }:
|
||||
let
|
||||
inherit (pkgs.lib) attrValues;
|
||||
in
|
||||
pkgs.linkFarmFromDrvs "all" (attrValues self.packages)
|
|
@ -1,4 +1,3 @@
|
|||
|
||||
# APU
|
||||
|
||||
## Setup
|
||||
|
@ -7,5 +6,5 @@ To boot the nixos installer with the console port, add `console=ttyS0,115200n8`
|
|||
|
||||
# ASROCK Mainboards
|
||||
|
||||
`F2`: Boot into BIOS
|
||||
`F2`: Boot into BIOS\
|
||||
`F11`: Select boot device
|
||||
|
|
|
@ -2,9 +2,7 @@
|
|||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -2,9 +2,7 @@
|
|||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -2,9 +2,7 @@
|
|||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
|
|
@ -74,7 +74,6 @@ All Services are published under the *qo.is* domain name. Following services are
|
|||
|
||||
## Contacts
|
||||
|
||||
|
||||
### Init7
|
||||
|
||||
- [Status Netzwerkdienste](https://www.init7.net/status/)
|
||||
|
|
|
@ -4,7 +4,6 @@ Note that you have to be connected to the `vpn.qo.is`
|
|||
(or execute the deployment from a host that is in the `backplane.net.qo.is` overlay network)
|
||||
and that you need to have SSH root access to the target machines.
|
||||
|
||||
|
||||
## Deploy to selected target hosts
|
||||
|
||||
```bash
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
{
|
||||
deployPkgs,
|
||||
pkgs,
|
||||
self,
|
||||
...
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
deployPkgs,
|
||||
pkgs,
|
||||
self,
|
||||
system,
|
||||
...
|
||||
|
|
|
@ -1,9 +1,21 @@
|
|||
{
|
||||
pkgs,
|
||||
git-hooks-nix,
|
||||
treefmtEval,
|
||||
system,
|
||||
self,
|
||||
...
|
||||
}:
|
||||
let
|
||||
pre-commit-check = git-hooks-nix.lib.${system}.run {
|
||||
src = ../.;
|
||||
hooks.treefmt = {
|
||||
enable = true;
|
||||
package = treefmtEval.config.build.wrapper;
|
||||
always_run = true;
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${system}.default = pkgs.mkShellNoCC {
|
||||
name = "qois-infrastructure-shell";
|
||||
|
@ -14,9 +26,9 @@
|
|||
vscode = pkgs.vscodium;
|
||||
};
|
||||
in
|
||||
[ vscodium-with-extensions ]
|
||||
pre-commit-check.enabledPackages
|
||||
++ [ vscodium-with-extensions ]
|
||||
++ (with self.packages.${system}; [
|
||||
cache
|
||||
deploy-qois
|
||||
sops
|
||||
sops-rekey
|
||||
|
@ -24,14 +36,15 @@
|
|||
++ (with pkgs; [
|
||||
attic-client
|
||||
deploy-rs
|
||||
jq
|
||||
nix-fast-build
|
||||
nixVersions.git
|
||||
nixd
|
||||
nixfmt-rfc-style
|
||||
nixos-anywhere
|
||||
ssh-to-age
|
||||
pssh
|
||||
ssh-to-age
|
||||
yq
|
||||
jq
|
||||
]);
|
||||
LANG = "C.UTF-8";
|
||||
LC_ALL = "C.UTF-8";
|
||||
|
@ -47,11 +60,7 @@
|
|||
done
|
||||
export XDG_DATA_DIRS
|
||||
|
||||
# Make sure we support the pure case as well as non nixos cases
|
||||
# where dynamic bash completions were not sourced.
|
||||
#if ! type _completion_loader > /dev/null; then
|
||||
# . ${pkgs.bash-completion}/etc/profile.d/bash_completion.sh
|
||||
#fi
|
||||
${pre-commit-check.shellHook}
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
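Review bot: Entering the shell now has a side effect outside the Nix store: `${pre-commit-check.shellHook}` presumably writes `.pre-commit-config.yaml` into the checkout (the new `.gitignore` entry suggests so) and installs a hook under `.git/hooks`, and nothing in this file or the README says that `nix develop` does this. Add a comment above the `pre-commit-check` binding such as `# git-hooks.nix: the shellHook below installs a treefmt pre-commit hook into the working copy on every nix develop.` Separately, `nixVersions.git` puts an unreleased Nix into the shell; a one-line comment naming the reason (the README mentions `nix flake prefetch` being needed until Nix 2.27) would stop someone from reverting it to the default package.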
1
email.md
|
@ -9,7 +9,6 @@ E-Mail accounts should be created in a `first.lastname@qo.is` fashion.
|
|||
Alias/forwarding Domains may be added on an best effort basis.
|
||||
Bills for these domains should go directly to the respective owner (i.e. should be registered with own accounts).
|
||||
|
||||
|
||||
## System E-mails
|
||||
|
||||
For groups, systems, services that require e-mail access, other accounts may be created.
|
||||
|
|
110
flake.lock
|
@ -56,18 +56,77 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat_2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"git-hooks-nix": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat_2",
|
||||
"gitignore": "gitignore",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1742649964,
|
||||
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"gitignore": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"git-hooks-nix",
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1709087332,
|
||||
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "hercules-ci",
|
||||
"repo": "gitignore.nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1702272962,
|
||||
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
|
||||
"lastModified": 1742669843,
|
||||
"narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
|
||||
"rev": "1e5b653dff12029333a6546c11e108ede13052eb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -88,7 +147,7 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-nixos-unstable": {
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1742669843,
|
||||
"narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
|
||||
|
@ -106,15 +165,16 @@
|
|||
},
|
||||
"private": {
|
||||
"inputs": {
|
||||
"nixpkgs-nixos-unstable": [
|
||||
"nixpkgs-nixos-unstable"
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1737552783,
|
||||
"narHash": "sha256-pJ2lp36L3++a5HtdN7ULcVpdB4j7yo90TDayWuAO+T8=",
|
||||
"rev": "33cf80043c64ddd6882268430454e3cbe98b692b",
|
||||
"revCount": 11,
|
||||
"lastModified": 1742912717,
|
||||
"narHash": "sha256-jKDVM4hLzNwYpg1/at53B2LZIEEvey1UUIi5cR8wNVQ=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "80b04cd406adc46357888614ecc3f467b85ab8fa",
|
||||
"revCount": 15,
|
||||
"type": "git",
|
||||
"url": "file:./private"
|
||||
},
|
||||
|
@ -127,16 +187,18 @@
|
|||
"inputs": {
|
||||
"deploy-rs": "deploy-rs",
|
||||
"disko": "disko",
|
||||
"git-hooks-nix": "git-hooks-nix",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"nixpkgs-nixos-stable": "nixpkgs-nixos-stable",
|
||||
"nixpkgs-nixos-unstable": "nixpkgs-nixos-unstable",
|
||||
"private": "private",
|
||||
"sops-nix": "sops-nix"
|
||||
"sops-nix": "sops-nix",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs-nixos-unstable"
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
|
@ -168,6 +230,26 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"treefmt-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1742370146,
|
||||
"narHash": "sha256-XRE8hL4vKIQyVMDXykFh4ceo3KSpuJF3ts8GKwh5bIU=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "adc195eef5da3606891cedf80c0d9ce2d3190808",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
|
|
132
flake.nix
|
@ -5,34 +5,48 @@
|
|||
extra-trusted-public-keys = "qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=";
|
||||
};
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
|
||||
|
||||
treefmt-nix = {
|
||||
url = "github:numtide/treefmt-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
git-hooks-nix = {
|
||||
url = "github:cachix/git-hooks.nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
disko = {
|
||||
url = "github:nix-community/disko";
|
||||
inputs.nixpkgs.follows = "nixpkgs-nixos-stable";
|
||||
};
|
||||
nixpkgs-nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
nixpkgs-nixos-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs = {
|
||||
nixpkgs.follows = "nixpkgs-nixos-unstable";
|
||||
};
|
||||
};
|
||||
private.url = "git+file:./private";
|
||||
private.inputs.nixpkgs-nixos-unstable.follows = "nixpkgs-nixos-unstable";
|
||||
private.inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
outputs =
|
||||
{ nixpkgs-nixos-unstable, deploy-rs, ... }@inputs:
|
||||
{
|
||||
self,
|
||||
nixpkgs,
|
||||
deploy-rs,
|
||||
treefmt-nix,
|
||||
...
|
||||
}@inputs:
|
||||
let
|
||||
system = "x86_64-linux";
|
||||
# Packages for development and build process
|
||||
pkgs = import nixpkgs-nixos-unstable { inherit system; };
|
||||
deployPkgs = import nixpkgs-nixos-unstable {
|
||||
pkgs = import nixpkgs { inherit system; };
|
||||
deployPkgs = import nixpkgs {
|
||||
inherit system;
|
||||
overlays = [
|
||||
deploy-rs.overlay
|
||||
(self: super: {
|
||||
(_self: super: {
|
||||
deploy-rs = {
|
||||
inherit (pkgs) deploy-rs;
|
||||
lib = super.deploy-rs.lib;
|
||||
|
@ -40,22 +54,86 @@
|
|||
})
|
||||
];
|
||||
};
|
||||
importParams = inputs // {
|
||||
inherit pkgs;
|
||||
inherit deployPkgs;
|
||||
inherit system;
|
||||
treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
|
||||
importParams = {
|
||||
inherit (inputs)
|
||||
deploy-rs
|
||||
disko
|
||||
nixpkgs-nixos-stable
|
||||
sops-nix
|
||||
private
|
||||
git-hooks-nix
|
||||
;
|
||||
inherit
|
||||
deployPkgs
|
||||
pkgs
|
||||
system
|
||||
treefmtEval
|
||||
;
|
||||
flakeSelf = self;
|
||||
};
|
||||
in
|
||||
{
|
||||
checks = import ./checks/default.nix importParams;
|
||||
deploy = import ./deploy/default.nix importParams;
|
||||
devShells = import ./dev-shells/default.nix importParams;
|
||||
formatter.${system} = pkgs.writeShellScriptBin "formatter" ''
|
||||
${pkgs.findutils}/bin/find $1 -type f -name '*.nix' -exec ${pkgs.nixfmt-rfc-style}/bin/nixfmt ''${@:2} {} +
|
||||
'';
|
||||
nixosConfigurations = import ./nixos-configurations/default.nix importParams;
|
||||
nixosModules = import ./nixos-modules/default.nix importParams;
|
||||
packages = import ./packages/default.nix importParams;
|
||||
lib = import ./lib/default.nix importParams;
|
||||
checks = import ./checks/default.nix (
|
||||
importParams
|
||||
// {
|
||||
self = {
|
||||
inherit (self)
|
||||
lib
|
||||
packages
|
||||
nixosModules
|
||||
nixosConfigurations
|
||||
deploy
|
||||
;
|
||||
};
|
||||
}
|
||||
);
|
||||
deploy = import ./deploy/default.nix (
|
||||
importParams
|
||||
// {
|
||||
self = {
|
||||
inherit (self)
|
||||
lib
|
||||
packages
|
||||
nixosModules
|
||||
nixosConfigurations
|
||||
;
|
||||
};
|
||||
}
|
||||
);
|
||||
devShells = import ./dev-shells/default.nix (
|
||||
importParams
|
||||
// {
|
||||
self = {
|
||||
inherit (self) lib packages;
|
||||
};
|
||||
}
|
||||
);
|
||||
formatter.${system} = treefmtEval.config.build.wrapper;
|
||||
nixosConfigurations = import ./nixos-configurations/default.nix (
|
||||
importParams
|
||||
// {
|
||||
self = {
|
||||
inherit (self) lib packages nixosModules;
|
||||
};
|
||||
}
|
||||
);
|
||||
nixosModules = import ./nixos-modules/default.nix (
|
||||
importParams
|
||||
// {
|
||||
self = {
|
||||
inherit (self) lib packages;
|
||||
};
|
||||
}
|
||||
);
|
||||
packages = import ./packages/default.nix (
|
||||
importParams
|
||||
// {
|
||||
self = {
|
||||
inherit (self) lib packages;
|
||||
};
|
||||
}
|
||||
);
|
||||
lib = import ./lib/default.nix { inherit pkgs; };
|
||||
};
|
||||
}
|
||||
|
|
|
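Review bot: The `self = { inherit (self) … }` wrappers each output now receives have no comment explaining them, and the PR title is the only place stating the intent (no cyclic imports); a reader of flake.nix alone will be tempted to pass the whole flake through again. Add above `importParams`: `# Each output receives only the flake attributes it may depend on, never the full flake; reaching for anything else fails at evaluation instead of creating an import cycle.` Note also that `importParams` still forwards `private` (the sops-encrypted secrets and keys input, per the README) and `git-hooks-nix` to every output, including `packages` and `nixosModules`; if only `nixosConfigurations` and `devShells` actually read them, passing them there alone would match the least-exposure intent of this change.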
@ -8,7 +8,7 @@ let
|
|||
path
|
||||
;
|
||||
# Get a list of all subdirectories of a directory.
|
||||
getSubDirs = base: attrNames (filterAttrs (n: t: t == "directory") (builtins.readDir base));
|
||||
getSubDirs = base: attrNames (filterAttrs (_n: t: t == "directory") (builtins.readDir base));
|
||||
# Check if a folder with a base path and folder name contains a file with a specific name
|
||||
isFolderWithFile =
|
||||
fileName: basePath: folderName:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
@ -6,8 +6,6 @@
|
|||
./filesystems.nix
|
||||
|
||||
../../defaults/hardware/apu.nix
|
||||
|
||||
../../defaults/meta
|
||||
];
|
||||
|
||||
qois.system.physical.enable = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
{
|
||||
|
||||
fileSystems."/" = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
let
|
||||
meta = config.qois.meta;
|
||||
|
|
|
@ -1,17 +1,16 @@
|
|||
# Host: Cyprianspitz
|
||||
|
||||
## Operations {#_operations}
|
||||
## Operations {#\_operations}
|
||||
|
||||
Reboot requires passphrase.
|
||||
|
||||
``` bash
|
||||
```bash
|
||||
# Get HDD Password:
|
||||
sops decrypt --extract '["system"]["hdd"]' private/nixos-configurations/cyprianspitz/secrets.sops.yaml
|
||||
|
||||
ssh -p 8223 root@calanda.plessur-ext.net.qo.is
|
||||
```
|
||||
|
||||
|
||||
Direct remote ssh access:
|
||||
|
||||
```
|
||||
|
@ -24,8 +23,6 @@ TODO
|
|||
|
||||
- [Mainboard Manual](docs/z790m-itx-wifi.pdf)
|
||||
|
||||
|
||||
|
||||
### Top Overview
|
||||
|
||||

|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
{
|
||||
qois.backup-server = {
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
{
|
||||
qois.vpn-server.enable = true;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
@ -10,8 +10,6 @@
|
|||
./virtualisation.nix
|
||||
|
||||
../../defaults/hardware/asrock-z790m.nix
|
||||
|
||||
../../defaults/meta
|
||||
];
|
||||
|
||||
qois.system.physical.enable = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
let
|
||||
meta = config.qois.meta;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
virtualisation.libvirtd = {
|
||||
enable = true;
|
||||
|
|
|
@ -2,16 +2,16 @@
|
|||
self,
|
||||
pkgs,
|
||||
nixpkgs-nixos-stable,
|
||||
disko,
|
||||
sops-nix,
|
||||
...
|
||||
}@inputs:
|
||||
let
|
||||
inherit (pkgs.lib) genAttrs;
|
||||
inherit (nixpkgs-nixos-stable.lib) nixosSystem;
|
||||
configs = self.lib.foldersWithNix ./.;
|
||||
in
|
||||
pkgs.lib.genAttrs configs (
|
||||
genAttrs configs (
|
||||
config:
|
||||
nixpkgs-nixos-stable.lib.nixosSystem {
|
||||
nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = {
|
||||
inherit inputs;
|
||||
|
@ -19,15 +19,6 @@ pkgs.lib.genAttrs configs (
|
|||
modules = [
|
||||
self.nixosModules.default
|
||||
./${config}/default.nix
|
||||
disko.nixosModules.disko
|
||||
sops-nix.nixosModules.sops
|
||||
(
|
||||
{ ... }:
|
||||
{
|
||||
system.extraSystemBuilderCmds = "ln -s ${self} $out/nixos-configuration";
|
||||
imports = [ ./secrets.nix ];
|
||||
}
|
||||
)
|
||||
];
|
||||
}
|
||||
)
|
||||
|
|
|
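Review bot: Dropping the inline module removes the `sops.secrets."msmtp/password"` and `"wgautomesh/gossip-secret"` declarations that the deleted `./secrets.nix` pointed at `${inputs.private}/nixos-configurations/secrets.sops.yaml`; nothing in this diff re-declares them, so they presumably now come from the `private` submodule bump (the README now names `private/nixos-modules/shared-secrets/default.sops.yaml`). Please confirm that a host using `qois.outgoing-server-mail` or the backplane mesh still evaluates with both secrets defined, since a missing `sops.secrets` entry only fails once a consumer references it. The `system.extraSystemBuilderCmds` symlink was also the only on-host pointer to the deployed source tree; if it served audit purposes, `system.configurationRevision` or a short comment on why it was dropped would be worth adding.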
@ -1,5 +1,4 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
{
|
||||
qois.nixpkgs-cache = {
|
||||
enable = true;
|
||||
hostname = "nixpkgs-cache.qo.is";
|
||||
dnsResolvers = [ config.qois.meta.network.virtual.lindberg-vms-nat.hosts.lindberg.v4.ip ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../defaults/meta
|
||||
|
||||
./applications
|
||||
./disko-config.nix
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
{
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../defaults/meta
|
||||
./applications
|
||||
./backup.nix
|
||||
./secrets.nix
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
## Setting up new static sites
|
||||
|
||||
|
||||
Generate ssh key for deployment:
|
||||
|
||||
```bash
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
|
||||
imports = [ ];
|
||||
|
|
|
@ -1,9 +1,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../defaults/meta
|
||||
|
||||
./applications
|
||||
./disko-config.nix
|
||||
./networking.nix
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
{
|
||||
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
# Host: Lindberg
|
||||
|
||||
## Operations {#_operations}
|
||||
## Operations {#\_operations}
|
||||
|
||||
Reboot requires passphrase (see pass `host/lindberg/hdd_luks`)
|
||||
|
||||
``` bash
|
||||
```bash
|
||||
ssh -p 2222 root@lindberg.riedbach-ext.net.qo.is
|
||||
```
|
||||
|
||||
|
@ -12,7 +12,6 @@ ssh -p 2222 root@lindberg.riedbach-ext.net.qo.is
|
|||
|
||||
- [Mainboard Manual](docs/X570Pro4-mainboard-manual.pdf)
|
||||
|
||||
|
||||
### Front / Back
|
||||
|
||||
#### Front Overview
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
{
|
||||
|
||||
imports = [ ./loadbalancer.nix ];
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
{
|
||||
|
||||
qois.backup-client.includePaths = [ "/mnt/data" ];
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
|
@ -11,8 +11,6 @@
|
|||
./virtualisation.nix
|
||||
|
||||
../../defaults/hardware/asrock.nix
|
||||
|
||||
../../defaults/meta
|
||||
];
|
||||
|
||||
qois.system.physical.enable = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
|
||||
let
|
||||
meta = config.qois.meta;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
virtualisation.libvirtd = {
|
||||
enable = true;
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
{ inputs, ... }:
|
||||
{
|
||||
sops.secrets =
|
||||
let
|
||||
allHostsSecretsFile = "${inputs.private}/nixos-configurations/secrets.sops.yaml";
|
||||
in
|
||||
{
|
||||
"msmtp/password".sopsFile = allHostsSecretsFile;
|
||||
"wgautomesh/gossip-secret".sopsFile = allHostsSecretsFile;
|
||||
};
|
||||
}
|
|
@ -3,8 +3,8 @@
|
|||
## Prepare Remote Machine
|
||||
|
||||
1. Boot nixos installer image
|
||||
2. Set a root password: `sudo passwd root`
|
||||
3. Get host ip to connect to ssh with `ip a`
|
||||
1. Set a root password: `sudo passwd root`
|
||||
1. Get host ip to connect to ssh with `ip a`
|
||||
|
||||
## Verify configuration
|
||||
|
||||
|
@ -12,7 +12,7 @@
|
|||
|
||||
## Installation
|
||||
|
||||
```bash
|
||||
````bash
|
||||
nix develop
|
||||
|
||||
# Set according to what we want
|
||||
|
@ -60,11 +60,11 @@ sops exec-file --no-fifo --filename secret.key private/nixos-configurations/$REM
|
|||
--disk-encryption-keys /run/secrets/system/hdd.key <(yq --raw-output '.system.hdd' {}) \
|
||||
--disk-encryption-keys /run/secrets/system/initrd-ssh-key <(yq --raw-output '.system.\"initrd-ssh-key\"' {})
|
||||
"
|
||||
```
|
||||
````
|
||||
|
||||
## Post-Setup
|
||||
|
||||
* Add backplane-vpn pubkey to `network-virtual.nix` configuration with
|
||||
- Add backplane-vpn pubkey to `network-virtual.nix` configuration with
|
||||
```bash
|
||||
wg pubkey < /secrets/wireguard/private/backplane
|
||||
```
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Operations {#_operations}
|
||||
# Operations {#\_operations}
|
||||
|
||||
Reboot requires passphrase (see pass `host/stompert/hdd_luks`)
|
||||
|
||||
``` bash
|
||||
```bash
|
||||
ssh -p 2222 root@stompert.eem-ext.net.qo.is
|
||||
```
|
||||
|
|
|
@ -2,13 +2,11 @@
|
|||
# your system. Help is available in the configuration.nix(5) man page
|
||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
../../defaults/hardware/apu.nix
|
||||
|
||||
../../defaults/meta
|
||||
];
|
||||
|
||||
qois.system.physical.enable = true;
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
@ -35,7 +34,7 @@ in
|
|||
|
||||
networking.hosts = pipe cfg.loadbalancers [
|
||||
(map (hostname: config.qois.meta.network.virtual.backplane.hosts.${hostname}.v4.ip))
|
||||
(flip genAttrs (lb: cfg.domains))
|
||||
(flip genAttrs (_lb: cfg.domains))
|
||||
];
|
||||
|
||||
};
|
||||
|
|
|
@ -1,19 +1,12 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.qois.backplane-net;
|
||||
hostName = config.networking.hostName;
|
||||
netConfig = config.qois.meta.network.virtual.${cfg.netName};
|
||||
hostNetConfig = netConfig.hosts.${hostName};
|
||||
interface = "wg-${cfg.netName}";
|
||||
wgService = [ "wireguard-${interface}.service" ];
|
||||
in
|
||||
|
||||
{
|
||||
options.qois.backplane-net = {
|
||||
enable = mkEnableOption "Enable backplane server services";
|
||||
|
@ -22,11 +15,6 @@ in
|
|||
type = types.str;
|
||||
default = "backplane";
|
||||
};
|
||||
domain = mkOption {
|
||||
description = "Domain";
|
||||
type = types.str;
|
||||
default = hostNetConfig;
|
||||
};
|
||||
port = mkOption {
|
||||
description = "Wireguard Default Port";
|
||||
type = types.number;
|
||||
|
@ -34,50 +22,59 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
|
||||
config = lib.mkIf cfg.enable (
|
||||
let
|
||||
hostName = config.networking.hostName;
|
||||
netConfig = config.qois.meta.network.virtual.${cfg.netName};
|
||||
hostNetConfig = netConfig.hosts.${hostName};
|
||||
interface = "wg-${cfg.netName}";
|
||||
wgService = [ "wireguard-${interface}.service" ];
|
||||
in
|
||||
{
|
||||
sops.secrets."wgautomesh/gossip-secret".restartUnits = [ "wgautomesh.service" ];
|
||||
|
||||
networking.wireguard.enable = true;
|
||||
networking.wireguard.interfaces."wg-${cfg.netName}" = {
|
||||
ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
|
||||
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
|
||||
privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
|
||||
generatePrivateKeyFile = true;
|
||||
};
|
||||
|
||||
systemd.network.wait-online.ignoredInterfaces = [ interface ];
|
||||
|
||||
networking.firewall.allowedUDPPorts =
|
||||
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
|
||||
|
||||
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
|
||||
services.wgautomesh = {
|
||||
enable = true;
|
||||
gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
|
||||
openFirewall = true;
|
||||
settings = {
|
||||
inherit interface;
|
||||
|
||||
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
|
||||
peers = pipe netConfig.hosts [
|
||||
(filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
|
||||
(mapAttrsToList (
|
||||
_: peerConfig: {
|
||||
address = peerConfig.v4.ip;
|
||||
endpoint =
|
||||
if (peerConfig.endpoint != null) then
|
||||
with peerConfig.endpoint; "${fqdn}:${toString port}"
|
||||
else
|
||||
null;
|
||||
pubkey = peerConfig.publicKey;
|
||||
}
|
||||
))
|
||||
];
|
||||
networking.wireguard.enable = true;
|
||||
networking.wireguard.interfaces."wg-${cfg.netName}" = {
|
||||
ips = [ "${hostNetConfig.v4.ip}/${toString netConfig.v4.prefixLength}" ];
|
||||
listenPort = if hostNetConfig.endpoint != null then hostNetConfig.endpoint.port else cfg.port;
|
||||
privateKeyFile = "/secrets/wireguard/private/${cfg.netName}";
|
||||
generatePrivateKeyFile = true;
|
||||
};
|
||||
};
|
||||
systemd.services.wgautomesh = {
|
||||
requires = wgService;
|
||||
after = wgService;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.network.wait-online.ignoredInterfaces = [ interface ];
|
||||
|
||||
networking.firewall.allowedUDPPorts =
|
||||
if hostNetConfig.endpoint != null then [ hostNetConfig.endpoint.port ] else [ cfg.port ];
|
||||
|
||||
# Configure wgautomesh to setup peers. Make sure that the name is not used in the VPN module
|
||||
services.wgautomesh = {
|
||||
enable = true;
|
||||
gossipSecretFile = config.sops.secrets."wgautomesh/gossip-secret".path;
|
||||
openFirewall = true;
|
||||
settings = {
|
||||
inherit interface;
|
||||
|
||||
# Map meta network configuration to the format of wgautomesh and filter out peers with endpoints
|
||||
peers = pipe netConfig.hosts [
|
||||
(filterAttrs (peerHostName: _: peerHostName != hostName)) # Not this host
|
||||
(mapAttrsToList (
|
||||
_: peerConfig: {
|
||||
address = peerConfig.v4.ip;
|
||||
endpoint =
|
||||
if (peerConfig.endpoint != null) then
|
||||
with peerConfig.endpoint; "${fqdn}:${toString port}"
|
||||
else
|
||||
null;
|
||||
pubkey = peerConfig.publicKey;
|
||||
}
|
||||
))
|
||||
];
|
||||
};
|
||||
};
|
||||
systemd.services.wgautomesh = {
|
||||
requires = wgService;
|
||||
after = wgService;
|
||||
};
|
||||
}
|
||||
);
|
||||
}
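Review bot: `sops.secrets."wgautomesh/gossip-secret"` is now only given `restartUnits` in this module, while the per-host file that pinned its `sopsFile` is deleted in this PR and `sops.defaultSopsFile` is removed from the defaults module further down; unless the private module declares one of the two, evaluation will fail for lack of a sops file for this secret, so please confirm where it is declared now. Gating the whole block in `lib.mkIf cfg.enable` is a real improvement: the WireGuard interface, the UDP firewall opening and the wgautomesh service were previously applied unconditionally, and `netConfig.hosts.${hostName}` is no longer looked up on hosts that have no backplane entry. The file appears to keep `with lib;` in scope (`mkOption`, `pipe`, `filterAttrs` are used bare), so `lib.mkIf` reads inconsistently; either `mkIf` or prefixing the remaining names would be uniform. A one-line comment on the inner `let` would help future readers, e.g. `# Host-specific bindings live inside mkIf so hosts without a backplane entry still evaluate`.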
|
||||
|
|
|
@ -2,8 +2,6 @@
|
|||
config,
|
||||
lib,
|
||||
options,
|
||||
pkgs,
|
||||
self,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
|
@ -2,8 +2,6 @@
|
|||
config,
|
||||
lib,
|
||||
options,
|
||||
pkgs,
|
||||
self,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ For user documentation, refer to the [upstream Nextcloud docs](https://docs.next
|
|||
## Backup / Restore
|
||||
|
||||
1. Stop all related services: nextcloud, php-fpm, redis etc.
|
||||
2. (mabe dump redis data?)
|
||||
3. Import Database Backup
|
||||
4. Restore `/var/lib/nextcloud`, which is currently a bind mount on `lindberg`'s `/mnt/data` volume
|
||||
5. Resync nextcloud files and database, see [nextcloud docs](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html)
|
||||
1. (mabe dump redis data?)
|
||||
1. Import Database Backup
|
||||
1. Restore `/var/lib/nextcloud`, which is currently a bind mount on `lindberg`'s `/mnt/data` volume
|
||||
1. Resync nextcloud files and database, see [nextcloud docs](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html)
|
||||
|
|
|
@ -1,8 +1,20 @@
|
|||
inputs: {
|
||||
{
|
||||
private,
|
||||
self,
|
||||
disko,
|
||||
sops-nix,
|
||||
...
|
||||
}:
|
||||
{
|
||||
default =
|
||||
{ config, pkgs, ... }:
|
||||
{ ... }:
|
||||
{
|
||||
|
||||
imports = (inputs.self.lib.loadSubmodulesFrom ./.) ++ [ inputs.private.nixosModules.default ];
|
||||
imports = (self.lib.loadSubmodulesFrom ./.) ++ [
|
||||
../defaults/meta
|
||||
disko.nixosModules.disko
|
||||
sops-nix.nixosModules.sops
|
||||
private.nixosModules.default
|
||||
];
|
||||
};
|
||||
}
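Review bot: The new imports list pulls `../defaults/meta`, disko and sops-nix in for every consumer of this module without saying why, while host files elsewhere in this PR drop their own `../../defaults/meta` imports; a one-line comment would keep that contract visible, e.g. `# Modules every host needs (meta, disko, sops) are imported once here instead of per host`. The signature change from `inputs:` to a destructured `{ private, self, disko, sops-nix, ... }:` still accepts the flake inputs attrset, so existing callers should be unaffected, but any caller passing something other than the full inputs set will now fail on the missing attributes.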
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
Runner for the [Forgejo git instance](../git/README.md).
|
||||
|
||||
|
||||
## Default docker/ubuntu Runner
|
||||
|
||||
Registers a default runner with ubuntu OS or executes user's OCI container with podman.
|
||||
|
@ -19,3 +18,14 @@ Consequentially, don't use to build nix things that should stay secret (which is
|
|||
## Create Secret Token
|
||||
|
||||
To create a new token for registration, follow the steps outlined in the [Forgejo documentation](https://forgejo.org/docs/latest/user/actions/#forgejo-runner).
|
||||
|
||||
## Clear Runner Caches
|
||||
|
||||
Under some circumstances, runner caches need to be cleared. This can be done with:
|
||||
|
||||
```bash
|
||||
cd /var/lib/private/gitea-runner/
|
||||
systemctl stop --all gitea-runner-*
|
||||
rm -r */.cache/
|
||||
systemctl start --all gitea-runner-*
|
||||
```
|
||||
|
|
|
@ -25,6 +25,35 @@ with lib;
|
|||
default = 10;
|
||||
description = "How many nix runner instances to start";
|
||||
};
|
||||
|
||||
trustedSubstituters = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
# General substitutors (also elsewhere defined defaults, but without priority params)
|
||||
"https://cache.nixos.org"
|
||||
"https://${config.qois.nixpkgs-cache.hostname}"
|
||||
"https://cache.garnix.io"
|
||||
|
||||
# Project builds
|
||||
"https://attic.qo.is/qois-infrastructure" # https://git.qo.is/qo.is/infrastructure
|
||||
"https://attic.qo.is/dotfiles" # https://git.qo.is/fabianhauser/dotfiles
|
||||
];
|
||||
description = "Substitutors that are trusted by the host.";
|
||||
};
|
||||
|
||||
trustedPublicKeys = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
# General subsitutors
|
||||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
|
||||
|
||||
# Project builds
|
||||
"qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE=" # https://git.qo.is/qo.is/infrastructure
|
||||
"dotfiles:KpLi0qe5O5rb8E8N8vntZWBDqFwG3Ksx4AFGizYCLoU=" # https://git.qo.is/fabianhauser/dotfiles
|
||||
];
|
||||
description = "Substitutor public keys that are trusted by the host.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
|
@ -34,6 +63,12 @@ with lib;
|
|||
"gitea-runner-${defaultInstanceName}.service"
|
||||
] ++ (genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances);
|
||||
|
||||
nix.settings = {
|
||||
trusted-substituters = cfg.trustedSubstituters;
|
||||
trusted-public-keys = cfg.trustedPublicKeys;
|
||||
|
||||
};
|
||||
|
||||
virtualisation.podman = {
|
||||
enable = true;
|
||||
dockerCompat = true;
|
||||
|
@ -146,7 +181,7 @@ with lib;
|
|||
{
|
||||
systemd.services =
|
||||
genAttrs (genList (n: "gitea-runner-nix${builtins.toString n}") cfg.nixInstances)
|
||||
(name: {
|
||||
(_name: {
|
||||
after = [
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
|
@ -237,7 +272,9 @@ with lib;
|
|||
pkgs.findutils
|
||||
pkgs.gawk
|
||||
pkgs.git
|
||||
pkgs.git-lfs
|
||||
pkgs.gnugrep
|
||||
pkgs.gnused
|
||||
pkgs.jq
|
||||
pkgs.nix
|
||||
pkgs.nodejs
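Review bot: The default `trustedPublicKeys` in the first hunk makes the runner host accept any NAR signed with the `dotfiles` key as a valid build output for any store path, not just for that project's builds; per its own comment that cache belongs to a user repository, so whoever can push to it can substitute binaries into every CI build on this host, and the list should be restricted to caches administered with the same controls as the runner, or the option description should state that trust explicitly. `trusted-substituters` only lets unprivileged users request those caches; it is `trusted-public-keys` that carries the trust, which is worth saying in the description of `trustedPublicKeys`, e.g. `description = "Substitutor public keys trusted by the host; any path signed by one of them is accepted as a valid build output.";`. The consumer in the second hunk, `nix.settings = { trusted-substituters = cfg.trustedSubstituters; trusted-public-keys = cfg.trustedPublicKeys; }`, contains a stray blank line before the closing brace.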
|
||||
|
|
|
@ -38,7 +38,6 @@ sudo -u forgejo 'nix run nixpkgs#forgejo -- admin user create --config ~custom/c
|
|||
## Backup / Restore
|
||||
|
||||
1. `systemctl stop forgejo.service`
|
||||
2. Import Postgresql Database Backup
|
||||
3. Restore `/var/lib/forgejo`
|
||||
4. `systemctl start forgejo.service`
|
||||
|
||||
1. Import Postgresql Database Backup
|
||||
1. Restore `/var/lib/forgejo`
|
||||
1. `systemctl start forgejo.service`
|
||||
|
|
|
@ -9,7 +9,7 @@ with lib;
|
|||
let
|
||||
# We assume that all static pages are hosted on lindberg-webapps
|
||||
staticPages = pipe config.qois.static-page.pages [
|
||||
(mapAttrsToList (name: { domain, domainAliases, ... }: [ domain ] ++ domainAliases))
|
||||
(mapAttrsToList (_name: { domain, domainAliases, ... }: [ domain ] ++ domainAliases))
|
||||
flatten
|
||||
(map (name: {
|
||||
inherit name;
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
|
@ -83,7 +82,7 @@ in
|
|||
with lib;
|
||||
concatLists (
|
||||
mapAttrsToList (
|
||||
name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ]
|
||||
_name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ]
|
||||
) config.users.users
|
||||
);
|
||||
hostKeys = [ cfg.sshHostKey ];
|
||||
|
|
|
@ -1,8 +1,4 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
options,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
options,
|
||||
...
|
||||
}:
|
||||
|
@ -43,10 +42,10 @@ in
|
|||
};
|
||||
config =
|
||||
let
|
||||
hostsWithSshKey = lib.filterAttrs (name: hostCfg: hostCfg.sshKey != null) cfg;
|
||||
hostsWithSshKey = lib.filterAttrs (_name: hostCfg: hostCfg.sshKey != null) cfg;
|
||||
in
|
||||
{
|
||||
programs.ssh.knownHosts = lib.mapAttrs (name: hostCfg: {
|
||||
programs.ssh.knownHosts = lib.mapAttrs (_name: hostCfg: {
|
||||
publicKey = hostCfg.sshKey;
|
||||
}) hostsWithSshKey;
|
||||
};
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
options,
|
||||
...
|
||||
}:
|
||||
|
@ -17,13 +16,6 @@ let
|
|||
type = str;
|
||||
inherit description;
|
||||
});
|
||||
mkOptStr =
|
||||
description:
|
||||
(mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
inherit description;
|
||||
});
|
||||
|
||||
mkNetworkIdOpts =
|
||||
v:
|
||||
|
@ -225,10 +217,10 @@ in
|
|||
(getHostNamesForNetworks hostname cfg.virtual) ++ (getHostNamesForNetworks hostname cfg.physical);
|
||||
|
||||
hostsWithPublicKey = lib.filterAttrs (
|
||||
hostName: hostConfig: hostConfig.sshKey != null
|
||||
_hostName: hostConfig: hostConfig.sshKey != null
|
||||
) config.qois.meta.hosts;
|
||||
in
|
||||
mapAttrs (name: hostCfg: { extraHostNames = getHostNames name; }) hostsWithPublicKey;
|
||||
mapAttrs (name: _hostCfg: { extraHostNames = getHostNames name; }) hostsWithPublicKey;
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
@ -16,6 +15,7 @@ with lib;
|
|||
hostname = mkOption {
|
||||
type = types.str;
|
||||
example = "mycache.myhost.org";
|
||||
default = "nixpkgs-cache.qo.is";
|
||||
description = "Hostname, under which the cache is served";
|
||||
};
|
||||
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
|
@ -1,14 +1,12 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
routerCfg = config.qois.router;
|
||||
cfg = config.qois.router.wireless;
|
||||
in
|
||||
{
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Router Role {#_router_role}
|
||||
# Router Role {#\_router_role}
|
||||
|
||||
The `router` role set is applied on hosts which serve the rule of a SOHO
|
||||
router.
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
|
|
|
@ -3,4 +3,3 @@
|
|||
This module enables static nginx sites, with data served from "/var/lib/nginx/$domain/root".
|
||||
|
||||
To deploy the site, a user `nginx-$domain` is added, of which a `root` profile in the home folder can be deployed, e.g. with deploy-rs.
|
||||
|
||||
|
|
|
@ -53,7 +53,7 @@ with lib;
|
|||
config = mkIf cfg.enable (
|
||||
let
|
||||
pageConfigs = concatMapAttrs (
|
||||
name: page:
|
||||
_name: page:
|
||||
let
|
||||
home = "/var/lib/nginx-${page.domain}";
|
||||
in
|
||||
|
@ -76,7 +76,7 @@ with lib;
|
|||
|
||||
users = {
|
||||
groups = concatMapAttrs (
|
||||
name:
|
||||
_name:
|
||||
{ user, ... }:
|
||||
{
|
||||
"${user}" = { };
|
||||
|
@ -84,10 +84,10 @@ with lib;
|
|||
) pageConfigs;
|
||||
users =
|
||||
{
|
||||
${config.services.nginx.user}.extraGroups = mapAttrsToList (domain: getAttr "user") pageConfigs;
|
||||
${config.services.nginx.user}.extraGroups = mapAttrsToList (_domain: getAttr "user") pageConfigs;
|
||||
}
|
||||
// (concatMapAttrs (
|
||||
name:
|
||||
_name:
|
||||
{
|
||||
user,
|
||||
home,
|
||||
|
@ -134,10 +134,10 @@ with lib;
|
|||
globalRedirect = domain;
|
||||
};
|
||||
});
|
||||
aliasVhosts = concatMapAttrs (name: mkAliasVhost) pageConfigs;
|
||||
aliasVhosts = concatMapAttrs (_name: mkAliasVhost) pageConfigs;
|
||||
|
||||
in
|
||||
aliasVhosts // (mapAttrs (name: mkVhost) pageConfigs);
|
||||
aliasVhosts // (mapAttrs (_name: mkVhost) pageConfigs);
|
||||
};
|
||||
}
|
||||
);
|
||||
|
|
|
@ -10,14 +10,14 @@
|
|||
inherit (lib) mkForce genAttrs const;
|
||||
in
|
||||
{
|
||||
# Setup simple localhost page with an example.com redirect
|
||||
# Setup simple docs.example.com page with an example.com redirect
|
||||
qois.static-page = {
|
||||
enable = true;
|
||||
pages."localhost".domainAliases = [ "example.com" ];
|
||||
pages."docs.example.com".domainAliases = [ "example.com" ];
|
||||
};
|
||||
|
||||
# Disable TLS services
|
||||
services.nginx.virtualHosts = genAttrs [ "localhost" "example.com" ] (const {
|
||||
services.nginx.virtualHosts = genAttrs [ "docs.example.com" "example.com" ] (const {
|
||||
forceSSL = mkForce false;
|
||||
enableACME = mkForce false;
|
||||
});
|
||||
|
|
|
@ -3,18 +3,20 @@ def test(subtest, webserver):
|
|||
webserver.wait_for_open_port(80)
|
||||
|
||||
# Preparations
|
||||
webserverRoot = "/var/lib/nginx-localhost/root"
|
||||
webserverRoot = "/var/lib/nginx-docs.example.com/root"
|
||||
indexContent = "It works!"
|
||||
webserver.succeed(f"mkdir {webserverRoot}")
|
||||
webserver.succeed(f"echo '{indexContent}' > {webserverRoot}/index.html")
|
||||
webserver.succeed(f"chown -R nginx-localhost\: {webserverRoot}")
|
||||
webserver.succeed(f"chown -R nginx-docs.example.com\: {webserverRoot}")
|
||||
|
||||
# Helpers
|
||||
def curl_variable_test(node, variable, expected, url):
|
||||
value = node.succeed(
|
||||
f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'")
|
||||
assert value == expected, \
|
||||
f"curl -s --no-location -o /dev/null -w '%{{{variable}}}' '{url}'"
|
||||
)
|
||||
assert value == expected, (
|
||||
f"expected {variable} to be '{expected}' but got '{value}'"
|
||||
)
|
||||
|
||||
def expect_http_code(node, code, url):
|
||||
curl_variable_test(node, "http_code", code, url)
|
||||
|
@ -24,23 +26,24 @@ def test(subtest, webserver):
|
|||
|
||||
def expect_http_content(node, expectedContent, url):
|
||||
content = node.succeed(f"curl --no-location --silent '{url}'")
|
||||
assert content.strip() == expectedContent.strip(), f'''
|
||||
assert content.strip() == expectedContent.strip(), f"""
|
||||
expected content:
|
||||
{expectedContent}
|
||||
at {url} but got following content:
|
||||
{content}
|
||||
'''
|
||||
"""
|
||||
|
||||
# Tests
|
||||
with subtest("website is successfully served on localhost"):
|
||||
expect_http_code(webserver, "200", "http://localhost/index.html")
|
||||
expect_http_content(webserver, indexContent,
|
||||
"http://localhost/index.html")
|
||||
with subtest("website is successfully served on docs.example.com"):
|
||||
webserver.succeed("grep docs.example.com /etc/hosts")
|
||||
expect_http_code(webserver, "200", "http://docs.example.com/index.html")
|
||||
expect_http_content(
|
||||
webserver, indexContent, "http://docs.example.com/index.html"
|
||||
)
|
||||
|
||||
with subtest("example.com is in hosts file and a redirect to localhost"):
|
||||
webserver.succeed("grep example.com /etc/hosts")
|
||||
with subtest("example.com is a redirect to docs.example.com"):
|
||||
webserver.succeed("grep -e '[^\.]example.com' /etc/hosts")
|
||||
|
||||
url = "http://example.com/index.html"
|
||||
expect_http_code(webserver, "301", url)
|
||||
expect_http_location(
|
||||
webserver, "http://localhost/index.html", url)
|
||||
expect_http_location(webserver, "http://docs.example.com/index.html", url)
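Review bot: `webserver.succeed("grep -e '[^\.]example.com' /etc/hosts")` puts `\.` inside a plain string, which Python 3.12+ reports as an invalid escape sequence (SyntaxWarning), and the same applies to `\:` in `f"chown -R nginx-docs.example.com\: {webserverRoot}"` in the previous hunk; use a raw string or drop the escapes, e.g. `webserver.succeed(r"grep -e '[^.]example\.com' /etc/hosts")` and `f"chown -R nginx-docs.example.com: {webserverRoot}"` (the colon needs no escaping in sh). The `.` in `example.com` is also unescaped in the grep pattern, so it matches any character rather than a literal dot. The enclosing `test` function starts before this hunk, and `expect_http_location` is defined outside the visible lines.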
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
@ -11,7 +10,6 @@
|
|||
./overlays.nix
|
||||
./physical.nix
|
||||
./security.nix
|
||||
./unfree.nix
|
||||
./virtual-machine.nix
|
||||
];
|
||||
|
||||
|
@ -57,9 +55,9 @@
|
|||
settings =
|
||||
let
|
||||
substituters = [
|
||||
"https://${inputs.self.nixosConfigurations.lindberg-build.config.qois.nixpkgs-cache.hostname}?priority=39"
|
||||
"https://${config.qois.nixpkgs-cache.hostname}?priority=30"
|
||||
"https://attic.qo.is/qois-infrastructure?priority=32"
|
||||
"https://cache.nixos.org?priority=40"
|
||||
"https://attic.qo.is/qois-infrastructure"
|
||||
];
|
||||
in
|
||||
{
|
||||
|
@ -71,7 +69,7 @@
|
|||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||
"qois-infrastructure:lh35ymN7Aoxm5Hz0S6JusxE+cYzMU+x9OMKjDVIpfuE="
|
||||
];
|
||||
trusted-substituters = substituters; # For hosts that limit the subst list
|
||||
trusted-substituters = substituters;
|
||||
inherit substituters;
|
||||
};
|
||||
gc = {
|
||||
|
@ -113,12 +111,6 @@
|
|||
defaultEditor = true;
|
||||
};
|
||||
|
||||
sops.defaultSopsFile =
|
||||
let
|
||||
defaultSopsPath = "${inputs.private}/nixos-configurations/${config.networking.hostName}/secrets.sops.yaml";
|
||||
in
|
||||
lib.mkIf (builtins.pathExists defaultSopsPath) defaultSopsPath;
|
||||
|
||||
services.fstrim.enable = true;
|
||||
|
||||
qois.outgoing-server-mail.enable = true;
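Review bot: The substituter URL `"https://${config.qois.nixpkgs-cache.hostname}?priority=30"` is now read from the evaluating host's own option instead of `lindberg-build`'s configuration; that removes the cross-configuration reference, but it relies on the new `nixpkgs-cache.qo.is` default added in the nixpkgs-cache module, and a host that overrides `hostname` will substitute from that address rather than the shared cache. In the imports hunk, one of `./security.nix` / `./unfree.nix` is removed but the rendering does not show which; the separately deleted 22-line file defining `nixpkgs.config.allowUnfreePredicate` suggests `./unfree.nix`, and if it were `./security.nix` the hardening module would be dropped silently, so please confirm. The why-comment on `trusted-substituters = substituters; # For hosts that limit the subst list` was dropped in the rewrite; keeping it, or `# repeated so hosts that restrict substituters can still use the list`, preserves the reason the setting exists.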
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
options,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
nixpkgs.overlays = [ (import ../../overlays) ];
|
||||
nix.nixPath = options.nix.nixPath.default;
|
||||
}
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib;
|
||||
|
|
|
@ -1,22 +0,0 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
nixpkgs.config.allowUnfreePredicate =
|
||||
pkg:
|
||||
builtins.elem (lib.getName pkg) [
|
||||
"corefonts"
|
||||
"camingo-code"
|
||||
"helvetica-neue-lt-std"
|
||||
#"kochi-substitute-naga10"
|
||||
"ttf-envy-code-r"
|
||||
"vista-fonts"
|
||||
"vista-fonts-chs"
|
||||
"xkcd-font-unstable"
|
||||
"ricty"
|
||||
];
|
||||
}
|
|
@ -3,7 +3,7 @@
|
|||
To use our Vaultwarden instance, you can use the regular
|
||||
[Bitwarden apps](https://bitwarden.com/download/) with our custom server when logging in:
|
||||
|
||||
Username: `first.lastname@qo.is`
|
||||
Username: `first.lastname@qo.is`\
|
||||
Server Name: `https://vault.qo.is`
|
||||
|
||||
## Create Accounts
|
||||
|
@ -17,7 +17,6 @@ Please instruct users to:
|
|||
- the password cannot be reset without loosing all the passwords.
|
||||
Use of [Emergency Contacts](https://bitwarden.com/help/emergency-access/) or Organizations may be advisable.
|
||||
|
||||
|
||||
## Administration
|
||||
|
||||
An admin panel is available under [vault.qo.is/admin](https://vault.qo.is/admin).
|
||||
|
@ -26,12 +25,10 @@ The password is saved in the pass database under `vaultwarden-admin`.
|
|||
In the administration panel, users and organizations may be managed.
|
||||
Instance settings should be changed with the nixos module in the infrastructure repository only.
|
||||
|
||||
|
||||
## Backup / Restore
|
||||
|
||||
1. `systemctl stop vaultwarden.service`
|
||||
2. Import Postgresql Database Backup
|
||||
3. Restore `/var/lib/bitwarden_rs`
|
||||
4. `systemctl start vaultwarden.service`
|
||||
5. Click `Force clients to resync` in the [Administration interface under _Users_](https://vault.qo.is/admin/users/overview)
|
||||
|
||||
1. Import Postgresql Database Backup
|
||||
1. Restore `/var/lib/bitwarden_rs`
|
||||
1. `systemctl start vaultwarden.service`
|
||||
1. Click `Force clients to resync` in the [Administration interface under _Users_](https://vault.qo.is/admin/users/overview)
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
|
|
@ -29,14 +29,13 @@ These nodes allow access to the internet for clients connected to the VPN:
|
|||
|
||||
> ⚠️ Currently, name resolution for these do not work reliably on first starts, hence the IP must be used. This hould be fixed in the future.
|
||||
|
||||
|
||||
### Add exit nodes:
|
||||
|
||||
1. Create a preauth secret on the `vpn.qo.is` host:
|
||||
```bash
|
||||
headscale preauthkeys create --user srv --reusable
|
||||
```
|
||||
2. Configure the new exit-node host with the `qois.vpn-exit-node` module.
|
||||
```
|
||||
1. Configure the new exit-node host with the `qois.vpn-exit-node` module.
|
||||
|
||||
When using the `srv` user, exit nodes and routes are automatically accepted as trusted.
|
||||
|
||||
|
@ -50,11 +49,9 @@ To use the service, you can use a normal Tailscale client with following additio
|
|||
| `exit-node` | `100.64.0.5` (lindberg) or `100.64.0.6` (cypriaspitz) | Use host as [exit node](#exit-nodes) |
|
||||
| `login-server` | `https://vpn.qo.is` | Use our own VPN service. |
|
||||
|
||||
|
||||
> ⚠️ Currently, if the client is in an IPv6 network, the transport is broken.
|
||||
> Disable IPv6 connectivity to use the VPN.
|
||||
> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details.
|
||||
|
||||
> See [#4](https://git.qo.is/qo.is/infrastructure/issues/4) for details.
|
||||
|
||||
### NixOS
|
||||
|
||||
|
@ -90,15 +87,15 @@ See [this Headscale documentation for more](https://headscale.net/stable/usage/c
|
|||
### Server
|
||||
|
||||
1. `systemctl stop headscale`
|
||||
2. Replace `/var/lib/headscale`
|
||||
3. `systemctl start headscale`
|
||||
4. Monitor logs for errors
|
||||
1. Replace `/var/lib/headscale`
|
||||
1. `systemctl start headscale`
|
||||
1. Monitor logs for errors
|
||||
|
||||
Note: `/var/lib/headscale` contains a sqlite database.
|
||||
|
||||
### Clients
|
||||
|
||||
1. `systemctl stop tailscaled`
|
||||
2. Replace `/var/lib/tailscale`
|
||||
3. `systemctl start tailscaled`
|
||||
4. Monitor logs for errors
|
||||
1. Replace `/var/lib/tailscale`
|
||||
1. `systemctl start tailscaled`
|
||||
1. Monitor logs for errors
|
||||
|
|
|
@ -10,7 +10,7 @@ let
|
|||
cfgLoadbalancer = config.qois.loadbalancer;
|
||||
defaultDnsRecords =
|
||||
(mapAttrs (
|
||||
name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value}
|
||||
_name: value: mkIf (cfgLoadbalancer.hostmap ? ${value}) cfgLoadbalancer.hostmap.${value}
|
||||
) cfgLoadbalancer.domains)
|
||||
// {
|
||||
"vpn.qo.is" = config.services.headscale.address;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# WWAN Module {#_wwan_module}
|
||||
# WWAN Module {#\_wwan_module}
|
||||
|
||||
This module configures WWAN adapters that support MBIM
|
||||
|
||||
## Current limitations {#_current_limitations}
|
||||
## Current limitations {#\_current_limitations}
|
||||
|
||||
- IPv4 tested only
|
||||
- Currently, it is not simple to get network failures or address
|
||||
|
|
|
@ -6,11 +6,11 @@ MODE=$1
|
|||
DEV=$2
|
||||
|
||||
if [ "$DEBUG" == "" ]; then
|
||||
DEBUG="false"
|
||||
DEBUG="false"
|
||||
fi
|
||||
|
||||
if [ "$MBIM_INTERFACE" == "" ]; then
|
||||
MBIM_INTERFACE="/dev/cdc-wdm0"
|
||||
MBIM_INTERFACE="/dev/cdc-wdm0"
|
||||
fi
|
||||
|
||||
###############################################################################
|
||||
|
@ -29,274 +29,273 @@ ipv6_dns=()
|
|||
ipv6_mtu=""
|
||||
|
||||
export previous_state state skip_line \
|
||||
ipv4_addresses ipv4_gateway ipv4_dns ipv4_mtu \
|
||||
ipv6_addresses ipv6_gateway ipv6_dns ipv6_mtu
|
||||
ipv4_addresses ipv4_gateway ipv4_dns ipv4_mtu \
|
||||
ipv6_addresses ipv6_gateway ipv6_dns ipv6_mtu
|
||||
|
||||
###############################################################################
|
||||
# Function
|
||||
###############################################################################
|
||||
|
||||
function print_debug {
|
||||
if [ "$DEBUG" != "false" ]; then
|
||||
echo "[State: $state] $1" >&2
|
||||
fi
|
||||
if [ "$DEBUG" != "false" ]; then
|
||||
echo "[State: $state] $1" >&2
|
||||
fi
|
||||
}
|
||||
|
||||
function print_full_configuration {
|
||||
if [[ "${#ipv4_addresses[@]}" > 0 ]]; then
|
||||
printf "IPv4: "
|
||||
printf '%s, ' "${ipv4_addresses[@]}"
|
||||
printf "\n"
|
||||
if [[ ${#ipv4_addresses[@]} > 0 ]]; then
|
||||
printf "IPv4: "
|
||||
printf '%s, ' "${ipv4_addresses[@]}"
|
||||
printf "\n"
|
||||
|
||||
printf "GW: $ipv4_gateway\n"
|
||||
printf "GW: $ipv4_gateway\n"
|
||||
|
||||
printf "DNS: "
|
||||
printf '%s, ' "${ipv4_dns[@]}"
|
||||
printf "\n"
|
||||
printf "DNS: "
|
||||
printf '%s, ' "${ipv4_dns[@]}"
|
||||
printf "\n"
|
||||
|
||||
printf "MTU: $ipv4_mtu\n"
|
||||
fi
|
||||
printf "MTU: $ipv4_mtu\n"
|
||||
fi
|
||||
|
||||
if [[ "${#ipv6_addresses[@]}" > 0 ]]; then
|
||||
echo
|
||||
printf "IPv6: "
|
||||
printf '%s, ' "${ipv6_addresses[@]}"
|
||||
printf "\n"
|
||||
if [[ ${#ipv6_addresses[@]} > 0 ]]; then
|
||||
echo
|
||||
printf "IPv6: "
|
||||
printf '%s, ' "${ipv6_addresses[@]}"
|
||||
printf "\n"
|
||||
|
||||
printf "GW: $ipv6_gateway\n"
|
||||
printf "GW: $ipv6_gateway\n"
|
||||
|
||||
printf "DNS: "
|
||||
printf '%s, ' "${ipv6_dns[@]}"
|
||||
printf "\n"
|
||||
printf "DNS: "
|
||||
printf '%s, ' "${ipv6_dns[@]}"
|
||||
printf "\n"
|
||||
|
||||
printf "MTU: $ipv6_mtu\n"
|
||||
fi
|
||||
printf "MTU: $ipv6_mtu\n"
|
||||
fi
|
||||
}
|
||||
|
||||
function next_state {
|
||||
previous_state="$state"
|
||||
state="$1"
|
||||
previous_state="$state"
|
||||
state="$1"
|
||||
}
|
||||
|
||||
function parse_ip {
|
||||
# IP [0]: '10.134.203.177/30'
|
||||
local line_re="IP \[([0-9]+)\]: '(.+)'"
|
||||
local input=$1
|
||||
if [[ $input =~ $line_re ]]; then
|
||||
local ip_cnt=${BASH_REMATCH[1]}
|
||||
local ip=${BASH_REMATCH[2]}
|
||||
fi
|
||||
echo "$ip"
|
||||
# IP [0]: '10.134.203.177/30'
|
||||
local line_re="IP \[([0-9]+)\]: '(.+)'"
|
||||
local input=$1
|
||||
if [[ $input =~ $line_re ]]; then
|
||||
local ip_cnt=${BASH_REMATCH[1]}
|
||||
local ip=${BASH_REMATCH[2]}
|
||||
fi
|
||||
echo "$ip"
|
||||
}
|
||||
|
||||
function parse_dns {
|
||||
# IP [0]: '10.134.203.177/30'
|
||||
local line_re="DNS \[([0-9]+)\]: '(.+)'"
|
||||
local input=$1
|
||||
if [[ $input =~ $line_re ]]; then
|
||||
local dns_cnt=${BASH_REMATCH[1]}
|
||||
local dns=${BASH_REMATCH[2]}
|
||||
fi
|
||||
echo "$dns"
|
||||
# IP [0]: '10.134.203.177/30'
|
||||
local line_re="DNS \[([0-9]+)\]: '(.+)'"
|
||||
local input=$1
|
||||
if [[ $input =~ $line_re ]]; then
|
||||
local dns_cnt=${BASH_REMATCH[1]}
|
||||
local dns=${BASH_REMATCH[2]}
|
||||
fi
|
||||
echo "$dns"
|
||||
}
|
||||
|
||||
function parse_gateway {
|
||||
# Gateway: '10.134.203.178'
|
||||
local line_re="Gateway: '(.+)'"
|
||||
local input=$1
|
||||
if [[ $input =~ $line_re ]]; then
|
||||
local gw=${BASH_REMATCH[1]}
|
||||
fi
|
||||
echo "$gw"
|
||||
# Gateway: '10.134.203.178'
|
||||
local line_re="Gateway: '(.+)'"
|
||||
local input=$1
|
||||
if [[ $input =~ $line_re ]]; then
|
||||
local gw=${BASH_REMATCH[1]}
|
||||
fi
|
||||
echo "$gw"
|
||||
}
|
||||
|
||||
function parse_mtu {
|
||||
# MTU: '1500'
|
||||
local line_re="MTU: '([0-9]+)'"
|
||||
local input=$1
|
||||
if [[ $input =~ $line_re ]]; then
|
||||
local mtu=${BASH_REMATCH[1]}
|
||||
fi
|
||||
echo "$mtu"
|
||||
# MTU: '1500'
|
||||
local line_re="MTU: '([0-9]+)'"
|
||||
local input=$1
|
||||
if [[ $input =~ $line_re ]]; then
|
||||
local mtu=${BASH_REMATCH[1]}
|
||||
fi
|
||||
echo "$mtu"
|
||||
}
|
||||
|
||||
function parse_input_state_machine {
|
||||
state="start"
|
||||
while true; do
|
||||
if [[ "$skip_line" == 0 ]]; then
|
||||
read line || break # TODO: Clean up
|
||||
else
|
||||
skip_line=0
|
||||
fi
|
||||
case "$state" in
|
||||
"start")
|
||||
read line || break # first line is empty, read a new one #TODO: This is not very clean...
|
||||
case "$line" in
|
||||
*"configuration available: 'none'"*)
|
||||
# Skip none state
|
||||
# TODO: This is a workaround of the original parser's shortcomming
|
||||
continue
|
||||
;;
|
||||
*"IPv4 configuration available"*)
|
||||
next_state "ipv4_ip"
|
||||
continue
|
||||
;;
|
||||
*"IPv6 configuration available"*)
|
||||
next_state "ipv6_ip"
|
||||
continue
|
||||
;;
|
||||
*)
|
||||
next_state "exit"
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
"error")
|
||||
echo "Error in pattern matchin of state $previous_state. Exiting." >&2
|
||||
exit 2
|
||||
;;
|
||||
"exit")
|
||||
break
|
||||
;;
|
||||
"ipv4_ip")
|
||||
ipv4=$(parse_ip "$line")
|
||||
if [ -z "$ipv4" ]; then
|
||||
if [[ "${#ipv4_addresses[@]}" < 1 ]]; then
|
||||
next_state "error"
|
||||
continue
|
||||
else
|
||||
next_state "ipv4_gateway"
|
||||
skip_line=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
print_debug "$ipv4"
|
||||
ipv4_addresses+=("$ipv4")
|
||||
;;
|
||||
"ipv4_gateway")
|
||||
gw=$(parse_gateway "$line")
|
||||
if [ -z "$gw" ]; then
|
||||
next_state "error"
|
||||
continue
|
||||
fi
|
||||
print_debug "$gw"
|
||||
ipv4_gateway="$gw"
|
||||
next_state "ipv4_dns"
|
||||
;;
|
||||
"ipv4_dns")
|
||||
ipv4=$(parse_dns "$line")
|
||||
if [ -z "$ipv4" ]; then
|
||||
if [[ "${#ipv4_dns[@]}" < 1 ]]; then
|
||||
next_state "error"
|
||||
continue
|
||||
else
|
||||
next_state "ipv4_mtu"
|
||||
skip_line=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
print_debug "$ipv4"
|
||||
ipv4_dns+=("$ipv4")
|
||||
;;
|
||||
"ipv4_mtu")
|
||||
mtu=$(parse_mtu "$line")
|
||||
if [ -z "$mtu" ]; then
|
||||
next_state "error"
|
||||
continue
|
||||
fi
|
||||
print_debug "$mtu"
|
||||
ipv4_mtu="$mtu"
|
||||
next_state "start"
|
||||
;;
|
||||
"ipv6_ip")
|
||||
ipv6=$(parse_ip "$line")
|
||||
if [ -z "$ipv6" ]; then
|
||||
if [[ "${#ipv6_addresses[@]}" < 1 ]]; then
|
||||
next_state "error"
|
||||
continue
|
||||
else
|
||||
next_state "ipv6_gateway"
|
||||
skip_line=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
print_debug "$ipv6"
|
||||
ipv6_addresses+=("$ipv6")
|
||||
;;
|
||||
"ipv6_gateway")
|
||||
gw=$(parse_gateway "$line")
|
||||
if [ -z "$gw" ]; then
|
||||
next_state "error"
|
||||
continue
|
||||
fi
|
||||
print_debug "$gw"
|
||||
ipv6_gateway="$gw"
|
||||
next_state "ipv6_dns"
|
||||
;;
|
||||
"ipv6_dns")
|
||||
ipv6=$(parse_dns "$line")
|
||||
if [ -z "$ipv6" ]; then
|
||||
if [[ "${#ipv6_dns[@]}" < 1 ]]; then
|
||||
next_state "error"
|
||||
continue
|
||||
else
|
||||
next_state "ipv6_mtu"
|
||||
skip_line=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
print_debug "$ipv6"
|
||||
ipv6_dns+=("$ipv6")
|
||||
;;
|
||||
"ipv6_mtu")
|
||||
mtu=$(parse_mtu "$line")
|
||||
if [ -z "$mtu" ]; then
|
||||
next_state "error"
|
||||
continue
|
||||
fi
|
||||
print_debug "$mtu"
|
||||
ipv6_mtu="$mtu"
|
||||
next_state "start"
|
||||
;;
|
||||
*)
|
||||
print_debug "Invalid state (came from $previous_state). Exiting."
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
done
|
||||
state="start"
|
||||
while true; do
|
||||
if [[ $skip_line == 0 ]]; then
|
||||
read line || break # TODO: Clean up
|
||||
else
|
||||
skip_line=0
|
||||
fi
|
||||
case "$state" in
|
||||
"start")
|
||||
read line || break # first line is empty, read a new one #TODO: This is not very clean...
|
||||
case "$line" in
|
||||
*"configuration available: 'none'"*)
|
||||
# Skip none state
|
||||
# TODO: This is a workaround of the original parser's shortcomming
|
||||
continue
|
||||
;;
|
||||
*"IPv4 configuration available"*)
|
||||
next_state "ipv4_ip"
|
||||
continue
|
||||
;;
|
||||
*"IPv6 configuration available"*)
|
||||
next_state "ipv6_ip"
|
||||
continue
|
||||
;;
|
||||
*)
|
||||
next_state "exit"
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
"error")
|
||||
echo "Error in pattern matchin of state $previous_state. Exiting." >&2
|
||||
exit 2
|
||||
;;
|
||||
"exit")
|
||||
break
|
||||
;;
|
||||
"ipv4_ip")
|
||||
ipv4=$(parse_ip "$line")
|
||||
if [ -z "$ipv4" ]; then
|
||||
if [[ ${#ipv4_addresses[@]} < 1 ]]; then
|
||||
next_state "error"
|
||||
continue
|
||||
else
|
||||
next_state "ipv4_gateway"
|
||||
skip_line=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
print_debug "$ipv4"
|
||||
ipv4_addresses+=("$ipv4")
|
||||
;;
|
||||
"ipv4_gateway")
|
||||
gw=$(parse_gateway "$line")
|
||||
if [ -z "$gw" ]; then
|
||||
next_state "error"
|
||||
continue
|
||||
fi
|
||||
print_debug "$gw"
|
||||
ipv4_gateway="$gw"
|
||||
next_state "ipv4_dns"
|
||||
;;
|
||||
"ipv4_dns")
|
||||
ipv4=$(parse_dns "$line")
|
||||
if [ -z "$ipv4" ]; then
|
||||
if [[ ${#ipv4_dns[@]} < 1 ]]; then
|
||||
next_state "error"
|
||||
continue
|
||||
else
|
||||
next_state "ipv4_mtu"
|
||||
skip_line=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
print_debug "$ipv4"
|
||||
ipv4_dns+=("$ipv4")
|
||||
;;
|
||||
"ipv4_mtu")
|
||||
mtu=$(parse_mtu "$line")
|
||||
if [ -z "$mtu" ]; then
|
||||
next_state "error"
|
||||
continue
|
||||
fi
|
||||
print_debug "$mtu"
|
||||
ipv4_mtu="$mtu"
|
||||
next_state "start"
|
||||
;;
|
||||
"ipv6_ip")
|
||||
ipv6=$(parse_ip "$line")
|
||||
if [ -z "$ipv6" ]; then
|
||||
if [[ ${#ipv6_addresses[@]} < 1 ]]; then
|
||||
next_state "error"
|
||||
continue
|
||||
else
|
||||
next_state "ipv6_gateway"
|
||||
skip_line=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
print_debug "$ipv6"
|
||||
ipv6_addresses+=("$ipv6")
|
||||
;;
|
||||
"ipv6_gateway")
|
||||
gw=$(parse_gateway "$line")
|
||||
if [ -z "$gw" ]; then
|
||||
next_state "error"
|
||||
continue
|
||||
fi
|
||||
print_debug "$gw"
|
||||
ipv6_gateway="$gw"
|
||||
next_state "ipv6_dns"
|
||||
;;
|
||||
"ipv6_dns")
|
||||
ipv6=$(parse_dns "$line")
|
||||
if [ -z "$ipv6" ]; then
|
||||
if [[ ${#ipv6_dns[@]} < 1 ]]; then
|
||||
next_state "error"
|
||||
continue
|
||||
else
|
||||
next_state "ipv6_mtu"
|
||||
skip_line=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
print_debug "$ipv6"
|
||||
ipv6_dns+=("$ipv6")
|
||||
;;
|
||||
"ipv6_mtu")
|
||||
mtu=$(parse_mtu "$line")
|
||||
if [ -z "$mtu" ]; then
|
||||
next_state "error"
|
||||
continue
|
||||
fi
|
||||
print_debug "$mtu"
|
||||
ipv6_mtu="$mtu"
|
||||
next_state "start"
|
||||
;;
|
||||
*)
|
||||
print_debug "Invalid state (came from $previous_state). Exiting."
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
||||
interface_stop() {
|
||||
ip addr flush dev $DEV
|
||||
ip route flush dev $DEV
|
||||
|
||||
interface_stop(){
|
||||
ip addr flush dev $DEV
|
||||
ip route flush dev $DEV
|
||||
ip -6 addr flush dev $DEV
|
||||
ip -6 route flush dev $DEV
|
||||
|
||||
ip -6 addr flush dev $DEV
|
||||
ip -6 route flush dev $DEV
|
||||
|
||||
#TODO: Nameserver?
|
||||
#TODO: Nameserver?
|
||||
}
|
||||
|
||||
interface_start() {
|
||||
ip link set $DEV up
|
||||
ip link set $DEV up
|
||||
|
||||
if [[ "${#ipv4_addresses[@]}" > 0 ]]; then
|
||||
ip addr add ${ipv4_addresses[@]} dev $DEV broadcast + #TODO: Works for multiple addresses?
|
||||
ip link set $DEV mtu $ipv4_mtu
|
||||
ip route add default via $ipv4_gateway dev $DEV
|
||||
#TODO: nameserver ${ipv4_dns[@]}
|
||||
else
|
||||
echo "No IPv4 address, skipping v4 configuration..."
|
||||
fi
|
||||
if [[ ${#ipv4_addresses[@]} > 0 ]]; then
|
||||
ip addr add ${ipv4_addresses[@]} dev $DEV broadcast + #TODO: Works for multiple addresses?
|
||||
ip link set $DEV mtu $ipv4_mtu
|
||||
ip route add default via $ipv4_gateway dev $DEV
|
||||
#TODO: nameserver ${ipv4_dns[@]}
|
||||
else
|
||||
echo "No IPv4 address, skipping v4 configuration..."
|
||||
fi
|
||||
|
||||
if [[ "${#ipv6_addresses[@]}" > 0 ]]; then
|
||||
ip -6 addr add ${ipv6_addresses[@]} dev $DEV #TODO: Works for multiple addresses?
|
||||
ip -6 route add default via $ipv6_gateway dev $DEV
|
||||
ip -6 link set $DEV mtu $ipv6_mtu
|
||||
#TODO: nameserver ${ipv6_dns[@]}"
|
||||
else
|
||||
echo "No IPv6 address, skipping v6 configuration..."
|
||||
fi
|
||||
if [[ ${#ipv6_addresses[@]} > 0 ]]; then
|
||||
ip -6 addr add ${ipv6_addresses[@]} dev $DEV #TODO: Works for multiple addresses?
|
||||
ip -6 route add default via $ipv6_gateway dev $DEV
|
||||
ip -6 link set $DEV mtu $ipv6_mtu
|
||||
#TODO: nameserver ${ipv6_dns[@]}"
|
||||
else
|
||||
echo "No IPv6 address, skipping v6 configuration..."
|
||||
fi
|
||||
}
|
||||
|
||||
###############################################################################
|
||||
|
@ -307,23 +306,23 @@ set -e
|
|||
echo "NOTE: This script does not yet support nameserver configuration."
|
||||
|
||||
case "$MODE" in
|
||||
"start")
|
||||
mbim-network $MBIM_INTERFACE start
|
||||
sleep 1
|
||||
mbimcli -d $MBIM_INTERFACE -p --query-ip-configuration=0 | {
|
||||
parse_input_state_machine
|
||||
print_full_configuration
|
||||
interface_stop
|
||||
interface_start
|
||||
}
|
||||
;;
|
||||
"stop")
|
||||
mbim-network $MBIM_INTERFACE stop
|
||||
interface_stop
|
||||
;;
|
||||
*)
|
||||
echo "USAGE: $0 start|stop INTERFACE" >&2
|
||||
echo "You can set an env variable DEBUG to gather debugging output." >&2
|
||||
exit 1
|
||||
;;
|
||||
"start")
|
||||
mbim-network $MBIM_INTERFACE start
|
||||
sleep 1
|
||||
mbimcli -d $MBIM_INTERFACE -p --query-ip-configuration=0 | {
|
||||
parse_input_state_machine
|
||||
print_full_configuration
|
||||
interface_stop
|
||||
interface_start
|
||||
}
|
||||
;;
|
||||
"stop")
|
||||
mbim-network $MBIM_INTERFACE stop
|
||||
interface_stop
|
||||
;;
|
||||
*)
|
||||
echo "USAGE: $0 start|stop INTERFACE" >&2
|
||||
echo "You can set an env variable DEBUG to gather debugging output." >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
|
|
@ -1,5 +0,0 @@
|
|||
self: super: {
|
||||
lib = (super.lib or { }) // {
|
||||
qois = import ../lib { lib = self.lib; };
|
||||
};
|
||||
}
|
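--- a/packages/cache/default.nix
+++ b/packages/cache/default.nix
@@ -1,42 +0,0 @@
-{
-attic-client,
-findutils,
-gnugrep,
-writeShellApplication,
-...
-}:
-writeShellApplication {
-name = "cache";
-meta.description = "Access the infrastructure's attic cache. Mostly used in CI.";
-runtimeInputs = [
-attic-client
-findutils
-gnugrep
-];
-text = ''
-SERVER="https://attic.qo.is/"
-CACHE_NAME="qois"
-CACHE_REPO="$CACHE_NAME:qois-infrastructure"
-if [ -z "$ATTIC_AUTH_TOKEN" ]; then
-echo "Please set the \$ATTIC_AUTH_TOKEN environment variable to access the cache."
-exit 3
-fi
-attic login "$CACHE_NAME" "$SERVER" "$ATTIC_AUTH_TOKEN"
-
-case "$1" in
-use)
-attic use "$CACHE_REPO"
-;;
-watch)
-attic watch-store "$CACHE_REPO"
-;;
-push)
-RESULT_PATH="./result"
-# Add build dependencies as well
-nix-store -qR --include-outputs "$(nix-store -qd $RESULT_PATH)" | grep -v '\.drv$' \
-| xargs attic push "$CACHE_REPO" "$RESULT_PATH"
-;;
-
-esac
-'';
-}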
@ -1,37 +1,28 @@
|
|||
{
|
||||
self,
|
||||
flakeSelf,
|
||||
system,
|
||||
private,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with pkgs.lib;
|
||||
let
|
||||
inherit (self.lib) foldersWithNix;
|
||||
inherit (pkgs.lib)
|
||||
path
|
||||
genAttrs
|
||||
;
|
||||
in
|
||||
{
|
||||
${system} =
|
||||
let
|
||||
packages = pipe (self.lib.foldersWithNix ./.) [
|
||||
(map (name: {
|
||||
inherit name;
|
||||
path = path.append ./. "./${name}/default.nix";
|
||||
}))
|
||||
(map (
|
||||
{ name, path }:
|
||||
{
|
||||
inherit name;
|
||||
value = pkgs.callPackage path {
|
||||
inherit self;
|
||||
inherit system;
|
||||
};
|
||||
}
|
||||
))
|
||||
listToAttrs
|
||||
];
|
||||
in
|
||||
packages
|
||||
// {
|
||||
default =
|
||||
let
|
||||
nixosConfigs = mapAttrsToList (n: v: v.config.system.build.toplevel) self.nixosConfigurations;
|
||||
in
|
||||
pkgs.linkFarmFromDrvs "all" (nixosConfigs ++ (attrValues packages));
|
||||
};
|
||||
${system} = genAttrs (foldersWithNix ./.) (
|
||||
name:
|
||||
pkgs.callPackage (path.append ./. "./${name}/default.nix") {
|
||||
inherit
|
||||
self
|
||||
flakeSelf
|
||||
system
|
||||
private
|
||||
;
|
||||
}
|
||||
);
|
||||
}
|
||||
|
|
|
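Review bot: The new `genAttrs` body passes `private` into every package's `callPackage` scope next to `self`, `flakeSelf` and `system`, but nothing in the hunk says what `private` holds or whether packages may read from it. `callPackage` only forwards it to functions that declare the argument, yet any package that does will evaluate whatever it reads into a store path, and the Nix store is readable by every user on the builder and, once pushed to a binary cache, by everyone with read access to that cache, so a one-line comment above the call such as `# private: site-specific, non-secret inputs only — anything a package reads from it lands in the (shared) store` would keep later package authors from treating it as a secret channel. I am inferring the role of `private` from the argument list alone; the file header and the flake that supplies it are outside this view. Removing the old `default` linkFarm also means `nix build` on this flake without an attribute no longer builds every package and NixOS toplevel, which is consistent with the CI move to nix-fast-build but may surprise local scripts that relied on it.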
@ -1,6 +1,6 @@
|
|||
{
|
||||
deploy-rs,
|
||||
self,
|
||||
flakeSelf,
|
||||
writeShellApplication,
|
||||
...
|
||||
}:
|
||||
|
@ -9,6 +9,6 @@ writeShellApplication {
|
|||
meta.description = "Deploy configuration to specificed targets.";
|
||||
runtimeInputs = [ deploy-rs ];
|
||||
text = ''
|
||||
deploy --interactive --targets "''${@:-${self}}"
|
||||
deploy --interactive --targets "''${@:-${flakeSelf}}"
|
||||
'';
|
||||
}
|
||||
|
|