From 0932b22d61118b05762d8f2ce42b71ddcb0760fc Mon Sep 17 00:00:00 2001
From: john bargman
Date: Sat, 9 Sep 2023 20:21:59 +0100
Subject: initial server config

---
commander.nix | 29 ++++++
flake.lock | 275 +++++++++++++++++++++++++++++++++++++++++++++++++++++
flake.nix | 106 +++++++++++++++++++++
openstack.nix | 31 ++++++
webroot/index.html | 1 +
website.nix | 34 +++++++
6 files changed, 476 insertions(+)
create mode 100755 commander.nix
create mode 100644 flake.lock
create mode 100644 flake.nix
create mode 100644 openstack.nix
create mode 100644 webroot/index.html
create mode 100644 website.nix

diff --git a/commander.nix b/commander.nix
new file mode 100755
index 0000000..294d269
--- /dev/null
+++ b/commander.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ programs.ssh.enableAskPassword = false;
+ programs.gnupg.agent =
+ {
+ pinentryFlavor = "tty";
+ enable = true;
+ enableSSHSupport = true;
+ };
+ security.sudo.wheelNeedsPassword = false;
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.commander = {
+ isNormalUser = true;
+ uid = 1009;
+ name = "commander";
+ description = "system administration";
+ createHome = true;
+ home = "/home/commander";
+ hashedPassword = "$6$irFKKFRDPP$H5EaeHornoVvWcKtUBj.29tPvw.SspaSi/vOPGc3GG2bW//M.ld3E7E3XCevJ6vn175A/raHvNIotXayvMqzz0";
+ openssh.authorizedKeys.keys =
+ [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhzz/CAb74rLQkDF2weTCb0DICw1oyXNv6XmdLfEsT5 darthpjb@gmail.com"
+ ];
+ extraGroups = [ "wheel" "dialout" "disk" "networkManager" ]; # Enable ‘sudo’ for the user.
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..4edfa53
--- /dev/null
+++ b/flake.lock
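Review bot: `security.sudo.wheelNeedsPassword = false;` combined with a `hashedPassword` committed to the repository means that whoever holds the `commander` SSH key gets unprompted root, and the SHA-512 crypt hash is now available for offline cracking to anyone who can read this history. agenix is already a flake input, so the hash can be supplied as a secret instead of a literal: `hashedPasswordFile = config.age.secrets.commander-password.path;` (with the secret declared under `age.secrets`), and `security.sudo.wheelNeedsPassword = true;` restores the password prompt for sudo. The `disk` group grants raw block-device access and is effectively root-equivalent, so it should be dropped unless the account genuinely needs it; `networkManager` also looks like it should be the lowercase `networkmanager` group, which is worth confirming against the NixOS option. Because the hash has already been pushed, the password should be rotated regardless of which fix is taken.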
@@ -0,0 +1,275 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", + "owner": "ryantm", + "repo": "agenix", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "type": "github" + }, + "original": { + "owner": "nix-community", + 
"repo": "home-manager", + "type": "github" + } + }, + "nixinate": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1688141737, + "narHash": "sha256-qHrNMYWukOKmKVf6wXOGKj1xxUnOGjvTRbt/PLLXuBE=", + "owner": "matthewcroughan", + "repo": "nixinate", + "rev": "7902ae845e6cc5bd450e510cdf5e009a6e4a44d9", + "type": "github" + }, + "original": { + "owner": "matthewcroughan", + "repo": "nixinate", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1677676435, + "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-22_11": { + "locked": { + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1653060744, + "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "dfd82985c273aac6eced03625f454b334daae2e8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1694048570, + "narHash": "sha256-PEQptwFCVaJ+jLFJgrZll2shQ9VI/7xVhrCYkJo8iIw=", + "owner": "nixos", + 
"repo": "nixpkgs", + "rev": "4f77ea639305f1de0a14d9d41eef83313360638c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1670751203, + "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_unstable": { + "locked": { + "lastModified": 1693985761, + "narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "0bffda19b8af722f8069d09d8b6a24594c80b352", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "nixinate": "nixinate", + "nixpkgs": "nixpkgs_3", + "nixpkgs_unstable": "nixpkgs_unstable", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_4", + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1689976554, + "narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "utils": { + "locked": { + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", + "type": "github" + }, + "original": { + "owner": "numtide", + 
"repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..36b6b3b --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,106 @@
+{
+ description = "Cybertrike.org";
+
+ inputs = {
+ nixinate.url = "github:matthewcroughan/nixinate";
+ agenix.url = "github:ryantm/agenix";
+ nixpkgs_unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
+ };
+
+ outputs = inputs@{ self, nixpkgs, agenix, nixinate, nixpkgs_unstable, simple-nixos-mailserver }:
+ let
+ pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ webroot = "${self}/webroot";
+ in
+ {
+ formatter.x86_64-linux = pkgs.nixpkgs-fmt;
+ apps.x86_64-linux = (inputs.nixinate.nixinate.x86_64-linux inputs.self).nixinate;
+ devShell.x86_64-linux =
+ pkgs.mkShell {
+ buildInputs = with pkgs; [ figlet tmux ];
+ shellHook = ''
+ # Session Name
+ session="project-env-sh"
+
+ # Check if the session exists, discarding output
+ # We can check $? for the exit status (zero for success, non-zero for failure)
+ tmux has-session -t $session 2>/dev/null
+
+ if [ $? != 0 ]; then
+ # Start New Session with our name
+ tmux new-session -d -s $session
+
+ # Name first Window and start zsh
+ tmux rename-window -t 0 'Main'
+ tmux send-keys -t 'Main' 'nix flake show' C-m
+ tmux send-keys -t 'Main' 'clear' C-m
+
+ # Create and setup pane for btop
+ tmux split-window -h
+ tmux rename-window 'btop'
+ tmux send-keys -t 'btop' 'ssh -t commander@193.16.42.36 btop' C-m
+
+ tmux select-pane -t 0
+
+ # Create and setup pane for btop
+ tmux split-window -v
+ tmux rename-window 'ssh'
+ tmux send-keys -t 'ssh' 'ssh commander@193.16.42.36' C-m
+
+ tmux select-pane -t 0
+ fi
+ tmux attach-session -t $session'';
+ };
+ nixosConfigurations = {
+ crash-over-burn-1 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ simple-nixos-mailserver.nixosModule
+ {
+ mailserver = {
+ fqdn = "mail.crashoverburn.com";
+ domains = [ "mail.crashoverburn.com" "crashoverburn.com" ];
+ enable = true;
+ # A list of all login accounts. To create the password hashes, use
+ # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "crash@crashoverburn.com" = {
+ hashedPasswordFile = "${self}/password.file";
+ aliases = [ "postmaster@mail.cybertrike.org" "overburn@cybertrike.org"];
+ };
+ };
+ certificateScheme = "acme-nginx";
+ };
+ }
+ agenix.nixosModules.default
+ ./openstack.nix
+ (import ./website.nix { inherit webroot; })
+ ./commander.nix
+ {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "security@mail.cybertrike.org";
+ };
+ environment.systemPackages = [
+ pkgs.btop
+ pkgs.tmux
+ pkgs.neovim
+ ];
+ imports = [
+ "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix"
+ ];
+ _module.args.nixinate = {
+ host = "193.16.42.36";
+ sshUser = "commander";
+ substituteOnTarget = true;
+ hermetic = true;
+ buildOn = "local";
+ };
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/openstack.nix b/openstack.nix
new file mode 100644
index 0000000..ebf4eca
--- /dev/null
+++ b/openstack.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+ nix = {
+ settings.trusted-users = [ "root" "commander" ];
+ package = pkgs.nixUnstable;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+ # Set your time zone.
+ time.timeZone = "Europe/London";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "uk";
+ };
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.ports = [ 1108 22 ];
+ services.openssh.settings.PermitRootLogin = lib.mkForce "no";
+ services.openssh.settings.PasswordAuthentication = false;
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [ 1108 22 ];
+ networking.firewall.allowedUDPPorts = [ ];
+
+ # Configure keymap in X11
+ services.xserver.layout = "gb";
+ system.stateVersion = "22.11";
+}
diff --git a/webroot/index.html b/webroot/index.html
new file mode 100644
index 0000000..95d09f2
--- /dev/null
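Review bot: `hashedPasswordFile = "${self}/password.file";` names a file inside the flake source, which Nix copies into the world-readable /nix/store before evaluation, so the bcrypt hash would be readable by every local user on the build host and the target; the file is also not part of this commit (the diffstat lists six files and no `password.file`), so evaluation presumably fails until it is added. agenix is already imported as a module, so the hash can be delivered as a runtime secret instead: turn the module literal into `({ config, ... }: { mailserver = { ... }; })` and set `hashedPasswordFile = config.age.secrets.mail-password.path;`, with the secret declared under `age.secrets` and the encrypted file committed in place of the plaintext hash. The devShell hook also hard-codes `ssh commander@193.16.42.36` on the default port while openstack.nix opens 1108 as well; a one-line comment naming which port is meant for interactive admin use would save the next reader from guessing.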
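Review bot: `services.openssh.settings.PasswordAuthentication = false;` on its own does not disable password logins on NixOS, because `KbdInteractiveAuthentication` is enabled by default and, with PAM, still accepts the account password over keyboard-interactive; `services.openssh.settings.KbdInteractiveAuthentication = false;` should be set next to it (worth confirming against the 23.05 option defaults). `settings.trusted-users = [ "root" "commander" ]` makes commander root-equivalent through the Nix daemon, since trusted users can override substituters and push unsigned store paths, so it deserves a comment such as `# trusted so nixinate can copy closures into the store; this is root-equivalent` rather than sitting unexplained next to a user that already has passwordless sudo. The explicit `networking.firewall.allowedTCPPorts = [ 1108 22 ]` duplicates what `services.openssh.openFirewall` (default true) already derives from `services.openssh.ports`, so either drop it or comment that it is intentional.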
+++ b/webroot/index.html
@@ -0,0 +1 @@
+hello world
\ No newline at end of file
diff --git a/website.nix b/website.nix
new file mode 100644
index 0000000..fe61856
--- /dev/null
+++ b/website.nix
@@ -0,0 +1,34 @@
+{ webroot }:{ config, lib, pkgs, ... }:
+{
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."crash-over-burn.com" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crash-over-burn.site" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crash-over-burn.online" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crashoverburn.com" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crashoverburn.site" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crashoverburn.online" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+}
\ No newline at end of file
-- 
cgit v1.2.3
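Review bot: `addSSL = true` on every vhost serves the site over plain HTTP alongside HTTPS with no redirect, so visitors who type the bare domain stay on cleartext even though ACME certificates are provisioned; `forceSSL = true` redirects them to HTTPS and is the usual choice here. The six vhost blocks differ only in the domain name, so generating them with `lib.genAttrs` (the module already receives `lib`) keeps them from drifting apart, and `recommendedTlsSettings = true` applies nginx's hardened TLS defaults across all of them. The rewrite below replaces the module body; the mailserver's own `mail.crashoverburn.com` vhost is untouched.

```nix
{ webroot }:{ config, lib, pkgs, ... }:
{
  services.nginx.enable = true;
  services.nginx.recommendedTlsSettings = true;
  # One identical static vhost per domain; forceSSL redirects plain HTTP to HTTPS.
  services.nginx.virtualHosts = lib.genAttrs [
    "crash-over-burn.com" "crash-over-burn.site" "crash-over-burn.online"
    "crashoverburn.com" "crashoverburn.site" "crashoverburn.online"
  ] (domain: {
    forceSSL = true;
    enableACME = true;
    root = webroot;
  });
}
```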