clerie/nixfiles
1
0
Fork 0
Code Activity

Compare commits

base: clerie:24623e1a75e4a4494af65457a0d5c1ad73d53fa6
Branches Tags
clerie:master clerie:updated-inputs clerie:updated-inputs-2025-08-31-01-03 clerie:updated-inputs-2025-08-30-01-03 clerie:updated-inputs-2025-08-28-01-03 clerie:updated-inputs-2025-08-27-01-03 clerie:updated-inputs-2025-08-21-01-03 clerie:updated-inputs-2025-08-18-01-03 clerie:updated-inputs-2025-08-17-01-03 clerie:updated-inputs-2025-08-16-01-03 clerie:updated-inputs-2025-08-15-01-03 clerie:migrate-to-lix clerie:gpg-test
...
compare: clerie:updated-inputs-2025-08-30-01-03
Branches Tags
clerie:updated-inputs clerie:updated-inputs-2025-08-31-01-03 clerie:master clerie:updated-inputs-2025-08-30-01-03 clerie:updated-inputs-2025-08-28-01-03 clerie:updated-inputs-2025-08-27-01-03 clerie:updated-inputs-2025-08-21-01-03 clerie:updated-inputs-2025-08-18-01-03 clerie:updated-inputs-2025-08-17-01-03 clerie:updated-inputs-2025-08-16-01-03 clerie:updated-inputs-2025-08-15-01-03 clerie:migrate-to-lix clerie:gpg-test

156 Commits
24623e1a75 ... updated-in

Author SHA1 Message Date
Flake Update Bot
e9dfde7106 Update nixpkgs 2025-08-30-01-03 2025-08-30 03:04:04 +02:00
clerie
dd76691f7d pkgs/bijwerken-*,modules/bijwerken: Consolidate system update management and refactor under the same name 2025-08-17 21:49:24 +02:00
clerie
72cdef91d9 profiles/common-nix: Remove guests group from trusted nix users 2025-08-17 20:02:34 +02:00
clerie
22c7cb451b pkgs/nixfiles: Add helper script to trigger system upgrades 2025-08-17 19:05:22 +02:00
clerie
9357981ff3 hosts/monitoring-3: Alert on fem.social unavailable 2025-08-17 10:39:01 +02:00
clerie
eddb365ae5 hosts/monitoring-3: Alert nadja.top down after 15min only 2025-08-17 10:17:43 +02:00
clerie
d01de7fc4a hosts/monitoring-3: Add dashboards to deployment 2025-08-16 22:01:06 +02:00
clerie
a1ca9313b9 hosts/monitoring-3: Add Nginx Grafana dashboard 2025-08-15 20:50:24 +02:00
clerie
217ede0307 modules/monitoring: Extract metrics from nginx logs 2025-08-15 18:14:41 +02:00
clerie
643478b724 pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules 2025-08-14 20:20:33 +02:00
clerie
13b8ccd087 hosts/krypton: don't use onlyoffice anymore 2025-08-09 14:59:03 +02:00
clerie
7c3a97a90a hosts/web-2: Update legal.clerie.de 2025-08-09 11:42:04 +02:00
clerie
40338d9b85 hosts/monitoring-3: Monitor alertmanager 2025-08-09 11:41:34 +02:00
clerie
7f6f6281cc profiles/desktop: Migrate from configuration 2025-07-29 23:03:58 +02:00
clerie
2d4acb5a49 flake.lock: Update lix 2025-07-29 18:04:22 +02:00
Flake Update Bot
905682cf17 Update nixpkgs 2025-07-29-01-03 2025-07-29 03:04:11 +02:00
clerie
f5ec777e9b flake/hydraJobs.nix: Track additional packages in hydra 2025-07-28 22:48:59 +02:00
clerie
944bced757 pkgs/pipewire-all-bluetooth: A pipewire audio sink that distributes to all Bluetooth speakers 2025-07-28 22:36:49 +02:00
clerie
5bd15927d5 hosts/web-2: Block Alibaba Cloud because of scraper bots 2025-07-18 23:55:33 +02:00
clerie
9b05a008bb configuration/desktop: Add helvum audio routing gui 2025-07-15 19:39:46 +02:00
clerie
871ba5ea43 pkgs/uptimestatus: Explicitly specify build system 2025-07-15 19:26:50 +02:00
clerie
560e53f77b hosts/krypton: Add drune3d program 2025-07-12 13:21:30 +02:00
clerie
03aa425038 hosts/web-2: Add traveldrafter.clerie.de 2025-07-06 18:17:31 +02:00
clerie
751efd02bb hosts/porter: Enable system auto upgrade 2025-07-05 20:16:01 +02:00
clerie
43d1133772 modules/clerie-system-upgrade: Always reboot after an update 2025-06-30 18:35:57 +02:00
clerie
4245ae84ed hosts/carbon: Don't make kea depend on non existend network-setup.service anymore 2025-06-29 22:25:19 +02:00
clerie
b9f47fc30c flake.nix: Use patched nixpkgs for carbon 2025-06-29 17:29:01 +02:00
clerie
ce54f06fd0 flake/nixosConfigurations.nix: Handle host specific nixpkgs input again 2025-06-29 17:28:38 +02:00
clerie
457fa2ca6f lib/mkNixpkgs.nix: Add function to import nixpkgs with overlays 2025-06-29 16:56:41 +02:00
clerie
60e80ab2e9 profiles/gpg-ssh: Move gpg-ssh to profiles 2025-06-29 11:51:27 +02:00
clerie
4bf030c006 profiles/common-nix: Migrate nix common config zu profile 2025-06-29 11:34:11 +02:00
clerie
0204773d27 lib/nixosSystem.nix: Wrap nixpkgs.lib.nixosSystem and include nixfiles modules and overlays by default 2025-06-28 16:43:03 +02:00
clerie
a66da6cac9 lib/link-local-wireguard.nix: Remove obsolete functions 2025-06-28 16:27:06 +02:00
clerie
691d671420 pkgs/clerie-ssh-known-hosts: Expose function as package 2025-06-28 16:25:38 +02:00
clerie
fef845117e flake/nixosConfigurations.nix: Pull localNixpkgs directly instead of creating nixpkgs with local overlays again 2025-06-28 16:10:46 +02:00
clerie
11970e287c pkgs/build-support: Move clerie-build-support attribute name to overlay 2025-06-28 15:32:58 +02:00
clerie
cdc1a1e6de flake.nix: Add unused helper variable 2025-06-28 15:31:38 +02:00
clerie
e9b5dce77f flake.nix: Common naming scheme for overlays and no default overlays anymore 2025-06-28 15:22:16 +02:00
clerie
23190f0777 pkgs/overlay.nix: Get rid of pkgs/pkgs.nix and move overrides to separate overlay 2025-06-28 15:14:36 +02:00
clerie
1d927638c5 flake.nix: Exclude build support from flake exported packages and make pkgs/pkgs.nix obsolete again 2025-06-28 15:03:46 +02:00
clerie
a754af1ee9 configuration/desktop: Update renamed option name 2025-06-28 14:14:11 +02:00
clerie
617a27d4fe flake.lock: Update lix 2025-06-28 14:05:39 +02:00
clerie
eace2fabb2 pkgs/build-support: Add writePytonScript helper function 2025-06-28 14:03:57 +02:00
Flake Update Bot
721f6681e1 Update nixpkgs 2025-06-27-01-03 2025-06-27 03:04:09 +02:00
clerie
86bfe85982 hosts/porter: Resolve nginx proxy upstreams via unbound 2025-06-24 16:42:03 +02:00
clerie
e24190ae08 hosts/dn42-il-gw1: Open firewall for wireguard tunnel ports 2025-06-11 08:07:13 +02:00
clerie
9755550435 hosts/dn42-il-gw1: AS4242421718 fix link local peer address 2025-06-11 08:06:42 +02:00
clerie
0dfc013122 hosts/dn42-il-gw1: Add peer AS4242421718 2025-06-10 23:08:38 +02:00
clerie
3c85462f46 monitoring/targets.json: Check fem.social http 2025-06-03 15:43:05 +02:00
clerie
cc1790bf30 modules/nginx-port-forward: Proxy upstream DNS is only reresolved when referenced as a variable 2025-06-03 15:41:56 +02:00
clerie
c97799b97c hosts/monitoring-3: Alert on broken IPv4 to IPv6 proxy 2025-06-02 18:46:43 +02:00
clerie
3b0986cc57 modules/nginx-port-forward: Hardcode dns response caching time to 30s 2025-06-02 18:30:35 +02:00
clerie
89a96632a2 pkgs/overrides: Disable openpgp support in dino 2025-06-02 18:16:33 +02:00
clerie
a7950d2466 pkgs/overrides: Deactivate notification sounds in dino 2025-06-02 18:04:25 +02:00
clerie
c31b68d96a flake.lock: Update bij 2025-06-01 22:20:33 +02:00
clerie
c49e26d828 modules/nginx-port-forward: Resolve upstream hostnames as IPv6 only 2025-06-01 20:32:50 +02:00
clerie
5add1baa8d flake.nix: Update lix 2025-06-01 14:50:29 +02:00
clerie
ff4b3579b3 monitoring/targets.json: Monitor some more websites 2025-06-01 14:25:38 +02:00
clerie
16f709b7aa monitoring/targets.json: Don't ping matrix hosts 2025-06-01 14:19:22 +02:00
clerie
096fe1dc03 profiles/monitoring-server: Monitor http 2025-06-01 14:08:57 +02:00
clerie
e475e46e3c profiles/monitoring-server: Fetch monitoring targets from json file 2025-06-01 13:31:43 +02:00
clerie
92f8495111 modules/nginx-port-forward: Automatically reresolve hostnames 2025-05-31 13:03:00 +02:00
clerie
50ca6f03ee hosts/porter: Proxy port 80 and 443 to baikonur 2025-05-31 13:02:18 +02:00
clerie
1a9475ad7f profiles/common-webserver: Migrate webserver config to profile 2025-05-31 13:00:43 +02:00
clerie
fae30a0fc5 hosts/monitoring-3: Don't alert for /nix/store disk full 2025-05-29 12:16:26 +02:00
clerie
f70421d8f9 Revert "pkgs/overrides: Dino uses OMEMO by default for new conversations" 
Fixed upstream

This reverts commit 1c087b0c9f.
 2025-05-27 16:35:34 +02:00
Flake Update Bot
3f2c0fc244 Update nixpkgs 2025-05-27-01-03 2025-05-27 03:04:02 +02:00
clerie
cddd9b1a1e pkgs/git-show-link: Improve linking to directory 2025-05-25 20:48:07 +02:00
clerie
efad5a6cbb pkgs/git-show-link: Normalize paths 2025-05-25 20:21:51 +02:00
clerie
d334a1a73c pkgs/git-show-link: Link to files directly 2025-05-25 19:59:59 +02:00
clerie
4fa4c8d669 configuration/common: Don't force requests ca bundle environment var 2025-05-25 14:15:54 +02:00
clerie
46d23fb98a pkgs/git-show-link: Specify URL format using --remote-type 2025-05-23 14:51:20 +02:00
clerie
4e56adef58 pkgs/git-show-link: Display error message when not executed in a git repo 2025-05-23 14:28:03 +02:00
clerie
b93dc9f16b configuration/common: Make Python requests always use system CA 2025-05-19 18:43:38 +02:00
clerie
44d1a444ba pkgs/git-show-link: Handle branch names with slashes properly 2025-05-19 10:49:32 +02:00
clerie
d0c6ecff4c flake.lock: Update nixos-exporter 2025-05-08 21:50:31 +02:00
clerie
1042cf279f profiles/hydra-build-machine: Migrate configuration to profile 2025-05-08 17:17:01 +02:00
clerie
fe23b7745f configuration/dn42: Remove obsolete configuration 2025-05-08 16:31:33 +02:00
clerie
ced991b911 profiles/router: Migrate configuration to profile 2025-05-08 16:17:26 +02:00
clerie
fa1220dcf8 configuration/router: All hosts using this config don't do BGP and OSPF 2025-05-08 15:55:59 +02:00
clerie
802a731a57 Merge remote-tracking branch 'origin/updated-inputs-2025-05-06-01-03' 2025-05-08 12:19:02 +02:00
clerie
8b9acbb9b1 hosts/monitoring-3: Display pretty scraping address for nixos-validator 2025-05-08 12:13:54 +02:00
clerie
0b6d9623bc modules/monitoring: Migrate firewall from iptables to NixOS declarative 2025-05-08 12:03:35 +02:00
clerie
69ccc0c692 profiles/wg-clerie: Convert systemd timer into a service with sleep 2025-05-08 11:34:05 +02:00
clerie
1c087b0c9f pkgs/overrides: Dino uses OMEMO by default for new conversations 2025-05-07 18:33:59 +02:00
clerie
8d3057758f pkgs/pull-scans: Add script 2025-05-06 21:43:41 +02:00
Flake Update Bot
87b0c38260 Update nixpkgs 2025-05-06-01-03 2025-05-06 03:03:05 +02:00
clerie
70cde0e367 hosts/storage-2: Allow frank access to em 2025-05-05 12:24:26 +02:00
clerie
593739120a hosts/storage-2: Add location em 2025-05-05 12:24:00 +02:00
clerie
1e810adc51 users/frank: Add user 2025-05-05 12:23:15 +02:00
clerie
891b8ae718 hosts/clerie-backup: Update hardware configuration 2025-04-29 17:26:29 +02:00
clerie
f33b8c0cdf hosts/clerie-backup: Move VM to different region 2025-04-28 15:54:28 +02:00
clerie
dffebb92e8 profiles/firefox: Use webcam through pipewire 2025-04-27 14:12:44 +02:00
clerie
ecdb362f60 profiles/firefox: Provide default configuration 2025-04-27 13:55:33 +02:00
clerie
074ab4befc flake.lock: Update rainbowrss 2025-04-26 13:58:55 +02:00
clerie
35d572e414 hosts/dn42-ildix-service: Disable mimalloc in fernglas so it builds with current nixpkgs 2025-04-26 13:45:49 +02:00
Flake Update Bot
0e0bb82ebd Update nixpkgs 2025-04-24-01-03 2025-04-24 03:03:06 +02:00
clerie
4777fb2eae flake.lock: Update fernglas 2025-04-23 20:02:47 +02:00
clerie
c285e4db89 flake.lock: Update lix 2025-04-22 00:03:40 +02:00
clerie
6e2b11e696 pkgs/uptimestatus: Use python instead of python3 2025-04-21 23:30:51 +02:00
clerie
04f8df6c08 pkgs/iot-data: Remove package 2025-04-21 22:32:53 +02:00
clerie
ae8f8961ea flake.lock: Update rainbowrss 2025-04-21 22:29:43 +02:00
clerie
414402561b hosts/backup-4: Replicate backup to palladium 2025-04-18 11:24:06 +02:00
clerie
fed00bd41b modules/backup: Specify backup server as full URL 2025-04-16 22:03:38 +02:00
clerie
c0a8f8116e hosts/nonat: Enable DHCPv6 to try out NTP 2025-04-16 21:05:01 +02:00
clerie
e9210d4ada hosts/backup-4,hosts/palladium: Setup direct VPN tunnel for backups 2025-04-15 20:55:56 +02:00
clerie
47921ea988 hosts/palladium: Enable monitoring 2025-04-15 20:02:38 +02:00
clerie
3fdf10641b hosts/palladium: Enable wg-clerie 2025-04-15 19:52:24 +02:00
clerie
e9695286b6 pkgs/clerie-sops: Write config to temp file as sops can't read config from pipe 2025-04-15 19:32:21 +02:00
clerie
e125d5d3bf hosts/monitoring-3: Alert when GPG key is about to expire 2025-04-14 21:45:09 +02:00
clerie
cc00e92b51 hosts/web-2: asc file type is already in default mime types 2025-04-14 21:28:08 +02:00
clerie
aaf7bb8871 users/clerie: Extend GPG expiry date 2025-04-14 20:07:53 +02:00
clerie
84dffed418 profiles/wg-clerie: Send host originating traffic to targets reachable via wg-clerie via wg-clerie 2025-04-14 19:11:42 +02:00
clerie
83a094bbd0 hosts/*: Disable DHCPv6Client on every host 2025-04-13 17:05:37 +02:00
clerie
32ec59e303 pkgs/clerie-update-nixfiles: Add script to delete old update-nixfiles branches 2025-04-07 21:37:47 +02:00
clerie
8af0eb2386 profiles/common: Make common-networking the default 2025-04-07 21:27:03 +02:00
clerie
323018daaa profiles/common-dns: Fix typo 2025-04-07 21:11:53 +02:00
clerie
98b4cde2e4 pkgs/git-show-link: Pass format args as dataclass 2025-04-07 17:16:00 +02:00
clerie
f9359f4d50 hosts/dn42-ildix-service: Migrate to systemd-networkd 2025-03-24 21:39:04 +01:00
clerie
a44dfd1e65 hosts/dn42-ildix-clerie: Migrate to systemd-networkd 2025-03-24 20:48:17 +01:00
clerie
1d7eb45286 profiles/serial-console: Add profile for serial console and enable on mercury VMs be default 2025-03-23 14:30:17 +01:00
clerie
c100f6e95b hosts/dn42-il-gw1: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:51:03 +01:00
clerie
d304a47f89 profiles/dn42-router: Fix defaults and decryption of module options 2025-03-22 17:49:52 +01:00
clerie
58f7ba4518 hosts/dn42-il-gw6: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:27:39 +01:00
clerie
cfbeab8706 profiles/dn42-router: Take over config from configuration/dn42 2025-03-22 17:11:59 +01:00
clerie
032987bce5 hosts/dn42-il-gw5: Migrate to systemd-networkd and dn42-router profile 2025-03-22 17:05:02 +01:00
clerie
89ec7e8394 profiles/dn42-router: Add module for dn42 router 2025-03-22 17:04:16 +01:00
clerie
2e35c7955e hosts/dn42-il-gw1: Remove disconnected AS4242420197 n0emis 2025-03-22 14:40:42 +01:00
clerie
6d774cc8ba hosts/dn42-il-gw1: Remove disconnected AS4242421302 perflyst 2025-03-22 14:38:54 +01:00
clerie
75777aa68c profiles/common-dns,profiles/common: Enable systemd-resolved everywhere 2025-03-22 14:34:40 +01:00
clerie
552d2a964c profiles/wg-clerie: Refresh endpoint selection with systemd timer 2025-03-21 18:19:44 +01:00
clerie
9e7deadfb5 hosts/krypton,hosts/zinc: Migrate to systemd-network 2025-03-20 20:07:06 +01:00
clerie
de3bc903ef profiles/common-networking: Centralize new network config 2025-03-20 20:03:39 +01:00
clerie
fed25f02d8 profiles/wg-clerie: Don't let NetworkManager touch the VPN interface 2025-03-20 19:55:17 +01:00
clerie
7a210b13be hosts/_iso: Migrate to systemd-network 2025-03-20 19:46:54 +01:00
clerie
a29978c95a hosts/astatine: Migrate to systemd-network 2025-03-20 19:44:35 +01:00
clerie
2d6afc2093 profiles/wg-clerie: wg-clerie not required for online 2025-03-20 19:43:57 +01:00
clerie
5a719c2f01 hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate to profiles.clerie.wg-clerie 2025-03-20 19:30:47 +01:00
clerie
effb386e51 profiles/wg-clerie: Only configure sops secret if we want to use that 2025-03-20 19:30:10 +01:00
clerie
3ec00be4d0 profiles/wg-clerie: Migrate wg-clerie to systemd-networkd 2025-03-20 19:06:51 +01:00
clerie
006877c4ae hosts/astatine,hosts/beryllium,hosts/tungsten: Migrate to 
systemd-networkd

