From b815919ef4d55ad2bddd97135a1bb653848f0262 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kjetil=20=C3=98rbekk?=
Date: Sun, 17 Jun 2018 16:30:07 -0400
Subject: dragon-changes
---
 machines/dragon.nix | 123 +++++++++++++++++++++++++++++++---------------------
 1 file changed, 73 insertions(+), 50 deletions(-)
(limited to 'machines')
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 0097bf3..d6b72ec 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -1,6 +1,16 @@
 { config, lib, pkgs, ... }:
+let
+  # XXX: Temporary hack because of an accidental database upgrade
+  lxdNix = import (pkgs.fetchFromGitHub {
+    owner = "NixOS";
+    repo = "nixpkgs";
+    rev = "d308ac923376b76183a0b4078f808ce40af8f86b";
+    sha256 = "0c08rkchyfbq5d08iifn3dkarwryn1l5yg0pm2x2as2586ir6k9s";
+  }) {};
+in
 {
   imports = [
+    ../config/acme-sh.nix
     ../config/mpd.nix
     ../config/borg-backup.nix
     ../config/common.nix
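Review bot: The `lxdNix` let-binding pins `lxd` and `lxc` to a fixed nixpkgs revision, so from this commit on those two packages no longer follow the channel the rest of the host is built from and will miss any updates shipped there until the pin is removed; the comment says the hack is temporary but gives no condition for removing it. The `sha256` pin on `fetchFromGitHub` is the right way to fetch it, so the fetch itself is reproducible. Suggest extending the comment to `# XXX: Temporary hack because of an accidental database upgrade; lxd/lxc are frozen at this nixpkgs rev and get no channel updates — drop this let-binding (and the ExecStart override on the lxd service below) once the channel's lxd can open the upgraded database`. The same missing removal condition applies to the `lib.mkForce` ExecStart override in the last hunk of this file.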
@@ -19,58 +29,64 @@ environment.systemPackages = with pkgs; [ ipmitool ]; - virtualisation.lxd.enable = true; - security.apparmor = { - enable = true; - profiles = [ - "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-star" - "${pkgs.lxc}/etc/apparmor.d/lxc-containers" - ]; - packages = [ pkgs.lxc ]; + nixpkgs.config.packageOverrides = pkgs: { + lxd = lxdNix.lxd; + lxc = lxdNix.lxc; }; - containers.kick = { - autoStart = true; - hostBridge = "br0"; - privateNetwork = true; - config = { config, pkgs, ... }: { - system.activationScripts = { - resolvconf = { - text = '' - chmod +w /etc/resolv.conf - echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf - chmod -w /etc/resolv.conf - ''; - }; - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ]; - services.nginx = { - enable = true; - virtualHosts = { - "kick.orbekk.no" = { - enableACME = true; - }; - }; - }; - environment.systemPackages = [ - pkgs.simp_le - ]; - nixpkgs.config.packageOverrides = pkgs: { - simp_le = pkgs.stdenv.mkDerivation { - name = "simp_le"; - nativeBuildInputs = [ pkgs.makeWrapper ]; - buildCommand = '' - mkdir -p $out/bin - makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \ - --add-flags "--server https://api.buypass.com/acme/directory" \ - --add-flags "--email kj@orbekk.com" \ - --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1" - ''; - }; - }; - }; - }; + virtualisation.lxd.enable = true; + #security.apparmor = { + # enable = true; + # profiles = [ + # "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-star" + # "${pkgs.lxc}/etc/apparmor.d/lxc-containers" + # ]; + # packages = [ pkgs.lxc pkgs.apparmor-parser ]; + #}; + + # containers.kick = { + # autoStart = true; + # hostBridge = "br0"; + # privateNetwork = true; + # config = { config, pkgs, ... 
}: { + # system.activationScripts = { + # resolvconf = { + # text = '' + # chmod +w /etc/resolv.conf + # echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf + # chmod -w /etc/resolv.conf + # ''; + # }; + # }; + # networking.firewall.allowedTCPPorts = [ 80 443 ]; + # networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ]; + # services.nginx = { + # enable = true; + # virtualHosts = { + # "kick.orbekk.no" = { + # enableACME = true; + # addSSL = true; + # }; + # }; + # }; + # environment.systemPackages = [ + # pkgs.simp_le pkgs.certbot + # ]; + # # nixpkgs.config.packageOverrides = pkgs: { + # # simp_le = pkgs.stdenv.mkDerivation { + # # name = "simp_le"; + # # nativeBuildInputs = [ pkgs.makeWrapper ]; + # # buildCommand = '' + # # mkdir -p $out/bin + # # makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \ + # # --add-flags "--server https://api.buypass.com/acme/directory" \ + # # --add-flags "--email kj@orbekk.com" \ + # # --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1" + # # ''; + # # }; + # # }; + # }; + # }; boot = { kernelParams = [ "console=tty0" ''console="ttyS0,115200n8"'' ]; @@ -101,6 +117,10 @@ }; }; + dhcpcd.extraConfig = '' + ipv6ra_noautoconf + ''; + # interfaces.br0.ip6 = [ # # { address = "2001:470:8e2e:20:eca0:41ff:feef:92"; prefixLength = 64; } # { address = "2001:470:8e2e:20::d"; prefixLength = 64; } @@ -116,6 +136,9 @@ # ''; }; + # XXX: temorary hack because of an accidental upgrade. + systemd.services.lxd.serviceConfig.ExecStart = lib.mkForce "@${pkgs.lxd.bin}/bin/lxd lxd --group lxd"; + services = { openssh = { enable = lib.mkDefault true; -- cgit v1.2.3
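Review bot: The `security.apparmor` block that previously enabled AppArmor and loaded the `lxc-containers` and `usr.bin.lxc-star` profiles is now commented out while `virtualisation.lxd.enable = true;` is kept, so unless another module still enables it this host no longer applies any AppArmor confinement to its LXD containers, and nothing in the hunk records that this is intended. If the profile paths stopped building against the pinned `lxc`, keeping `security.apparmor.enable = true;` with the `profiles` list commented would at least retain the service, and a one-line comment such as `# AppArmor profiles for lxc disabled together with the lxd pin: containers run unconfined until this is restored` would make the gap visible to whoever removes the pin. The roughly fifty lines of `containers.kick` kept as a `#`-prefixed copy, including a nested doubly-commented `packageOverrides`, are better deleted outright since git history already holds them. The enclosing attribute set starts before this hunk.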
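Review bot: The added `lib.mkForce` on `systemd.services.lxd.serviceConfig.ExecStart` replaces the NixOS lxd module's own ExecStart rather than extending it, so any arguments the module passes are dropped; that is not visible from this hunk, so confirm against the module that `lxd --group lxd` is the full intended command line. The leading `@` in the string means systemd treats the next token, `lxd`, as argv[0], which is worth a comment since it is easy to mistake for a typo. The comment itself misspells `temorary`; suggest `# XXX: temporary hack because of an accidental upgrade (see lxdNix at the top); --group lxd lets members of the lxd group control LXD, and that group is effectively root on this host, so keep its membership minimal`.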