From b815919ef4d55ad2bddd97135a1bb653848f0262 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kjetil=20=C3=98rbekk?=
Date: Sun, 17 Jun 2018 16:30:07 -0400
Subject: dragon-changes
---
 config/common.nix | 3 +-
 config/hydra.nix | 2 +-
 config/mail-server.nix | 32 +++++-----
 config/web-server.nix | 8 ++-
 data/dns/db.dynamic.orbekk.com.zone | 3 +-
 data/dns/db.kufieta.net.zone | 6 ++
 data/dns/db.orbekk.com.zone | 6 +-
 data/dns/db.orbekk.no.zone | 2 +-
 data/dns/db.orbekk.shared.zone | 2 +
 machines/dragon.nix | 123 +++++++++++++++++++++---------------
 pkgs/default.nix | 1 +
 11 files changed, 112 insertions(+), 76 deletions(-)
diff --git a/config/common.nix b/config/common.nix
index 2da919d..fbfe28f 100644
--- a/config/common.nix
+++ b/config/common.nix
@@ -39,7 +39,8 @@
 gc.automatic = lib.mkDefault true;
 nixPath = lib.mkBefore [
 "orbekk=https://hydra.orbekk.com/project/orbekk-projects/channel/latest/nixexprs.tar.bz2"
- "nixpkgs-stable=https://nixos.org/channels/nixos-17.03/nixexprs.tar.xz"
+ "nixpkgs-stable=https://nixos.org/channels/nixos-18.03/nixexprs.tar.xz"
+ "nixpkgs-unstable=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz"
 "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs"
 "nixos-config=/etc/nixos/configuration.nix"
 "/nix/var/nix/profiles/per-user/root/channels"
diff --git a/config/hydra.nix b/config/hydra.nix
index 0f79533..cb9c8e6 100644
--- a/config/hydra.nix
+++ b/config/hydra.nix
@@ -27,7 +27,7 @@ in
 wantedBy = [ "multi-user.target" ];
 requires = [ "hydra-init.service" ];
 after = [ "hydra-init.service" ];
- environment = config.systemd.services.hydra-init.environment;
+ environment = lib.mkForce config.systemd.services.hydra-init.environment;
 script = ''
 if [ ! -e /opt/secret/hydra_key/initialized ]; then
 # create signing keys
diff --git a/config/mail-server.nix b/config/mail-server.nix
index cb74b72..97682d2 100644
--- a/config/mail-server.nix
+++ b/config/mail-server.nix
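Review bot: The `lib.mkForce` on `environment` in the hydra.nix hunk silently discards whatever other modules merge into this service's environment (the option normally merges definitions from several modules), so the line needs a one-line reason next to it, e.g. `# mkForce: mirror hydra-init's environment exactly instead of merging with the module defaults`. Whether `lib` is among this module's function arguments is outside the hunk (only the `in` of a let-block is visible), so confirm it is in scope. The enclosing service definition starts and ends outside the hunk.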
@@ -34,8 +34,8 @@ domain = "orbekk.com"; destination = ["orbekk.com" "kj.orbekk.com" "orbekk.no" "kj.orbekk.no" "kufieta.net"]; - lookupMX = true; # This causes it to use the relayhost verbatim. - relayHost = "[smtp.sendgrid.net]:2525"; + relayHost = "smtp.sendgrid.net"; + relayPort = 587; enableSubmission = true; submissionOptions = { @@ -61,21 +61,19 @@ lise = "lise.orbekk@gmail.com"; katharina = "katharina.kufieta@gmail.com"; in '' - eo: ${erik} - erik: ${erik} - - orbekk: ${kjetil} - k: ${kjetil} - kj: ${kjetil} - kjetil: ${kjetil} - root: ${kjetil} - postmaster: ${kjetil} - - katharina: ${katharina} - kathi: ${katharina} - kasiunia: ${katharina} - - lise: ${lise} +eo: ${erik} +erik: ${erik} +orbekk: ${kjetil} +k: ${kjetil} +kj: ${kjetil} +kjetil: ${kjetil} +root: ${kjetil} +postmaster: ${kjetil} +katharina: ${katharina} +kathi: ${katharina} +kasiunia: ${katharina} +kat: ${katharina} +lise: ${lise} ''; sslCert = "${config.security.acme.directory}/shape.orbekk.com/fullchain.pem"; sslCACert = "${config.security.acme.directory}/shape.orbekk.com/fullchain.pem"; diff --git a/config/web-server.nix b/config/web-server.nix index 4d5f5f1..9dfe528 100644 --- a/config/web-server.nix +++ b/config/web-server.nix @@ -30,10 +30,16 @@ root = "/storage/srv/orbekk.com"; }; "kj.orbekk.com" = template // { - root = "${pkgs.www-orbekk}"; + root = "/home/orbekk/www-public"; locations."/" = { extraConfig = '' try_files $uri @storage; + # kill cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; ''; }; locations."@storage" = { diff --git a/data/dns/db.dynamic.orbekk.com.zone b/data/dns/db.dynamic.orbekk.com.zone index 22c3dce..a1cae8f 100644 --- a/data/dns/db.dynamic.orbekk.com.zone +++ b/data/dns/db.dynamic.orbekk.com.zone 
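Review bot: Switching the relay to `smtp.sendgrid.net` on port 587 puts the SASL login on the submission port, and nothing in this hunk enforces TLS toward the relay; unless `smtp_tls_security_level = encrypt` (or the module's equivalent) is set elsewhere in the file, an on-path attacker could strip STARTTLS and read the credentials. With `lookupMX` removed the NixOS module, as far as I recall, falls back to bracketing the host, so the behaviour the deleted comment described is preserved, but that is worth stating explicitly, e.g. `# relayPort 587 expects STARTTLS+AUTH; lookupMX left at its default so the host is used verbatim`. The enclosing `services.postfix` block starts and ends outside the hunk.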
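Review bot: Pointing `root` at `/home/orbekk/www-public` instead of a Nix store path means anything that lands in that directory (editor backups, a `.git` checkout, dotfiles) is served publicly, and the nginx worker now needs traverse access into `/home/orbekk`. A `location ~ /\. { return 404; }` (or an equivalent deny) next to the new root closes the obvious gap, and the `# kill cache` group deserves one line saying why caching is disabled for this vhost. The `try_files $uri @storage;` fallback is unchanged, so a miss under the home directory still falls through to `@storage`, which is presumably intended. The enclosing `virtualHosts` attribute set continues outside the hunk.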
@@ -1,12 +1,11 @@ $TTL 600 -@ IN SOA dragon.orbekk.com. root.orbekk.com. ( +@ IN SOA kakespade.trygveandre.net. root.orbekk.com. ( $serial; serial 601; refresh 900; retry 2419200; expire 3600; ) - IN NS dragon.orbekk.com. IN NS kakespade.trygveandre.net. IN NS kremkake.trygveandre.net. @ IN CAA 0 issue "buypass.com" diff --git a/data/dns/db.kufieta.net.zone b/data/dns/db.kufieta.net.zone index e94f1ba..23bb060 100644 --- a/data/dns/db.kufieta.net.zone +++ b/data/dns/db.kufieta.net.zone @@ -14,5 +14,11 @@ $TTL 3600 @ IN AAAA 2001:470:8e2e:20:f05b:e3ff:fed9:58f7 @ IN A 96.232.156.38 +@ IN CAA 0 issue "buypass.com" +@ IN CAA 0 issue "letsencrypt.org" +@ IN CAA 0 issuewild "letsencrypt.org" + latdyr IN A 96.232.156.38 latdyr IN AAAA 2001:470:8e2e:20:f05b:e3ff:fed9:7a20 + +_acme-challenge IN CNAME _acme-challenge.dynamic.orbekk.com. diff --git a/data/dns/db.orbekk.com.zone b/data/dns/db.orbekk.com.zone index 59c0bd7..3df89f1 100644 --- a/data/dns/db.orbekk.com.zone +++ b/data/dns/db.orbekk.com.zone @@ -7,10 +7,10 @@ $INCLUDE db.orbekk.shared.zone @ IN CAA 0 issue "buypass.com" @ IN CAA 0 issue "letsencrypt.org" -@ IN CAA 0 issuewild ";" +@ IN CAA 0 issuewild "letsencrypt.org" _matrix._tcp IN SRV 10 0 8448 kj.orbekk.com. -dynamic.orbekk.com IN NS dragon.orbekk.com. -dynamic.orbekk.com IN NS kremkake.trygveandre.net. +dynamic IN NS kremkake.trygveandre.net. +dynamic IN NS kakespade.trygveandre.net. diff --git a/data/dns/db.orbekk.no.zone b/data/dns/db.orbekk.no.zone index f1beec3..6255fc6 100644 --- a/data/dns/db.orbekk.no.zone +++ b/data/dns/db.orbekk.no.zone @@ -5,4 +5,4 @@ $INCLUDE db.orbekk.shared.zone @ IN CAA 128 issue "letsencrypt.org" @ IN CAA 128 issue "buypass.com" @ IN CAA 128 issue "buypass.no" -@ IN CAA 0 issuewild ";" +@ IN CAA 0 issuewild "letsencrypt.org" diff --git a/data/dns/db.orbekk.shared.zone b/data/dns/db.orbekk.shared.zone index 04d6979..a7557e9 100644 --- a/data/dns/db.orbekk.shared.zone +++ b/data/dns/db.orbekk.shared.zone 
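Review bot: The SOA MNAME now names `kakespade.trygveandre.net.` and `dragon.orbekk.com.` is dropped from the NS set, but for a dynamic zone the MNAME is where RFC 2136 update clients (nsupdate by default) and NOTIFY are directed; if dragon is still the host that accepts the `_acme-challenge` updates, updates resolved via MNAME will go to the wrong server. A comment stating which host is the update master, e.g. `; MNAME must be the primary that accepts DDNS updates for this zone`, would make that intent checkable. The parent delegation in `db.orbekk.com.zone` is changed to match in the same commit, so at least the NS sets agree.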
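Review bot: The `_acme-challenge` CNAME hands DNS-01 validation for `kufieta.net` to `_acme-challenge.dynamic.orbekk.com.`, so whoever can update that dynamic zone can obtain certificates for this domain; the new CAA `issue`/`issuewild` records bound which CAs may issue, not who may prove control. Because `db.orbekk.shared.zone` (included by orbekk.com and orbekk.no) adds the same target in this commit, several domains' challenge TXT records will share one name, which only works if the ACME client adds and removes individual TXT values rather than replacing the RRset. A comment at the CNAME naming the update mechanism and that constraint would help, e.g. `; DNS-01 delegated to dynamic.orbekk.com (shared with orbekk.com/.no); the update key there controls issuance`.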
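Review bot: `issuewild` changes from `";"` (no wildcard issuance) to `"letsencrypt.org"`, and the same loosening is in the `db.orbekk.no.zone` hunk; combined with the `_acme-challenge` delegation added in this commit, a wildcard for the whole domain can now be issued by anyone holding the dynamic-zone update credential. If wildcards are needed, a comment saying which host or service requests them, e.g. `; issuewild enabled for the wildcard cert requested from <host>`, keeps the relaxation reviewable; otherwise the previous `";"` was the tighter setting. The `dynamic` delegation lines also become a relative name here (the previous unqualified `dynamic.orbekk.com` would presumably have been read relative to the origin), which the commit message does not mention.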
@@ -15,6 +15,8 @@ $TTL 600 @ IN AAAA 2001:470:8e2e:20::d @ IN A 96.232.156.38 +_acme-challenge IN CNAME _acme-challenge.dynamic.orbekk.com. + smtp IN CNAME semeai home IN CNAME orbekk.duckdns.org. diff --git a/machines/dragon.nix b/machines/dragon.nix index 0097bf3..d6b72ec 100644 --- a/machines/dragon.nix +++ b/machines/dragon.nix @@ -1,6 +1,16 @@ { config, lib, pkgs, ... }: +let + # XXX: Temporary hack because of an accidental database upgrade + lxdNix = import (pkgs.fetchFromGitHub { + owner = "NixOS"; + repo = "nixpkgs"; + rev = "d308ac923376b76183a0b4078f808ce40af8f86b"; + sha256 = "0c08rkchyfbq5d08iifn3dkarwryn1l5yg0pm2x2as2586ir6k9s"; + }) {}; +in { imports = [ + ../config/acme-sh.nix ../config/mpd.nix ../config/borg-backup.nix ../config/common.nix 
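Review bot: The `lxdNix` pin fetches a fixed nixpkgs commit via `fetchFromGitHub` with a sha256 (good for reproducibility), but it also freezes lxd and lxc at that revision's versions, so they stop receiving upstream fixes for as long as the "temporary hack" lives. The comment should state the exit condition and when the pin was taken, e.g. `# XXX: pin lxd/lxc to the pre-upgrade nixpkgs until the lxd database is migrated; remove after migration (pinned <date>)`. The new `let` block wraps a module whose attribute set continues outside the hunk.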
@@ -19,58 +29,64 @@ environment.systemPackages = with pkgs; [ ipmitool ]; - virtualisation.lxd.enable = true; - security.apparmor = { - enable = true; - profiles = [ - "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-star" - "${pkgs.lxc}/etc/apparmor.d/lxc-containers" - ]; - packages = [ pkgs.lxc ]; + nixpkgs.config.packageOverrides = pkgs: { + lxd = lxdNix.lxd; + lxc = lxdNix.lxc; }; - containers.kick = { - autoStart = true; - hostBridge = "br0"; - privateNetwork = true; - config = { config, pkgs, ... }: { - system.activationScripts = { - resolvconf = { - text = '' - chmod +w /etc/resolv.conf - echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf - chmod -w /etc/resolv.conf - ''; - }; - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ]; - services.nginx = { - enable = true; - virtualHosts = { - "kick.orbekk.no" = { - enableACME = true; - }; - }; - }; - environment.systemPackages = [ - pkgs.simp_le - ]; - nixpkgs.config.packageOverrides = pkgs: { - simp_le = pkgs.stdenv.mkDerivation { - name = "simp_le"; - nativeBuildInputs = [ pkgs.makeWrapper ]; - buildCommand = '' - mkdir -p $out/bin - makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \ - --add-flags "--server https://api.buypass.com/acme/directory" \ - --add-flags "--email kj@orbekk.com" \ - --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1" - ''; - }; - }; - }; - }; + virtualisation.lxd.enable = true; + #security.apparmor = { + # enable = true; + # profiles = [ + # "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-star" + # "${pkgs.lxc}/etc/apparmor.d/lxc-containers" + # ]; + # packages = [ pkgs.lxc pkgs.apparmor-parser ]; + #}; + + # containers.kick = { + # autoStart = true; + # hostBridge = "br0"; + # privateNetwork = true; + # config = { config, pkgs, ... 
}: { + # system.activationScripts = { + # resolvconf = { + # text = '' + # chmod +w /etc/resolv.conf + # echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf + # chmod -w /etc/resolv.conf + # ''; + # }; + # }; + # networking.firewall.allowedTCPPorts = [ 80 443 ]; + # networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ]; + # services.nginx = { + # enable = true; + # virtualHosts = { + # "kick.orbekk.no" = { + # enableACME = true; + # addSSL = true; + # }; + # }; + # }; + # environment.systemPackages = [ + # pkgs.simp_le pkgs.certbot + # ]; + # # nixpkgs.config.packageOverrides = pkgs: { + # # simp_le = pkgs.stdenv.mkDerivation { + # # name = "simp_le"; + # # nativeBuildInputs = [ pkgs.makeWrapper ]; + # # buildCommand = '' + # # mkdir -p $out/bin + # # makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \ + # # --add-flags "--server https://api.buypass.com/acme/directory" \ + # # --add-flags "--email kj@orbekk.com" \ + # # --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1" + # # ''; + # # }; + # # }; + # }; + # }; boot = { kernelParams = [ "console=tty0" ''console="ttyS0,115200n8"'' ]; @@ -101,6 +117,10 @@ }; }; + dhcpcd.extraConfig = '' + ipv6ra_noautoconf + ''; + # interfaces.br0.ip6 = [ # # { address = "2001:470:8e2e:20:eca0:41ff:feef:92"; prefixLength = 64; } # { address = "2001:470:8e2e:20::d"; prefixLength = 64; } @@ -116,6 +136,9 @@ # ''; }; + # XXX: temorary hack because of an accidental upgrade. + systemd.services.lxd.serviceConfig.ExecStart = lib.mkForce "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd"; + services = { openssh = { enable = lib.mkDefault true; diff --git a/pkgs/default.nix b/pkgs/default.nix index 7972826..317b079 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -2,4 +2,5 @@ with import nixpkgs {}; rec { zone-files = callPackage ./zone-files/default.nix {}; + acme-sh = callPackage ./acme-sh/default.nix {}; } -- cgit v1.2.3
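Review bot: Commenting out `security.apparmor` removes the `lxc-containers` profile that confined the LXD containers, so with `virtualisation.lxd.enable = true` kept they now run without that MAC layer; if that is a side effect of the pinned lxd/lxc packages, say so in the comment (`# apparmor disabled until lxd/lxc are back on the channel's nixpkgs`) and track re-enabling it. The roughly fifty lines of commented-out `containers.kick` configuration should be deleted rather than kept as comments — git history preserves them, and commented Nix drifts out of sync with the options it references. The `packageOverrides` for `lxd`/`lxc` replaces the host's packages globally and deserves a one-line comment tying it to the `lxdNix` pin at the top of the file. This hunk's enclosing attribute set starts and ends outside it.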
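Review bot: `--group lxd` makes the LXD socket writable by the `lxd` group, and LXD's own documentation treats socket access as equivalent to root on the host, so the `mkForce`d ExecStart should carry that caveat together with the reason for the override: `# XXX: temporary override for the pinned lxd; note that group lxd == root on this host`. The existing comment's `temorary` should read `temporary`. Whether the pinned `pkgs.lxd` provides a `.bin` output is not visible here; if it does not, evaluation fails at this line. The leading `@` is systemd's argv[0] override and reads like a typo, so a word on it would help the next reader.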