Policy routing clashed with the fallback dhcp on any interface module
for some unknown reason, therefore wg-clerie is disabled on all of these
devices
 2025-03-19 20:07:37 +01:00
clerie
3efc575902 hosts/astatine: Remove unused services 2025-03-19 16:48:11 +01:00
clerie
6beb19b93d hosts/krypton: Use okular from kdePackages 2025-03-18 16:33:38 +01:00
Flake Update Bot
f75393544d Update nixpkgs 2025-03-17-02-03 2025-03-17 03:03:59 +01:00
clerie
2f84edcd99 hosts/palladium: Migrate to systemd-network 2025-03-16 19:09:27 +01:00
clerie
3deb7383e1 hosts/storage-2: Migrate to systemd-network 2025-03-16 18:44:55 +01:00
clerie
f79d99be54 hosts/osmium: Migrate to systemd-network 2025-03-16 18:37:08 +01:00
clerie
ca2f13f765 hosts/nonat: Migrate to systemd-network 2025-03-16 18:29:21 +01:00
clerie
604c30edea hosts/monitoring-3: Migrate to systemd-network 2025-03-16 18:21:35 +01:00
clerie
7141a7fadd hosts/hydra-2: Migrate to systemd-network 2025-03-16 18:12:39 +01:00
clerie
f96326de36 hosts/hydra-1: Migrate to systemd-network 2025-03-16 18:00:16 +01:00
clerie
0cb1c4105a hosts/clerie-backup: Enable systemd-networkd 2025-03-16 17:50:59 +01:00
clerie
e6be0bd7a6 hosts/clerie-backup: Remove a lot of deprecated backup automation 2025-03-16 17:46:20 +01:00
clerie
dd164c1284 hosts/backup-4: Migrate to systemd-networkd 2025-03-16 17:07:07 +01:00
clerie
21fa57545b flake.nix: Update lix 2025-03-16 12:20:25 +01:00
clerie
a0a298689e profiles/mercury-vm,profiles/cybercluster-vm: Add profiles for Proxmox VMs 2025-03-16 12:19:08 +01:00
157 changed files with 4663 additions and 1952 deletions
Expand all files Collapse all files

4
configuration/common/backup.nix
View File

@@ -4,8 +4,8 @@
clerie.backup = { clerie.backup = {
targets = { targets = {
cyan.serverName = "cyan.backup.clerie.de"; cyan.serverUrl = "https://cyan.backup.clerie.de";
magenta.serverName = "magenta.backup.clerie.de"; magenta.serverUrl = "https://magenta.backup.clerie.de";
}; };
}; };

11
configuration/common/certificates.nix Normal file
View File

@@ -0,0 +1,11 @@
{ config, lib, ... }:
with lib;
{
environment.sessionVariables = {
REQUESTS_CA_BUNDLE = mkDefault config.security.pki.caBundle;
};
}

3
configuration/common/default.nix
View File

@@ -3,15 +3,14 @@
{ {
imports = [ imports = [
./backup.nix ./backup.nix
./certificates.nix
./initrd.nix ./initrd.nix
./locale.nix ./locale.nix
./networking.nix ./networking.nix
./nix.nix
./programs.nix ./programs.nix
./ssh.nix ./ssh.nix
./systemd.nix ./systemd.nix
./user.nix ./user.nix
./web.nix
]; ];
services.fstrim.enable = true; services.fstrim.enable = true;

70
configuration/common/nix.nix
View File

@@ -1,70 +0,0 @@
{ lib, pkgs, ... }:
{
clerie.nixfiles.enable = true;
clerie.system-auto-upgrade.enable = true;
nix.settings = {
trusted-users = [ "@wheel" "@guests" ];
auto-optimise-store = true;
# Keep buildtime dependencies
keep-outputs = true;
# Build local, when caches are broken
fallback = true;
};
nix.gc = lib.mkDefault {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
nix.settings = {
experimental-features = [
"flakes"
"nix-command"
];
substituters = [
"https://nix-cache.clerie.de"
];
trusted-public-keys = [
"nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
];
};
# Pin current nixpkgs channel and flake registry to the nixpkgs version
# the host got build with
nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
nix.registry = {
"nixpkgs" = lib.mkForce {
from = {
type = "indirect";
id = "nixpkgs";
};
to = {
type = "path";
path = lib.cleanSource pkgs.path;
};
exact = true;
};
"templates" = {
from = {
type = "indirect";
id = "templates";
};
to = {
type = "git";
url = "https://git.clerie.de/clerie/flake-templates.git";
};
};
};
documentation.doc.enable = false;
environment.systemPackages = with pkgs; [
nix-remove-result-links
];
}

54
configuration/common/web.nix
View File

@@ -1,54 +0,0 @@
{ ... }:
{
services.nginx = {
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
server_names_hash_bucket_size 64;
charset utf-8;
types {
text/plain nix;
}
map $remote_addr $remote_addr_anon {
~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
~(?P<ip>[^:]*:[^:]*(:[^:]*)?): $ip::;
default ::;
}
log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined_anon;
'';
virtualHosts = {
"default" = {
default = true;
rejectSSL = true;
locations."/" = {
return = ''200 "Some piece of infrastructure\n"'';
extraConfig = ''
types { } default_type "text/plain; charset=utf-8";
'';
};
};
};
};
services.logrotate.settings.nginx = {
frequency = "daily";
maxage = 14;
};
security.acme = {
defaults.email = "letsencrypt@clerie.de";
acceptTerms = true;
};
}

19
configuration/desktop/audio.nix
View File

@@ -1,19 +0,0 @@
{ ... }:
{
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse = {
enable = true;
};
};
}

19
configuration/desktop/default.nix
View File

@@ -1,19 +0,0 @@
{ ... }:
{
imports = [
./audio.nix
./firmware.nix
./fonts.nix
./gnome.nix
./inputs.nix
./networking.nix
./polkit.nix
./power.nix
./printing.nix
./ssh.nix
./xserver.nix
];
security.sudo.wheelNeedsPassword = true;
}

7
configuration/desktop/firmware.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
services.fwupd.enable = true;
}

13
configuration/desktop/fonts.nix
View File

@@ -1,13 +0,0 @@
{ pkgs, ... }:
{
fonts.enableDefaultPackages = true;
fonts.packages = with pkgs; [
roboto
roboto-mono
noto-fonts
noto-fonts-emoji
comfortaa
] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
}

61
configuration/desktop/gnome.nix
View File

@@ -1,61 +0,0 @@
{ pkgs, ... }:
{
services.gnome = {
localsearch.enable = false;
tinysparql.enable = false;
};
environment.gnome.excludePackages = with pkgs; [
baobab
epiphany
gnome-calendar
gnome-clocks
gnome-console
gnome-contacts
gnome-logs
gnome-maps
gnome-music
gnome-tour
gnome-photos
gnome-weather
gnome-connections
simple-scan
yelp
geary
];
environment.systemPackages = with pkgs; [
evolution
gnome-terminal
gnome-tweaks
];
services.gnome.evolution-data-server.enable = true;
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/calendar" = {
show-weekdate = true;
};
"org/gnome/desktop/interface" = {
enable-hot-corners = false;
show-battery-percentage = true;
};
"org/gnome/desktop/notifications" = {
show-in-lock-screen = false;
};
"org/gnome/desktop/sound" = {
event-sounds = false;
};
"org/gnome/gnome-system-monitor" = {
network-in-bits = true;
network-total-in-bits = true;
};
};
}
];
};
}

43
configuration/desktop/inputs.nix
View File

@@ -1,43 +0,0 @@
{ ... }:
{
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
];
mic-mute = [ "<Control>Print" ];
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
name = "Terminal";
binding = "<Primary><Alt>t";
command = "gnome-terminal";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
};
}
];
};
}

14
configuration/desktop/networking.nix
View File

@@ -1,14 +0,0 @@
{ ... }:
{
networking.networkmanager.settings = {
connectivity = {
uri = "http://ping.clerie.de/nm-check.txt";
};
global-dns = {
searches = "net.clerie.de";
};
};
}

7
configuration/desktop/polkit.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
security.polkit.enable = true;
}

42
configuration/desktop/power.nix
View File

@@ -1,42 +0,0 @@
{ lib, config, ... }:
{
boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
services.logind = {
lidSwitch = "suspend-then-hibernate";
};
systemd.sleep.extraConfig = ''
HibernateDelaySec=30m
'';
services.upower = {
percentageLow = 20;
percentageCritical = 10;
percentageAction = 8;
};
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
};
}

7
configuration/desktop/printing.nix
View File

@@ -1,7 +0,0 @@
{ ... }:
{
services.printing.enable = true;
services.avahi.enable = true;
services.avahi.nssmdns4 = true;
}

34
configuration/desktop/ssh.nix
View File

@@ -1,34 +0,0 @@
{ pkgs, ... }:
{
imports = [
../../configuration/gpg-ssh
];
programs.gnupg.agent = {
pinentryPackage = pkgs.pinentry-gtk2;
};
# Do not disable ssh-agent of gnome-keyring, because
# gnupg ssh-agent can't handle normal SSH keys properly
/*
# Disable ssh-agent of gnome-keyring
nixpkgs.overlays = [
(final: prev: {
gnome = prev.gnome // {
gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
mkdir -p $out
# Symlink all gnome-keyring binaries
${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
# Disable autostart for ssh
rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
'';
};
})
];
*/
}

11
configuration/desktop/xserver.nix
View File

@@ -1,11 +0,0 @@
{ pkgs, ... }:
{
services.xserver.enable = true;
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.excludePackages = with pkgs; [
xterm
];
}

22
configuration/dn42/default.nix
View File

@@ -1,22 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
# Open Firewall for BGP
networking.firewall.allowedTCPPorts = [ 179 ];
# Open Fireall for OSPF
networking.firewall.extraCommands = ''
ip6tables -A INPUT -p ospfigp -j ACCEPT
iptables -A INPUT -p ospfigp -j ACCEPT
'';
}

51
configuration/gpg-ssh/default.nix
View File

@@ -1,51 +0,0 @@
{ pkgs, lib, ... }:
let
custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
configureFlags = prev.configureFlags ++ [
# Make sure scdaemon never ever again tries to use its own ccid driver
"--disable-ccid-driver"
];
});
in {
programs.gnupg.package = custom_gnupg;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
};
environment.systemPackages = with pkgs; [
custom_gnupg
yubikey-personalization
openpgp-card-tools
# Add wrapper around ssh that takes the gnupg ssh-agent
# instead of gnome-keyring
ssh-gpg
];
services.pcscd.enable = true;
# pcscd sometimes breaks and seem to need a manual restart
# so we allow users to restart that service themself
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
action.id == "org.freedesktop.systemd1.manage-units"
&& action.lookup("unit") == "pcscd.service"
&& action.lookup("verb") == "restart"
&& subject.isInGroup("users")
) {
return polkit.Result.YES;
}
});
'';
services.udev.packages = with pkgs; [
yubikey-personalization
];
}

16
configuration/hydra-build-machine/default.nix
View File

@@ -1,16 +0,0 @@
{ ... }:
{
# Allow Hydra to fetch remote URLs in restricted mode
nix.settings.allowed-uris = "http: https: git+https: github:";
services.openssh.settings= {
PermitRootLogin = "yes";
};
users.extraUsers.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMv8Lbca/CR4das3HJ2F/sQ9dA7kdGS1hSVTt5lX4diP root@hydra-1"
];
}

5
configuration/proxmox-vm/default.nix
View File

@@ -1,5 +0,0 @@
{ ... }:
{
services.qemuGuest.enable = true;
}

27
configuration/router/default.nix
View File

@@ -1,27 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
tcpdump
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = true;
"net.ipv6.conf.all.forwarding" = true;
};
networking.firewall.checkReversePath = false;
networking.firewall.allowedTCPPorts = [
# Open Firewall for BGP
179
];
networking.firewall.extraCommands = ''
# Open fireall for OSPF
ip46tables -A nixos-fw -p ospfigp -j nixos-fw-accept
# Open firewall for GRE
ip46tables -A nixos-fw -p gre -j nixos-fw-accept
'';
}

