diff --git a/flake.lock b/flake.lock index 7018cb2..1485c8d 100644 --- a/flake.lock +++ b/flake.lock @@ -196,16 +196,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1637348621, - "narHash": "sha256-dTxccBfFK5ViweuYqx2GwtDo+m9SBSjyBZj0+zMds5M=", + "lastModified": 1637469704, + "narHash": "sha256-tNbrZZDHCLBw5/3REe8Dm/WMYiAXgXy7n5GuhRn5lI0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2d97acad3b9cc16063b554d850a8fe1c2e7bb36d", + "rev": "296032dd5ff5e4c266782e73f9c00ee044f19c70", "type": "github" }, "original": { "owner": "NixOS", - "ref": "master", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 6f4a69d..e442592 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ inputs = { deploy-rs.url = "github:serokell/deploy-rs"; - nixpkgs.url = "github:NixOS/nixpkgs/master"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; serokell-nix.url = "github:serokell/serokell.nix"; vault-secrets.url = "github:serokell/vault-secrets"; }; @@ -16,8 +16,9 @@ { self, nixpkgs, deploy-rs, vault-secrets, serokell-nix, ... }@inputs: let inherit (nixpkgs) lib; - inherit (builtins) filter; + inherit (builtins) filter mapAttrs; system = "x86_64-linux"; + hosts = import ./hosts.nix; # Create a nixosConfiguration based on a foldername (nixname) and if the host is an LXC container or a VM. mkConfig = { hostname, profile ? hostname, lxc ? true, ... }: { @@ -30,7 +31,7 @@ ./nixos/common/generic-lxc.nix ] else [ ./nixos/common/generic-vm.nix ]); - specialArgs.inputs = inputs; + specialArgs = { inherit hosts inputs; }; }; }; 
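Review bot: `hosts = import ./hosts.nix;` in the @@ -16 hunk is now handed to every NixOS module through `specialArgs = { inherit hosts inputs; }` in the @@ -30 hunk, but nothing tells a module author what `hosts` is or that it still contains the non-NixOS entries that `nixHosts` later filters out with `nix ? true`. A comment next to the binding would help, e.g. `# Full inventory from ./hosts.nix (including entries with nix = false); exposed to every module via specialArgs`. The mkConfig body that consumes specialArgs runs past the end of the hunk.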
@@ -41,16 +42,19 @@ fastConnection = true; profiles.system = { user = "root"; - path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${profile}; + path = deploy-rs.lib.${system}.activate.nixos + self.nixosConfigurations.${profile}; }; }; }; # Import all nixos host definitions that are actual nix machines - nixHosts = filter ({ nix ? true, ... }: nix) (import ./hosts.nix); + nixHosts = filter ({ nix ? true, ... }: nix) hosts; in { # Make the config and deploy sets - nixosConfigurations = lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; + nixosConfigurations = + lib.foldr (el: acc: acc // mkConfig el) { } nixHosts; + deploy.nodes = lib.foldr (el: acc: acc // mkDeploy el) { } nixHosts; # Use by running `nix develop` @@ -76,6 +80,7 @@ ]; }; - checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; + checks = mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) + deploy-rs.lib; }; } diff --git a/hosts.nix b/hosts.nix index 49eab26..8b4a3c1 100644 --- a/hosts.nix +++ b/hosts.nix 
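Review bot: In the @@ -76 hunk the reflowed `checks = mapAttrs (system: deployLib: ...)` keeps a lambda parameter named `system`, which shadows the `system = "x86_64-linux"` let binding used by mkDeploy in the same file. The shadowing predates this commit, but since the line is being rewritten anyway a different name removes the ambiguity: `checks = mapAttrs (sys: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;`. The enclosing `outputs` attribute set starts before this hunk.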
@@ -1,35 +1,71 @@
 [
-  {
-    hostname = "bastion";
-    ip = "10.42.42.4";
-    mac = "82:F0:7C:CB:BD:6D";
-    lxc = false;
-  }
-  {
-    hostname = "k3s-node1";
-    profile = "k3s";
-    ip = "10.42.42.10";
-    mac = "2E:F8:55:23:D9:9B";
-    lxc = false;
-  }
-  {
-    hostname = "vault";
-    ip = "10.42.42.6";
-    mac = "16:2B:87:55:0C:0C";
-  }
-  {
-    hostname = "mosquitto";
-    ip = "10.42.42.7";
-    mac = "C6:F9:8B:3D:9E:37";
-  }
-  {
-    hostname = "nginx";
-    ip = "10.42.42.9";
-    mac = "6A:C2:89:85:CF:A6";
-  }
-  {
-    hostname = "consul";
-    ip = "10.42.42.14";
-    mac = "D6:DE:07:41:73:81";
-  }
+  {
+    hostname = "edgerouter";
+    ip = "10.42.42.1";
+    mac = "B4:FB:E4:53:9C:0A";
+    nix = false;
+  }
+  {
+    hostname = "nuc";
+    ip = "10.42.42.42";
+    mac = "1C:69:7A:62:30:88";
+    nix = false;
+  }
+  {
+    hostname = "LGwebOSTV";
+    ip = "10.42.42.13";
+    mac = "74:40:be:48:85:a4";
+    nix = false;
+  }
+  {
+    hostname = "home-assistant";
+    ip = "10.42.42.8";
+    mac = "74:40:be:48:85:a4";
+    nix = false;
+  }
+  {
+    hostname = "bastion";
+    ip = "10.42.42.4";
+    mac = "82:F0:7C:CB:BD:6D";
+    lxc = false;
+  }
+  {
+    hostname = "k3s-node1";
+    profile = "k3s";
+    ip = "10.42.42.10";
+    mac = "2E:F8:55:23:D9:9B";
+    lxc = false;
+  }
+  {
+    hostname = "vault";
+    ip = "10.42.42.6";
+    mac = "16:2B:87:55:0C:0C";
+  }
+  {
+    hostname = "mosquitto";
+    ip = "10.42.42.7";
+    mac = "C6:F9:8B:3D:9E:37";
+  }
+  {
+    hostname = "nginx";
+    ip = "10.42.42.9";
+    mac = "6A:C2:89:85:CF:A6";
+  }
+  {
+    hostname = "consul";
+    ip = "10.42.42.14";
+    mac = "D6:DE:07:41:73:81";
+  }
+  {
+    hostname = "dns-1";
+    profile = "dns";
+    ip = "10.42.42.15";
+    mac = "5E:F6:36:23:16:E3";
+  }
+  {
+    hostname = "dns-2";
+    profile = "dns";
+    ip = "10.42.42.16";
+    mac = "B6:04:0B:CD:0F:9F";
+  }
 ]
diff --git a/nixos/hosts/dns/configuration.nix b/nixos/hosts/dns/configuration.nix
new file mode 100644
index 0000000..565d124
--- /dev/null
+++ b/nixos/hosts/dns/configuration.nix
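Review bot: The new `LGwebOSTV` and `home-assistant` entries carry the same `mac = "74:40:be:48:85:a4"`, which looks like a copy-paste slip; the duplicate does not reach the DNS records (only `hostname` and `ip` are used there), but anything else that keys on `mac` would conflate the two devices. Nothing in this list or its visible consumers checks that `hostname`, `ip` or `mac` are unique, and these two entries are also the only ones written in lower-case hex. Either correct the MAC or add a uniqueness assertion where the list is imported, so a bad entry fails evaluation instead of silently shipping to every host.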
@@ -0,0 +1,66 @@
+{ config, pkgs, hosts, ... }:
+let
+  localdomain = "olympus";
+  localData = { hostname, ip, ... }: ''"${hostname}.${localdomain}. A ${ip}"'';
+  ptrData = { hostname, ip, ... }: ''"${ip} ${hostname}.${localdomain}"'';
+in {
+  imports = [ ];
+
+  networking.hostName = "dns";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ dig ];
+
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
+
+  services.unbound = {
+    enable = true;
+    settings = {
+      server = {
+        use-syslog = "yes";
+        module-config = ''"validator iterator"'';
+        interface-automatic = "yes";
+        interface = [ "0.0.0.0" "::0" ];
+
+        local-zone = ''"${localdomain}." transparent'';
+        local-data = map localData hosts;
+        local-data-ptr = map ptrData hosts;
+
+        access-control = [
+          "127.0.0.1/32 allow_snoop"
+          "::1 allow_snoop"
+          "10.42.0.0/16 allow"
+          "127.0.0.0/8 allow"
+          "192.168.2.0/24 allow"
+          "::1/128 allow"
+        ];
+        private-address = [
+          "127.0.0.0/8"
+          "10.0.0.0/8"
+          "::ffff:a00:0/104"
+          "172.16.0.0/12"
+          "::ffff:ac10:0/108"
+          "169.254.0.0/16"
+          "::ffff:a9fe:0/112"
+          "192.168.0.0/16"
+          "::ffff:c0a8:0/112"
+          "fd00::/8"
+          "fe80::/10"
+        ];
+      };
+      # forward-zone = {
+      #   name = ''"."'';
+      #   forward-addr = [ "8.8.8.8" "9.9.9.9" ];
+      # };
+    };
+  };
+}
diff --git a/nixos/hosts/template/configuration.nix b/nixos/hosts/template/configuration.nix
new file mode 100644
index 0000000..0feed4a
--- /dev/null
+++ b/nixos/hosts/template/configuration.nix
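Review bot: `access-control` lists both `"::1 allow_snoop"` and `"::1/128 allow"` for the same address with different actions, so which policy applies to IPv6 loopback queries depends on how Unbound resolves the duplicate; keep a single `"::1/128 allow_snoop"` to mirror the `127.0.0.1/32` entry. Separately, both `dns-1` and `dns-2` in hosts.nix select this profile while `networking.hostName = "dns"` is fixed, so if configurations are keyed by profile (as `self.nixosConfigurations.${profile}` in flake.nix suggests) both machines identify as `dns` even though their own A/PTR records say `dns-1.olympus` and `dns-2.olympus`; deriving the hostname from the host entry would keep them consistent. DNSSEC validation is enabled via `module-config` but no trust anchor is set here, so it rests on the NixOS module's default root anchor handling — fine as long as that default is not disabled elsewhere.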
@@ -0,0 +1,24 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports = [ ];
+
+  networking.hostName = "template";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ ];
+
+  networking.firewall.allowedTCPPorts = [ ];
+}