| -rw-r--r-- | modules/acme/default.nix | 11 | ||||
| -rw-r--r-- | modules/bgp/default.nix | 14 | ||||
| -rw-r--r-- | modules/common/default.nix | 4 | ||||
| -rw-r--r-- | modules/default.nix | 4 | ||||
| -rw-r--r-- | modules/kubernetes/default.nix | 4 | ||||
| -rw-r--r-- | modules/postgresql/default.nix | 26 | ||||
| -rw-r--r-- | modules/quassel/default.nix | 55 | ||||
| -rw-r--r-- | modules/quassel/quassel.nix | 487 | ||||
| -rw-r--r-- | modules/teamspeak/default.nix | 13 | ||||
| m--------- | secrets | 0 |
10 files changed, 612 insertions, 6 deletions
diff --git a/modules/acme/default.nix b/modules/acme/default.nix
new file mode 100644
index 0000000..f67681e
--- /dev/null
+++ b/modules/acme/default.nix
@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "hostmaster@vapor.systems";
+ dnsProvider = "pdns";
+ };
+ };
+}
diff --git a/modules/bgp/default.nix b/modules/bgp/default.nix
index 79187da..712f003 100644
--- a/modules/bgp/default.nix
+++ b/modules/bgp/default.nix
@@ -12,8 +12,14 @@ } ];
- networking.interfaces.eth0.ipv6.addresses = [{
- address = "2a0f:9400:8020::";
- prefixLength = 48;
- }];
+ networking.interfaces.eth0.ipv6.addresses = [
+ {
+ address = "2a0f:9400:8020::200";
+ prefixLength = 128;
+ }
+ {
+ address = "2a0f:9400:8020::100";
+ prefixLength = 128;
+ }
+ ]; }
diff --git a/modules/common/default.nix b/modules/common/default.nix
index e6e68c5..bf61be0 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -12,7 +12,9 @@ }; # Default Packages Set
- environment.systemPackages = with pkgs; [ git vim htop wget nftables wireguard-tools ];
+ environment.systemPackages = with pkgs; [ git vim htop wget nftables wireguard-tools tmux ];
+
+ nixpkgs.config.allowUnfree = true; # Security networking.firewall.enable = false;
diff --git a/modules/default.nix b/modules/default.nix
index 54af828..bf9787e 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -11,4 +11,8 @@ vultr = import ./vultr; wireguard = import ./wireguard; zfs = import ./zfs;
+
+ teamspeak = import ./teamspeak;
+ postgresql = import ./postgresql;
+ quassel = import ./quassel; }
diff --git a/modules/kubernetes/default.nix b/modules/kubernetes/default.nix
index 078545b..59d5adc 100644
--- a/modules/kubernetes/default.nix
+++ b/modules/kubernetes/default.nix
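Review bot: `defaults.dnsProvider = "pdns"` is set without a `defaults.credentialsFile`, so no certificate can actually be issued until the PowerDNS API credentials are supplied; if I recall the acme module correctly it asserts that `credentialsFile` is set whenever `dnsProvider` is, so evaluation may fail as soon as a cert is declared. This host already has a secrets mechanism (the `secrets` block in modules/quassel/default.nix) that could deliver that file, e.g. `credentialsFile = "/etc/secrets/<acme-pdns-env>";` next to `dnsProvider`, holding the `PDNS_API_URL` and `PDNS_API_KEY` variables lego reads, root-owned and not world-readable. A one-line comment naming the zone these defaults are meant for would also help the next reader.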
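Review bot: `nixpkgs.config.allowUnfree = true;` sits under the `# Default Packages Set` comment but applies to the whole system, and nothing records which package needs it (presumably the TeamSpeak server added in this commit). Scoping it keeps a future unfree dependency from slipping in unnoticed: `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "<unfree-pname>" ];`. If the blanket setting is intended, at least add `# unfree: needed for services.teamspeak3` above the line.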
@@ -64,6 +64,8 @@ in { }; config = { + boot.kernelModules = [ "ip6table_mangle" "ip6table_raw" "ip6table_filter" "ip6table_nat" ]; + + networking.extraHosts = '' 10.10.0.1 ${clusterDomain} fd15:3d8c:d429:beef::1 ${clusterDomain}
@@ -86,7 +88,7 @@ in { } // (if cfg.role == "server" then { advertise-address = "${internalIP.v4}";
- kube-controller-manager-arg = "node-cidr-mask-size-ipv6=72";
+ kube-controller-manager-arg = "node-cidr-mask-size-ipv6=80"; cluster-cidr = "10.102.0.0/16,fd15:3d8c:d429:0102::/64"; service-cidr = "10.101.0.0/16,fd15:3d8c:d429:0101::/108";
diff --git a/modules/postgresql/default.nix b/modules/postgresql/default.nix
new file mode 100644
index 0000000..98169a0
--- /dev/null
+++ b/modules/postgresql/default.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "quassel" ];
+ ensureUsers = [
+ {
+ name = "quassel";
+ ensurePermissions = { "DATABASE quassel" = "ALL PRIVILEGES"; };
+ }
+ {
+ name = "audron";
+ ensureClauses.superuser = true;
+ }
+ {
+ name = "d3fus";
+ ensureClauses.superuser = true;
+ }
+ ];
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser origin-address auth-method
+ local all all trust
+ '';
+ };
+}
diff --git a/modules/quassel/default.nix b/modules/quassel/default.nix
new file mode 100644
index 0000000..e69d275
--- /dev/null
+++ b/modules/quassel/default.nix
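Review bot: Changing `node-cidr-mask-size-ipv6` from 72 to 80 only governs PodCIDRs the controller-manager allocates after it restarts; as far as I know nodes that already hold a /72 keep it, and the allocator then has to coexist with the old, larger ranges, so if this cluster already has registered nodes confirm whether they need to be re-registered and record the decision, e.g. `# /80 per node out of the /64 cluster-cidr; existing nodes keep the podCIDR they were assigned`. The `boot.kernelModules` list in the first hunk would likewise benefit from a one-liner naming what needs the ip6table modules (presumably IPv6 kube-proxy or CNI rules; cannot tell from here). The enclosing `config` block starts and ends outside both hunks.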
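Review bot: `local all all trust` lets any local OS account connect as any role without a password, including the `audron`, `d3fus` and built-in `postgres` superusers, and the `mkOverride 10` discards the module's default rules rather than adding to them. quasselcore runs as the `quassel` user (quassel.nix sets `User = user;`) and the module's default `pgsql.hostname` points at the `/var/run/postgresql/` socket with a role of the same name, so `local all all peer` works with no password at all and should replace the `trust` line; the two admin roles can be mapped through a pg_ident entry, or `trust` narrowed to `local quassel quassel trust` if peer cannot be used for them. If this host tracks a recent nixpkgs release, `ensurePermissions` has been superseded by `ensureDBOwnership = true;`, which is worth checking before the next upgrade.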
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+ quassel = pkgs.libsForQt5.callPackage ./package.nix {
+ tag = "-core";
+ postgresql = pkgs.postgresql;
+ withLdap = true;
+
+ client = false;
+ monolithic = false;
+ enableDaemon = true;
+
+ withKDE = false;
+ };
+in
+{
+ disabledModules =
+ [ "services/networking/quassel.nix" ];
+ imports = [ ./quassel.nix ];
+
+ services.quassel = {
+ enable = true;
+ configFromEnvironment = true;
+ # package = quassel;
+ settings = {
+ dataDir = "/var/lib/quassel";
+ listen = [ "178.63.224.10" "2a01:4f8:231:56a::10" ];
+ db = {
+ backend = "PostgreSQL";
+ pgsql = {
+ database = "quassel";
+ };
+ };
+ auth = {
+ # authenticator = "Ldap";
+ ldap = {
+ hostname = "10.10.0.1";
+ port = 389;
+ bindDN = "cn=quassel,ou=users,dc=quassel,dc=vapor,dc=systems";
+ baseDN = "dc=quassel,dc=vapor,dc=systems";
+ filter = "(objectClass=inetOrgPerson)";
+ uidAttribute = "cn";
+ };
+ };
+ };
+ environmentFile = "/etc/secrets/quassel-ldap";
+ };
+
+ secrets = {
+ quasselLdap = {
+ source = ../../secrets/authentik/quassel;
+ dest = "/etc/secrets/quassel-ldap";
+ };
+ };
+}
diff --git a/modules/quassel/quassel.nix b/modules/quassel/quassel.nix
new file mode 100644
index 0000000..6d259d0
--- /dev/null
+++ b/modules/quassel/quassel.nix
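Review bot: `listen` binds quasselcore to the public addresses 178.63.224.10 and 2a01:4f8:231:56a::10 while `settings.ssl` is left at its defaults, so `--require-ssl` is never passed and, per the module's own description of that flag, remote clients are not forced to encrypt their session; with ACME configured on this host, set `ssl = { required = true; certFile = "<cert-path>"; keyFile = "<key-path>"; };` and make the key readable by the `quassel` user. The `ldap` block and the `withLdap = true` package built in the `let` are both inert while `# package = quassel;` and `# authenticator = "Ldap";` stay commented out, so the core still runs the stock `pkgs.quasselDaemon` with database authentication; either enable them together or leave a comment saying why they are parked. Delivering the bind password through the environment file at /etc/secrets/quassel-ldap is the right call, since `bindPassword` would otherwise end up in the Nix store.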
@@ -0,0 +1,487 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + cfg = config.services.quassel; + opt = options.services.quassel; + quassel = cfg.package; + user = if cfg.user != null then cfg.user else "quassel"; +in + +{ + options = { + services.quassel = { + enable = mkEnableOption ("the Quassel IRC client daemon"); + + package = mkOption { + type = types.package; + default = pkgs.quasselDaemon; + defaultText = literalExpression "pkgs.quasselDaemon"; + description = '' + The package of the quassel daemon. + ''; + }; + + user = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + The existing user the Quassel daemon should run as. If left empty, a default "quassel" user will be created. + ''; + }; + + environmentFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Path to an environment file loaded for the quassel service. + + This can be used to securely store tokens and secrets outside of the world-readable Nix store. + Since this file is read by systemd, it may have permission 0400 and be owned by root. + ''; + }; + + configFromEnvironment = mkOption { + default = false; + type = types.bool; + description = '' + Configure quassels authenticator and database settings using environment variables, + Instead of imperatively setting it up using the setup wizard during first connection to the quassel core. + ''; + }; + + settings = mkOption { + description = literalExpression '' + Configuration for quassel daemon. + ''; + type = types.submodule { + options = { + listen = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" "::1" ]; + description = '' + The address(es) quasselcore will listen on. + ''; + }; + + port = mkOption { + default = 4242; + type = types.port; + description = '' + The port quasselcore will listen at. 
+ ''; + }; + + dataDir = mkOption { + default = "/home/${user}/.config/quassel-irc.org"; + defaultText = literalExpression '' + "/home/''${config.${opt.user}}/.config/quassel-irc.org" + ''; + type = types.str; + description = '' + The directory holding configuration files, the SQlite database and the SSL Cert. + ''; + }; + + ident = mkOption { + description = literalExpression '' + Configuration for quassels internal ident daemon. + ''; + default = { }; + type = types.submodule { + options = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enable internal ident daemon. + ''; + }; + + strict = mkOption { + type = types.bool; + default = false; + description = '' + Use users quasselcore username as ident reply. Ignores each user's configured ident setting. + ''; + }; + + listen = mkOption { + default = [ "127.0.0.1" "::1" ]; + type = types.listOf types.str; + description = '' + The address(es) quasselcore will listen on for ident requests. + ''; + }; + + port = mkOption { + default = 10113; + type = types.port; + description = '' + The port quasselcore will listen at for ident requests. + ''; + }; + }; + }; + }; + + oidentd = mkOption { + description = literalExpression '' + Configuration for quassels integration with oidentd. + ''; + default = { }; + type = types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable oidentd integration. + ''; + }; + + confFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Set path to oidentd configuration file. + ''; + }; + }; + }; + }; + + ssl = mkOption { + default = { }; + type = types.submodule { + options = { + required = mkOption { + type = types.bool; + default = false; + description = '' + Require SSL for remote (non-loopback) client connections. 
+ ''; + }; + + certFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Specify the path to the SSL certificate. + ''; + }; + + keyFile = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Specify the path to the SSL key. + ''; + }; + }; + }; + }; + + metrics = mkOption { + description = literalExpression '' + Export metrics in prometheus format + ''; + default = { }; + type = types.submodule { + options = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable prometheus metrics API. + ''; + }; + + listen = mkOption { + default = [ "127.0.0.1" "::1" ]; + type = types.listOf types.str; + description = '' + The address(es) quasselcore will listen on for metrics requests. + ''; + }; + + port = mkOption { + default = 9558; + type = types.port; + description = '' + The port quasselcore will listen at for metrics requests. + ''; + }; + }; + }; + }; + + logLevel = mkOption { + type = types.enum [ "Debug" "Info" "Warning" "Error" ]; + default = "Info"; + description = '' + Supports one of Debug|Info|Warning|Error; + ''; + }; + + db = mkOption { + default = { }; + type = types.submodule { + options = { + backend = mkOption { + type = types.enum [ "SQLite" "PostgreSQL" ]; + default = "SQLite"; + description = literalExpression '' + Specify the database backend. + + In case SQLite is used, the database will be stored in ''${opt.settings.dataDir}/quassel-storage.sqlite + ''; + }; + + pgsql = mkOption { + description = '' + Configuration for PostgreSQL Connection if ''${opt.settings.db.type} is set to "PostgreSQL". + + TCP and UNIX Sockets are supported + ''; + default = null; + type = types.nullOr (types.submodule { + options = { + username = mkOption { + type = types.str; + default = user; + description = '' + Specifies the Postgres connection username. 
+ ''; + }; + + password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Specifies the Postgres connection user password. Warning: do not set confidential + information here because it is world-readable in the Nix store. + ''; + }; + + hostname = mkOption { + type = types.nullOr types.str; + default = "/var/run/postgresql/"; + description = '' + Specifies the Postgres connection hostname. + + Either an IP Address or hostname for a TCP Connection or the path to the directory + that contains a UNIX Socket. + ''; + }; + + port = mkOption { + default = 5432; + type = types.port; + description = '' + Specifies the Postgres connection port. + ''; + }; + + database = mkOption { + type = types.str; + default = "quassel"; + description = '' + Specifies the Postgres connection database name. + ''; + }; + }; + }); + }; + }; + }; + }; + + auth = mkOption { + default = { }; + type = types.submodule { + options = { + authenticator = mkOption { + type = types.enum [ "Database" "Ldap" ]; + default = "Database"; + description = '' + Specify the backend used to authenticate users to quassel. Either "Database" to + use quassel database or "Ldap" to use an external LDAP Server + ''; + }; + + ldap = mkOption { + default = null; + type = types.nullOr (types.submodule { + options = { + hostname = mkOption { + type = types.str; + description = '' + Specifies the LDAP authenticator connection hostname. + ''; + }; + + port = mkOption { + default = 389; + type = types.port; + description = '' + Specifies the LDAP authenticator connection port. + ''; + }; + + bindDN = mkOption { + type = types.str; + description = '' + Specifies the LDAP authenticator bind DN. + ''; + }; + + bindPassword = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Specifies the LDAP authenticator bind password. Warning: do not set + confidential information here because it is world-readable in the Nix store. 
+ ''; + }; + + baseDN = mkOption { + type = types.str; + description = '' + Specifies the LDAP authenticator base DN. + ''; + }; + + filter = mkOption { + type = types.str; + description = '' + Specifies the LDAP authenticator filter. + ''; + example = "(objectClass=inetOrgPerson)"; + }; + + uidAttribute = mkOption { + default = "uid"; + type = types.str; + description = '' + Specifies the LDAP authenticator UID attribute. + ''; + example = "cn"; + }; + }; + }); + }; + }; + }; + }; + }; + }; + }; + }; + }; + + ###### implementation + + config = mkIf cfg.enable { + assertions = [ + { + assertion = cfg.settings.ssl.required -> cfg.settings.ssl.certFile != null; + message = "Quassel needs a certificate file in order to require SSL"; + } + { + assertion = cfg.settings.db.backend == "PostgreSQL" -> cfg.settings.db.pgsql != null; + message = "Quassel needs postgresql connection settings if database type is set to PostgreSQL"; + } + { + assertion = cfg.settings.auth.authenticator == "Ldap" -> cfg.settings.auth.ldap != null; + message = "Quassel needs ldap connection settings if authenticator type is set to Ldap"; + } + ]; + + users.users = optionalAttrs (cfg.user == null) { + quassel = { + name = "quassel"; + description = "Quassel IRC client daemon"; + group = "quassel"; + uid = config.ids.uids.quassel; + }; + }; + + users.groups = optionalAttrs (cfg.user == null) { + quassel = { + name = "quassel"; + gid = config.ids.gids.quassel; + }; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.settings.dataDir}' - ${user} - - -" + ]; + + systemd.services.quassel = + { + description = "Quassel IRC client daemon"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ] + ++ optional config.services.postgresql.enable "postgresql.service" + ++ optional config.services.mysql.enable "mysql.service"; + + serviceConfig = + { + ExecStart = (concatStringsSep " " ([ + "${quassel}/bin/quasselcore" + "--listen=${concatStringsSep "," cfg.settings.listen}" + "--port=${toString 
cfg.settings.port}" + "--configdir=${cfg.settings.dataDir}" + "--loglevel=${cfg.settings.logLevel}" + ] + ++ (optionals cfg.settings.ident.enable + [ + "--ident-daemon" + "--ident-listen=${concatStringsSep "," cfg.settings.ident.listen}" + "--ident-port=${toString cfg.settings.ident.port}" + ] ++ (optional cfg.settings.ident.strict "--strict-ident")) + ++ optionals cfg.settings.oidentd.enable [ + "--oidentd" + "--oidentd-conffile=${cfg.settings.ident.listen}" + ] + ++ optionals cfg.settings.metrics.enable [ + "--metrics-daemon" + "--metrics-listen=${concatStringsSep "," cfg.settings.metrics.listen}" + "--metrics-port=${toString cfg.settings.metrics.port}" + ] + ++ optional cfg.configFromEnvironment "--config-from-environment" + + # SSL + ++ optional cfg.settings.ssl.required "--require-ssl" + ++ optional (cfg.settings.ssl.certFile != null) "--ssl-cert=${cfg.settings.ssl.certFile}" + ++ optional (cfg.settings.ssl.keyFile != null) "--ssl-key=${cfg.settings.ssl.keyFile}" + )); + + EnvironmentFile = mkIf + (cfg.environmentFile != null) [ cfg.environmentFile ]; + Environment = mkIf cfg.configFromEnvironment ([ + "AUTH_AUTHENTICATOR=${cfg.settings.auth.authenticator}" + "DB_BACKEND=${cfg.settings.db.backend}" + ] ++ (optional (cfg.settings.db.backend == "PostgreSQL") [ + "DB_PGSQL_DATABASE=${cfg.settings.db.pgsql.database}" + "DB_PGSQL_HOSTNAME=${cfg.settings.db.pgsql.hostname}" + "DB_PGSQL_USERNAME=${cfg.settings.db.pgsql.username}" + "DB_PGSQL_PORT=${toString cfg.settings.db.pgsql.port}" + ] ++ optional (cfg.settings.db.pgsql.password != null) "DB_PGSQL_PASSWORD=${cfg.settings.db.pgsql.password}" + ) ++ (optional (cfg.settings.auth.authenticator == "Ldap") [ + "AUTH_LDAP_BASE_DN=${cfg.settings.auth.ldap.baseDN}" + "AUTH_LDAP_BIND_DN=${cfg.settings.auth.ldap.bindDN}" + "AUTH_LDAP_FILTER=${cfg.settings.auth.ldap.filter}" + "AUTH_LDAP_HOSTNAME=${cfg.settings.auth.ldap.hostname}" + "AUTH_LDAP_PORT=${toString cfg.settings.auth.ldap.port}" + 
"AUTH_LDAP_UID_ATTRIBUTE=${cfg.settings.auth.ldap.uidAttribute}"
+ ] /* ++ optional (cfg.settings.auth.ldap.bindPassword != null) "AUTH_LDAP_BIND_PASSWORD=${cfg.settings.auth.ldap.bindPassword}" */
+ ));
+ User = user;
+ };
+ };
+ };
+}
diff --git a/modules/teamspeak/default.nix b/modules/teamspeak/default.nix
new file mode 100644
index 0000000..60b5627
--- /dev/null
+++ b/modules/teamspeak/default.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.teamspeak3 =
+ let
+ ip = "178.63.224.12"; in
+ {
+ enable = true;
+ voiceIP = ip;
+ queryIP = ip;
+ fileTransferIP = ip;
+ };
+}
diff --git a/secrets b/secrets
-Subproject 8890cd313ce5dd17b4e723d90ce399cee5a3da8
+Subproject 720f8d26eb7bed4034f0ebd6d708b7ea8f02c1c |
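Review bot: In the `Environment` list, `optional (cfg.settings.db.backend == "PostgreSQL") [ ... ]` and `optional (cfg.settings.auth.authenticator == "Ldap") [ ... ]` wrap a list in `optional`, which yields a nested list (`[ [ ... ] ]`) instead of appending the entries; with `configFromEnvironment = true` and the PostgreSQL backend this should fail to evaluate or produce a malformed `Environment=`, so both must be `optionals`, and note that the `DB_PGSQL_PASSWORD` entry is appended outside the backend check, so it is evaluated even when `pgsql` is null. The `--oidentd-conffile=${cfg.settings.ident.listen}` argument interpolates the ident listen list rather than `cfg.settings.oidentd.confFile`, which cannot coerce to a string; it should read `++ optional (cfg.settings.oidentd.confFile != null) "--oidentd-conffile=${cfg.settings.oidentd.confFile}"` inside the oidentd branch. The tmpfiles rule `"d '${cfg.settings.dataDir}' - ${user} - - -"` leaves the default mode on a directory that, per the `dataDir` description, holds the SQLite database and SSL key; `0750` with an explicit group would be the safer default. Any `pgsql.password` passed through `Environment` lands in the unit file and therefore the store, which the option text already warns about, so the commented-out `AUTH_LDAP_BIND_PASSWORD` line is consistent with that; a short comment saying the bind password is expected from `environmentFile` would read better than dead code.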
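Review bot: `queryIP = ip;` binds the query interface (ServerQuery, going by the option name) to the public address 178.63.224.12 together with voice and file transfer, and the common module keeps `networking.firewall.enable = false;`, so the administrative query port is reachable from anywhere with only its password in the way. Unless remote ServerQuery access is required, bind it to loopback, `queryIP = "127.0.0.1";`, and reach it over SSH; if it must stay public, say why in a comment and make sure the query password has been changed from the one generated on first start.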