429
flake.lock generated
View File

@@ -27,11 +27,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724513039, "lastModified": 1748808701,
"narHash": "sha256-YdBuRgXEU9CcxPd2EjuvDKcfgxL1kk9Gv8nFVVjIros=", "narHash": "sha256-IEer4ypv/tL2zzo7nkgyg7xdK6P+Mc/22oPctEgwhiw=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "202f4a1a5791c74a9b7d69a4e63e631bdbe36ba6", "rev": "5f3748df43e6b6e49cc0a23557a378ef37952483",
"revCount": 4, "revCount": 5,
"type": "git", "type": "git",
"url": "https://git.clerie.de/clerie/bij.git" "url": "https://git.clerie.de/clerie/bij.git"
}, },
@@ -58,19 +58,36 @@
"url": "https://git.clerie.de/clerie/chaosevents.git" "url": "https://git.clerie.de/clerie/chaosevents.git"
} }
}, },
"communities": {
"flake": false,
"locked": {
"lastModified": 1739635166,
"narHash": "sha256-0ZONcN3ctsZgMVM//UMp+9iQfhODJNFHOhyWwx0EoTg=",
"owner": "NLNOG",
"repo": "lg.ring.nlnog.net",
"rev": "686adbfd5222b830ba4fee998188cc8d96c09169",
"type": "github"
},
"original": {
"owner": "NLNOG",
"repo": "lg.ring.nlnog.net",
"type": "github"
}
},
"fernglas": { "fernglas": {
"inputs": { "inputs": {
"communities": "communities",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1700408128, "lastModified": 1741172718,
"narHash": "sha256-PLb/q8kIq0wOinkgADHNY6uOB3b3lXQEbLu6ToIFPsU=", "narHash": "sha256-YDEJVlmPzOuKfG26iYuJVOlxFvKBVeb8DbAI9WOtnBU=",
"owner": "wobcom", "owner": "wobcom",
"repo": "fernglas", "repo": "fernglas",
"rev": "407325681e3ad344f6fd05334984a40074aa6347", "rev": "64e2f9af8aefeeaa63431477066dcc0236d111e0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -99,6 +116,21 @@
} }
}, },
"flake-compat": { "flake-compat": {
"locked": {
"lastModified": 1746162366,
"narHash": "sha256-5SSSZ/oQkwfcAz/o/6TlejlVGqeK08wyREBQ5qFFPhM=",
"owner": "nix-community",
"repo": "flake-compat",
"rev": "0f158086a2ecdbb138cd0429410e44994f1b7e4b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@@ -136,28 +168,6 @@
} }
}, },
"flake-parts_2": { "flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"hydra",
"nix-eval-jobs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_3": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"ssh-to-age", "ssh-to-age",
@@ -183,11 +193,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1694529238, "lastModified": 1731533236,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -201,11 +211,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1726560853, "lastModified": 1731533236,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -254,30 +264,35 @@
}, },
"hydra": { "hydra": {
"inputs": { "inputs": {
"flake-compat": "flake-compat",
"lix": "lix", "lix": "lix",
"nix-eval-jobs": "nix-eval-jobs", "nixpkgs": "nixpkgs_3"
"nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1733503045, "lastModified": 1751801455,
"narHash": "sha256-VoMam8Zzbk+X6dIYwH2f9NqItL6g9YDhQvGybzSl8xQ=", "narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
"ref": "refs/heads/main", "ref": "lix-2.93",
"rev": "eccf01d4fef67f87b6383f96c73781bd08b686ac", "rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
"revCount": 4230, "revCount": 4261,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git" "url": "https://git.lix.systems/lix-project/hydra.git"
}, },
"original": { "original": {
"ref": "lix-2.93",
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git" "url": "https://git.lix.systems/lix-project/hydra.git"
} }
}, },
"lix": { "lix": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": [
"hydra",
"flake-compat"
],
"nix2container": "nix2container", "nix2container": "nix2container",
"nix_2_18": [
"hydra"
],
"nixpkgs": [ "nixpkgs": [
"hydra", "hydra",
"nixpkgs" "nixpkgs"
@@ -286,15 +301,16 @@
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks"
}, },
"locked": { "locked": {
"lastModified": 1732112222, "lastModified": 1751235704,
"narHash": "sha256-H7GN4++a4vE49SUNojZx+FSk4mmpb2ifJUtJMJHProI=", "narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
"ref": "refs/heads/main", "ref": "release-2.93",
"rev": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff", "rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
"revCount": 16513, "revCount": 17874,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/lix" "url": "https://git.lix.systems/lix-project/lix"
}, },
"original": { "original": {
"ref": "release-2.93",
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/lix" "url": "https://git.lix.systems/lix-project/lix"
} }
@@ -303,38 +319,68 @@
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile", "flakey-profile": "flakey-profile",
"lix": "lix_2", "lix": [
"lix"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1732605668, "lastModified": 1753282722,
"narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=", "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
"ref": "stable", "ref": "release-2.93",
"rev": "96824d606a6656650bbe436366bc89d5ee3a6573", "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
"revCount": 113, "revCount": 149,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git" "url": "https://git.lix.systems/lix-project/nixos-module.git"
}, },
"original": { "original": {
"ref": "stable", "ref": "release-2.93",
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git" "url": "https://git.lix.systems/lix-project/nixos-module.git"
} }
}, },
"lix_2": { "lix_2": {
"flake": false, "inputs": {
"flake-compat": "flake-compat_2",
"nix2container": "nix2container_2",
"nix_2_18": "nix_2_18",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-regression": "nixpkgs-regression_2",
"pre-commit-hooks": "pre-commit-hooks_2"
},
"locked": { "locked": {
"lastModified": 1729298361, "lastModified": 1753306924,
"narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=", "narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
"rev": "ad9d06f7838a25beec425ff406fe68721fef73be", "ref": "release-2.93",
"type": "tarball", "rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be" "revCount": 17884,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
}, },
"original": { "original": {
"type": "tarball", "ref": "release-2.93",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz" "type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
}
},
"lowdown-src": {
"flake": false,
"locked": {
"lastModified": 1633514407,
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
} }
}, },
"mitel-ommclient2": { "mitel-ommclient2": {
@@ -358,56 +404,6 @@
"url": "https://git.clerie.de/clerie/mitel_ommclient2.git" "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
} }
}, },
"nix-eval-jobs": {
"inputs": {
"flake-parts": "flake-parts_2",
"lix": [
"hydra",
"lix"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"hydra",
"nixpkgs"
],
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1732351635,
"narHash": "sha256-H94CcQ3yamG5+RMxtxXllR02YIlxQ5WD/8PcolO9yEA=",
"ref": "refs/heads/main",
"rev": "dfc286ca3dc49118c30d8d6205d6d6af76c62b7a",
"revCount": 617,
"type": "git",
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
},
"original": {
"type": "git",
"url": "https://git.lix.systems/lix-project/nix-eval-jobs"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"hydra",
"nix-eval-jobs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731952509,
"narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "7b5f051df789b6b20d259924d349a9ba3319b226",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix2container": { "nix2container": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -424,6 +420,50 @@
"type": "github" "type": "github"
} }
}, },
"nix2container_2": {
"flake": false,
"locked": {
"lastModified": 1724996935,
"narHash": "sha256-njRK9vvZ1JJsP8oV2OgkBrpJhgQezI03S7gzskCcHos=",
"owner": "nlewo",
"repo": "nix2container",
"rev": "fa6bb0a1159f55d071ba99331355955ae30b3401",
"type": "github"
},
"original": {
"owner": "nlewo",
"repo": "nix2container",
"type": "github"
}
},
"nix_2_18": {
"inputs": {
"flake-compat": [
"lix",
"flake-compat"
],
"lowdown-src": "lowdown-src",
"nixpkgs": "nixpkgs_4",
"nixpkgs-regression": [
"lix",
"nixpkgs-regression"
]
},
"locked": {
"lastModified": 1730375271,
"narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
"owner": "NixOS",
"repo": "nix",
"rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2.18.9",
"repo": "nix",
"type": "github"
}
},
"nixos-exporter": { "nixos-exporter": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -431,11 +471,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1683625533, "lastModified": 1746733297,
"narHash": "sha256-GvKE97JdQuEZ697TLSMRTNABbVJfGVnJ0vfzK4AIFyI=", "narHash": "sha256-CPo/F6oJq3tswg2YT6DsWDFPYXOjw00/3m45JN84PVY=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "5e86139ee4af27f84228708fd32903bb0c4230f0", "rev": "f1a832f445c9994d9729a6fa1862b8d4a123bd31",
"revCount": 19, "revCount": 22,
"type": "git", "type": "git",
"url": "https://git.clerie.de/clerie/nixos-exporter.git" "url": "https://git.clerie.de/clerie/nixos-exporter.git"
}, },
@@ -492,6 +532,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-carbon": {
"locked": {
"lastModified": 1751206202,
"narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
"owner": "clerie",
"repo": "nixpkgs",
"rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
"type": "github"
},
"original": {
"owner": "clerie",
"ref": "clerie/always-setup-netdevs",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-regression": { "nixpkgs-regression": {
"locked": { "locked": {
"lastModified": 1643052045, "lastModified": 1643052045,
@@ -508,6 +564,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-regression_2": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1713434076, "lastModified": 1713434076,
@@ -542,11 +614,43 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1739866667, "lastModified": 1751582995,
"narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1705033721,
"narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1756386758,
"narHash": "sha256-1wxxznpW2CKvI9VdniaUnTT2Os6rdRJcRUf65ZK9OtE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dfb2f12e899db4876308eba6d93455ab7da304cd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -579,11 +683,27 @@
"pre-commit-hooks": { "pre-commit-hooks": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1726745158, "lastModified": 1733318908,
"narHash": "sha256-D5AegvGoEjt4rkKedmxlSEmC+nNLMBPWFxvmYnVLhjk=", "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "4e743a6920eab45e8ba0fbe49dc459f1423a4b74", "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_2": {
"flake": false,
"locked": {
"lastModified": 1733318908,
"narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -599,11 +719,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736087671, "lastModified": 1745667868,
"narHash": "sha256-zWeiCs+8SAS1wN5M3w3vSNNpILoKXqX9aj/ZZcgfMms=", "narHash": "sha256-T67ZRk+cuFI2P6qJeu8RwbpJD00OORulHGuXebpg9Nw=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "ceab6a148233ffb23de19411a3e5579e3394a35b", "rev": "e43037aa525e36d7a3da187a8fc6baeb71db7fd6",
"revCount": 9, "revCount": 15,
"type": "git", "type": "git",
"url": "https://git.clerie.de/clerie/rainbowrss.git" "url": "https://git.clerie.de/clerie/rainbowrss.git"
}, },
@@ -621,17 +741,20 @@
"fieldpoc": "fieldpoc", "fieldpoc": "fieldpoc",
"harmonia": "harmonia", "harmonia": "harmonia",
"hydra": "hydra", "hydra": "hydra",
"lix": "lix_2",
"lix-module": "lix-module", "lix-module": "lix-module",
"nixos-exporter": "nixos-exporter", "nixos-exporter": "nixos-exporter",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_5",
"nixpkgs-0dc1c7": "nixpkgs-0dc1c7", "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
"nixpkgs-carbon": "nixpkgs-carbon",
"nurausstieg": "nurausstieg", "nurausstieg": "nurausstieg",
"rainbowrss": "rainbowrss", "rainbowrss": "rainbowrss",
"scan-to-gpg": "scan-to-gpg", "scan-to-gpg": "scan-to-gpg",
"solid-xmpp-alarm": "solid-xmpp-alarm", "solid-xmpp-alarm": "solid-xmpp-alarm",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"ssh-to-age": "ssh-to-age" "ssh-to-age": "ssh-to-age",
"traveldrafter": "traveldrafter"
} }
}, },
"scan-to-gpg": { "scan-to-gpg": {
@@ -697,7 +820,7 @@
}, },
"ssh-to-age": { "ssh-to-age": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@@ -746,6 +869,26 @@
"type": "github" "type": "github"
} }
}, },
"traveldrafter": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751817360,
"narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
"ref": "refs/heads/main",
"rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
"revCount": 22,
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
}
},
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -766,28 +909,6 @@
"repo": "treefmt-nix", "repo": "treefmt-nix",
"type": "github" "type": "github"
} }
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"hydra",
"nix-eval-jobs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1732292307,
"narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "705df92694af7093dfbb27109ce16d828a79155f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

45
flake.nix
View File

@@ -1,6 +1,7 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
# for etesync-dav # for etesync-dav
nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe"; nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -25,11 +26,17 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
hydra = { hydra = {
url = "git+https://git.lix.systems/lix-project/hydra.git"; url = "git+https://git.lix.systems/lix-project/hydra.git?ref=lix-2.93";
#inputs.lix.follows = "lix";
#inputs.nixpkgs.follows = "nixpkgs";
};
lix = {
url = "git+https://git.lix.systems/lix-project/lix.git?ref=release-2.93";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
lix-module = { lix-module = {
url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=stable"; url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.93";
inputs.lix.follows = "lix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git"; fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
@@ -61,11 +68,13 @@
url = "github:Mic92/ssh-to-age"; url = "github:Mic92/ssh-to-age";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
traveldrafter = {
url = "git+https://git.clerie.de/clerie/traveldrafter.git";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
lib = import ./lib inputs; lib = import ./lib inputs;
helper = lib.flake-helper;
localNixpkgs = import ./flake/nixpkgs.nix inputs;
in { in {
clerie.hosts = { clerie.hosts = {
aluminium = { aluminium = {
@@ -103,7 +112,11 @@
osmium = {}; osmium = {};
palladium = {}; palladium = {};
porter = {}; porter = {};
storage-2 = {}; storage-2 = {
modules = [
./users/frank
];
};
tungsten = {}; tungsten = {};
web-2 = {}; web-2 = {};
zinc = { zinc = {
@@ -125,14 +138,24 @@
}; };
overlays = { overlays = {
nixfilesInputs = import ./flake/overlay.nix inputs; clerie-inputs = import ./flake/inputs-overlay.nix inputs;
clerie = import ./pkgs/overlay.nix; clerie-pkgs = import ./pkgs/overlay.nix;
default = self.overlays.clerie; clerie-build-support = import ./pkgs/build-support/overlay.nix;
clerie-overrides = import ./pkgs/overrides/overlay.nix;
}; };
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
pkgs = localNixpkgs.${system}; lib.mkNixpkgs {
in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix)); inherit system;
}
);
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
nixpkgs.lib.genAttrs (
(builtins.attrNames (self.overlays.clerie-pkgs null null))
++ (builtins.attrNames (self.overlays.clerie-overrides null null))
) (name: self.nixpkgs."${system}"."${name}")
);
inherit lib self; inherit lib self;

6
flake/hydraJobs.nix
View File

@@ -10,6 +10,12 @@ let
in { in {
inherit (self) inherit (self)
packages; packages;
extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
nixpkgs.lib.genAttrs [
"hydra"
"lix"
] (name: self.nixpkgs."${system}"."${name}")
);
nixosConfigurations = buildHosts self.nixosConfigurations; nixosConfigurations = buildHosts self.nixosConfigurations;
iso = self.nixosConfigurations._iso.config.system.build.isoImage; iso = self.nixosConfigurations._iso.config.system.build.isoImage;
} }

3
flake/overlay.nix → flake/inputs-overlay.nix
View File

@@ -9,6 +9,7 @@
, rainbowrss , rainbowrss
, scan-to-gpg , scan-to-gpg
, ssh-to-age , ssh-to-age
, traveldrafter
, ... , ...
}@inputs: }@inputs:
final: prev: { final: prev: {
@@ -32,4 +33,6 @@ final: prev: {
scan-to-gpg; scan-to-gpg;
inherit (ssh-to-age.packages.${final.system}) inherit (ssh-to-age.packages.${final.system})
ssh-to-age; ssh-to-age;
inherit (traveldrafter.packages.${final.system})
traveldrafter;
} }

26
flake/nixosConfigurations.nix
View File

@@ -11,33 +11,14 @@ let
modules ? [], modules ? [],
}: let }: let
localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
in localNixpkgs.lib.nixosSystem { in self.lib.nixosSystem {
system = system; system = system;
nixpkgs = localNixpkgs;
modules = modules ++ [ modules = modules ++ [
self.nixosModules.nixfilesInputs
self.nixosModules.clerie
self.nixosModules.profiles
({ config, lib, ... }: { ({ config, lib, ... }: {
# Set hostname # Set hostname
networking.hostName = lib.mkDefault name; networking.hostName = lib.mkDefault name;
# Apply overlays
nixpkgs.overlays = [
self.overlays.nixfilesInputs
self.overlays.clerie
];
/*
Make the contents of the flake availiable to modules.
Useful for having the monitoring server scraping the
target config from all other servers automatically.
*/
_module.args = {
inputs = inputs;
_nixfiles = self;
};
# Expose host group to monitoring # Expose host group to monitoring
clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; }; clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };
@@ -52,6 +33,9 @@ let
{}; {};
in in
secrets; secrets;
# Enable clerie common config
profiles.clerie.common.enable = true;
}) })
# Config to be applied to every host # Config to be applied to every host

17
flake/nixpkgs.nix
View File

@@ -1,17 +0,0 @@
{ self
, nixpkgs
, ...
}@inputs:
let
mkNixpkgs = { system, ... }@args:
import nixpkgs {
inherit system;
overlays = [
self.overlays.nixfilesInputs
self.overlays.clerie
];
};
in
nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })

4
hosts/_iso/configuration.nix
View File

@@ -3,9 +3,11 @@
{ {
imports = [ imports = [
(modulesPath + "/installer/cd-dvd/installation-cd-base.nix") (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
../../configuration/gpg-ssh
]; ];
profiles.clerie.gpg-ssh.enable = true;
profiles.clerie.network-fallback-dhcp.enable = true;
# systemd in initrd is broken with ISOs # systemd in initrd is broken with ISOs
# Failed to mount /sysroot/iso # Failed to mount /sysroot/iso
# https://github.com/NixOS/nixpkgs/issues/327187 # https://github.com/NixOS/nixpkgs/issues/327187

2
hosts/aluminium/configuration.nix
View File

@@ -18,7 +18,7 @@
terminal_output serial terminal_output serial
"; ";
services.wg-clerie = { profiles.clerie.wg-clerie = {
enable = true; enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ]; ipv6s = [ "2a01:4f8:c0c:15f1::8106/128" ];
ipv4s = [ "10.20.30.106/32" ]; ipv4s = [ "10.20.30.106/32" ];

17
hosts/astatine/configuration.nix
View File

@@ -4,30 +4,21 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./ppp.nix
./programs.nix
./users.nix
]; ];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ]; boot.kernelParams = [ "console=ttyS0,115200n8" ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true; boot.loader.grub.device = "/dev/sda";
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.loader.grub.extraConfig = " boot.loader.grub.extraConfig = "
serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1
terminal_input serial terminal_input serial
terminal_output serial terminal_output serial
"; ";
#networking.firewall.enable = false; profiles.clerie.wg-clerie = {
services.wg-clerie = {
enable = true; enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ]; ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];
ipv4s = [ "10.20.30.108/32" ]; ipv4s = [ "10.20.30.108/32" ];

90
hosts/astatine/ppp.nix
View File

@@ -1,90 +0,0 @@
{ pkgs, ... }:
{
# Make space for VLAN header in containing ethernet segment
networking.interfaces."enp1s0".mtu = 1518;
## DSL-Uplink
networking.vlans."enp1s0.7" = {
id = 7;
interface = "enp1s0";
};
services.pppd = {
enable = true;
peers.lns-test = {
config = ''
plugin pppoe.so enp1s0.7
user "criese#regiotest@bsa-vdsl"
ifname ppp-lns-test
persist
maxfail 0
holdoff 5
noipdefault
lcp-echo-interval 20
lcp-echo-failure 3
hide-password
nodefaultroute
+ipv6
debug
'';
};
};
/*
networking.interfaces.lo.useDHCP = true;
networking.interfaces.ppp-lns-test.useDHCP = true;
networking.dhcpcd = {
enable = true;
extraConfig = ''
interface ppp-lns-test
ipv6rs
ia_pd 0 lo/0
'';
};*/
environment.etc."ppp/ip-up" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip route flush table 20001 || true
${pkgs.iproute2}/bin/ip route add default dev ppp-lns-test table 20001
'';
mode = "555";
};
environment.etc."ppp/ip-down" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip route flush table 20001 || true
'';
mode = "555";
};
environment.etc."ppp/ipv6-up" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
${pkgs.iproute2}/bin/ip -6 route add default dev ppp-lns-test table 20001
'';
mode = "555";
};
environment.etc."ppp/ipv6-down" = {
text = ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute2}/bin/ip -6 route flush table 20001 || true
'';
mode = "555";
};
petabyte.policyrouting = {
enable = true;
rules4 = [
{ rule = "from 212.218.16.237/32 lookup 20001"; prio = 19000; }
{ rule = "from 212.218.16.237/32 unreachable"; prio = 19001; }
];
};
}

9
hosts/astatine/programs.nix
View File

@@ -1,9 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
tcpdump # for remote wireshark
];
}

10
hosts/astatine/users.nix
View File

@@ -1,10 +0,0 @@
{ ... }:
{
users.users.criese-nethinks = {
extraGroups = [
"wheel"
];
};
}

21
hosts/backup-4/configuration.nix
View File

@@ -4,19 +4,32 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
./backup.nix ./backup.nix
./replication.nix
./restic-server.nix ./restic-server.nix
./wg-b-palladium.nix
]; ];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::c"; prefixLength = 64; } ]; systemd.network.enable = true;
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
address = [
"2001:638:904:ffcb::c/64"
];
routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true; services.nginx.enable = true;

20
hosts/backup-4/replication.nix Normal file
View File

@@ -0,0 +1,20 @@
{ lib, ... }:
with lib;
{
clerie.backup = {
enable = true;
targets = mkForce {
palladium.serverUrl = "http://[fd90:37fd:ddec:d921::2]:43242";
};
jobs.replication = {
paths = [
"/mnt/backup-4/magenta"
];
exclude = [
"/mnt/backup-4/magenta/.htpasswd"
];
};
};
}

