Diffstat (limited to 'makefu/1systems')
| -rw-r--r-- | makefu/1systems/darth.nix | 30 | ||||
| -rw-r--r-- | makefu/1systems/omo.nix | 47 | ||||
| -rw-r--r-- | makefu/1systems/pornocauster.nix | 4 | ||||
| -rw-r--r-- | makefu/1systems/shoney.nix | 38 | ||||
| -rw-r--r-- | makefu/1systems/wry.nix | 4 | 
5 files changed, 93 insertions, 30 deletions
diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix
index 2f2358ddc..08ac7e66e 100644
--- a/makefu/1systems/darth.nix
+++ b/makefu/1systems/darth.nix
@@ -17,19 +17,37 @@ in {
       ../2configs/exim-retiolum.nix
       ../2configs/virtualization.nix
   ];
-
-  networking.firewall.allowedUDPPorts = [ 80 655 67 ];
-  networking.firewall.allowedTCPPorts = [ 80 655 ];
-  networking.firewall.checkReversePath = false;
+  services.tinc.networks.siem = {
+    name = "sdarth";
+    extraConfig = "ConnectTo = sjump";
+  };
   #networking.firewall.enable = false;
-  # virtualisation.nova.enableSingleNode = true;
   krebs.retiolum.enable = true;
   boot.kernelModules = [ "coretemp" "f71882fg" ];
   hardware.enableAllFirmware = true;
   nixpkgs.config.allowUnfree = true;
-  networking.wireless.enable = true;
+  networking = {
+    wireless.enable = true;
+    firewall = {
+      allowPing = true;
+      logRefusedConnections = false;
+      allowedUDPPorts = [ 80 655 67 ];
+      allowedTCPPorts = [ 80 655 ];
+    };
+    nat = {
+      enable = true;
+      internalIPs = [ "10.8.10.0/24" ];
+      #internalInterfaces = [ "tinc.siem" ];
+      externalIP = "10.8.8.2";
+      externalInterface = "virbr3";
+    };
+    interfaces.virbr3.ip4 =  [{
+      address = "10.8.8.2";
+      prefixLength = 24;
+    }];
+  };
   # TODO smartd omo darth gum all-in-one
   services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index fbd06a9c7..e71055f54 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
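Review bot: `logRefusedConnections = false` in the new `networking.firewall` block switches off the kernel log of dropped packets at the same moment this host starts NATing `10.8.10.0/24` out of `virbr3` and joins the `siem` tinc network, so refused traffic on the new exposure leaves no trace; the option defaults to true, and either dropping that line or adding a comment saying why the noise is unwanted would be preferable. The hunk also removes `checkReversePath = false` while introducing NAT whose `internalInterfaces` line is commented out; if the internal range arrives over the tinc interface rather than `virbr3`, reverse-path filtering may drop those forwarded packets, which the commit does not address. `80` survives in `allowedUDPPorts` from the old lines and looks like it was only ever meant for TCP, though that is pre-existing. The enclosing `in { ... }` attribute set starts and ends outside the hunk.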
@@ -5,9 +5,10 @@
 { config, pkgs, lib, ... }:
 let
   byid = dev: "/dev/disk/by-id/" + dev;
-  keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
-  rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
-  homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3";
+  keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
+  rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
+  rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
+  primaryInterface = "enp1s0";
   # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
   # cryptsetup luksAddKey $dev tmpkey
   # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
@@ -15,14 +16,14 @@ let
   # omo Chassis:
   # __FRONT_
-  # |* d2   |
+  # |* d0   |
   # |       |
   # |* d3   |
   # |       |
-  # |* d0   |
+  # |* d3   |
   # |       |
-  # |* d1   |
   # |*      |
+  # |* d2   |
   # |  * r0 |
   # |_______|
   cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
@@ -38,27 +39,31 @@ in {
     [
       ../.
       # TODO: unlock home partition via ssh
-      ../2configs/fs/single-partition-ext4.nix
+      ../2configs/fs/sda-crypto-root.nix
       ../2configs/zsh-user.nix
       ../2configs/exim-retiolum.nix
       ../2configs/smart-monitor.nix
       ../2configs/mail-client.nix
-      ../2configs/share-user-sftp.nix
-      ../2configs/graphite-standalone.nix
+      #../2configs/graphite-standalone.nix
+      #../2configs/share-user-sftp.nix
       ../2configs/omo-share.nix
+
+      ## as long as pyload is not in nixpkgs:
+      # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
     ];
   krebs.retiolum.enable = true;
-  networking.firewall.trustedInterfaces = [ "enp3s0" ];
+  networking.firewall.trustedInterfaces = [ primaryInterface ];
   # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
   # tcp:80          - nginx for sharing files
   # tcp:655 udp:655 - tinc
   # tcp:8111        - graphite
+  # tcp:8112        - pyload
   # tcp:9090        - sabnzbd
   # tcp:9200        - elasticsearch
   # tcp:5601        - kibana
   networking.firewall.allowedUDPPorts = [ 655 ];
-  networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 9200 9090 ];
+  networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ];
   # services.openssh.allowSFTP = false;
@@ -66,6 +71,9 @@ in {
   services.sabnzbd.enable = true;
   systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+  virtualisation.docker.enable = true;
+
+
   # HDD Array stuff
   services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
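Review bot: The documented `docker run ... -p 8112:8000 -P writl/pyload` command next to the new `virtualisation.docker.enable = true` publishes ports through Docker's own iptables chains rather than the host INPUT chain, so the `8112` added to `allowedTCPPorts` is not what gates access to pyload, and `-P` additionally publishes every port the image exposes on random host ports that appear in no allow-list. If pyload is meant to be reachable only from the LAN, drop `-P` and bind the publication explicitly, e.g. `-p 127.0.0.1:8112:8000` or the enp1s0 address, and state that in the comment. The port comment block would also benefit from a line noting that `trustedInterfaces = [ primaryInterface ]` bypasses the allow-list on enp1s0 entirely, so those entries only govern other interfaces. How far Docker's iptables integration interacts with the NixOS firewall depends on the Docker version, which the hunk does not show.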
@@ -76,15 +84,11 @@ in {
     disks = map toMapper [ 0 1 ];
     parity = toMapper 2;
   };
+
   fileSystems = let
     cryptMount = name:
       { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
-  in {
-    "/home" = {
-      device = "/dev/mapper/home";
-      fsType = "ext4";
-    };
-  } // cryptMount "crypt0"
+  in   cryptMount "crypt0"
     // cryptMount "crypt1"
     // cryptMount "crypt2";
@@ -101,15 +105,16 @@ in {
         usbkey = name: device: {
           inherit name device keyFile;
           keyFileSize = 4096;
+          allowDiscards = true;
         };
       in [
-        (usbkey "home" homePartition)
+        (usbkey "luksroot" rootPartition)
         (usbkey "crypt0" cryptDisk0)
         (usbkey "crypt1" cryptDisk1)
         (usbkey "crypt2" cryptDisk2)
       ];
     };
-    loader.grub.device = rootDisk;
+    loader.grub.device = lib.mkForce rootDisk;
     initrd.availableKernelModules = [
       "ahci"
@@ -121,12 +126,12 @@ in {
       "usbhid"
     ];
-    kernelModules = [ "kvm-amd" ];
+    kernelModules = [ "kvm-intel" ];
     extraModulePackages = [ ];
   };
   hardware.enableAllFirmware = true;
-  hardware.cpu.amd.updateMicrocode = true;
+  hardware.cpu.intel.updateMicrocode = true;
   zramSwap.enable = true;
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index fa39b121c..2fb93798a 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -31,6 +31,7 @@
       # hardware specifics are in here
       ../2configs/hw/tp-x220.nix
+      ../2configs/hw/rtl8812au.nix
       # mount points
       ../2configs/fs/sda-crypto-root-home.nix
       # ../2configs/mediawiki.nix
@@ -59,7 +60,6 @@
   networking.firewall.allowedUDPPorts = [ 665 ];
   krebs.build.host = config.krebs.hosts.pornocauster;
-
   krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
   krebs.retiolum = {
     enable = true;
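Review bot: `allowDiscards = true;` inside the `usbkey` helper applies to all four LUKS devices built from it, not only the new SSD root, and the same flag is set on pornocauster's `luksroot` in the last hunk of that file. Passing discards through dm-crypt lets anyone holding the raw device see which blocks are unused and infer filesystem layout, a documented trade-off that is only worth taking on SSDs; `cryptDisk0` is an `ata-ST2000DM001` spinning disk per its by-id name, where TRIM buys nothing. Limit it to the root entry, e.g. `((usbkey "luksroot" rootPartition) // { allowDiscards = true; })` with the helper left as before, and put a one-line comment naming the trade-off next to it. The `let` that introduces `usbkey` begins before this hunk.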
@@ -68,4 +68,6 @@
   networking.extraHosts = ''
     192.168.1.11 omo.local
   '';
+  # hard dependency because otherwise the device will not be unlocked
+  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
 }
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
new file mode 100644
index 000000000..48679fe58
--- /dev/null
+++ b/makefu/1systems/shoney.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+let
+  ip     = "64.137.234.215";
+  alt-ip = "64.137.234.210";
+  extra-ip = "64.137.234.114"; #currently unused
+  gw = "64.137.234.1";
+in {
+  imports = [
+    ../.
+    ../2configs/hw/CAC.nix
+    ../2configs/fs/CAC-CentOS-7-64bit.nix
+
+  ];
+
+
+  services.tinc.networks.siem.name = "sjump";
+
+  # minimal resources
+  services.nixosManual.enable = false;
+  programs.man.enable = false;
+  nix.gc.automatic = true;
+  nix.gc.dates = "03:10";
+
+  krebs = {
+    enable = true;
+    retiolum.enable = true;
+    build.host = config.krebs.hosts.shoney;
+  };
+  networking.interfaces.enp2s1.ip4 = [
+    { address = ip; prefixLength = 24; }
+    { address = alt-ip; prefixLength = 24; }
+  ];
+
+  networking.defaultGateway = gw;
+  networking.nameservers = [ "8.8.8.8" ];
+  networking.firewall.allowedUDPPorts = [ 655 1655 ];
+  networking.firewall.allowedTCPPorts = [ 655 1655 ];
+}
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index d9f8ded83..ed48c6abe 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -9,8 +9,8 @@ in {
   imports = [
       ../.
       # TODO: copy this config or move to krebs
-      ../../tv/2configs/hw/CAC.nix
-      ../../tv/2configs/fs/CAC-CentOS-7-64bit.nix
+      ../2configs/hw/CAC.nix
+      ../2configs/fs/CAC-CentOS-7-64bit.nix
       ../2configs/headless.nix
       ../2configs/bepasty-dual.nix
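Review bot: The added `boot.initrd.luks.devices` entry identifies the root partition as `/dev/sda2`, a kernel enumeration name that can change whenever another disk or USB storage device is present at boot, whereas omo.nix in the same commit resolves every device through `/dev/disk/by-id/`; `device = "/dev/disk/by-id/<DISK-ID>-part2";` would be stable. The comment calls this a hard dependency, which suggests `sda-crypto-root-home.nix` (imported in this file's first hunk) already defines the same device — if so both entries end up in the merged list, and either that duplication should be documented or the import's definition fixed instead of repeating it here. `allowDiscards=true;` also lacks the spacing around `=` used everywhere else in the file.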
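Review bot: `allowedUDPPorts` and `allowedTCPPorts` open 1655 on this host, but nothing in the file makes any daemon listen there: `services.tinc.networks.siem` only sets `name = "sjump"`, and tinc's default port is 655, which is already open for retiolum. If the siem network is meant to run on 1655 it needs `extraConfig = "Port = 1655";` (darth's `ConnectTo = sjump` in the first file of this commit relies on whatever the sjump host file declares, which is not shown); otherwise the entry is a dead hole in the allow-list and should go. A short comment above the firewall lines naming which daemon owns each port, as omo.nix does, would make that checkable. `extra-ip` is bound but unused, as its trailing comment admits.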
