-rw-r--r--config/common.nix3
-rw-r--r--config/hydra.nix2
-rw-r--r--config/mail-server.nix32
-rw-r--r--config/web-server.nix8
-rw-r--r--data/dns/db.dynamic.orbekk.com.zone3
-rw-r--r--data/dns/db.kufieta.net.zone6
-rw-r--r--data/dns/db.orbekk.com.zone6
-rw-r--r--data/dns/db.orbekk.no.zone2
-rw-r--r--data/dns/db.orbekk.shared.zone2
-rw-r--r--machines/dragon.nix123
-rw-r--r--pkgs/default.nix1
11 files changed, 112 insertions, 76 deletions
diff --git a/config/common.nix b/config/common.nix
index 2da919d..fbfe28f 100644
--- a/config/common.nix
+++ b/config/common.nix
@@ -39,7 +39,8 @@
gc.automatic = lib.mkDefault true;
nixPath = lib.mkBefore [
"orbekk=https://hydra.orbekk.com/project/orbekk-projects/channel/latest/nixexprs.tar.bz2"
- "nixpkgs-stable=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz"
+ "nixpkgs-stable=https://nixos.org/channels/nixos-18.03/nixexprs.tar.xz"
+ "nixpkgs-unstable=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz"
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs"
"nixos-config=/etc/nixos/configuration.nix"
"/nix/var/nix/profiles/per-user/root/channels"
diff --git a/config/hydra.nix b/config/hydra.nix
index 0f79533..cb9c8e6 100644
--- a/config/hydra.nix
+++ b/config/hydra.nix
@@ -27,7 +27,7 @@ in
wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" ];
- environment = config.systemd.services.hydra-init.environment;
+ environment = lib.mkForce config.systemd.services.hydra-init.environment;
script = ''
if [ ! -e /opt/secret/hydra_key/initialized ]; then
# create signing keys
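Review bot: `lib.mkForce` on the `environment` line does more than resolve a conflict: `environment` is a merged attribute set, so the force discards every entry that other modules (or the NixOS systemd module itself) contribute to this service, not just the one that clashed. If the goal is only to win over one specific definition, `lib.mkOverride` with a priority that beats that definition, or merging the two sets with `//`, keeps the other contributions. The service definition starts before and continues after the hunk, so I cannot see what else sets `environment`; a comment such as `# mkForce on purpose: this service must run with exactly hydra-init's environment, other definitions are dropped` would make the intent explicit.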
diff --git a/config/mail-server.nix b/config/mail-server.nix
index cb74b72..97682d2 100644
--- a/config/mail-server.nix
+++ b/config/mail-server.nix
@@ -34,8 +34,8 @@
domain = "orbekk.com";
destination = ["orbekk.com" "kj.orbekk.com" "orbekk.no" "kj.orbekk.no" "kufieta.net"];
- lookupMX = true; # This causes it to use the relayhost verbatim.
- relayHost = "[smtp.sendgrid.net]:2525";
+ relayHost = "smtp.sendgrid.net";
+ relayPort = 587;
enableSubmission = true;
submissionOptions = {
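Review bot: Moving the relay to `smtp.sendgrid.net` on 587 switches to the submission port, which expects STARTTLS plus SASL authentication, and nothing in this hunk sets Postfix's `smtp_tls_security_level`, `smtp_sasl_auth_enable` or `smtp_sasl_password_maps`; if those are not configured outside the hunk (the attribute set continues on both sides), outbound mail to the relay may go out in cleartext or be rejected as unauthenticated. Setting `smtp_tls_security_level = "encrypt"` for this transport makes the guarantee explicit rather than relying on opportunistic TLS. Removing `lookupMX` leaves it at the option's default (false, as far as I know), so the host is still used verbatim with no MX lookup; the removed comment should be replaced by one stating that, e.g. `# lookupMX defaults to false: relayHost is used verbatim (bracketed), no MX lookup`.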
@@ -61,21 +61,19 @@
lise = "lise.orbekk@gmail.com";
katharina = "katharina.kufieta@gmail.com";
in ''
- eo: ${erik}
- erik: ${erik}
-
- orbekk: ${kjetil}
- k: ${kjetil}
- kj: ${kjetil}
- kjetil: ${kjetil}
- root: ${kjetil}
- postmaster: ${kjetil}
-
- katharina: ${katharina}
- kathi: ${katharina}
- kasiunia: ${katharina}
-
- lise: ${lise}
+eo: ${erik}
+erik: ${erik}
+orbekk: ${kjetil}
+k: ${kjetil}
+kj: ${kjetil}
+kjetil: ${kjetil}
+root: ${kjetil}
+postmaster: ${kjetil}
+katharina: ${katharina}
+kathi: ${katharina}
+kasiunia: ${katharina}
+kat: ${katharina}
+lise: ${lise}
'';
sslCert = "${config.security.acme.directory}/shape.orbekk.com/fullchain.pem";
sslCACert = "${config.security.acme.directory}/shape.orbekk.com/fullchain.pem";
diff --git a/config/web-server.nix b/config/web-server.nix
index 4d5f5f1..9dfe528 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -30,10 +30,16 @@
root = "/storage/srv/orbekk.com";
};
"kj.orbekk.com" = template // {
- root = "${pkgs.www-orbekk}";
+ root = "/home/orbekk/www-public";
locations."/" = {
extraConfig = ''
try_files $uri @storage;
+ # kill cache
+ add_header Last-Modified $date_gmt;
+ add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ if_modified_since off;
+ expires off;
+ etag off;
'';
};
locations."@storage" = {
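Review bot: The `add_header` lines added inside `locations."/"` replace, rather than extend, any `add_header` directives inherited from the server or http level, because nginx inherits `add_header` only when the current level defines none; if `template` or the enclosing vhost sets security headers (HSTS, X-Frame-Options, Content-Security-Policy) they silently vanish for this location. Re-stating those headers here, or moving the cache-busting headers up to the vhost level, avoids the loss — `template` is defined outside the hunk, so I cannot tell whether it sets any. Changing `root` from a Nix store path to `/home/orbekk/www-public` also means the nginx worker must traverse `/home/orbekk`, so that directory's execute bit and everything placed next to `www-public` become part of the web exposure; a comment such as `# served from a home dir: /home/orbekk must stay traversable, keep private data out of www-public` would record that.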
diff --git a/data/dns/db.dynamic.orbekk.com.zone b/data/dns/db.dynamic.orbekk.com.zone
index 22c3dce..a1cae8f 100644
--- a/data/dns/db.dynamic.orbekk.com.zone
+++ b/data/dns/db.dynamic.orbekk.com.zone
@@ -1,12 +1,11 @@
$TTL 600
-@ IN SOA dragon.orbekk.com. root.orbekk.com. (
+@ IN SOA kakespade.trygveandre.net. root.orbekk.com. (
$serial; serial
601; refresh
900; retry
2419200; expire
3600;
)
- IN NS dragon.orbekk.com.
IN NS kakespade.trygveandre.net.
IN NS kremkake.trygveandre.net.
@ IN CAA 0 issue "buypass.com"
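Review bot: Changing the SOA MNAME to `kakespade.trygveandre.net.` redirects RFC 2136 dynamic-update clients, which default to the zone's MNAME, to that host; the `_acme-challenge` CNAMEs added in the other zone files point into this zone, so whatever writes the ACME TXT records must now be authorized on kakespade instead of dragon — the update mechanism is not visible from here. The last SOA field `3600;` is the only one without a label; `3600; minimum (negative-cache TTL)` keeps the block consistent. Since `$serial` is templated the serial presumably changes on rebuild; if it does not, secondaries will not pick up the removed `dragon.orbekk.com.` NS record.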
diff --git a/data/dns/db.kufieta.net.zone b/data/dns/db.kufieta.net.zone
index e94f1ba..23bb060 100644
--- a/data/dns/db.kufieta.net.zone
+++ b/data/dns/db.kufieta.net.zone
@@ -14,5 +14,11 @@ $TTL 3600
@ IN AAAA 2001:470:8e2e:20:f05b:e3ff:fed9:58f7
@ IN A 96.232.156.38
+@ IN CAA 0 issue "buypass.com"
+@ IN CAA 0 issue "letsencrypt.org"
+@ IN CAA 0 issuewild "letsencrypt.org"
+
latdyr IN A 96.232.156.38
latdyr IN AAAA 2001:470:8e2e:20:f05b:e3ff:fed9:7a20
+
+_acme-challenge IN CNAME _acme-challenge.dynamic.orbekk.com.
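Review bot: The new `_acme-challenge` CNAME delegates DNS-01 validation for kufieta.net to `dynamic.orbekk.com`, so anyone able to write TXT records in that zone can obtain a kufieta.net certificate from any CA the new CAA records allow; that is a deliberate trust boundary and deserves a comment in the zone, e.g. `; ACME DNS-01 delegated to dynamic.orbekk.com; whoever updates that zone can issue for this domain`. The CAA set permits `issuewild` only for letsencrypt.org while `issue` also lists buypass.com, which is fine if wildcard certificates are only expected from Let's Encrypt but is easy to misread, so a one-line comment stating that would help. `latdyr` has no CAA of its own and therefore inherits these records from the apex.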
diff --git a/data/dns/db.orbekk.com.zone b/data/dns/db.orbekk.com.zone
index 59c0bd7..3df89f1 100644
--- a/data/dns/db.orbekk.com.zone
+++ b/data/dns/db.orbekk.com.zone
@@ -7,10 +7,10 @@ $INCLUDE db.orbekk.shared.zone
@ IN CAA 0 issue "buypass.com"
@ IN CAA 0 issue "letsencrypt.org"
-@ IN CAA 0 issuewild ";"
+@ IN CAA 0 issuewild "letsencrypt.org"
_matrix._tcp IN SRV 10 0 8448 kj.orbekk.com.
-dynamic.orbekk.com IN NS dragon.orbekk.com.
-dynamic.orbekk.com IN NS kremkake.trygveandre.net.
+dynamic IN NS kremkake.trygveandre.net.
+dynamic IN NS kakespade.trygveandre.net.
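Review bot: Replacing `issuewild ";"` with `issuewild "letsencrypt.org"` re-enables wildcard issuance for orbekk.com, and the db.orbekk.no.zone hunk does the same for orbekk.no; wildcard certificates are only obtainable via DNS-01, and with `_acme-challenge` now aliased into the dynamic zone, control of that zone is sufficient to get `*.orbekk.com` and `*.orbekk.no`. If wildcards are not actually needed, the previous `";"` was the stricter setting; if they are, a comment such as `; issuewild enabled on purpose: wildcard via DNS-01 through dynamic.orbekk.com` records the reasoning for both zones.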
diff --git a/data/dns/db.orbekk.no.zone b/data/dns/db.orbekk.no.zone
index f1beec3..6255fc6 100644
--- a/data/dns/db.orbekk.no.zone
+++ b/data/dns/db.orbekk.no.zone
@@ -5,4 +5,4 @@ $INCLUDE db.orbekk.shared.zone
@ IN CAA 128 issue "letsencrypt.org"
@ IN CAA 128 issue "buypass.com"
@ IN CAA 128 issue "buypass.no"
-@ IN CAA 0 issuewild ";"
+@ IN CAA 0 issuewild "letsencrypt.org"
diff --git a/data/dns/db.orbekk.shared.zone b/data/dns/db.orbekk.shared.zone
index 04d6979..a7557e9 100644
--- a/data/dns/db.orbekk.shared.zone
+++ b/data/dns/db.orbekk.shared.zone
@@ -15,6 +15,8 @@ $TTL 600
@ IN AAAA 2001:470:8e2e:20::d
@ IN A 96.232.156.38
+_acme-challenge IN CNAME _acme-challenge.dynamic.orbekk.com.
+
smtp IN CNAME semeai
home IN CNAME orbekk.duckdns.org.
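Review bot: This `_acme-challenge` CNAME is pulled into both orbekk.com and orbekk.no through `$INCLUDE`, and the kufieta.net hunk adds the same target, so the DNS-01 tokens of three domains all land on the single name `_acme-challenge.dynamic.orbekk.com`. That only works if the updater adds TXT records to the RRset instead of replacing it, otherwise concurrent validations clobber each other. A comment beside the record, e.g. `; shared by every zone that includes this file: the ACME updater must add, not replace, TXT records at the target`, would warn whoever next changes the update script.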
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 0097bf3..d6b72ec 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -1,6 +1,16 @@
{ config, lib, pkgs, ... }:
+let
+ # XXX: Temporary hack because of an accidental database upgrade
+ lxdNix = import (pkgs.fetchFromGitHub {
+ owner = "NixOS";
+ repo = "nixpkgs";
+ rev = "d308ac923376b76183a0b4078f808ce40af8f86b";
+ sha256 = "0c08rkchyfbq5d08iifn3dkarwryn1l5yg0pm2x2as2586ir6k9s";
+ }) {};
+in
{
imports = [
+ ../config/acme-sh.nix
../config/mpd.nix
../config/borg-backup.nix
../config/common.nix
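Review bot: The pinned `lxdNix` import is labelled a temporary hack but records neither what it pins to nor when it can be removed; `rev` plus `sha256` fix the source, which is good, but the comment should name the lxd version that commit carries and what the upgrade broke, e.g. `# XXX: pin nixpkgs <rev> for lxd <version>: the on-disk database (presumably LXD's) was upgraded by accident and cannot be downgraded; remove once the host is re-created`. A pinned nixpkgs also stops receiving security fixes for the packages taken from it (lxd, lxc in the later hunk), so the note should point at a follow-up.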
@@ -19,58 +29,64 @@
environment.systemPackages = with pkgs; [ ipmitool ];
- virtualisation.lxd.enable = true;
- security.apparmor = {
- enable = true;
- profiles = [
- "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-star"
- "${pkgs.lxc}/etc/apparmor.d/lxc-containers"
- ];
- packages = [ pkgs.lxc ];
+ nixpkgs.config.packageOverrides = pkgs: {
+ lxd = lxdNix.lxd;
+ lxc = lxdNix.lxc;
};
- containers.kick = {
- autoStart = true;
- hostBridge = "br0";
- privateNetwork = true;
- config = { config, pkgs, ... }: {
- system.activationScripts = {
- resolvconf = {
- text = ''
- chmod +w /etc/resolv.conf
- echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf
- chmod -w /etc/resolv.conf
- '';
- };
- };
- networking.firewall.allowedTCPPorts = [ 80 443 ];
- networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];
- services.nginx = {
- enable = true;
- virtualHosts = {
- "kick.orbekk.no" = {
- enableACME = true;
- };
- };
- };
- environment.systemPackages = [
- pkgs.simp_le
- ];
- nixpkgs.config.packageOverrides = pkgs: {
- simp_le = pkgs.stdenv.mkDerivation {
- name = "simp_le";
- nativeBuildInputs = [ pkgs.makeWrapper ];
- buildCommand = ''
- mkdir -p $out/bin
- makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \
- --add-flags "--server https://api.buypass.com/acme/directory" \
- --add-flags "--email kj@orbekk.com" \
- --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1"
- '';
- };
- };
- };
- };
+ virtualisation.lxd.enable = true;
+ #security.apparmor = {
+ # enable = true;
+ # profiles = [
+ # "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-star"
+ # "${pkgs.lxc}/etc/apparmor.d/lxc-containers"
+ # ];
+ # packages = [ pkgs.lxc pkgs.apparmor-parser ];
+ #};
+
+ # containers.kick = {
+ # autoStart = true;
+ # hostBridge = "br0";
+ # privateNetwork = true;
+ # config = { config, pkgs, ... }: {
+ # system.activationScripts = {
+ # resolvconf = {
+ # text = ''
+ # chmod +w /etc/resolv.conf
+ # echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf
+ # chmod -w /etc/resolv.conf
+ # '';
+ # };
+ # };
+ # networking.firewall.allowedTCPPorts = [ 80 443 ];
+ # networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];
+ # services.nginx = {
+ # enable = true;
+ # virtualHosts = {
+ # "kick.orbekk.no" = {
+ # enableACME = true;
+ # addSSL = true;
+ # };
+ # };
+ # };
+ # environment.systemPackages = [
+ # pkgs.simp_le pkgs.certbot
+ # ];
+ # # nixpkgs.config.packageOverrides = pkgs: {
+ # # simp_le = pkgs.stdenv.mkDerivation {
+ # # name = "simp_le";
+ # # nativeBuildInputs = [ pkgs.makeWrapper ];
+ # # buildCommand = ''
+ # # mkdir -p $out/bin
+ # # makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \
+ # # --add-flags "--server https://api.buypass.com/acme/directory" \
+ # # --add-flags "--email kj@orbekk.com" \
+ # # --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1"
+ # # '';
+ # # };
+ # # };
+ # };
+ # };
boot = {
kernelParams = [ "console=tty0" ''console="ttyS0,115200n8"'' ];
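Review bot: The `security.apparmor` block carrying the `lxc-containers` and `usr.bin.lxc-star` profiles is now commented out rather than deleted, so the LXD containers run without AppArmor confinement on the host; if that is a side effect of the pinned lxd rather than a decision, it should be reinstated or the loss recorded, e.g. `# apparmor disabled together with the lxd pin: containers are unconfined until the pin is removed`. The roughly fifty lines of commented-out `containers.kick` configuration (including a doubly commented `packageOverrides`) live in git history already and should be removed from the live file, where they will drift from the options they reference.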
@@ -101,6 +117,10 @@
};
};
+ dhcpcd.extraConfig = ''
+ ipv6ra_noautoconf
+ '';
+
# interfaces.br0.ip6 = [
# # { address = "2001:470:8e2e:20:eca0:41ff:feef:92"; prefixLength = 64; }
# { address = "2001:470:8e2e:20::d"; prefixLength = 64; }
@@ -116,6 +136,9 @@
# '';
};
+ # XXX: temorary hack because of an accidental upgrade.
+ systemd.services.lxd.serviceConfig.ExecStart = lib.mkForce "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd";
+
services = {
openssh = {
enable = lib.mkDefault true;
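Review bot: The comment on the new `ExecStart` override has a typo (`temorary`) and, like the pin at the top of the file, gives no removal condition; `lib.mkForce` here also drops whatever `ExecStart` the lxd module defines, including any flags it sets. Keep in mind that `--group lxd` hands the LXD socket to every member of that group, and LXD documents such access as equivalent to root on the host, so membership of that group deserves the same review as sudoers. Suggested comment: `# XXX: temporary hack (accidental lxd upgrade): run the pinned lxd binary; mkForce discards the module's own ExecStart. Remove together with the lxdNix pin.`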
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 7972826..317b079 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -2,4 +2,5 @@
with import nixpkgs {};
rec {
zone-files = callPackage ./zone-files/default.nix {};
+ acme-sh = callPackage ./acme-sh/default.nix {};
}