9
hosts/backup-4/secrets.json
View File

@@ -1,5 +1,8 @@
{ {
"clerie-backup-job-replication": "ENC[AES256_GCM,data:BxOj/jT/GFBNSLc=,iv:zKDmEqUpOUWbU3fEeKDLniZ8D1yzs4kdGjoFLeNZOpo=,tag:iKAxHnIUpvtZwVO+eJW3Xw==,type:str]",
"clerie-backup-target-palladium": "ENC[AES256_GCM,data:OaszucYAp4n/ds59nF8D4Qn3U9a6L+ONcbPa+BmSz/EprW7E3kCoJ6+EceahPemTnR53mkP6zAndWaXaBTFfdg==,iv:pqi4+LuLPhtmKucm7JqN6d2hwXzNVx8IPimTL6FgHHg=,tag:+91GgLQNKD/lI7uWojCwjA==,type:str]",
"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]", "restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
"wg-b-palladium": "ENC[AES256_GCM,data:XTenrGQFLDndt/XPaDGRLQthVq1UFKJ2mWK3Z+YfT54YpnWO81cslrMMtPc=,iv:tW8NHOcNj3Q26BJBIz7UPR3bmw3nrb0UkkD+gqngw/w=,tag:XDYkIqj6z2Jvhaoiqeyn0g==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
"sops": { "sops": {
"kms": null, "kms": null,
@@ -12,8 +15,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-02-16T18:13:41Z", "lastmodified": "2025-04-18T08:37:08Z",
"mac": "ENC[AES256_GCM,data:O+E3UbWbmlbpUPeSS/BFcJpWr2WEXbu0aaj9u3XUwstp4ba6e0xuVdzfbntQwbN378sDNpDMkAuxp1+R/0THBSs+nqXC9q9IgK+hfSBd7q2v4lvdhxRdM1x4wysTDJGtjFNdfz8EzqMz42Y2IWjxSozgPNpjZSIGhwMBA2TS/gU=,iv:1waH/yUGt5jGJbQlYmp5b97NGVyRykgzI2g1xX+Jo/U=,tag:4bxFxkClt3LbqCH552XePw==,type:str]", "mac": "ENC[AES256_GCM,data:50NF4BI0QUhe622J6nwIF89pLlTdgxVB/MWbO5nWKgQI5xuNrnFghs5yVgZIV7FeONcu2pYykp28fSrFKhvbPt+B90i4HvaaIHdZGDepbEV9ZwK4AU66zZW4KCCPxv4NTYh+AuSi7HTHusXUrNIvRhYvAXjESi7nK7JPm3BTfUk=,iv:fvtTaSXNx6IL6D9DdEa5ovymNYeWJObCBiRiIsG7KeE=,tag:LdfXiAuMHLCb0biThHh1GQ==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-05-04T12:30:52Z", "created_at": "2024-05-04T12:30:52Z",
@@ -22,6 +25,6 @@
} }
], ],
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.8.1" "version": "3.9.4"
} }
} }

40
hosts/backup-4/wg-b-palladium.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, ... }:
{
sops = {
secrets.wg-b-palladium = {
owner = "systemd-network";
group = "systemd-network";
};
};
systemd.network.netdevs."10-wg-b-palladium" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-b-palladium";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
ListenPort = 51844;
};
wireguardPeers = [
{
PublicKey = "YMTOhRAKWfFX1UVBoROPvgcQxTSN4tny35brAocdnwo=";
AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
PersistentKeepalive = 25;
}
];
};
systemd.network.networks."10-wg-b-palladium" = {
matchConfig.Name = "wg-b-palladium";
address = [
"fd90:37fd:ddec:d921::1/64"
];
linkConfig.RequiredForOnline = "no";
};
networking.firewall.allowedUDPPorts = [ 51844 ];
}

36
hosts/beryllium/configuration.nix
View File

@@ -6,6 +6,8 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ]; boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@@ -20,40 +22,12 @@
networking.firewall.enable = false; networking.firewall.enable = false;
networking.iproute2.enable = true; profiles.clerie.wg-clerie = {
networking.iproute2.rttablesExtraConfig = ''
200 wg-clerie
'';
petabyte.policyrouting = {
enable = true; enable = true;
rules6 = [ ipv6s = [ "2a01:4f8:c0c:15f1::8107/128" ];
{ rule = "from 2a01:4f8:c0c:15f1::8107/128 lookup wg-clerie"; prio = 20000; } ipv4s = [ "10.20.30.107/32" ];
{ rule = "from 2a01:4f8:c0c:15f1::8107/128 unreachable"; prio = 20001; }
];
rules4 = [
{ rule = "from 10.20.30.107/32 lookup wg-clerie"; prio = 20000; }
{ rule = "from 10.20.30.107/32 unreachable"; prio = 20001; }
];
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
wg-clerie = {
ips = [ "2a01:4f8:c0c:15f1::8107/128" "10.20.30.107/32" ];
table = "wg-clerie";
peers = [
{
endpoint = "vpn.clerie.de:51820";
persistentKeepalive = 25;
allowedIPs = [ "0.0.0.0/0" "::/0" "10.20.30.0/24" "2a01:4f8:c0c:15f1::/113" ];
publicKey = "2p1Jqs3bkXbXHFWE6vp1yxHIFoUaZQEARS2nJzbkuBA=";
}
];
privateKeyFile = "/var/src/secrets/wireguard/wg-clerie"; privateKeyFile = "/var/src/secrets/wireguard/wg-clerie";
}; };
};
clerie.monitoring = { clerie.monitoring = {
enable = true; enable = true;

10
hosts/carbon/configuration.nix
View File

@@ -4,7 +4,6 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/router
./dns.nix ./dns.nix
./mdns.nix ./mdns.nix
@@ -22,6 +21,9 @@
./wg-clerie.nix ./wg-clerie.nix
]; ];
profiles.clerie.common-networking.enable = false;
profiles.clerie.router.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ]; boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@@ -61,10 +63,10 @@
systemd.services.kea-dhcp4-server = { systemd.services.kea-dhcp4-server = {
after = [ after = [
"network-setup.service" "network.target"
]; ];
requires = [ wants = [
"network-setup.service" "network.target"
]; ];
}; };

80
hosts/clerie-backup/configuration.nix
View File

@@ -4,20 +4,26 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
./restic-server.nix ./restic-server.nix
]; ];
profiles.clerie.ruby-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; systemd.network.networks."10-wan" = {
matchConfig.Name = "ens18";
networking.useDHCP = false; address = [
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::6"; prefixLength = 64; } ]; "2a00:fe0:1:21f::a/64"
networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; }; ];
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; routes = [
{ Gateway ="2a00:fe0:1:21f::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true; services.nginx.enable = true;
@@ -28,10 +34,6 @@
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ]; authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiUWufpvAj/Rdxt/frAjs5Q4+/lzaN2jmf5+W3Gazjzw+CH+Agplux6op+LlzF7kAA32yP+lwQto8Rz92NzReDssXd+0JhgAAHrSMrPOPnQbZrierKOfVvDOteklEM4k5JXqZ+xHIMtNomuMV3wCFc18nvwc8t95pDBOI/HwzAwn2mGhVBod0CNXZs8EyMeQJNKLCRwpUrddOX6fz5x/fbPYO4KB3iPkC0X+e/d5SuBvrmwFdnpr2RkCboMPdd6i/0AsY4MLdMV54arS9Ed2jaFKqYCQR5wRdLxndn+aByyVQHQxVU0gVfO9+53NOgiVzhOFzXm6K2KcC/HZR5uj1r ceea@olbers.uberspace.de" ];
path = "/mnt/clerie-backup/uberspace-ceea"; path = "/mnt/clerie-backup/uberspace-ceea";
}; };
uberspace-cleriewi = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAeU+YezmGNNnntAkOL143NlkADi6ekEcaW9yf9yegdkDxwyIyxaWC89B110kRkNe+6KP+LDwrp9vnFJZjst8Gv+dMs0h9U0IdUafhO7TcbbkqynqmtzIwiSGsLby2K9XOYTMlAa2JOfeNScPWccZ8KgXsIBqRGjo3yQfCHXZu9U/8CGXvYPsTGY5QYNeAw5Uaikuf565GHy4ROx2BN7LGug9lK42Hfv8i1lhCLi7wkhQ0EPGBRPkscjz/0Kb2iABMzyUf6uMrDJX/usKrChxkLfidIM9C5YR1E+wXlmy9lijuNP85NpXUEyVTAp9/XLCp1vskfCjsBLO0l+40XNIt cleriewi@biela.uberspace.de" ];
path = "/mnt/clerie-backup/uberspace-cleriewi";
};
}; };
# fix borgbackup primary grouping # fix borgbackup primary grouping
@@ -51,62 +53,6 @@
compression = "auto,lzma"; compression = "auto,lzma";
startAt = "*-*-* 04:07:00"; startAt = "*-*-* 04:07:00";
}; };
backup-replication-palladium = {
paths = [
"/mnt/clerie-backup"
];
doInit = true;
repo = "borg@palladium.net.clerie.de:." ;
encryption = {
mode = "none";
};
environment = { BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-palladium"; };
compression = "auto,lzma";
startAt = "*-*-* 06:23:00";
};
backup-replication-external-drive = {
paths = [
"/mnt/clerie-backup"
];
doInit = true;
repo = "borg@palladium.net.clerie.de:." ;
encryption = {
mode = "none";
};
environment = {
BORG_RSH = "ssh -i /var/src/secrets/ssh/borg-backup-replication-external-drive";
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
};
compression = "auto,lzma";
startAt = "*-*-* 08:37:00";
};
};
users.users.backup-replication = {
isNormalUser = true;
group = "backup-replication";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8kCLiDfVFKgoNvEoMb34jp2n1lQG+k7wigzc4qGmrROlWkJ46/Ym4UrSeQJAd6hwHTcKTZkeOrqDAjZZ+jlidpncJHT5VMW5Ah965pxbBq6Qh1Yz5tKj7nLAQ/+bwEH4qqBFNd796876n3pY/FqhwAHWONqWhLKzMXpFursMSITUPmRXcaPwJrgS9DIYspZ9bBhhRSdQ5N1SiGtaszOQwdevLnNYqdtFOBG4rt9SO6IBIHtaiTIHrrMGS2Lt3NMwkq+O+N+TGaKLjbwqtfUPfPOCmY0XH12OawjxHP9hZ+WH3dPtcu5p+VORciSybPvyh9qzXUrDeO4HDuii2GEFU8JFELYXdT/qBwdIMp82tkgww0zKbTJuc0y/9eR7LCXop4OALhR8+8xWDI9c1ccxu3T7S7zUI1OmTlR9i8rx85D4sz2dtp1jirDoW2KVuIdwe6G3NLfTL95FZRmveEQM3MO8MPpfzZ4EvaMbiQQd/c4VAmGovtSLQhySTpT6qSv0= root@backup-4"
#"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRANmJ2LYUr0Mavz/JJ7j+7p1zkqvizf6ZLt5XOJ2fj0enDuK7Dc5fxiESLGYTsLRVWuY4hNXVIL7aeJUj1LPf6LEX87APP4hb95t+TFxcES87tFfnFO48eiBbSd25Av2jmHGb6/wY2viYBxfk/vrLjPR6RgICqFsWFcz20bsWmc48FdzXYJCGJfKjHiW+Ut95VL+M/AlGBQHo33FNDyPXV4zh+MeWVkOFicwfh0k+4NH7Psj5n93m9szAlz306t5YZ32HnhSlvObkMk1Ugy6AzPKXrgKBu11pmatf7sFRx1ikYGUiKiezGjatt/8lYZfE8rQKQjwH+6LPt3ZPv06ncfKpH2vbZfonM0KhSsm1OIhJTse+X7ZMxizO6QqYM+BRJJGMbhH1g+6kFRsdlwakHNPE9YvG4NxZ1NxWTUr6F0gPhUEy61LkTnznt3ct1hgQR02KDQ+9i8PvaYeIIzZzRKufv4tV7OZkDLbN97tvAMkgpLjF+8fCg3qjn2Lckzc= root@palladium"
];
};
users.groups.backup-replication = {};
environment.systemPackages = with pkgs; [
bindfs
];
fileSystems."/clerie-backup-replication" = {
device = "/mnt/clerie-backup";
fsType = "fuse.bindfs";
options = [
"ro"
"force-user=backup-replication"
"force-group=backup-replication"
"perms=0000:ug=rD"
];
}; };
clerie.monitoring = { clerie.monitoring = {

7
hosts/clerie-backup/hardware-configuration.nix
View File

@@ -8,7 +8,7 @@
[ (modulesPath + "/profiles/qemu-guest.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
@@ -19,7 +19,7 @@
}; };
fileSystems."/mnt/clerie-backup" = fileSystems."/mnt/clerie-backup" =
{ device = "/dev/disk/by-uuid/69e75b00-23e1-4775-98a6-061a79d806cf"; { device = "/dev/disk/by-uuid/15a42e2e-57dc-43ff-a50d-8b73952d4558";
fsType = "ext4"; fsType = "ext4";
}; };
@@ -33,4 +33,7 @@
# networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.swraid.enable = true;
} }

333
hosts/dn42-il-gw1/configuration.nix
View File

@@ -4,49 +4,43 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
]; ];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false; systemd.network.networks."10-wan" = {
networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:1::1"; prefixLength = 64; } ]; matchConfig.Name = "ens20";
# VM Nat Netz mercury address = [
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.23"; prefixLength = 24; } ]; "2001:638:904:ffc9::7/64"
# OSPF Netz ];
networking.interfaces.ens19 = {}; routes = [
# IPv6 Uplink { Gateway = "2001:638:904:ffc9::1"; }
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::7"; prefixLength = 64; } ]; ];
linkConfig.RequiredForOnline = "routable";
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; }; ipv6AcceptRAConfig.DHCPv6Client = "no";
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; }; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.23/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens19";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
networking.wireguard.enable = true; networking.wireguard.enable = true;
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
# n0emis
wg0197 = {
ips = [
"fe80::42:1/128"
# peer fe80::42:42:1/128
];
postSetup = ''
ip -6 route flush dev wg0197
ip addr del dev wg0197 fe80::42:1/128 && ip addr add dev wg0197 fe80::42:1/128 peer fe80::42:42:1/128
'';
listenPort = 50197;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "himalia.dn42.n0emis.eu:52574";
publicKey = "ObF+xGC6DdddJer0IUw6nzC0RqzeKWwEiQU0ieowzhg=";
}
];
privateKeyFile = config.sops.secrets.wg0197.path;
};
# e1mo # e1mo
wg0565 = { wg0565 = {
ips = [ ips = [
@@ -126,27 +120,6 @@
]; ];
privateKeyFile = config.sops.secrets.wg1280.path; privateKeyFile = config.sops.secrets.wg1280.path;
}; };
# perflyst
wg1302 = {
ips = [
"fe80::a14e/128"
# peer fe80::a14d/128
];
postSetup = ''
ip -6 route flush dev wg1302
ip addr del dev wg1302 fe80::a14e/128 && ip addr add dev wg1302 fe80::a14e/128 peer fe80::a14d/128
'';
listenPort = 51302;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "[2a03:4000:6:f6ed::1]:22574";
publicKey = "TSPvvpMY8dCFk6gd58aYtkibtqUn8EzIF6dXP52b3y8=";
}
];
privateKeyFile = config.sops.secrets.wg1302.path;
};
# lutoma # lutoma
wg4719 = { wg4719 = {
ips = [ ips = [
@@ -167,168 +140,104 @@
]; ];
privateKeyFile = config.sops.secrets.wg4719.path; privateKeyFile = config.sops.secrets.wg4719.path;
}; };
# zaphyra
wg1718 = {
ips = [
"fe80::2574/128"
# peer fe80::6b61/64
];
postSetup = ''
ip addr replace dev wg1718 fe80::2574/128 peer fe80::6b61/128
'';
listenPort = 51718;
allowedIPsAsRoutes = false;
peers = [
{
allowedIPs = [ "fe80::/10" "fd00::/8" ];
endpoint = "router-a.dn42.zaphyra.eu:51831";
publicKey = "Knm6uEpMsTfZAK68Pl98mHORtb8TtswBfYFGznpHUCI=";
}
];
privateKeyFile = config.sops.secrets.wg1718.path;
};
}; };
petabyte.policyrouting = { networking.firewall.allowedUDPPorts = [
50565 # wg0565
51271 # wg1271
51272 # wg1272
51280 # wg1280
54719 # wg4719
51718 # wg1718
];
profiles.clerie.dn42-router = {
enable = true; enable = true;
rules6 = [ loopbackIp = "fd56:4902:eca0:1::1";
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; } routerId = "192.168.10.23";
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; } ospfInterfaces = [
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; } "ens19"
];
ibgpPeers = [
{
peerName = "gw5";
remoteAddress = "fd56:4902:eca0:5::1";
}
{
peerName = "gw6";
remoteAddress = "fd56:4902:eca0:6::1";
}
];
wireguardPeers = [
{
peerName = "peer_0565";
remoteAddress = "fe80::565";
interfaceName = "wg0565";
remoteAsn = "4242420565";
localAddress = "fe80::2574";
}
{
peerName = "peer_1271_north";
remoteAddress = "fe80::2";
interfaceName = "wg1271";
remoteAsn = "4242421271";
localAddress = "fe80::1";
}
{
peerName = "peer_1271_south";
remoteAddress = "fe80::1:2";
interfaceName = "wg1272";
remoteAsn = "4242421271";
localAddress = "fe80::1:1";
}
{
peerName = "peer_1280_wg1";
remoteAddress = "fde3:4c0d:2836:ff00::20";
interfaceName = "wg1280";
remoteAsn = "4242421280";
localAddress = "fde3:4c0d:2836:ff00::21";
}
{
peerName = "peer_4719";
remoteAddress = "fe80::acab";
interfaceName = "wg4719";
remoteAsn = "64719";
localAddress = "fe80::1";
}
{
peerName = "peer_1718";
remoteAddress = "fe80::6b61";
interfaceName = "wg1718";
remoteAsn = "4242421718";
localAddress = "fe80::2574";
}
]; ];
}; };
services.bird.enable = true; services.bijwerken = {
services.bird.package = pkgs.bird2;
services.bird.config = ''
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address };
ipv6 table ospf6;
ipv6 table bgp6;
protocol direct {
interface "lo";
ipv6 {
table ospf6;
};
}
protocol static {
ipv6 {
table bgp6;
};
route fd56:4902:eca0::/48 via "lo";
route fd56:4902:eca0::/52 via "lo";
}
protocol kernel {
ipv6 {
table ospf6;
export filter {
krt_prefsrc=fd56:4902:eca0:1::1;
accept;
};
import none;
};
kernel table 1337;
}
protocol kernel {
ipv6 {
table bgp6;
export filter {
krt_prefsrc=fd56:4902:eca0:1::1;
accept;
};
import none;
};
kernel table 2342;
}
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens19" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw5 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:5::1 as 4242422574;
source address fd56:4902:eca0:1::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw6 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:6::1 as 4242422574;
source address fd56:4902:eca0:1::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp bgp_peer {
local as 4242422574;
graceful restart on;
ipv6 {
table bgp6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{48,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{48,64}] then accept;
reject;
};
};
}
protocol bgp peer_0197_himalia from bgp_peer {
neighbor fe80::42:42:1%wg0197 as 4242420197;
source address fe80::42:1;
}
protocol bgp peer_0565 from bgp_peer {
neighbor fe80::565%wg0565 as 4242420565;
source address fe80::2574;
}
protocol bgp peer_1271_north from bgp_peer {
neighbor fe80::2%wg1271 as 4242421271;
source address fe80::1;
}
protocol bgp peer_1271_south from bgp_peer {
neighbor fe80::1:2%wg1272 as 4242421271;
source address fe80::1:1;
}
protocol bgp peer_1280_wg1 from bgp_peer {
neighbor fde3:4c0d:2836:ff00::20%wg1280 as 4242421280;
source address fde3:4c0d:2836:ff00::21;
}
protocol bgp peer_1302 from bgp_peer {
neighbor fe80::a14d%wg1302 as 4242421302;
source address fe80::a14e;
}
protocol bgp peer_4719 from bgp_peer {
neighbor fe80::acab%wg4719 as 64719;
}
protocol device {
scan time 10;
}
'';
clerie.system-auto-upgrade = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

