nixos: cleanup

2021-11-21 21:56:17 +01:00 · 2021-11-21 21:56:17 +01:00 · 8f0eb95dda
commit 8f0eb95dda
parent a967b6ab05
7 changed files with 31 additions and 44 deletions
--- a/hosts.nix
+++ b/hosts.nix
@ -10,7 +10,6 @@
    hostname = "nuc";
    ip = "10.42.42.42";
    mac = "1C:69:7A:62:30:88";
-    ip6 = "";
    nix = false;
  }
  {
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@ -32,6 +32,7 @@
  };

  nixpkgs.config.allowUnfree = true;
+  nixpkgs.overlays = [ (import ../pkgs) ];

  # Limit the systemd journal to 100 MB of disk or the
  # last 7 days of logs, whichever happens first.
--- a/nixos/hosts/dns/configuration.nix
+++ b/nixos/hosts/dns/configuration.nix
@ -1,7 +1,8 @@
 { config, pkgs, hosts, ... }:
-let 
+let
+  inherit (builtins) filter hasAttr;
  localdomain = "olympus";
-  ipv6Hosts = builtins.filter (builtins.hasAttr ip6) hosts;
+  ipv6Hosts = filter (hasAttr "ip6") hosts;

  localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"'';
  local6Data = { hostname, ip6, ... }: ''"${hostname}.${localdomain}. AAAA ${ip6}"'';
@ -21,13 +22,14 @@ in {
  system.stateVersion = "21.11"; # Did you read the comment?

  # Additional packages
-  environment.systemPackages = with pkgs; [ dig ];
+  environment.systemPackages = with pkgs; [ dig dog drill ];

  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];

  services.unbound = {
    enable = true;
+    package = pkgs.v.unbound;
    settings = {
      server = {
        use-syslog = "yes";
@ -37,7 +39,7 @@ in {

        local-zone = ''"${localdomain}." transparent'';
        local-data = (map localData hosts) ++ (map local6Data ipv6Hosts);
-        local-data-ptr = (map ptrData hosts);
+        local-data-ptr = (map ptrData hosts) ++ (map ptr6Data ipv6Hosts);

        access-control = [
          "127.0.0.1/32 allow_snoop"
@ -61,10 +63,6 @@ in {
          "fe80::/10"
        ];
      };
-      # forward-zone = {
-      #   name = ''"."'';
-      #   forward-addr = [ "8.8.8.8" "9.9.9.9" ];
-      # };
    };
  };
 }
--- a/nixos/hosts/mosquitto/configuration.nix
+++ b/nixos/hosts/mosquitto/configuration.nix
@ -5,8 +5,7 @@
 { config, pkgs, ... }:
 let mosquittoPort = 1883;
 in {
-  imports = [
-  ];
+  imports = [ ];

  networking.hostName = "mosquitto";

@ -56,5 +55,6 @@ in {
    };
  };

-  networking.firewall.allowedTCPPorts = [ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
+  networking.firewall.allowedTCPPorts =
+    [ mosquittoPort config.services.zigbee2mqtt.settings.frontend.port ];
 }
--- a/nixos/hosts/nginx/configuration.nix
+++ b/nixos/hosts/nginx/configuration.nix
@ -1,20 +1,16 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, ... }:
 let
-  k8s_proxy = {
+  proxy = url: {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
-      proxyPass = "http://10.42.42.150:8000/";
+      proxyPass = url;
      proxyWebsockets = true;
    };
  };
+  k8s_proxy = proxy "http://10.42.42.150:8000/";
 in {
-  imports = [
-  ];
+  imports = [ ];

  networking.hostName = "nginx";

@ -36,23 +32,9 @@ in {
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

-    virtualHosts."ha.0x76.dev" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://10.42.42.8:8123/";
-        proxyWebsockets = true;
-      };
-    };
-
-    virtualHosts."zookeeper-dev.0x76.dev" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://10.42.43.28:8085/";
-        proxyWebsockets = true;
-      };
-    };
+    # Reverse Proxies
+    virtualHosts."ha.0x76.dev" = proxy "http://10.42.42.8:8123/";
+    virtualHosts."zookeeper-dev.0x76.dev" = proxy "http://10.42.43.28:8085/";

    # Kubernetes endpoints
    virtualHosts."0x76.dev" = k8s_proxy;
--- a/nixos/hosts/vault/configuration.nix
+++ b/nixos/hosts/vault/configuration.nix
@ -3,11 +3,8 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).

 { config, pkgs, ... }:
-
-{
-  imports = [
-  ];
-
+let port = 8200;
+in {
  networking.hostName = "vault";

  # This value determines the NixOS release from which the default
@ -22,13 +19,13 @@
  environment.systemPackages = with pkgs; [ ];

  # Vault
-  networking.firewall.allowedTCPPorts = [ 8200 ];
+  networking.firewall.allowedTCPPorts = [ port ];

  services.vault = {
    enable = true;
    # bin version includes the UI
    package = pkgs.vault-bin;
-    address = "0.0.0.0:8200";
+    address = "0.0.0.0:${toString port}";
    storageBackend = "file";
    storagePath = "/var/lib/vault";
    extraConfig = ''
--- a/nixos/pkgs/default.nix
+++ b/nixos/pkgs/default.nix
@ -0,0 +1,10 @@
+final: prev: {
+  v = {
+    unbound = prev.unbound.override {
+      withSystemd = true;
+      withDoH = true;
+      withDNSCrypt = true;
+      withTFO = true;
+    };
+  };
+}