4e8a2bb7e4
...
db33f88300
Author | SHA1 | Date |
---|---|---|
Tim Van Baak | db33f88300 | |
Tim Van Baak | 1d515f416a | |
Tim Van Baak | dd265429be | |
Tim Van Baak | 35247f7b4a | |
Tim Van Baak | b9c6e20ef6 | |
Tim Van Baak | d87f127954 | |
Tim Van Baak | ec88265631 | |
Tim Van Baak | 2a618ce67f | |
Tim Van Baak | 656fdeef49 | |
Tim Van Baak | 7feec36673 |
|
@ -5,75 +5,29 @@
|
|||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
# Bootloader.
|
||||
boot.loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
};
|
||||
|
||||
beatific.hostName = "backyard";
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
|
||||
# Enable networking
|
||||
networking.networkmanager.enable = true;
|
||||
users.users.tvb.extraGroups = [ "networkmanager" ];
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "UTC";
|
||||
|
||||
services.ntp = {
|
||||
networking.firewall = {
|
||||
enable = true;
|
||||
servers = [ "time.nist.gov" ];
|
||||
};
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
i18n.extraLocaleSettings = {
|
||||
LC_ADDRESS = "en_US.UTF-8";
|
||||
LC_IDENTIFICATION = "en_US.UTF-8";
|
||||
LC_MEASUREMENT = "en_US.UTF-8";
|
||||
LC_MONETARY = "en_US.UTF-8";
|
||||
LC_NAME = "en_US.UTF-8";
|
||||
LC_NUMERIC = "en_US.UTF-8";
|
||||
LC_PAPER = "en_US.UTF-8";
|
||||
LC_TELEPHONE = "en_US.UTF-8";
|
||||
LC_TIME = "en_US.UTF-8";
|
||||
};
|
||||
|
||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||
users.users.tvb = {
|
||||
isNormalUser = true;
|
||||
group = "tvb";
|
||||
extraGroups = [ "networkmanager" "wheel" ];
|
||||
openssh.authorizedKeys.keyFiles = [
|
||||
../../keys/tvb.palamas.pub
|
||||
../../keys/tvb.stagirite.pub
|
||||
../../keys/tvb.catacomb.pub
|
||||
../../keys/tvb.unfolder.pub
|
||||
allowedTCPPorts = [
|
||||
80 # http
|
||||
443 # https
|
||||
];
|
||||
};
|
||||
users.groups.tvb = {};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim
|
||||
git
|
||||
];
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
services.openssh.enable = true;
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
networking.firewall.enable = false;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "23.05"; # Did you read the comment?
|
||||
# This value governs how some stateful data, like databases, are handled
|
||||
# across different versions of NixOS. This should not be changed to a new
|
||||
# release unless the sysadmin has determined that no services would be
|
||||
# adversely affected by changing this.
|
||||
system.stateVersion = "23.05";
|
||||
|
||||
}
|
||||
|
|
|
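Review bot: The `allowedTCPPorts = [ 80 443 ]` entries in the new `networking.firewall` block open two ports that nothing else in this host file listens on, so a reader cannot tell which service is meant to terminate HTTP/HTTPS on "backyard" or whether those ports belong next to that service's module instead. A comment on the block naming the consumer, e.g. `# 80/443: reverse proxy for <service>, configured in <module>` (placeholders), would pin the intent; presumably the web service lives in a file this compare does not show. The installer template line `# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.` beside `networking.networkmanager.enable = true;` looks like leftover boilerplate and could go. Old/new attribution of the firewall lines is inferred from the hunk counts, since the rendered page dropped the markers.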
@ -1,18 +1,156 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mkOption types;
|
||||
inherit (lib) mkDefault mkIf mkMerge mkOption mkOverride types;
|
||||
cfg = config.beatific;
|
||||
mkFlag = description: mkOption {
|
||||
type = types.bool;
|
||||
inherit description;
|
||||
default = true;
|
||||
};
|
||||
in {
|
||||
options = {
|
||||
beatific.hostName = mkOption {
|
||||
beatific = {
|
||||
# The host name is reused for beatific-specific configuration.
|
||||
# The bulk of common config is handled in beatific.defaults below, but
|
||||
# having one option without a default ensures that the module cannot be
|
||||
# imported accidentally.
|
||||
hostName = mkOption {
|
||||
type = types.str;
|
||||
description = "Hostname";
|
||||
};
|
||||
|
||||
isLighthouse = mkOption {
|
||||
type = types.bool;
|
||||
description = "Whether this host is a Nebula lighthouse";
|
||||
default = false;
|
||||
};
|
||||
|
||||
config = let
|
||||
in {
|
||||
networking.hostName = cfg.hostName;
|
||||
# Groups of related defaults can be disabled by flipping off the switches here:
|
||||
# beatific.defaults.${category} = false;
|
||||
# They default to true because the point is to do these things by default.
|
||||
defaults = {
|
||||
time = mkFlag "Default time zone and NTP";
|
||||
i18n = mkFlag "Default locale settings";
|
||||
programs = mkFlag "Default installed programs";
|
||||
ssh = mkFlag "Default sshd settings";
|
||||
nebula = mkFlag "Default beatific nebula settings";
|
||||
tvb = mkFlag "Default tvb account";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
{
|
||||
# Options to always set
|
||||
networking.hostName = cfg.hostName;
|
||||
nix.extraOptions = "experimental-features = nix-command flakes";
|
||||
}
|
||||
|
||||
(mkIf cfg.defaults.time {
|
||||
# mkDefault time zone to make it easy to configure it to non-UTC
|
||||
time.timeZone = mkDefault "UTC";
|
||||
services.ntp.enable = true;
|
||||
services.ntp.servers = [ "time.nist.gov" ];
|
||||
})
|
||||
|
||||
(mkIf cfg.defaults.i18n {
|
||||
# en_US.UTF-8
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
i18n.extraLocaleSettings = {
|
||||
LC_ADDRESS = "en_US.UTF-8";
|
||||
LC_IDENTIFICATION = "en_US.UTF-8";
|
||||
LC_MEASUREMENT = "en_US.UTF-8";
|
||||
LC_MONETARY = "en_US.UTF-8";
|
||||
LC_NAME = "en_US.UTF-8";
|
||||
LC_NUMERIC = "en_US.UTF-8";
|
||||
LC_PAPER = "en_US.UTF-8";
|
||||
LC_TELEPHONE = "en_US.UTF-8";
|
||||
LC_TIME = "en_US.UTF-8";
|
||||
};
|
||||
})
|
||||
|
||||
(mkIf cfg.defaults.programs {
|
||||
environment.systemPackages = with pkgs; [
|
||||
curl
|
||||
git
|
||||
htop
|
||||
nebula
|
||||
python3
|
||||
vim
|
||||
wget
|
||||
];
|
||||
# The nixpkgs default is "nano", so we go one priority higher
|
||||
environment.variables.EDITOR = mkOverride 999 "vim";
|
||||
})
|
||||
|
||||
(mkIf cfg.defaults.ssh {
|
||||
services.openssh.enable = true;
|
||||
services.openssh.banner = ''
|
||||
____ ______ _______ _____ ______ _____ ______ ./|,,/|
|
||||
| _ \| ____| /\ |__ __|_ _| ____|_ _|/ ____/ < o o|
|
||||
| |_) | |__ / \ | | | | | |__ | | | | <\ ( |
|
||||
| _ <| __| / /\ \ | | | | | __| | | | | <\\ |\ |
|
||||
| |_) | |____/ ____ \ | | _| |_| | _| |_| |___<\\\ |(__)
|
||||
|____/|_____/_/ \_\|_| |_____|_| |_____|\_____|\\ |
|
||||
|
||||
'';
|
||||
networking.firewall.allowPing = true;
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
})
|
||||
|
||||
(mkIf cfg.defaults.nebula {
|
||||
services.nebula.networks.beatific = let
|
||||
empyreanExternalDns = "vpn.alogoulogoi.com";
|
||||
empyreanInternalIp = "10.22.20.1";
|
||||
nebulaPort = 4242;
|
||||
in {
|
||||
enable = true;
|
||||
|
||||
# The lighthouse only listens on the designated subdomain
|
||||
listen.host = if cfg.isLighthouse then empyreanExternalDns else "0.0.0.0";
|
||||
listen.port = nebulaPort;
|
||||
|
||||
# Standard certificate paths
|
||||
ca = "/etc/nebula/beatific/beatific.crt";
|
||||
cert = "/etc/nebula/beatific/${cfg.hostName}.crt";
|
||||
key = "/etc/nebula/beatific/${cfg.hostName}.key";
|
||||
|
||||
isLighthouse = cfg.isLighthouse;
|
||||
# Non-lighthouses connect to the lighthouse at empyrean
|
||||
# This should be a VPN address in the static host map
|
||||
lighthouses = mkIf (! cfg.isLighthouse) [ empyreanInternalIp ];
|
||||
|
||||
# Currently there is no VPN-level traffic filtering
|
||||
firewall.outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
|
||||
firewall.inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
|
||||
|
||||
# Map the lighthouse address to its public address
|
||||
staticHostMap = { ${empyreanInternalIp} = [ "${empyreanExternalDns}:${toString nebulaPort}" ]; };
|
||||
|
||||
settings = {
|
||||
# Enable UDP holepunching both ways, which allows nodes to establish more direct connections with each other
|
||||
punchy = { punch = true; response = true; };
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
(mkIf cfg.defaults.tvb {
|
||||
users.groups.tvb = {};
|
||||
users.users.tvb = {
|
||||
isNormalUser = true;
|
||||
group = "tvb";
|
||||
extraGroups = [ "wheel" ];
|
||||
initialPassword = "password";
|
||||
openssh.authorizedKeys.keyFiles = [
|
||||
../keys/tvb.catacomb.pub
|
||||
../keys/tvb.empyrean.pub
|
||||
../keys/tvb.palamas.pub
|
||||
../keys/tvb.stagirite.pub
|
||||
../keys/tvb.unfolder.pub
|
||||
../keys/tvb.vagrant.pub
|
||||
];
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
||||
|
|
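Review bot: `initialPassword = "password";` in the tvb defaults gives a wheel-group account a publicly known password, and the ssh defaults in the same file set `services.openssh.enable = true;` without disabling password authentication, so on any host where this module first creates the account the password is usable over SSH until someone changes it. Since keys are already provisioned via `openssh.authorizedKeys.keyFiles`, the ssh block could add `services.openssh.settings.PasswordAuthentication = false;` beside the enable line, or the tvb block could use `initialHashedPassword` with a real hash instead of the plaintext value; whether password login is disabled somewhere outside this diff cannot be seen here. The nebula block's any/any `firewall.inbound` rule is already acknowledged by its own comment, but it is worth stating there that, combined with `allowedTCPPorts = [ 22 ]`, every overlay peer can presumably reach sshd, which makes the password issue reachable from the VPN as well as the LAN.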