11
hosts/dn42-il-gw1/secrets.json
View File

@@ -5,21 +5,18 @@
"wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]", "wg1272": "ENC[AES256_GCM,data:LU6jtNkNn2Xs+0OH8cD1HJnbHsNNnqlY83lDFa11/dHwVgdFxMtDXMqIMEc=,iv:/A8rWGR6jExa4ms7jTYC0eZVGCvlKw1I58Co41gw3TU=,tag:tIBRkQzFFpEEzflnDrpcOA==,type:str]",
"wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]", "wg1280": "ENC[AES256_GCM,data:F4KLY6jiZNl52ko32nM0iTER0DyHvaCSmxeYAKB0MLUD8l9u1Ugk6kYZnUc=,iv:XcaxnvxM1kE/ahNFX+BH7Jmr9q2Py1vHHqOjFUqs5O8=,tag:a1up4gGFqyHz2lmDRJl3bA==,type:str]",
"wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]", "wg1302": "ENC[AES256_GCM,data:+MzuBPg3ql0/MEnpVvhQTsPIkKB9xnHN9Fk4VlZwK4ijKl+26d6oTSM7/R0=,iv:bPPmhenQLaKTGaDo4rBlKkrXrS1YysRuntbKq6zi2aQ=,tag:lztaTfDGT4kAq+HZMLl0Dw==,type:str]",
"wg1718": "ENC[AES256_GCM,data:lB+j2O15O7ogdB+QdutD3V/h8IREMMlpCsnMJWNPXlz196KM6WNNYCV2v5M=,iv:AwrRPQIFu8A14Vs5A9slkCPMkgU3VZxL1YupJnriEHc=,tag:Vpt0C6SFzUXGotdfc1ocmg==,type:str]",
"wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]", "wg4719": "ENC[AES256_GCM,data:hoOOCUGdYFaAQZ6wkgmQl65M1qArvXa826IeJl+BUGf7UX0vxx9J0C2epTE=,iv:+1JcOgzClehkE0Ihd2mmoenPk51OBZMF0bMqapWah/c=,tag:xI5FU+GJU6BER9/n04ccLA==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:aw11Ygfll6llabXkuxtbTcCn1eb4NZX1IwArcXoRJCJSgwDrQZ3HLatov3w=,iv:J2VD5XS+BrIKeFb0NW1UYZUuGPkbjFmooZ93PVK31gw=,tag:2XLSa/2s6LRq3L7UdrTs/g==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t", "recipient": "age1f0hscql4f4w7vyukzeu693xfedsl596dpjekc23q77ylp92zsvcqf9u75t",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3QWdFYjFjTmRVRlV3U3p4\nTSsyc1E0dWtiYjNtVkV2SXJEWkxnTDhLN1Y0Cng4aGlidjhydUVGaFcvK215aGdq\nN0FGajYwa1lPUCsva0tmNkErUGtlOWsKLS0tIG9pLzJEUDA2WWUzd1kzSVZrdVRX\nbUxjQzBCd3p0R1dWTTJaRmZNQjJEUVkKPz6OUQHpYrhRxMdQzpZRR3exVqkG2JvX\nI32PwvbeQK8cgpYwKLGar8U8aiPPm0Y64pID1wedDsNZzLqLOrS3wQ==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2024-04-28T09:28:04Z", "lastmodified": "2025-06-10T20:51:10Z",
"mac": "ENC[AES256_GCM,data:PHdhyie0Ya/nN9Kqj4z+zPyyKZFvGkznkv8Uf3LNSdPKWVtXARZc8Xodm4MjI2HvooryyyMFHkW75Aln02Rlvk3R8oI7rfFZC7s2P+LotumsYgRFf0JOUMxsxOtKW0ehuLy83Bw0rMJQo1gzTgBykcvdc2pkMmALF/vU/1VqgJ4=,iv:0JwcY0Q+8VAiVHYjynhcpsobQXOkK8EBe3QUJ8YUwFE=,tag:9xAcoxAPGxTvHVBydf3u9Q==,type:str]", "mac": "ENC[AES256_GCM,data:9lF4HV0oJyGHXdtYdMxR7+ev7JLAQVr6kE55nLoZcrbC92MHJzQpgM9XAhIynvwdAmC7ARd3orCn6eYkQJDdNX0JjMtebsBE+H4B7mEUCz8wtTN0iHS+oHmQxrqjnoSw2uHh9udgqAJa+sd6VGU3t2XUuuKtVHPwzROqVgvas9M=,iv:KT+BlFeXGZQc5pbBX+XOsmKEydUtir1LuPvseDkFeqw=,tag:hlRskY6b5EAZkUYs7ph/JA==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-04-28T09:25:37Z", "created_at": "2024-04-28T09:25:37Z",
@@ -28,6 +25,6 @@
} }
], ],
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.8.1" "version": "3.10.2"
} }
} }

213
hosts/dn42-il-gw5/configuration.nix
View File

@@ -4,158 +4,91 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
]; ];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false; systemd.network.networks."10-wan" = {
# VM Nat Netz mercury matchConfig.Name = "ens21";
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.25"; prefixLength = 24; } ]; address = [
# OSPF Netz "2001:638:904:ffc9::a/64"
networking.interfaces.ens19 = {};
# Lokales Netz
networking.interfaces.ens20.ipv6.addresses = [ { address = "fd56:4902:eca0:5::1"; prefixLength = 64; } ];
# IPv6 Uplink
networking.interfaces.ens21.ipv6.addresses = [ { address = "2001:638:904:ffc9::a"; prefixLength = 64; } ];
# Ildix
networking.interfaces.ens22.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::5"; prefixLength = 64; } ];
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens21"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
petabyte.policyrouting = {
enable = true;
rules6 = [
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
]; ];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.25/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens19";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-lokales-netz" = {
# Aktuell nicht verwendet, da in lo-dn42 umgezogen
matchConfig.Name = "ens20";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens22";
address = [
"fd81:edb3:71d8:ffff:2574::5/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
}; };
services.bird.enable = true; profiles.clerie.dn42-router = {
services.bird.package = pkgs.bird2; enable = true;
services.bird.config = '' loopbackIp = "fd56:4902:eca0:5::1";
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address }; routerId = "192.168.10.25";
ipv6 table ospf6; ospfInterfaces = [
ipv6 table bgp6; "ens19"
];
protocol direct { ibgpPeers = [
interface "ens20"; {
ipv6 { peerName = "gw1";
table ospf6; remoteAddress = "fd56:4902:eca0:1::1";
};
} }
{
protocol static { peerName = "gw6";
ipv6 { remoteAddress = "fd56:4902:eca0:6::1";
table bgp6;
};
route fd56:4902:eca0::/48 via "lo";
route fd56:4902:eca0::/52 via "lo";
} }
];
protocol kernel { bgpPeers = [
ipv6 { {
table ospf6; peerName = "peer_ildix_clerie";
export filter { localAddress = "fd81:edb3:71d8:ffff:2574::5";
krt_prefsrc=fd56:4902:eca0:5::1; remoteAddress = "fd81:edb3:71d8:ffff::13";
accept; remoteAsn = "4242422953";
};
import none;
};
kernel table 1337;
} }
{
protocol kernel { peerName = "peer_ildix_nex";
ipv6 { localAddress = "fd81:edb3:71d8:ffff:2574::5";
table bgp6; remoteAddress = "fd81:edb3:71d8:ffff::14";
export filter { remoteAsn = "4242422953";
krt_prefsrc=fd56:4902:eca0:5::1;
accept;
};
import none;
};
kernel table 2342;
}
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens19" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw1 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:1::1 as 4242422574;
source address fd56:4902:eca0:5::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw6 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:6::1 as 4242422574;
source address fd56:4902:eca0:5::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp ildix {
local as 4242422574;
graceful restart on;
source address fd81:edb3:71d8:ffff:2574::5;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
};
}
protocol bgp peer_ildix_clerie from ildix {
neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
}
protocol bgp peer_ildix_nex from ildix {
neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
} }
];
birdExtraConfig = ''
# Internal # Internal
protocol bgp peer_2953_dn42_ildix_service { protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574; local as 4242422574;
@@ -175,14 +108,10 @@
}; };
}; };
} }
protocol device {
scan time 10;
}
''; '';
};
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
startAt = "*-*-* 06:22:00"; startAt = "*-*-* 06:22:00";
}; };

207
hosts/dn42-il-gw6/configuration.nix
View File

@@ -4,158 +4,85 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/dn42
]; ];
profiles.clerie.cybercluster-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false; systemd.network.networks."10-wan" = {
networking.interfaces.lo.ipv6.addresses = [ { address = "fd56:4902:eca0:6::1"; prefixLength = 64; } ]; matchConfig.Name = "ens18";
# IPv6 Uplink address = [
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc9::9"; prefixLength = 64; } ]; "2001:638:904:ffc9::9/64"
# Ildix
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2574::6"; prefixLength = 64; } ];
# VM Nat Netz mercury
networking.interfaces.ens20.ipv4.addresses = [ { address = "192.168.10.26"; prefixLength = 24; } ];
# OSPF Netz
networking.interfaces.ens21 = {};
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens20"; };
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
petabyte.policyrouting = {
enable = true;
rules6 = [
{ rule = "from all to fd56:4902:eca0::/48 lookup 1337"; prio = 10000; }
{ rule = "from all to all lookup 2342"; prio = 10000; }
{ rule = "from all to fd56:4902:eca0::/48 unreachable"; prio = 20000; }
{ rule = "from fd56:4902:eca0::/48 to all unreachable"; prio = 20000; }
]; ];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens20";
address = [
"192.168.10.26/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ospf-netz" = {
matchConfig.Name = "ens21";
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff:2574::6/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
}; };
services.bird.enable = true; profiles.clerie.dn42-router = {
services.bird.package = pkgs.bird2; enable = true;
services.bird.config = '' loopbackIp = "fd56:4902:eca0:6::1";
router id ${ (lib.head config.networking.interfaces.ens20.ipv4.addresses).address }; routerId = "192.168.10.26";
ipv6 table ospf6; ospfInterfaces = [
ipv6 table bgp6; "ens21"
];
protocol direct { ibgpPeers = [
interface "lo"; {
ipv6 { peerName = "gw1";
table ospf6; remoteAddress = "fd56:4902:eca0:1::1";
};
} }
{
protocol static { peerName = "gw5";
ipv6 { remoteAddress = "fd56:4902:eca0:5::1";
table bgp6;
};
#route fd56:4902:eca0::/48 via "lo";
#route fd56:4902:eca0::/52 via "lo";
} }
];
protocol kernel { bgpPeers = [
ipv6 { {
table ospf6; peerName = "peer_ildix_clerie";
export filter { localAddress = "fd81:edb3:71d8:ffff:2574::6";
krt_prefsrc=fd56:4902:eca0:6::1; remoteAddress = "fd81:edb3:71d8:ffff::13";
accept; remoteAsn = "4242422953";
};
import none;
};
kernel table 1337;
} }
{
protocol kernel { peerName = "peer_ildix_nex";
ipv6 { localAddress = "fd81:edb3:71d8:ffff:2574::6";
table bgp6; remoteAddress = "fd81:edb3:71d8:ffff::14";
export filter { remoteAsn = "4242422953";
krt_prefsrc=fd56:4902:eca0:6::1;
accept;
};
import none;
};
kernel table 2342;
}
protocol ospf v3 {
ipv6 {
table ospf6;
import all;
export all;
};
area 0 {
interface "ens21" {
cost 80;
type broadcast;
};
};
}
protocol bgp gw1 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:1::1 as 4242422574;
source address fd56:4902:eca0:6::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
protocol bgp gw5 {
local as 4242422574;
graceful restart on;
neighbor fd56:4902:eca0:5::1 as 4242422574;
source address fd56:4902:eca0:6::1;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import all;
export all;
};
}
template bgp ildix {
local as 4242422574;
graceful restart on;
source address fd81:edb3:71d8:ffff:2574::6;
ipv6 {
table bgp6;
igp table ospf6;
next hop self;
import keep filtered;
import filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
export filter {
if net ~ [fd00::/8{8,64}] then accept;
reject;
};
};
}
protocol bgp peer_ildix_clerie from ildix {
neighbor fd81:edb3:71d8:ffff::13 as 4242422953;
}
protocol bgp peer_ildix_nex from ildix {
neighbor fd81:edb3:71d8:ffff::14 as 4242422953;
} }
];
birdExtraConfig = ''
# Internal # Internal
protocol bgp peer_2953_dn42_ildix_service { protocol bgp peer_2953_dn42_ildix_service {
local as 4242422574; local as 4242422574;
@@ -175,14 +102,10 @@
}; };
}; };
} }
protocol device {
scan time 10;
}
''; '';
};
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
startAt = "*-*-* 07:22:00"; startAt = "*-*-* 07:22:00";
}; };

54
hosts/dn42-ildix-clerie/configuration.nix
View File

@@ -4,26 +4,47 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
]; ];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false; systemd.network.networks."10-wan" = {
# VM Nat Netz mercury matchConfig.Name = "ens20";
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.27"; prefixLength = 24; } ]; address = [
# Ildix "2001:638:904:ffcb::4/64"
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff::13"; prefixLength = 64; } ]; ];
routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.27/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff::13/64"
];
routes = [
# Route to dn42-ildix-service # Route to dn42-ildix-service
networking.interfaces.ens19.ipv6.routes = [ { address = "fd81:edb3:71d8::"; prefixLength = 48; via = "fd81:edb3:71d8:ffff:2953::1"; } ]; { Destination = "fd81:edb3:71d8::/48"; Gateway = "fd81:edb3:71d8:ffff:2953::1"; }
];
# public address linkConfig.RequiredForOnline = "no";
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffcb::4"; prefixLength = 64; } ]; ipv6AcceptRAConfig.DHCPv6Client = "no";
};
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens20"; };
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ];
# Open Firewall for BGP # Open Firewall for BGP
networking.firewall.allowedTCPPorts = [ 179 ]; networking.firewall.allowedTCPPorts = [ 179 ];
@@ -36,7 +57,7 @@
services.bird.enable = true; services.bird.enable = true;
services.bird.package = pkgs.bird2; services.bird.package = pkgs.bird2;
services.bird.config = '' services.bird.config = ''
router id ${ (lib.head config.networking.interfaces.ens18.ipv4.addresses).address }; router id 192.168.10.27;
protocol direct { protocol direct {
interface "ens19"; interface "ens19";
@@ -140,8 +161,7 @@
} }
''; '';
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

4
hosts/dn42-ildix-service/bird.nix
View File

@@ -7,7 +7,7 @@
services.bird.enable = false; services.bird.enable = false;
services.bird.package = pkgs.bird2; services.bird.package = pkgs.bird2;
services.bird.config = '' services.bird.config = ''
router id ${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address}; router id 192.168.10.28;
ipv6 table bgp6; ipv6 table bgp6;
@@ -22,7 +22,7 @@
ipv6 { ipv6 {
table bgp6; table bgp6;
export filter { export filter {
krt_prefsrc=${(lib.head config.networking.interfaces.lo.ipv6.addresses).address}; krt_prefsrc=fd81:edb3:71d8::1;
accept; accept;
}; };
import none; import none;

66
hosts/dn42-ildix-service/configuration.nix
View File

@@ -4,11 +4,13 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
./bird.nix ./bird.nix
./fernglas.nix ./fernglas.nix
]; ];
profiles.clerie.mercury-vm.enable = true;
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true; # boot.loader.grub.efiSupport = true;
@@ -17,28 +19,58 @@
# Define on which hard drive you want to install Grub. # Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
networking.useDHCP = false; systemd.network.netdevs."10-lo-dn42" = {
networking.interfaces.lo.ipv6.addresses = [ netdevConfig = {
{ address = "fd81:edb3:71d8::1"; prefixLength = 128; } Kind = "dummy";
{ address = "fd81:edb3:71d8::53"; prefixLength = 128; } Name = "lo-dn42";
]; };
# VM Nat Netz mercury };
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.28"; prefixLength = 24; } ];
# ildix peering lan
networking.interfaces.ens19.ipv6.addresses = [ { address = "fd81:edb3:71d8:ffff:2953::1"; prefixLength = 64; } ];
# IPv6 Uplink
networking.interfaces.ens20.ipv6.addresses = [ { address = "2001:638:904:ffc9::c"; prefixLength = 64; } ];
networking.defaultGateway6 = { address = "2001:638:904:ffc9::1"; interface = "ens20"; }; systemd.network.networks."10-lo-dn42" = {
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; }; matchConfig.Name = "lo-dn42";
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; address = [
"fd81:edb3:71d8::1/128"
"fd81:edb3:71d8::53/128"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens20";
address = [
"2001:638:904:ffc9::c/64"
];
routes = [
{ Gateway = "2001:638:904:ffc9::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.28/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-dn42-ildix" = {
matchConfig.Name = "ens19";
address = [
"fd81:edb3:71d8:ffff:2953::1/64"
];
linkConfig.RequiredForOnline = "no";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true; services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

