diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix
new file mode 100644
index 0000000..1311a32
--- /dev/null
+++ b/newinfra/nix/hive.nix
@@ -0,0 +1,93 @@
+{
+meta = {
+# Override to pin the Nixpkgs version (recommended). This option
+# accepts one of the following:
+# - A path to a Nixpkgs checkout
+# - The Nixpkgs lambda (e.g., import )
+# - An initialized Nixpkgs attribute set
+# TODO: Pin
+nixpkgs = import ;
+
+# If your Colmena host has nix configured to allow for remote builds
+# (for nix-daemon, your user being included in trusted-users)
+# you can set a machines file that will be passed to the underlying
+# nix-store command during derivation realization as a builders option.
+# For example, if you support multiple orginizations each with their own
+# build machine(s) you can ensure that builds only take place on your
+# local machine and/or the machines specified in this file.
+# machinesFile = ./machines.client-a;
+};
+
+defaults = { pkgs, ... }: {
+# This module will be imported by all hosts
+environment.systemPackages = with pkgs; [
+vim
+wget
+curl
+traceroute
+dnsutils
+];
+time.timeZone = "Europe/Zurich";
+users.users.root.openssh.authorizedKeys.keys = [ ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0n1ikUG9rYqobh7WpAyXrqZqxQoQ2zNJrFPj12gTpP nilsh@PC-Nils'' ];
+
+boot.tmp.cleanOnBoot = true;
+zramSwap.enable = true;
+
+services.openssh.enable = true;
+# By default, Colmena will replace unknown remote profile
+# (unknown means the profile isn't in the nix store on the
+# host running Colmena) during apply (with the default goal,
+# boot, and switch).
+# If you share a hive with others, or use multiple machines,
+# and are not careful to always commit/push/pull changes
+# you can accidentaly overwrite a remote profile so in those
+# scenarios you might want to change this default to false.
+# deployment.replaceUnknownProfiles = true;
+};
+
+dns1 = { name, nodes, modulesPath, ... }: {
+imports = [ ./modules/dns (modulesPath + "/profiles/qemu-guest.nix") ];
+
+# The name and nodes parameters are supported in Colmena,
+# allowing you to reference configurations in other nodes.
+networking.hostName = name;
+
+deployment.targetHost = "dns1.nilstrieb.dev";
+deployment.tags = [ "dns" "us" ];
+
+system.stateVersion = "23.11";
+
+boot.loader.grub.device = "/dev/sda";
+boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+boot.initrd.kernelModules = [ "nvme" ];
+fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
+};
+
+/*host-b = {
+# Like NixOps and Morph, Colmena will attempt to connect to
+# the remote host using the attribute name by default. You
+# can override it like:
+deployment.targetHost = "dns2.infra.noratrieb.dev";
+
+# It's also possible to override the target SSH port.
+# For further customization, use the SSH_CONFIG_FILE
+# environment variable to specify a ssh_config file.
+deployment.targetPort = 1234;
+
+# Override the default for this target host
+deployment.replaceUnknownProfiles = false;
+
+# You can filter hosts by tags with --on @tag-a,@tag-b.
+# In this example, you can deploy to hosts with the "web" tag using:
+# colmena apply --on @web
+# You can use globs in tag matching as well:
+# colmena apply --on '@infra-*'
+deployment.tags = [ "dns" "eu" ];
+
+boot.loader.grub.device = "/dev/sda";
+fileSystems."/" = {
+device = "/dev/sda1";
+fsType = "ext4";
+};
+};*/
+}
diff --git a/newinfra/nix/modules/dns/default.nix b/newinfra/nix/modules/dns/default.nix
new file mode 100644
index 0000000..35fb78c
--- /dev/null
+++ b/newinfra/nix/modules/dns/default.nix
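Review bot: `services.openssh.enable = true` in `defaults` turns on sshd with a root authorized key while leaving NixOS's `PasswordAuthentication` at its default (enabled unless set), so on an internet-reachable host the key is not the only accepted credential. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line so only the listed key is accepted. The `nixpkgs = import ;` line has lost its path argument in this rendering (presumably `<nixpkgs>`), and as the `# TODO: Pin` records, until it is pinned each `colmena apply` evaluates against whatever channel the deploying machine happens to have, which makes the deployed system hard to reproduce and audit.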
@@ -0,0 +1,28 @@
+{ pkgs, ... }: {
+# get the package for the debugging tools
+environment.systemPackages = with pkgs; [ knot-dns ];
+
+networking.firewall.allowedUDPPortRanges = [
+{ from = 53; to = 53; }
+];
+
+services.knot = {
+enable = true;
+settingsFile = pkgs.writeTextFile {
+name = "knot.conf";
+text = ''
+server:
+listen: 0.0.0.0@53
+listen: ::@53
+
+zone:
+- domain: noratrieb.dev
+storage: /var/lib/knot/zones/
+file: ${import ./noratrieb.dev.nix { inherit pkgs; }}
+log:
+- target: syslog
+any: info
+'';
+};
+};
+}
diff --git a/newinfra/nix/modules/dns/nilstrieb.dev.md b/newinfra/nix/modules/dns/nilstrieb.dev.md
new file mode 100644
index 0000000..2e13e4a
--- /dev/null
+++ b/newinfra/nix/modules/dns/nilstrieb.dev.md
@@ -0,0 +1,29 @@
+@ A N/A 185.199.108.153
+@ A N/A 185.199.109.153
+@ A N/A 185.199.110.153
+@ A N/A 185.199.111.153
+@ AAAA N/A 2606:50c0:8002:0:0:0:0:153
+@ AAAA N/A 2606:50c0:8003:0:0:0:0:153
+@ AAAA N/A 2606:50c0:8000:0:0:0:0:153
+@ AAAA N/A 2606:50c0:8001:0:0:0:0:153
+@ MX 10 mail.protonmail.ch
+@ MX 20 mailsec.protonmail.ch
+@ TXT N/A protonmail-verification=86964dcc4994261eab23dbc53dad613b10bab6de
+@ TXT N/A v=spf1 include:_spf.protonmail.ch ~all
+bisect-rustc A N/A 184.174.32.252
+blog CNAME N/A nilstrieb.github.io
+_atproto.bsky TXT N/A did=did:plc:pqyzoyxk7gfcbxk65mjyncyl
+cors-school A N/A 184.174.32.252
+api.cors-school A N/A 184.174.32.252
+docker A N/A 184.174.32.252
+hugo-chat A N/A 184.174.32.252
+api.hugo-chat A N/A 184.174.32.252
+k8s-control A N/A 161.97.165.1
+localhost A N/A 127.0.0.1
+olat A N/A 184.174.32.252
+pronouns TXT N/A TODO
+uptime A N/A 184.174.32.252
+vps1 A N/A 161.97.165.1
+vps2 A N/A 184.174.32.252
+www A N/A 184.174.32.252
+dns1 A N/A 154.38.163.74
\ No newline at end of file
diff --git a/newinfra/nix/modules/dns/noratrieb.dev.nix b/newinfra/nix/modules/dns/noratrieb.dev.nix
new file mode 100644
index 0000000..3fd8686
--- /dev/null
+++ b/newinfra/nix/modules/dns/noratrieb.dev.nix
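Review bot: The firewall rule opens only UDP 53 (`allowedUDPPortRanges`) while knot is told to listen on both transports; DNS over TCP is required for truncated and large answers (and for any future zone transfer), so add `networking.firewall.allowedTCPPorts = [ 53 ];`, and the one-port range reads more directly as `networking.firewall.allowedUDPPorts = [ 53 ];`. The knot.conf text is YAML-style and indentation-sensitive, and indentation is not visible in this rendering, so confirm in the committed file that the `listen:`, `storage:` and `file:` lines are nested under their sections. The comment on the package line would be more useful as `# knot-dns on PATH for the knotc/kdig debugging tools`.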
@@ -0,0 +1,43 @@
+# https://github.com/nix-community/dns.nix
+{ pkgs, ... }:
+let
+# TODO: do this in a central place
+dns = import (pkgs.fetchFromGitHub {
+owner = "nix-community";
+repo = "dns.nix";
+rev = "v1.1.2";
+hash = "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=";
+});
+
+data = with dns.lib.combinators;
+{
+SOA = {
+nameServer = "154.38.163.74"; #"ns1.noratrieb.dev";
+adminEmail = "void@noratrieb.dev";
+serial = 2024072601;
+};
+
+NS = [
+"154.38.163.74" #"ns1.noratrieb.dev"
+#"ns2.noratrieb.dev"
+];
+
+A = [ (a "161.97.165.1") ];
+AAAA = [ ];
+
+subdomains = {
+www.CNAME = [ (cname "noratrieb.dev") ];
+pronouns.TXT = [
+"she/her"
+];
+
+#ns1 = (host "154.38.163.74");
+
+#"dns1.infra" = (a "154.38.163.74");
+};
+};
+in
+pkgs.writeTextFile {
+name = "noratrieb.dev.zone";
+text = dns.lib.toString "noratrieb.dev" data;
+}
diff --git a/newinfra/provision/README.md b/newinfra/provision/README.md
new file mode 100644
index 0000000..690e6c7
--- /dev/null
+++ b/newinfra/provision/README.md
@@ -0,0 +1,12 @@
+# provisioning
+
+NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-infect) over a default image.
+
+> Contabo sets the hostname to something like vmi######.contaboserver.net, Nixos only allows RFC 1035 compliant hostnames (see here).
+> Run `hostname something_without_dots` before running the script.
+> If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname.
+
+```
+curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect
+bash nixos-infect
+```
diff --git a/shell.nix b/shell.nix
index 0016f1c..a665039 100644
--- a/shell.nix
+++ b/shell.nix
@@ -4,6 +4,7 @@
 ansible-lint
 awscli
 certbot
+colmena
 dig
 openssl
 caddy
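Review bot: `SOA.nameServer` and the `NS` list hold the IP literal `154.38.163.74`, but both fields are domain names in DNS, so the generated zone advertises a nameserver named `154.38.163.74.` that resolvers cannot look up; the commented `#"ns1.noratrieb.dev"` entries show the intended form. Change them to `nameServer = "ns1.noratrieb.dev.";` and `NS = [ "ns1.noratrieb.dev." ];` and add `ns1.A = [ (a "154.38.163.74") ];` under `subdomains` (the commented-out `host` call may need both an IPv4 and an IPv6 argument in dns.nix — confirm against the library before uncommenting it). Because ns1 lives inside the zone it serves, the registrar must also carry a glue record for it, which this file cannot express. The `serial` is a fixed literal and has to be bumped on every zone change for caches and any future secondary to pick up updates; a short comment stating that next to `serial = 2024072601;` would help the next editor.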