11
hosts/dn42-ildix-service/fernglas.nix
View File

@@ -5,20 +5,21 @@
services.fernglas = { services.fernglas = {
enable = true; enable = true;
useMimalloc = false;
settings = { settings = {
api.bind = "[::1]:3000"; api.bind = "[::1]:3000";
collectors = [ collectors = {
{ bgp_any = {
collector_type = "Bgp"; collector_type = "Bgp";
bind = "[::]:1179"; bind = "[::]:1179";
default_peer_config = { default_peer_config = {
asn = 4242422953; asn = 4242422953;
router_id = "${(lib.head config.networking.interfaces.ens18.ipv4.addresses).address}"; router_id = "192.168.10.28";
route_state = "Accepted"; route_state = "Accepted";
add_path = true; add_path = true;
}; };
} };
]; };
}; };
}; };

8
hosts/gatekeeper/configuration.nix
View File

@@ -4,17 +4,14 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/router
]; ];
profiles.clerie.hetzner-cloud.enable = true; profiles.clerie.hetzner-cloud.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
systemd.network.enable = true;
systemd.network.networks."10-wan" = { systemd.network.networks."10-wan" = {
address = [ address = [
"2a01:4f8:c0c:15f1::1/64" "2a01:4f8:c0c:15f1::1/64"
@@ -77,7 +74,7 @@
{ {
# palladium # palladium
allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ]; allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
publicKey = "kxn69ynVyPJeShsAlVz5Xnd7U74GmCAw181b0+/qj3k="; publicKey = "AetxArlP6uiPEPnrk9Yx+ofhBOgOY4NLTqcKM/EA9mk=";
} }
#{ #{
# allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ]; # allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
@@ -134,6 +131,7 @@
clerie.nginx-port-forward = { clerie.nginx-port-forward = {
enable = true; enable = true;
resolver = "127.0.0.53";
tcpPorts."443" = { tcpPorts."443" = {
host = "localhost"; host = "localhost";
port = 22; port = 22;

33
hosts/hydra-1/configuration.nix
View File

@@ -4,14 +4,15 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/hydra-build-machine
./build-machines.nix ./build-machines.nix
./hydra.nix ./hydra.nix
./nix-cache.nix ./nix-cache.nix
]; ];
profiles.clerie.mercury-vm.enable = true;
profiles.clerie.hydra-build-machine.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
@@ -21,12 +22,28 @@
"aarch64-linux" "aarch64-linux"
]; ];
networking.useDHCP = false; systemd.network.networks."10-wan" = {
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffcb::a"; prefixLength = 64; } ]; matchConfig.Name = "ens18";
networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.36"; prefixLength = 24; } ]; address = [
networking.defaultGateway6 = { address = "2001:638:904:ffcb::1"; interface = "ens18"; }; "2001:638:904:ffcb::a/64"
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; }; ];
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; routes = [
{ Gateway = "2001:638:904:ffcb::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
address = [
"192.168.10.36/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true; services.nginx.enable = true;

24
hosts/hydra-2/configuration.nix
View File

@@ -4,10 +4,11 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/hydra-build-machine
]; ];
profiles.clerie.cybercluster-vm.enable = true;
profiles.clerie.hydra-build-machine.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
@@ -17,12 +18,19 @@
"aarch64-linux" "aarch64-linux"
]; ];
networking.useDHCP = false; systemd.network.networks."10-wan" = {
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc1::100"; prefixLength = 64; } ]; matchConfig.Name = "ens18";
networking.interfaces.ens18.ipv4.addresses = [ { address = "141.24.50.112"; prefixLength = 24; } ]; address = [
networking.defaultGateway6 = { address = "2001:638:904:ffc1::1"; interface = "ens18"; }; "2001:638:904:ffc1::100/64"
networking.defaultGateway = { address = "141.24.50.1"; interface = "ens18"; }; "141.24.50.112/24"
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; ];
routes = [
{ Gateway = "2001:638:904:ffc1::1"; }
{ Gateway = "141.24.50.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
clerie.monitoring = { clerie.monitoring = {
enable = true; enable = true;

4
hosts/krypton/configuration.nix
View File

@@ -5,8 +5,6 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/desktop
./android.nix ./android.nix
./backup.nix ./backup.nix
./etesync-dav.nix ./etesync-dav.nix
@@ -15,6 +13,8 @@
./programs.nix ./programs.nix
]; ];
profiles.clerie.desktop.enable = true;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;

2
hosts/krypton/network.nix
View File

@@ -1,7 +1,7 @@
{ ... }: { ... }:
{ {
services.wg-clerie = { profiles.clerie.wg-clerie = {
enable = true; enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8011/128" ]; ipv6s = [ "2a01:4f8:c0c:15f1::8011/128" ];
ipv4s = [ "10.20.30.11/32" ]; ipv4s = [ "10.20.30.11/32" ];

9
hosts/krypton/programs.nix
View File

@@ -1,9 +1,7 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
environment.systemPackages = with pkgs; [ profiles.clerie.firefox.enable = true;
firefox-wayland
];
users.users.clerie.packages = with pkgs; [ users.users.clerie.packages = with pkgs; [
keepassxc keepassxc
@@ -16,16 +14,17 @@
tio tio
xournalpp xournalpp
onlyoffice-bin libreoffice
krita krita
inkscape inkscape
dune3d
wireshark wireshark
tcpdump tcpdump
nmap nmap
okular kdePackages.okular
chromium-incognito chromium-incognito
print-afra print-afra

3
hosts/mail-2/configuration.nix
View File

@@ -13,9 +13,6 @@
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
systemd.network.enable = true;
systemd.network.networks."10-wan" = { systemd.network.networks."10-wan" = {
address = [ address = [
"2a01:4f8:1c1c:9577::1/64" "2a01:4f8:1c1c:9577::1/64"

42
hosts/monitoring-3/blackbox.nix
View File

@@ -25,6 +25,48 @@
fail_if_not_ssl: true fail_if_not_ssl: true
fail_if_body_not_matches_regexp: fail_if_body_not_matches_regexp:
- "Synapse is running" - "Synapse is running"
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
http4:
prober: http
http:
preferred_ip_protocol: ip4
ip_protocol_fallback: false
fail_if_ssl: true
follow_redirects: false
valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
http6:
prober: http
http:
preferred_ip_protocol: ip6
ip_protocol_fallback: false
fail_if_ssl: true
follow_redirects: false
valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
https4:
prober: http
http:
preferred_ip_protocol: ip4
ip_protocol_fallback: false
fail_if_not_ssl: true
follow_redirects: false
valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
https6:
prober: http
http:
preferred_ip_protocol: ip6
ip_protocol_fallback: false
fail_if_not_ssl: true
follow_redirects: false
valid_status_codes: [ 200, 204, 301, 302, 303, 307, 308 ]
headers:
User-Agent: "monitoring.clerie.de, blackbox exporter"
''; '';
}; };
} }

32
hosts/monitoring-3/configuration.nix
View File

@@ -4,25 +4,43 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
./alertmanager.nix ./alertmanager.nix
./berlinerbaeder-exporter.nix ./berlinerbaeder-exporter.nix
./blackbox.nix ./blackbox.nix
./grafana.nix ./grafana.nix
./nixos-validator.nix ./nixos-validator.nix
./prometheus.nix ./prometheus.nix
./targets.nix
./uptimestatus.nix ./uptimestatus.nix
]; ];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false; systemd.network.networks."10-wan" = {
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.32"; prefixLength = 24; } ]; matchConfig.Name = "ens19";
networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffca::7"; prefixLength = 64; } ]; address = [
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; }; "2001:638:904:ffca::7/64"
networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens19"; }; ];
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; routes = [
{ Gateway = "2001:638:904:ffca::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.32/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.prometheus.exporters.node.enable = true; services.prometheus.exporters.node.enable = true;

77
hosts/monitoring-3/dashboards/home.json Normal file
View File

@@ -0,0 +1,77 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 10,
"links": [],
"panels": [
{
"fieldConfig": {
"defaults": {},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"includeVars": false,
"keepTime": false,
"maxItems": 10,
"query": "",
"showFolderNames": true,
"showHeadings": false,
"showRecentlyViewed": false,
"showSearch": true,
"showStarred": false,
"tags": []
},
"pluginVersion": "12.0.2+security-01",
"title": "Dashboards",
"type": "dashlist"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-6h",
"to": "now"
},
"timepicker": {
"hidden": true
},
"timezone": "browser",
"title": "Home",
"uid": "OqTN9p2nz",
"version": 1
}

355
hosts/monitoring-3/dashboards/nginx-exporter.json Normal file
View File

@@ -0,0 +1,355 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 16,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 0
},
"id": 1,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Total requests",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: {{method}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Status codes",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 10
},
"id": 3,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: HTTP {{status}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Response codes",
"type": "timeseries"
}
],
"preload": false,
"refresh": "30s",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": [
"$__all"
]
},
"definition": "label_values(nginxlog_http_response_count_total,server_name)",
"includeAll": true,
"label": "vHost",
"multi": true,
"name": "server_name",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(nginxlog_http_response_count_total,server_name)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-3h",
"to": "now"
},
"timepicker": {},
"timezone": "browser",
"title": "Nginx Exporter",
"uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
"version": 7
}

135
hosts/monitoring-3/dashboards/nixos-status.json Normal file
View File

@@ -0,0 +1,135 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 15,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "continuous-RdYlGr"
},
"custom": {
"axisPlacement": "auto",
"fillOpacity": 70,
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineWidth": 0,
"spanNulls": false
},
"mappings": [
{
"options": {
"0": {
"index": 1,
"text": "mismatch"
},
"1": {
"index": 0,
"text": "sync"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "red"
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 23,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"alignValue": "left",
"legend": {
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"mergeValues": true,
"rowHeight": 0.9,
"showValue": "auto",
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "builder",
"expr": "nixos_current_system_is_sync",
"legendFormat": "{{instance}}",
"range": true,
"refId": "A"
}
],
"title": "Config is Sync",
"type": "state-timeline"
}
],
"preload": false,
"refresh": "5m",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-7d",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "NixOS Status",
"uid": "W4j3nz1Vz",
"version": 3
}

211
hosts/monitoring-3/dashboards/smokeping.json Normal file
View File

@@ -0,0 +1,211 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 11,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
},
{
"color": "red",
"value": 80
}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {
"h": 22,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
"interval": "",
"legendFormat": "IPv6 {{target}} ({{instance}})",
"range": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
"hide": false,
"interval": "",
"legendFormat": "IPv4 {{target}} ({{instance}})",
"range": true,
"refId": "B"
}
],
"title": "Smokeping",
"type": "timeseries"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": "$__all"
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"includeAll": true,
"label": "Target:",
"multi": true,
"name": "target",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
},
{
"current": {
"text": [
"All"
],
"value": [
"$__all"
]
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"includeAll": true,
"label": "Instance:",
"multi": true,
"name": "instance",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-30m",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "Smokeping",
"uid": "IytTVZL7z",
"version": 9
}

201
hosts/monitoring-3/prometheus.nix
View File

@@ -52,6 +52,12 @@ let
attrByPath ["clerie" "monitoring" "blackbox"] false host.config) attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
monitoringHosts); monitoringHosts);
nginxlogMonitoringTargets = mapAttrsToList (name: host:
"${host.config.networking.hostName}.mon.clerie.de:9117")
(filterAttrs (name: host:
attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
monitoringHosts);
eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b)))); eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
in { in {
@@ -104,6 +110,21 @@ in {
relabelAddressToInstance relabelAddressToInstance
]; ];
} }
{
job_name = "alertmanager";
scrape_interval = "20s";
scheme = "http";
static_configs = [
{
targets = [
"monitoring-3.mon.clerie.de:9093"
];
}
];
relabel_configs = [
relabelAddressToInstance
];
}
{ {
job_name = "node-exporter"; job_name = "node-exporter";
scrape_interval = "20s"; scrape_interval = "20s";
@@ -141,10 +162,7 @@ in {
}; };
static_configs = [ static_configs = [
{ {
targets = [ targets = map (target: "${target};infra") config.profiles.clerie.monitoring-server.probeTargets.node-exporter-uberspace;
"clerie.uber.space;infra"
"cleriewi.uber.space;infra"
];
} }
]; ];
relabel_configs = [ relabel_configs = [
@@ -200,7 +218,7 @@ in {
relabelAddressToInstance relabelAddressToInstance
{ {
target_label = "__address__"; target_label = "__address__";
replacement = "[::1]:9153"; replacement = "monitoring-3.mon.clerie.de:9153";
} }
]; ];
} }
@@ -225,17 +243,7 @@ in {
}; };
static_configs = [ static_configs = [
{ {
targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [ targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp6;
"clerie.de"
"tagesschau.de"
"google.com"
"achtbaan.nikhef.nl"
"fluorine.net.clerie.de"
"www.fem.tu-ilmenau.de"
"www.heise.de"
"dyon.net.entr0py.de"
"matrix.fachschaften.org"
];
} }
]; ];
relabel_configs = [ relabel_configs = [
@@ -267,18 +275,7 @@ in {
}; };
static_configs = [ static_configs = [
{ {
targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets [ targets = eachWithEachOther (instance: target: "${instance};${target}") blackboxMonitoringTargets config.profiles.clerie.monitoring-server.probeTargets.blackbox-icmp4;
"clerie.de"
"tagesschau.de"
"google.com"
"achtbaan.nikhef.nl"
"www.fem.tu-ilmenau.de"
"www.heise.de"
"matrix.bau-ha.us"
"dyon.net.entr0py.de"
"matrix.entr0py.de"
"matrix.fachschaften.org"
];
} }
]; ];
relabel_configs = [ relabel_configs = [
@@ -310,10 +307,7 @@ in {
}; };
static_configs = [ static_configs = [
{ {
targets = [ targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-synapse;
"matrix.entr0py.de"
"matrix.fachschaften.org"
];
} }
]; ];
relabel_configs = [ relabel_configs = [
@@ -393,6 +387,122 @@ in {
relabelAddressToInstance relabelAddressToInstance
]; ];
} }
{
job_name = "blackbox_local_http6";
scrape_interval = "100s";
metrics_path = "/probe";
params = {
module = [ "http6" ];
};
static_configs = [
{
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
replacement = "http://\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
{
job_name = "blackbox_local_http4";
scrape_interval = "100s";
metrics_path = "/probe";
params = {
module = [ "http4" ];
};
static_configs = [
{
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
replacement = "http://\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
{
job_name = "blackbox_local_https6";
scrape_interval = "100s";
metrics_path = "/probe";
params = {
module = [ "https6" ];
};
static_configs = [
{
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http6;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
replacement = "https://\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
{
job_name = "blackbox_local_https4";
scrape_interval = "100s";
metrics_path = "/probe";
params = {
module = [ "https4" ];
};
static_configs = [
{
targets = config.profiles.clerie.monitoring-server.probeTargets.blackbox-local-http4;
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
replacement = "https://\${1}";
}
{
source_labels = [ "__address__" ];
target_label = "target";
}
{
target_label = "__address__";
replacement = "monitoring-3.mon.clerie.de:9115";
}
relabelAddressToInstance
];
}
{ {
job_name = "hydra"; job_name = "hydra";
scrape_interval = "20s"; scrape_interval = "20s";
@@ -419,12 +529,37 @@ in {
relabelAddressToInstance relabelAddressToInstance
]; ];
} }
{
job_name = "clerie_keys";
scrape_interval = "5m";
scheme = "https";
metrics_path = "/gpg/clerie@clerie.de.metrics.txt";
static_configs = [
{
targets = [
"clerie.de"
];
}
];
}
{
job_name = "nginxlog-exporter";
scrape_interval = "20s";
static_configs = [
{
targets = nginxlogMonitoringTargets;
}
];
relabel_configs = [
relabelAddressToInstance
];
}
]; ];
alertmanagers = [ alertmanagers = [
{ {
static_configs = [ { static_configs = [ {
targets = [ targets = [
"[::1]:9093" "monitoring-3.mon.clerie.de:9093"
]; ];
} ]; } ];
} }

41
hosts/monitoring-3/rules.yml
View File

@@ -18,7 +18,7 @@ groups:
summary: "Current system of {{ $labels.instance }} not in sync with config" summary: "Current system of {{ $labels.instance }} not in sync with config"
description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config" description: "The current system hash of {{ $labels.instance }} does not match the one generated by hydra based on the current config"
- alert: StorageFull - alert: StorageFull
expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 5 expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 5
for: 30m for: 30m
labels: labels:
severity: critical severity: critical
@@ -26,7 +26,7 @@ groups:
summary: "Storage of {{ $labels.instance }} is full" summary: "Storage of {{ $labels.instance }} is full"
description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full" description: "Storage of {{ $labels.instance }} for {{ $labels.mountpoint }} on {{ $labels.device }} is full"
- alert: StorageAlmostFull - alert: StorageAlmostFull
expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter"}[5m])) * 100) < 10 expr: ((last_over_time(node_filesystem_avail_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m]) / last_over_time(node_filesystem_size_bytes{job="node-exporter", mountpoint!="/nix/store"}[5m])) * 100) < 10
for: 30m for: 30m
labels: labels:
severity: warning severity: warning
@@ -73,3 +73,40 @@ groups:
annotations: annotations:
summary: "Synapse of {{ $labels.target }} unavailable" summary: "Synapse of {{ $labels.target }} unavailable"
description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage" description: "The Synapse backend of {{ $labels.target }} is unreachable or returns garbage"
- alert: ClerieKeysExpire
expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 1209600
labels:
severity: critical
annotations:
summary: "GPG {{ $labels.fingerprint }} is expiring"
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then two weeks"
- alert: ClerieKeysAlmostExpire
expr: last_over_time(clerie_keys_gpg_key_expire_time[15m]) - time() < 3628800
labels:
severity: warning
annotations:
summary: "GPG {{ $labels.fingerprint }} is expiring soon"
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
- alert: NadjaTopIPv4ProxyBroken
expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
for: 15m
labels:
severity: critical
annotations:
summary: "blog.nadja.top unreachable via IPv4"
description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
- alert: AlertmanagerNotificationRequestsFailed
expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
labels:
severity: critical
annotations:
summary: "Too many notification requests failed"
description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
- alert: FemSocialDown
expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
for: 5m
labels:
severity: critical
annotations:
summary: "fem.social unavailable via HTTP"
description: "fem.social is not fully reachable via HTTP"

7
hosts/monitoring-3/targets.nix Normal file
View File

@@ -0,0 +1,7 @@
{ ... }:
{
profiles.clerie.monitoring-server.targets = builtins.fromJSON (builtins.readFile ../../monitoring/targets.json);
}

36
hosts/nonat/configuration.nix
View File

@@ -4,28 +4,33 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
../../configuration/router
]; ];
profiles.clerie.mercury-vm.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false; systemd.network.networks."10-wan" = {
# Network matchConfig.Name = "ens18";
networking.interfaces.ens18.ipv4.addresses = [ address = [
{ address = "141.24.46.169"; prefixLength = 24; } "2001:638:904:ffca::6/64"
"141.24.46.169/24"
]; ];
networking.interfaces.ens18.ipv6.addresses = [ routes = [
{ address = "2001:638:904:ffca::6"; prefixLength = 64; } { Gateway = "141.24.46.1"; }
{ Gateway = "2001:638:904:ffca::1"; }
]; ];
networking.defaultGateway = { address = "141.24.46.1"; interface = "ens18"; }; linkConfig.RequiredForOnline = "routable";
networking.defaultGateway6 = { address = "2001:638:904:ffca::1"; interface = "ens18"; }; };
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
networking.interfaces.ens19.ipv4.addresses = [ address = [
{ address = "192.168.10.1"; prefixLength = 24; } "192.168.10.1/24"
]; ];
linkConfig.RequiredForOnline = "no";
};
networking.nat = { networking.nat = {
enableIPv6 = true; enableIPv6 = true;
@@ -36,8 +41,7 @@
networking.firewall.allowedUDPPorts = []; networking.firewall.allowedUDPPorts = [];
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

31
hosts/osmium/configuration.nix
View File

@@ -4,12 +4,13 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm
./nixfiles-updated-inputs.nix ./nixfiles-updated-inputs.nix
./polkit-test.nix ./polkit-test.nix
]; ];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
@@ -19,12 +20,28 @@
"aarch64-linux" "aarch64-linux"
]; ];
networking.useDHCP = false; systemd.network.networks."10-wan" = {
networking.interfaces.ens18.ipv4.addresses = [ { address = "192.168.10.29"; prefixLength = 24; } ]; matchConfig.Name = "ens19";
networking.interfaces.ens19.ipv6.addresses = [ { address = "2001:638:904:ffc7::6"; prefixLength = 64; } ]; address = [
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens18"; }; "2001:638:904:ffc7::6/64"
networking.defaultGateway6 = { address = "2001:638:904:ffc7::1"; interface = "ens19"; }; ];
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; routes = [
{ Gateway = "2001:638:904:ffc7::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens18";
address = [
"192.168.10.29/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git

29
hosts/palladium/configuration.nix
View File

@@ -4,6 +4,9 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./restic-server.nix
./wg-b-palladium.nix
]; ];
boot.kernelParams = [ "console=ttyS0,115200n8" ]; boot.kernelParams = [ "console=ttyS0,115200n8" ];
@@ -30,19 +33,33 @@
boot.swraid.enable = true; boot.swraid.enable = true;
networking.useDHCP = false; systemd.network.networks."10-wan" = {
networking.interfaces.enp3s0.ipv6.addresses = [ matchConfig.Name = "enp3s0";
{ address = "fd00:152:152:4::11"; prefixLength = 64; } address = [
{ address = "2001:4cd8:100:1337::11"; prefixLength = 64; } "fd00:152:152:4::11/64"
]; ];
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp3s0"; }; networkConfig.DHCP = true;
networking.nameservers = [ "fd00:152:152::1" ]; linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
# Keeping the harddrives quiet # Keeping the harddrives quiet
services.udev.extraRules = '' services.udev.extraRules = ''
KERNEL=="sd?[0-9]", ENV{ID_MODEL}=="ST1000DM003-1SB102", ACTION=="add", RUN+="${pkgs.hdparm}/sbin/hdparm -S 24 /dev/%k" KERNEL=="sd?[0-9]", ENV{ID_MODEL}=="ST1000DM003-1SB102", ACTION=="add", RUN+="${pkgs.hdparm}/sbin/hdparm -S 24 /dev/%k"
''; '';
profiles.clerie.wg-clerie = {
enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8103/128" ];
ipv4s = [ "10.20.30.103/32" ];
};
clerie.monitoring = {
enable = true;
id = "206";
pubkey = "2Q8mO4Y09Oi9CCfUUvWpZ8yIQezwtE94tz6ZbA0EDwE=";
};
system.stateVersion = "25.05"; system.stateVersion = "25.05";
} }

20
hosts/palladium/restic-server.nix Normal file
View File

@@ -0,0 +1,20 @@
{ ... }:
{
services.restic.server = {
enable = true;
privateRepos = true;
dataDir = "/data/backup";
listenAddress = "[::]:43242";
};
# restic rest server does not support --htpasswd-file in the current version of nixpkgs
# until then we copy the secrets to the common location
sops.secrets.restic-server-backup-htpasswd = {
path = "/data/backup/.htpasswd";
owner = "restic";
group = "restic";
};
networking.firewall.interfaces.wg-b-palladium.allowedTCPPorts = [ 43242 ];
}

29
hosts/palladium/secrets.json Normal file
View File

@@ -0,0 +1,29 @@
{
"restic-server-backup-htpasswd": "ENC[AES256_GCM,data:ouHDwNJ3UQID54qq+6tEc9Zmpa/i5jDMvzIw5baBV4oGy27JI+f40A6tqmQlbRRsX68XhMhfRcpczfTDmf2tFV7TcWB4yA==,iv:PkjCOHFQxbBvYdmOhARJUNUUsAbJiEDnLDM1UWZhHXA=,tag:3cGdkx0xNdtse9hHPa9mUQ==,type:str]",
"wg-b-palladium": "ENC[AES256_GCM,data:VBDyrDYwICbiND8jfkiIr/3oDtP1X9817WhonFYXNSTPZHziEY7U886/DFc=,iv:syqo77FROChv4WKgiGWCUa2ziH2Ds14CT5vVRxGmEvQ=,tag:X2G3JUrabXYmsKPBltOafw==,type:str]",
"wg-clerie": "ENC[AES256_GCM,data:fLGZCRbnDrSWQ+9Q/7l3DUKOgw7blcHpd8svHMZFEKMoTfGeZCc37oKAOKU=,iv:GlPXkeVnzSzAnpdSGIydZP+hhEshJ3X/N1fhwJk5Ol4=,tag:0E9RhBPha0Gun6KUNtvYUg==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:3RHk/VI8t9ba/qiWqLkwIxaOt+e0yXw7+f1qpIVdr3JE2NzkVvX6aeP3o2Q=,iv:f4VIK1oyaUilCia1EfEiL18a3zk4+7Ol4ihyhzPounw=,tag:XeTI3iL4qIPS+Z+PDJRGrA==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1s3f9hxcd89dk3st2r5funjw7cjcq85nuz4gq8w0aplky9v2wqy7qwukagx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY3p1Mi85WTNxK2U5bFVP\ncmlFRXNlK2dWMUt1eW1abzIrb0liR043VHpnClIvaHZ1VWxRSFR3ajc0MmJyMFAw\nSWdVclB2OGJqUjNXTmI4MktXVTVQbncKLS0tIFpJTTZJRmJGeE1xNFFScE81R29J\nR3MzOGY1cVhmalNEaHdyWjkyaHVRTDAKXyz/+WdHsC2AppYNf3/W1xx2Zcfg4p50\nCAamBntNMUK8zYLdhoSBT54qVYJJuYZ6eD6WOIZrdCK4HKGy0d13uw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-18T08:56:54Z",
"mac": "ENC[AES256_GCM,data:QEEcjNqO+tXpl/4TWx+r8WT+ZsdoBw/CBiz6XpG8rsIl0prBWtQ8YW/DeYAxLPMOlb55HuDsneLEpR2DsBB1x6b0lSyjES/hgMRkweKczFLRxrhHh3qXff/wK9sDaEPLvEzvH99x63+1dAZh7z8CVESDTt8QLKK1qCxOf36QNdc=,iv:NbYc0qz0AUGKWpwKg/1QCuTnZ1+m+e6tQxWAuDogVrw=,tag:JEPtLP7V3N+Lx/quMGq/AQ==,type:str]",
"pgp": [
{
"created_at": "2025-04-15T17:32:56Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//aQe91iy/RiR2PJqXhrZVyovraUmm4ivCjPSoookMCHhY\n5HGNdyzttnBjzHNqT8OFo43nu1VPlOYllgQXNbwEj7rSQN5CZQTx35Fhkc2q9q1N\ns3uI+o/RfCLiZMvr5S80lFvmw25hpopGoF0i3sHrORbh5ennzGV2Dsn2RfcQx5Ji\n11kO4QBDNs37cqZEBP4N4R5xEWFMrWPqxVrRuGZkzxR0MPLy+zCSjic0OIXWxi5G\nSTO3rPGn06s3gbMmFgAPVBMR/nyT2kPDwQFbvv7SWNqnyZ1z5S5C7eSpcEa+49IZ\ngHo3hRa0O30bvgc+yhQ9TxhyFmlgk+HWRsc7p1c7B+HK+mwxxnoixfHQLpWEwiQz\nfT32rTG/v4MqNokiyMCvUqffGwBy57YQ0Koggm8kv3GYPbCSXFuGgdxBCUufaIkj\n5n6WmMfjESOEq0+wRw1FZPp6hl1vtCpldlYqm7raOWyzncULvPKbD8AHj7g0QgP/\ndmcVV2ca1V3vklb+FsuiUOJDkGnvue+uUjQ2f/t4JqLYy1dHlfPSX3X+WEJ4U/Nw\nZtpPb7XdgbWLbcDUTpEUGMhlnrLhdjt9w8iDKjZ+kN95fFfR9J4jTyUANIHd0sW1\nuLGphdWX62nmldEIJeselBaVhwiv5qQduNCdDssgZaMlmmdvZUHiABYh8rqKByOF\nAgwDvZ9WSAhwutIBD/4kxHpGFsX6wsP5dfJHGbh6dakqXjidwgkfbgq9eWd3nM9B\nYbmUZNz4vjdWGFIg/zitxpV6SRHItPPLkF0HEqecKrwBC41iczkMTXJsCN19zCEG\nGyMFtiTgYrkLZiN3yMViKbv5sOwm+38dQCE3tL6TZl8Rqi2Wm390DQ/dFSJSdJFb\nLZmOEvUkyChFvS+C6aCIsChoPSRnoqpxzrpJLoozS3EKGb5hKa7SN7zuSyNbUJgR\n4DaruQGNbbSKmInsigqJWtlUbJsYxbOxRGojw2waMRHEvWJfIN6NdsFuCBCMqHA7\nsil+siC7BXqef7nD9UcsjVBPyl7UAtvBAvWpfA83vYwtvSCR8tBPZ7EifyOWplfS\ntdJQFDd14ZGs/kO6j9Ck5d49Y6NuPEfa+wjs8vZGBevWGiErf+RlN7yYRLmX9pr1\nR72U0jC5rhA7+X1JZHEx1DdpNfGDj8MUokXf82aTzQPpOJPPUXOnJP9a6oHFW3Uv\nWmfTSjVbw//B9i/KM5XmVNgp3TyNZmszU36d79W23tnNQhSFpLNz4E/yr+vhvoO1\neowV8gi0BYxNGnUeM+QOFxdvoW4pNyTwVGFbqrJ7xY0m2gYiRpjxf1qpAP5pzm4Z\nrc4c+en8/71oI3Pt2D1IOHMA1VoJbemCxQKjXMb45RJxtSMZTX6kUMeWgXFLvIUC\nDAM1GWv08EiACgEP/RRLSlzAyA297eWSKzDehvMeuf3XL6EgwGo3W4VUjFQLy/k7\nzgJyzmClLaWxoUnhJY26ciaUVX5xzlyamzsuOk+S/Ke/UxHctFhT4jiSfpCj7SJU\n5E+fl4Q1vaH9CwolP/TppYRHw2PrBFHw62+/5o5PzOuSnOQ9M1Yen0sEv3aK1FYb\nCH5lDD12eZ8Qn+aTQUc4DfHGYUZckKp/yWSOYA3/O80bIimSYWjq73CclNQMXeXU\nE520z43xKArHcmbSVcJhxH+tkG+BNJ16l5XQaiKK9p9LlkPyouVvSmedXLsKdt4U\njYGywDAWh39UiepzTNc8I26eM4XcbDZjfF2D9EoNttTXWaHQpIyP/DyzJwShpVGF\nj5l1FmiCXvBxUXUJHP+4ONRtnEjMTQB/6IMWQJ5etVku+8eFRAqrn5J9B5w5/qqj\nf+99lXlORQXo9RDSANinCn6l/zORCUmNqgqfjnuVgsFPJFnUycbyzFsPgZXyF83H\nc/bqAYkjqSlMWzNuhOTgHuDJzt/SPhmbJXJmBH/ZKR52lQRlYonon9+hNE6Ti1aP\nBUdxIpMl89Cj8IPyg24cWlRIRGssIR/7e2iim76lH8VY5QT0M3qUye7KOtKOiJv/\n38kIftzORJ4PQwJnSl2TFqjs/mYSHEx0xc3WednF5ZCDicMYTjkePKJRMHuT0l4B\nYc0BSK8isG7x9SUNSxXUrb26d67ABWRmik+K+B9o7HeQRbPQuPV65m+qBxVEueVu\nYTi+79/6X2pmj/54NbN6Lqaj9SPthnhyDUrduulMRQBvxC2n9gVQ/+UnxEMy\n=Sp14\n-----END PGP MESSAGE-----",
"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.9.4"
}
}

38
hosts/palladium/wg-b-palladium.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, ... }:
{
sops = {
secrets.wg-b-palladium = {
owner = "systemd-network";
group = "systemd-network";
};
};
systemd.network.netdevs."10-wg-b-palladium" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-b-palladium";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
};
wireguardPeers = [
{
PublicKey = "VstE42L1SmZCIShH5sOqcpVQOV0Xb9cFgljD0lhvKFQ=";
AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
PersistentKeepalive = 25;
Endpoint = "backup-4.net.clerie.de:51844";
}
];
};
systemd.network.networks."10-wg-b-palladium" = {
matchConfig.Name = "wg-b-palladium";
address = [
"fd90:37fd:ddec:d921::2/64"
];
linkConfig.RequiredForOnline = "no";
};
}

30
hosts/porter/configuration.nix
View File

@@ -4,16 +4,14 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/router
]; ];
profiles.clerie.netcup.enable = true; profiles.clerie.netcup.enable = true;
profiles.clerie.router.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
systemd.network.enable = true;
systemd.network.networks."10-wan" = { systemd.network.networks."10-wan" = {
matchConfig.Name = "ens3"; matchConfig.Name = "ens3";
address = [ address = [
@@ -25,10 +23,32 @@
{ Gateway = "5.45.100.1"; } { Gateway = "5.45.100.1"; }
]; ];
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
services.unbound = {
enable = true;
resolveLocalQueries = false;
settings = {
server = {
interface = [ "127.0.0.1" ];
};
};
}; };
clerie.nginx-port-forward = { clerie.nginx-port-forward = {
enable = true; enable = true;
resolver = "127.0.0.1";
tcpPorts."80" = {
host = "baikonur.dyn.weimarnetz.de";
port = 80;
};
tcpPorts."443" = {
host = "baikonur.dyn.weimarnetz.de";
port = 443;
};
tcpPorts."2022" = { tcpPorts."2022" = {
host = "nonat.net.clerie.de"; host = "nonat.net.clerie.de";
port = 22; port = 22;
@@ -38,6 +58,10 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = []; networking.firewall.allowedUDPPorts = [];
services.bijwerken = {
autoUpgrade = true;
};
clerie.monitoring = { clerie.monitoring = {
enable = true; enable = true;
id = "102"; id = "102";

35
hosts/storage-2/configuration.nix
View File

@@ -4,22 +4,40 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/proxmox-vm ./em.nix
./firmware.nix ./firmware.nix
./mixcloud.nix ./mixcloud.nix
./syncthing.nix ./syncthing.nix
./users.nix ./users.nix
]; ];
profiles.clerie.mercury-vm.enable = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
networking.useDHCP = false; systemd.network.networks."10-wan" = {
networking.interfaces.ens19.ipv4.addresses = [ { address = "192.168.10.35"; prefixLength = 24; } ]; matchConfig.Name = "ens18";
networking.interfaces.ens18.ipv6.addresses = [ { address = "2001:638:904:ffc0::4"; prefixLength = 64; } ]; address = [
networking.defaultGateway = { address = "192.168.10.1"; interface = "ens19"; }; "2001:638:904:ffc0::4/64"
networking.defaultGateway6 = { address = "2001:638:904:ffc0::1"; interface = "ens18"; }; ];
networking.nameservers = [ "2001:638:904:ffcc::3" "2001:638:904:ffcc::4" "141.24.40.3" "141.24.40.4" ]; routes = [
{ Gateway = "2001:638:904:ffc0::1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
systemd.network.networks."10-nat-netz-mercury" = {
matchConfig.Name = "ens19";
address = [
"192.168.10.35/24"
];
routes = [
{ Gateway = "192.168.10.1"; }
];
linkConfig.RequiredForOnline = "routable";
ipv6AcceptRAConfig.DHCPv6Client = "no";
};
services.nginx.enable = true; services.nginx.enable = true;
@@ -34,8 +52,7 @@
}; };
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };

17
hosts/storage-2/em.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
with lib;
{
users.users.data-em = {
group = "data-em";
home = "/data/em";
useDefaultShell = true;
isSystemUser = true;
};
users.groups.data-em = {};
systemd.tmpfiles.rules = [
"d /data/em - data-em data-em - -"
];
}

1
hosts/storage-2/users.nix
View File

@@ -2,4 +2,5 @@
{ {
users.users.clerie.extraGroups = [ "data-firmware" ]; users.users.clerie.extraGroups = [ "data-firmware" ];
users.users.frank.extraGroups = [ "data-em" ];
} }

5
hosts/tungsten/configuration.nix
View File

@@ -6,6 +6,8 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
profiles.clerie.network-fallback-dhcp.enable = true;
boot.kernelParams = [ "console=ttyS0,115200n8" ]; boot.kernelParams = [ "console=ttyS0,115200n8" ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@@ -16,10 +18,9 @@
terminal_output serial terminal_output serial
"; ";
networking.hostName = "tungsten"; networking.hostName = "tungsten";
services.wg-clerie = { profiles.clerie.wg-clerie = {
enable = true; enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ]; ipv6s = [ "2a01:4f8:c0c:15f1::8112/128" ];
ipv4s = [ "10.20.30.112/32" ]; ipv4s = [ "10.20.30.112/32" ];

195
hosts/web-2/blocked-prefixes.txt Normal file
View File

@@ -0,0 +1,195 @@
ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse

10
hosts/web-2/clerie.nix
View File

@@ -27,18 +27,13 @@
root = pkgs.clerie-keys; root = pkgs.clerie-keys;
}; };
locations."= /ssh/known_hosts" = { locations."= /ssh/known_hosts" = {
alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix); alias = pkgs.clerie-ssh-known-hosts + "/known_hosts";
extraConfig = '' extraConfig = ''
types { } types { }
default_type "text/plain; charset=utf-8"; default_type "text/plain; charset=utf-8";
''; '';
}; };
locations."/gpg" = { locations."/gpg" = {
extraConfig = ''
types {
text/plain asc;
}
'';
root = pkgs.clerie-keys; root = pkgs.clerie-keys;
}; };
locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = { locations."~ ^/.well-known/openpgpkey/hu/[a-z0-9]+/?$" = {
@@ -58,9 +53,6 @@
''; '';
return = "200 ''"; return = "200 ''";
}; };
extraConfig = ''
access_log /var/log/nginx/clerie.de.log combined_anon;
'';
}; };
}; };
} }

6
hosts/web-2/configuration.nix
View File

@@ -24,6 +24,7 @@
./public.nix ./public.nix
./radicale.nix ./radicale.nix
./reichartstrasse.nix ./reichartstrasse.nix
./traveldrafter.nix
./uptimestatus.nix ./uptimestatus.nix
./wetter.nix ./wetter.nix
]; ];
@@ -33,9 +34,6 @@
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
systemd.network.enable = true;
systemd.network.networks."10-wan" = { systemd.network.networks."10-wan" = {
address = [ address = [
"2a01:4f8:c0c:c580::1/64" "2a01:4f8:c0c:c580::1/64"
@@ -54,6 +52,8 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;

3
hosts/web-2/gitea.nix
View File

@@ -83,9 +83,6 @@
proxyPass = "http://[::1]:3000"; proxyPass = "http://[::1]:3000";
}; };
}; };
extraConfig = ''
access_log /var/log/nginx/git.clerie.de.log combined_anon;
'';
}; };
}; };
} }

9
hosts/web-2/ip.nix
View File

@@ -53,9 +53,6 @@
types { } default_type "text/html; charset=utf-8"; types { } default_type "text/html; charset=utf-8";
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
"ip4.clerie.de" = { "ip4.clerie.de" = {
enableACME = true; enableACME = true;
@@ -67,9 +64,6 @@
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
"ip6.clerie.de" = { "ip6.clerie.de" = {
enableACME = true; enableACME = true;
@@ -81,9 +75,6 @@
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
}; };
} }

4
hosts/web-2/legal.nix
View File

@@ -7,8 +7,8 @@
forceSSL = true; forceSSL = true;
root = pkgs.fetchgit { root = pkgs.fetchgit {
url = "https://git.clerie.de/clerie/legal.clerie.de.git"; url = "https://git.clerie.de/clerie/legal.clerie.de.git";
rev = "c6900226e3107a2e370a32759d83db472ab5450d"; rev = "b271b9729f4545c340ce9d16ecbca136031da409";
sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU="; sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
}; };
locations."/impressum" = { locations."/impressum" = {
return = ''301 https://legal.clerie.de/#impressum''; return = ''301 https://legal.clerie.de/#impressum'';

9
hosts/web-2/secrets.json
View File

@@ -4,19 +4,16 @@
"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]", "clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]", "radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az", "recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2024-05-10T13:32:34Z", "lastmodified": "2025-07-06T16:08:39Z",
"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]", "mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-05-10T13:29:58Z", "created_at": "2024-05-10T13:29:58Z",

40
hosts/web-2/traveldrafter.nix Normal file
View File

@@ -0,0 +1,40 @@
{ pkgs, lib, config, ... }: {
services.update-from-hydra.paths.traveldrafter = {
enable = true;
hydraUrl = "https://hydra.clerie.de";
hydraProject = "clerie";
hydraJobset = "traveldrafter";
hydraJob = "packages.x86_64-linux.traveldrafter";
nixStoreUri = "https://nix-cache.clerie.de";
resultPath = "/srv/traveldrafter";
};
sops.secrets.traveldrafter-htpasswd = {
owner = "nginx";
group = "nginx";
};
services.nginx.virtualHosts = {
"traveldrafter.clerie.de" = {
enableACME = true;
forceSSL = true;
root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
locations."/api" = {
proxyPass = "http://[::1]:3001";
};
};
};
systemd.services."traveldrafter" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
RuntimeDirectory = "traveldrafter";
DynamicUser = true;
};
environment = {
HTTP_PORT = "3001";
};
script = lib.getExe pkgs.traveldrafter;
};
}

6
hosts/zinc/configuration.nix
View File

@@ -5,12 +5,12 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/desktop
./initrd.nix ./initrd.nix
./programs.nix ./programs.nix
]; ];
profiles.clerie.desktop.enable = true;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
@@ -25,7 +25,7 @@
boot.initrd.systemd.enable = false; boot.initrd.systemd.enable = false;
services.wg-clerie = { profiles.clerie.wg-clerie = {
enable = true; enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ]; ipv6s = [ "2a01:4f8:c0c:15f1::8109/128" ];
ipv4s = [ "10.20.30.109/32" ]; ipv4s = [ "10.20.30.109/32" ];

4
hosts/zinc/programs.nix
View File

@@ -2,9 +2,9 @@
{ {
users.users.clerie.packages = with pkgs; [ profiles.clerie.firefox.enable = true;
firefox
users.users.clerie.packages = with pkgs; [
blender blender
#cura # libarcus library is currently broken, required for curaengine #cura # libarcus library is currently broken, required for curaengine

2
lib/default.nix
View File

@@ -8,6 +8,8 @@ let
lib = { lib = {
clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix; clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
mkNixpkgs = callLibs ./mkNixpkgs.nix;
nixosSystem = callLibs ./nixosSystem.nix;
}; };
in in

22
lib/link-local-wireguard.nix
View File

@@ -1,22 +0,0 @@
{ ... }:
rec {
llIPv6 = localIP: peerIP: interface: {
ips = [
"${localIP}/128"
];
postSetup = ''
ip -6 route flush dev ${interface}
ip addr del dev ${interface} ${localIP}/128 && ip addr add dev ${interface} ${localIP}/128 peer ${peerIP}/128
'';
};
llIPv4 = localIP: peerIP: interface: {
ips = [
"${localIP}/32"
];
postSetup = ''
ip -4 route flush dev ${interface}
ip addr del dev ${interface} ${localIP}/32 && ip addr add dev ${interface} ${localIP}/32 peer ${peerIP}/32
'';
};
}

27
lib/mkNixpkgs.nix Normal file
View File

@@ -0,0 +1,27 @@
{
inputs,
self,
...
}:
/*
Loads a version of nixpkgs with nixfiles overlays loaded
*/
{
system,
nixpkgs ? inputs.nixpkgs,
overlays ? [],
...
}@args:
import nixpkgs {
inherit system;
overlays = [
self.overlays.clerie-inputs
self.overlays.clerie-pkgs
self.overlays.clerie-build-support
self.overlays.clerie-overrides
] ++ overlays;
}

42
lib/nixosSystem.nix Normal file
View File

@@ -0,0 +1,42 @@
{
inputs,
self,
...
}:
/*
nixfiles.lib.nixosSystem, like nixpkgs.lib.nixosSystem but
with nixfiles overlays and modules already populated
*/
{
system ? null,
nixpkgs ? inputs.nixpkgs,
pkgs ? null,
modules ? [],
...
}@args:
nixpkgs.lib.nixosSystem ({
system = system;
pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
inherit system nixpkgs;
});
modules = [
self.nixosModules.nixfilesInputs
self.nixosModules.clerie
self.nixosModules.profiles
({ config, lib, ... }: {
/*
Make the contents of the flake availiable to modules.
Useful for having the monitoring server scraping the
target config from all other servers automatically.
*/
_module.args = {
inputs = inputs;
_nixfiles = self;
};
})
] ++ modules;
} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )

4
modules/backup/default.nix
View File

@@ -64,7 +64,7 @@ let
targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username; targetUsername = if targetOptions.username == null then config.networking.hostName else targetOptions.username;
in { in {
"clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile; "clerie-backup/${jobName}-${targetName}/repo_password".source = jobPasswordFile;
"clerie-backup/${jobName}-${targetName}/repo_url".text = "https://${targetOptions.serverName}${repoPath}"; "clerie-backup/${jobName}-${targetName}/repo_url".text = "${targetOptions.serverUrl}${repoPath}";
"clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername; "clerie-backup/${jobName}-${targetName}/auth_username".text = targetUsername;
"clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile; "clerie-backup/${jobName}-${targetName}/auth_password".source = targetPasswordFile;
"clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths; "clerie-backup/${jobName}-${targetName}/files".text = concatStringsSep "\n" jobOptions.paths;
@@ -82,7 +82,7 @@ let
type = with types; nullOr str; type = with types; nullOr str;
default = null; default = null;
}; };
serverName = mkOption { serverUrl = mkOption {
type = types.str; type = types.str;
}; };
}; };

24
modules/clerie-system-upgrade/default.nix → modules/bijwerken/default.nix
View File

@@ -3,18 +3,13 @@
with lib; with lib;
let let
cfg = config.clerie.system-auto-upgrade; cfg = config.services.bijwerken;
in in
{ {
options = { options = {
clerie.system-auto-upgrade = { services.bijwerken = {
enable = mkEnableOption "clerie system upgrade"; enable = mkEnableOption "Automatic system upgrades";
allowReboot = mkOption {
type = types.bool;
default = false;
description = "Monitor NixOS";
};
autoUpgrade = mkOption { autoUpgrade = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@@ -25,10 +20,15 @@ in
default = null; default = null;
description = "Systemd time string for starting the unit"; description = "Systemd time string for starting the unit";
}; };
nodeExporterTextfilePath = mkOption {
type = with types; nullOr str;
default = null;
description = "Path to node exporter textfile for putting metrics";
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.clerie-system-auto-upgrade = { systemd.services.bijwerken-system-upgrade = {
requires = [ "network-online.target" ]; requires = [ "network-online.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
@@ -38,10 +38,10 @@ in
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}"; ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
}; };
}; };
systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade { systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt; OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -51,7 +51,7 @@ in
after = [ "network-online.target" ]; after = [ "network-online.target" ];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
clerie-system-upgrade bijwerken-system-upgrade
]; ];
}; };
} }

2
modules/default.nix
View File

@@ -5,9 +5,9 @@
./policyrouting ./policyrouting
./akne ./akne
./backup ./backup
./bijwerken
./clerie-firewall ./clerie-firewall
./clerie-gc-dir ./clerie-gc-dir
./clerie-system-upgrade
./dhcpcd-prefixdelegation ./dhcpcd-prefixdelegation
./minecraft-server ./minecraft-server
./monitoring ./monitoring

49
modules/monitoring/default.nix
View File

@@ -61,9 +61,6 @@ in
services.prometheus.exporters.node = { services.prometheus.exporters.node = {
enable = true; enable = true;
#listenAddress = "${monitoring-network-base}${cfg.id}";
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
enabledCollectors = [ enabledCollectors = [
"systemd" "systemd"
]; ];
@@ -78,16 +75,14 @@ in
systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ]; systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
services.prometheus.exporters.bird = mkIf cfg.bird { services.prometheus.exporters.bird = mkIf cfg.bird {
enable = true; enable = true;
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
}; };
services.prometheus.exporters.blackbox = mkIf cfg.blackbox { services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
enable = true; enable = true;
openFirewall = true;
firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
configFile = pkgs.writeText "blackbox.yml" '' configFile = pkgs.writeText "blackbox.yml" ''
modules: modules:
icmp6: icmp6:
@@ -109,8 +104,42 @@ in
listen = "[::]:9152"; listen = "[::]:9152";
}; };
networking.firewall.extraCommands = '' services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept enable = true;
''; settings = {
namespaces = [
{
name = "nginxlog";
format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
source = {
files = [
"/var/log/nginx/access.log"
];
};
relabel_configs = [
{
target_label = "server_name";
from = "server_name";
}
];
}
];
};
};
systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
SupplementaryGroups = "nginx";
};
networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
9100 # node-exporter
9152 # nixos-exporter
] ++ (if cfg.bird then [
9324 # bird-exporter
] else []) ++ (if cfg.blackbox then [
9115 # blackbox-exporter
] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
config.services.prometheus.exporters.nginxlog.port
] else []);
}; };
} }

10
modules/nginx-port-forward/default.nix
View File

@@ -9,6 +9,8 @@ let
mkServerBlock = isUDP: port: forward: '' mkServerBlock = isUDP: port: forward: ''
server { server {
resolver ${cfg.resolver} ipv4=off valid=30s;
listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"}; listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"}; listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
@@ -18,7 +20,9 @@ let
${ optionalString (sslDhparam != null) "ssl_dhparam ${sslDhparam};" } ${ optionalString (sslDhparam != null) "ssl_dhparam ${sslDhparam};" }
'' } '' }
proxy_pass ${forward.host}:${toString forward.port}; set $upstream_server ${forward.host}:${toString forward.port};
proxy_pass $upstream_server;
} }
''; '';
@@ -50,6 +54,10 @@ in
options = { options = {
clerie.nginx-port-forward = { clerie.nginx-port-forward = {
enable = mkEnableOption "Nginx Port Forward"; enable = mkEnableOption "Nginx Port Forward";
resolver = mkOption {
type = types.str;
description = "IP address of the resolver to use for upstream hostnames";
};
tcpPorts = mkOption { tcpPorts = mkOption {
type = with types; attrsOf (submodule portOpts); type = with types; attrsOf (submodule portOpts);
default = {}; default = {};

52
monitoring/targets.json Normal file
View File

@@ -0,0 +1,52 @@
{
"clerie.de": {
"icmp": { "enable": true },
"http": { "enable": true }
},
"wiki.clerie.de": {
"http": { "enable": true }
},
"blog.nadja.top": {
"http": { "enable": true }
},
"fem.social": {
"http": { "enable": true }
},
"tagesschau.de": {
"icmp": { "enable": true }
},
"google.com": {
"icmp": { "enable": true }
},
"achtbaan.nikhef.nl": {
"icmp": { "enable": true }
},
"www.fem.tu-ilmenau.de": {
"icmp": { "enable": true }
},
"www.heise.de": {
"icmp": { "enable": true }
},
"dyon.net.entr0py.de": {
"_comment": "Backend server of matrix.entr0py.de",
"icmp": { "enable": true }
},
"matrix.bau-ha.us": {
"synapse": { "enable": true }
},
"matrix.entr0py.de": {
"synapse": { "enable": true }
},
"matrix.fachschaften.org": {
"synapse": { "enable": true }
},
"clerie.uber.space": {
"clerie-uberspace": { "enable": true }
},
"cleriewi.uber.space": {
"clerie-uberspace": { "enable": true }
}
}

5
pkgs/bijwerken-poke/bijwerken-poke.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/usr/bin/env bash
TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block

10
pkgs/bijwerken-poke/default.nix Normal file
View File

@@ -0,0 +1,10 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "bijwerken-poke";
text = builtins.readFile ./bijwerken-poke.sh;
runtimeInputs = with pkgs; [
pssh
];
}

12
pkgs/clerie-system-upgrade/clerie-system-upgrade.sh → pkgs/bijwerken-system-upgrade/bijwerken-system-upgrade.sh
View File

@@ -2,16 +2,11 @@
set -euo pipefail set -euo pipefail
ALLOW_REBOOT=
NO_CONFIRM= NO_CONFIRM=
NODE_EXPORTER_METRICS_PATH= NODE_EXPORTER_METRICS_PATH=
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
--allow-reboot)
ALLOW_REBOOT=1
shift
;;
--no-confirm) --no-confirm)
NO_CONFIRM=1 NO_CONFIRM=1
shift shift
@@ -55,7 +50,7 @@ echo "Set as boot target"
if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
echo "Write monitoring check data" echo "Write monitoring check data"
echo "clerie_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH" echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
fi fi
BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
@@ -63,13 +58,8 @@ ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel
if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
echo "Reboot is required" echo "Reboot is required"
if [[ -n "$ALLOW_REBOOT" ]]; then
echo "Rebooting system now" echo "Rebooting system now"
shutdown -r +1 "System update requires reboot" shutdown -r +1 "System update requires reboot"
else
echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
echo "The system upgrade is staged, please reboot manually soon"
fi
else else
echo "No reboot is required" echo "No reboot is required"
echo "Activating system now" echo "Activating system now"

Some files were not shown because too many files have changed in this diff Show More