From cf537f3c7b6e005a1f2e14871576827e7f9246b6 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Mon, 25 Sep 2023 21:03:23 +0200
Subject: [PATCH 01/12] [#5] adding sops support
---
 .sops.yaml | 16 ++++++++++++++++
 README.md | 25 +++++++++++++++++++++++++
 flake.lock | 40 +++++++++++++++++++++++++++++++++++++++-
 flake.nix | 4 ++++
 nixos/flake-module.nix | 2 +-
 nixos/roles/default.nix | 4 ++++
 6 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 nixos/roles/default.nix
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..825333b
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,16 @@
+keys:
+ - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+
+ - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
+
+creation_rules:
+ - path_regex nixos/machines/nyarlathotep/.*
+ key_groups:
+ - age:
+ *nerf
+ *nyarlathotep
+ # this is the catchall clause if nothing above machtes. Encrypt to users but not
+ # to machines
+ - key_groups:
+ - age:
+ *nerf
diff --git a/README.md b/README.md
index 03dc6fa..44e28aa 100644
--- a/README.md
+++ b/README.md
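Review bot: `- path_regex nixos/machines/nyarlathotep/.*` in the first creation rule has no colon after `path_regex`, so as written it is a plain string list item rather than a `path_regex:` key and sops cannot match it against the machine's secret files; it should read `- path_regex: nixos/machines/nyarlathotep/.*`. The recipients under `age:` likewise appear as two bare aliases, `*nerf` and `*nyarlathotep`, where sops expects a list (`- *nerf`, `- *nyarlathotep`) or a comma-separated string, unless the dashes were lost in this rendering. If either problem is real, secrets meant for the machine would either fail to encrypt or fall through to the catch-all rule and be encrypted to the user key only, leaving the host unable to decrypt them at activation. Encrypting a test file under `nixos/machines/nyarlathotep/` and checking the recipient list in its sops metadata before merging would settle both.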
@@ -11,3 +11,28 @@ nix build .#nixosConfiguration..config.system.build.toplevel
 ### On the machine
 clone this repo to `/etc/nixos/` and `nixos-rebuild` that will select
 the appropriate machine based on hostname
+
+
+### sops
+
+We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix)
+As of right now we use only `age` keys.
+The machine keys are derived from their server ssh keys, that they generate at first boot.
+User keys are generated by the users.
+New keys and machines need entries into the `.sops.yaml` file within the root directory of this repo.
+
+To make a secret available on a given machine you need to do the following. Configure the following keys
+
+```
+sops.secrets.example-key = {
+ sopsFile = "relative path to file in the repo containing the secrets (optional else the sops.defaultSopsFile is used)
+ path = "optinal path where the secret gets symlinked to, practical if some programm expects a specific path"
+ owner = user that owns the secret file: config.users.users.nerf.name (for example)
+ group = same as user just with groups: config.users.users.nerf.group
+ mode = "premission in usual octet: 0400 (for example)"
+```
+afterwards the secret should be available in `/run/secrets/example-key`.
+If the accessing process is not root it must be member of the group `config.users.groups.keys`
+for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];`
+it the service config.
+
diff --git a/flake.lock b/flake.lock
index 4f71017..e3f7e40 100644
--- a/flake.lock
+++ b/flake.lock
@@ -104,11 +104,49 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1694908564, + "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "596611941a74be176b98aeba9328aa9d01b8b322", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "flake-parts": "flake-parts", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1695284550, + "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "utils": { diff --git a/flake.nix b/flake.nix index d2c7384..727dd91 100644 --- a/flake.nix +++ b/flake.nix @@ -10,6 +10,10 @@ nixpkgs.follows = ""; }; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = inputs@{ flake-parts, ... }: diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix index cca5849..ef87e41 100644 --- a/nixos/flake-module.nix +++ b/nixos/flake-module.nix @@ -11,7 +11,7 @@ pkgs.nixos { imports = [ (import (./. + "/machines/${name}/configuration.nix") inputs) - # inputs.secrets.nixosModules.default + inputs.sops-nix.nixosModules.sops ]; }; in lib.genAttrs machines makeSystem); diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix new file mode 100644 index 0000000..3c24242 --- /dev/null +++ b/nixos/roles/default.nix @@ -0,0 +1,4 @@ +{ ... } : { + +sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; +} From a9a95f4ca35375bc35cf27854641fad06b08d8b3 Mon Sep 17 00:00:00 2001 
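Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` in `nixos/roles/default.nix` makes the host's SSH identity double as the age decryption key, which is a reasonable choice but deserves a comment, because regenerating or rotating that host key silently breaks decryption of everything encrypted to `&nyarlathotep` in `.sops.yaml` until the anchor is updated and `sops updatekeys` is rerun. I would put `# The host SSH key is also the sops/age decryption key: rotate it only together with the matching entry in .sops.yaml.` above that line. The README added in this commit also says a secret without `sopsFile` falls back to `sops.defaultSopsFile`, but nothing in the series sets that option, so either set it in this role or drop that sentence.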
From: Dennis Frieberg
Date: Fri, 22 Sep 2023 15:09:01 +0200
Subject: [PATCH 02/12] added sensible credentials to nerf user
---
 nixos/roles/admins.nix | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 nixos/roles/admins.nix
diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix
new file mode 100644
index 0000000..4f189e0
--- /dev/null
+++ b/nixos/roles/admins.nix
@@ -0,0 +1,30 @@
+{lib, ...} :
+with lib;
+
+let
+ admins = {
+ nerf = {
+ hashedPassword =
+ "$6$rounds=424242$FaEtIXMUScxgAYyF$Fl8GbPFgiEv.1iwrhtVpTixG1BTJys3aIfLyTzocQYZV4JymrYEXtnyCTURmVDe8stxbxgDutmtlyElfn1DQc/";
+ keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
+ ];
+ };
+ };
+
+ mkAdmin = name :
+ {hashedPassword, keys}: {
+ "${name}" = {
+ isNormalUser = true;
+ createHome = true;
+ extraGroups = [ "wheel" ];
+ group = "users";
+ home = "/home/${name}";
+ openssh.authorizedKeys = { inherit keys; };
+ inherit hashedPassword;
+ };
+ };
+
+in {
+ users.users = mkMerge (mapAttrsToList mkAdmin admins);
+}
From fe7ea8aee1c07d5a7be85a3e2d12b345a40f3f71 Mon Sep 17 00:00:00 2001
From: Dennis Frieberg
Date: Mon, 12 Jun 2023 08:37:49 +0200
Subject: [PATCH 03/12] first working steps on nyarlathotep
---
 nixos/machines/nyarlathotep/configuration.nix | 7 +++
 nixos/machines/nyarlathotep/mail.nix | 46 +++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 nixos/machines/nyarlathotep/configuration.nix
 create mode 100644 nixos/machines/nyarlathotep/mail.nix
diff --git a/nixos/machines/nyarlathotep/configuration.nix b/nixos/machines/nyarlathotep/configuration.nix
new file mode 100644
index 0000000..b2714bb
--- /dev/null
+++ b/nixos/machines/nyarlathotep/configuration.nix
@@ -0,0 +1,7 @@
+flake-inputs:
+{config, pkgs, lib, ... }: {
+
+imports = [(import ./mail.nix flake-inputs)];
+
+# System configuration here
+}
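Review bot: `hashedPassword` for `nerf` commits a password hash to the repository one patch after sops support was wired in; anyone with read access to the repo, or to any clone or mirror, can run offline guessing against it, and the account sits in `wheel`. Since `sops-nix` is already imported, the hash belongs in a sops secret declared with `neededForUsers = true` and referenced via `users.users.nerf.passwordFile` (`hashedPasswordFile` on newer nixpkgs), with `mkAdmin` taking the secret's path instead of the literal hash. The same applies to the replacement hash in patch 07 (`nixos/roles/admins.nix`, the `$y$j9T$...` line); both hashes stay in git history, so the corresponding passwords should be treated as exposed and rotated once the secret is moved. The public `ssh-ed25519` key is fine to keep in-tree.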
diff --git a/nixos/machines/nyarlathotep/mail.nix b/nixos/machines/nyarlathotep/mail.nix
new file mode 100644
index 0000000..ebf1d38
--- /dev/null
+++ b/nixos/machines/nyarlathotep/mail.nix
@@ -0,0 +1,46 @@
+flake-inputs:
+{pkgs, config, lib, ...}: {
+ imports = [flake-inputs.nixos-mailserver.nixosModule];
+
+ mailserver = {
+ enable = true;
+ debug = true; # TODO disable
+ fqdn = "mathebau.de";
+ sendingFqdn = "fb04184.mathematik.tu-darmstadt.de";
+ domains = [
+ "mathebau.de"
+ "lists.mathebau.de"
+ ];
+ # forwards = #TODO
+ # loginAccounts = #TODO
+ # extraVirtualAliases = # TODO # only for local things (maybe don't use?)
+ certificateDomains = ["imap.mathebau.de"];
+ # certificateScheme = "manual"; # Do we need CERTS? We don't want to run a webmailer YES IMAP!!
+ # certificateFile = #TODO
+ # keyFile = #TODO
+
+ enableSubmission = false; # no starttls smtp
+
+ # Fun dovecot stuff :
+
+ # mailDirectory = "/var/vmail/"; # directory to store mail leave at default.
+
+ hierarchySeparator = "/"; # seperator for imap mailboxes from client view
+
+ # Caching of search indices
+ indexDir = "/var/lib/dovecot/indices";
+ fullTextSearch = {
+ enforced = "body"; # only brute force headers if no search index is available
+ };
+ lmtpSaveToDetailMailbox = "no";
+ # no starttls
+ enableImap = false;
+
+
+ # TODO checkout redis `config.services.redis.servers.rspamd.`
+
+ # TODO
+ # borgbackup = {
+ # };
+ };
+}
From 60885b4cb5b00d1a0474180beca39a4b77553b8f Mon Sep 17 00:00:00 2001
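Review bot: `debug = true; # TODO disable` ships verbose mail-server logging in the machine config with only a TODO to turn it off; postfix/dovecot debug output is noisy and may retain per-session details under `journald` that nobody wants kept, so I would set `debug = lib.mkDefault false;` here and override it from a local test configuration while bringing the server up. `certificateScheme` is commented out, so whatever default the `nixos-mailserver` module ships applies to `imap.mathebau.de` — presumably a self-signed certificate, which IMAP clients will reject or need pinned — and the TODO should name the intended scheme (`acme`/`acme-nginx` or `manual`) so it is not forgotten. `enableSubmission = false` and `enableImap = false` rely on the module's TLS-only listeners staying enabled by default; a comment stating that intent, e.g. `# plaintext/STARTTLS listeners off on purpose; only the implicit-TLS ports are exposed`, would save the next reader a lookup.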
From: Dennis Frieberg Date: Fri, 22 Sep 2023 14:20:11 +0200 Subject: [PATCH 04/12] added actual hardware identifiers & atual network config --- nixos/machines/.gitkeep | 0 nixos/machines/nyarlathotep/boot.nix | 8 +++ nixos/machines/nyarlathotep/configuration.nix | 10 +++- .../nyarlathotep/hardware-configuration.nix | 24 +++++++++ nixos/machines/nyarlathotep/mail.nix | 4 +- nixos/machines/nyarlathotep/network.nix | 15 ++++++ nixos/roles/default.nix | 50 ++++++++++++++++++- 7 files changed, 107 insertions(+), 4 deletions(-) delete mode 100644 nixos/machines/.gitkeep create mode 100644 nixos/machines/nyarlathotep/boot.nix create mode 100644 nixos/machines/nyarlathotep/hardware-configuration.nix create mode 100644 nixos/machines/nyarlathotep/network.nix diff --git a/nixos/machines/.gitkeep b/nixos/machines/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/nixos/machines/nyarlathotep/boot.nix b/nixos/machines/nyarlathotep/boot.nix new file mode 100644 index 0000000..745f410 --- /dev/null +++ b/nixos/machines/nyarlathotep/boot.nix @@ -0,0 +1,8 @@ +{ + imports = [ ]; + boot.loader.grub = { + device = "nodev"; + enable = true; + }; +} + diff --git a/nixos/machines/nyarlathotep/configuration.nix b/nixos/machines/nyarlathotep/configuration.nix index b2714bb..1a0e12a 100644 --- a/nixos/machines/nyarlathotep/configuration.nix +++ b/nixos/machines/nyarlathotep/configuration.nix @@ -1,7 +1,15 @@ flake-inputs: {config, pkgs, lib, ... }: { -imports = [(import ./mail.nix flake-inputs)]; +imports = [ + ./hardware-configuration.nix + (import ./mail.nix flake-inputs) + ../../roles + ./boot.nix + ./network.nix +]; # System configuration here + + system.stateVersion = "23.11"; } diff --git a/nixos/machines/nyarlathotep/hardware-configuration.nix b/nixos/machines/nyarlathotep/hardware-configuration.nix new file mode 100644 index 0000000..078d8e1 --- /dev/null +++ b/nixos/machines/nyarlathotep/hardware-configuration.nix 
@@ -0,0 +1,24 @@ +{config, lib, pkgs, modulesPath, ...}: { + imports = [ ]; + + boot.initrd.availableKernelModules = + [ "ata_piix" "sr_mod" "xen_bklfront" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0"; + fsType = "ext4"; + }; + fileSystems."/var/mail" = { + device = "/dev/disk/by-uuid/23c44c93-5035-4e29-9e46-75c1c08f4cea"; + fsType = "ext4"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/8bc30d17-3c08-4648-ab18-8c723523be1a"; }]; + + nix.settings.max-jobs = lib.mkDefault 4; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/nixos/machines/nyarlathotep/mail.nix b/nixos/machines/nyarlathotep/mail.nix index ebf1d38..a954a5d 100644 --- a/nixos/machines/nyarlathotep/mail.nix +++ b/nixos/machines/nyarlathotep/mail.nix @@ -23,12 +23,12 @@ flake-inputs: # Fun dovecot stuff : - # mailDirectory = "/var/vmail/"; # directory to store mail leave at default. + mailDirectory = "/var/mail/vmail/"; # directory to store mail hierarchySeparator = "/"; # seperator for imap mailboxes from client view # Caching of search indices - indexDir = "/var/lib/dovecot/indices"; + indexDir = "/var/mail/lib/dovecot/indices"; fullTextSearch = { enforced = "body"; # only brute force headers if no search index is available }; diff --git a/nixos/machines/nyarlathotep/network.nix b/nixos/machines/nyarlathotep/network.nix new file mode 100644 index 0000000..3641375 --- /dev/null +++ b/nixos/machines/nyarlathotep/network.nix 
@@ -0,0 +1,15 @@ +# We sohuld put that config somewhere in roles and give it a parameter or something, +# everyone gets the same nameserver and the same prefixLength and address vs defaultGateway alsways +# depend on the same thing +{ + imports = [ ]; + networking = { + interfaces.enX0.ipv4.addresses = [ { + addresses = "192.168.0.28"; + prefixLength = 16; + } ]; + defaultGateway = "192.168.0.155"; + nameservers = ["130.83.2.22" "130.83.56.60" "130.83.22.60" "130.82.22.63"]; + }; +} + diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 3c24242..72ad163 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -1,4 +1,52 @@ -{ ... } : { +{pkgs, config, lib, ...} : { + +imports = [ ./admins.nix ]; +nix = { + extraOptions = '' + experimental-features = nix-command flakes + builders-use-substitutes = true + ''; +}; + +networking = { + firewall = { # these shoud be default, but better make sure! + enable = true; + allowPing = true; + }; + nftables.enable = true; + useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface + # hosts = # TODO write something to autogenerate ip adresses! +}; + +users = { + mutableUsers = false; +}; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + +environment = { + systemPackages = builtins.attrValues { + inherit (pkgs) + htop lsof tmux btop; + }; +}; + +services = { + journald.extraConfig = "SystemMaxUse=5G"; + + nginx = { + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedTlsSettings = true; + }; + + openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; +}; +>>>>>>> 2b0eec7 (added actual hardware identifiers & atual network config) } From 0c6bb20db2de0e7df49413fc60eb0c9bed994445 Mon Sep 17 00:00:00 2001 
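Review bot: the last resolver in `nameservers`, `130.82.22.63`, differs in the second octet from the other three, which all sit in `130.83.0.0/16`; if that is a typo, lookups that fall through to it go to an unrelated network, so please confirm the address against the site's resolver list. The header comment already says this block should become a role with the address as a parameter; until then a comment naming where the resolver list came from (`# resolvers per <placeholder: site network documentation>`) would make such slips easier to catch.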
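Review bot: the added line `>>>>>>> 2b0eec7 (added actual hardware identifiers & atual network config)` just before the closing `}` of `nixos/roles/default.nix` is a leftover merge-conflict marker committed into the module, so evaluating any machine that imports `../../roles` fails until it is removed; none of the later patches touch it (patch 12 only cleans the README, and patch 07 edits the top of this same file without removing it). Delete that line. The `firewall.enable`, `nftables.enable`, `mutableUsers = false` and `PermitRootLogin = "no"` / `PasswordAuthentication = false` settings are the right baseline; since they make the keys in `admins.nix` the only login path, a comment such as `# mutableUsers=false + PasswordAuthentication=false: the only way in is an SSH key listed in admins.nix` next to `users.mutableUsers` would make that explicit.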
From: Dennis Frieberg Date: Fri, 22 Sep 2023 15:32:16 +0200 Subject: [PATCH 05/12] updated dependencies --- flake.lock | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/flake.lock b/flake.lock index e3f7e40..2ad8261 100644 --- a/flake.lock +++ b/flake.lock @@ -21,11 +21,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1685662779, - "narHash": "sha256-cKDDciXGpMEjP1n6HlzKinN0H+oLmNpgeCTzYnsA2po=", + "lastModified": 1693611461, + "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "71fb97f0d875fd4de4994dfb849f2c75e17eb6c3", + "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", "type": "github" }, "original": { @@ -39,14 +39,15 @@ "flake-compat": [], "nixpkgs": [], "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", "utils": "utils" }, "locked": { - "lastModified": 1686468558, - "narHash": "sha256-K69Ojlx3N8I6tRTZsrKFMIqK4yrnJ6/PjfKZi3wchYg=", + "lastModified": 1689976554, + "narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=", "ref": "refs/heads/master", - "rev": "290d00f6db4e80467013728819ad73dd4a394d9a", - "revCount": 554, + "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e", + "revCount": 570, "type": "git", "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git" }, @@ -57,11 +58,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1686412476, - "narHash": "sha256-inl9SVk6o5h75XKC79qrDCAobTD1Jxh6kVYTZKHzewA=", + "lastModified": 1695145219, + "narHash": "sha256-Eoe9IHbvmo5wEDeJXKFOpKUwxYJIOxKUesounVccNYk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "21951114383770f96ae528d0ae68824557768e81", + "rev": "5ba549eafcf3e33405e5f66decd1a72356632b96", "type": "github" }, "original": { 
@@ -86,14 +87,29 @@ "type": "indirect" } }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": "indirect" + } + }, "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1685564631, - "narHash": "sha256-8ywr3AkblY4++3lIVxmrWZFzac7+f32ZEhH/A8pNscI=", + "lastModified": 1693471703, + "narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4f53efe34b3a8877ac923b9350c874e3dcd5dc0a", + "rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85", "type": "github" }, "original": { From ba8862cb0ce2cda52481ee9415a6d4afbe90ffd1 Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Fri, 22 Sep 2023 19:36:48 +0200 Subject: [PATCH 06/12] first running config (fingers crossed) --- nixos/machines/nyarlathotep/hardware-configuration.nix | 2 +- nixos/machines/nyarlathotep/network.nix | 2 +- nixos/roles/nix_keys.nix | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 nixos/roles/nix_keys.nix diff --git a/nixos/machines/nyarlathotep/hardware-configuration.nix b/nixos/machines/nyarlathotep/hardware-configuration.nix index 078d8e1..bc541e1 100644 --- a/nixos/machines/nyarlathotep/hardware-configuration.nix +++ b/nixos/machines/nyarlathotep/hardware-configuration.nix @@ -2,7 +2,7 @@ imports = [ ]; boot.initrd.availableKernelModules = - [ "ata_piix" "sr_mod" "xen_bklfront" ]; + [ "ata_piix" "sr_mod" "xen_blkfront" ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; diff --git a/nixos/machines/nyarlathotep/network.nix b/nixos/machines/nyarlathotep/network.nix index 3641375..b5389eb 100644 --- a/nixos/machines/nyarlathotep/network.nix +++ b/nixos/machines/nyarlathotep/network.nix 
@@ -5,7 +5,7 @@ imports = [ ]; networking = { interfaces.enX0.ipv4.addresses = [ { - addresses = "192.168.0.28"; + address = "192.168.0.28"; prefixLength = 16; } ]; defaultGateway = "192.168.0.155"; diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix new file mode 100644 index 0000000..af3f21d --- /dev/null +++ b/nixos/roles/nix_keys.nix @@ -0,0 +1,4 @@ +{lib, ...} : + nix.settings.trusted-public-keys = [ + "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" + ]; From cb771c4abb1a35b658f00a6da7404fd00623a140 Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Fri, 22 Sep 2023 20:00:35 +0200 Subject: [PATCH 07/12] fixed small error in trusted nix keys handling --- nixos/roles/admins.nix | 2 +- nixos/roles/default.nix | 5 ++++- nixos/roles/nix_keys.nix | 4 +++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix index 4f189e0..43a86aa 100644 --- a/nixos/roles/admins.nix +++ b/nixos/roles/admins.nix @@ -5,7 +5,7 @@ let admins = { nerf = { hashedPassword = - "$6$rounds=424242$FaEtIXMUScxgAYyF$Fl8GbPFgiEv.1iwrhtVpTixG1BTJys3aIfLyTzocQYZV4JymrYEXtnyCTURmVDe8stxbxgDutmtlyElfn1DQc/"; + "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7"; keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2" ]; diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index 72ad163..2bcf4dc 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix @@ -1,6 +1,9 @@ {pkgs, config, lib, ...} : { -imports = [ ./admins.nix ]; +imports = [ + ./admins.nix + ./nix_keys.nix + ]; nix = { extraOptions = '' experimental-features = nix-command flakes diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix index af3f21d..85c7835 100644 --- a/nixos/roles/nix_keys.nix +++ b/nixos/roles/nix_keys.nix 
@@ -1,4 +1,6 @@ -{lib, ...} : +{ + imports = [ ]; nix.settings.trusted-public-keys = [ "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc=" ]; +} From 53787ba7bb29c8ee444cfc5c23c1b4aec8e3d533 Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Fri, 22 Sep 2023 21:33:23 +0200 Subject: [PATCH 08/12] /var/mail is special OOOPS --- nixos/machines/nyarlathotep/hardware-configuration.nix | 2 +- nixos/machines/nyarlathotep/mail.nix | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/nixos/machines/nyarlathotep/hardware-configuration.nix b/nixos/machines/nyarlathotep/hardware-configuration.nix index bc541e1..81be995 100644 --- a/nixos/machines/nyarlathotep/hardware-configuration.nix +++ b/nixos/machines/nyarlathotep/hardware-configuration.nix @@ -10,7 +10,7 @@ device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0"; fsType = "ext4"; }; - fileSystems."/var/mail" = { + fileSystems."/var/vmail" = { device = "/dev/disk/by-uuid/23c44c93-5035-4e29-9e46-75c1c08f4cea"; fsType = "ext4"; }; diff --git a/nixos/machines/nyarlathotep/mail.nix b/nixos/machines/nyarlathotep/mail.nix index a954a5d..9eb7ce1 100644 --- a/nixos/machines/nyarlathotep/mail.nix +++ b/nixos/machines/nyarlathotep/mail.nix @@ -23,12 +23,13 @@ flake-inputs: # Fun dovecot stuff : - mailDirectory = "/var/mail/vmail/"; # directory to store mail + mailDirectory = "/var/vmail/vmail/"; # directory to store mail it was /var/mail/vmail but + # /var/mail ist special hierarchySeparator = "/"; # seperator for imap mailboxes from client view # Caching of search indices - indexDir = "/var/mail/lib/dovecot/indices"; + indexDir = "/var/vmail/lib/dovecot/indices"; fullTextSearch = { enforced = "body"; # only brute force headers if no search index is available }; From 72c98986a0f6234c7d70ed2f596eb2ac44d469a5 Mon Sep 17 00:00:00 2001 
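Review bot: `nix.settings.trusted-public-keys` in `nixos/roles/nix_keys.nix` is undocumented in the file; any store path carrying a signature from `nerflap2-1` is accepted by this host's daemon, and the README's deploy flow then activates such closures as the system configuration, so the private half of that key is effectively a root credential for every machine importing this role. I would add above the list `# Closures signed by any key here are trusted by the nix daemon and can be activated as the system config; guard the private keys like root credentials and remove an entry when the signing machine is retired.`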
From: Dennis Frieberg
Date: Sun, 24 Sep 2023 01:50:41 +0200
Subject: [PATCH 09/12] some documentation I wrote without proofreading at 2 in the morning
---
 README.md | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 103 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 44e28aa..c2455c9 100644
--- a/README.md
+++ b/README.md
@@ -1,19 +1,116 @@ # nixConfig ## Build a machine +There are multiple ways to build and deploy a machine configuration. Which is the +most appropriate depends on the context and scenario. So first there will be a general +explanation how this works and afterwards we will talk about some scenarios. + +If you run `nix flake show` you should get an output similiar to this +``` +$ nix flake show +git+file:///home/nerf/git/nixConfig?ref=refs%2fheads%2fnyarlathtop&rev=9d0eb749287d1e9e793811759dfa29469ab706dc +├───apps +│ └───x86_64-linux +├───checks +│ └───x86_64-linux +├───devShells +│ └───x86_64-linux +├───formatter +├───legacyPackages +│ └───x86_64-linux omitted (use '--legacy' to show) +├───nixosConfigurations +│ └───nyarlathotep: NixOS configuration +├───nixosModules +├───overlays +└───packages + └───x86_64-linux +``` +we can see there is an output callled `nixosConfigurations.nyarlathotep`. Which contains the config of the machine +called nyarlathotep. `nixosConfigurations` is special in that sense, that `nixos-rebuild` will automatically look +for this key and assume how it is structured. The interesting part for us is the derivation `config.system.build.toplevel`. +Its closure contains the whole system and the resulting derivation a script that changes the current system to +that derivation. (called `/bin/switch-to-configuration`). + +So what we want to archive is populate the nix store of the target machine with the closure of the derivation +`.#nixosConfigurations..config.system.build.toplevel` and run the the resulting script on the target machine. + + ### Local -If you want to build the machineconfiguration for machine -run +It has multiple benefits to build the system config on the local computer and push it to the target server. +For example one doesn't stress the server with the load coming with evaluating the expression. Also the server +doesn't need to fetch the build dependencies this way. One has a local check if at least the nix syntax was correct. 
+And so on... + +#### Build +If you have this repository local in your current directory you can just run: ``` -nix build .#nixosConfiguration..config.system.build.toplevel +$ nix build .#nixosConfigurations..config.system.build.toplevel ``` +But you don't need to clone this repository for more on flake urls see the `nix flake --help` documentation. + +#### Copy +After we build the derivation we need to get the closure onto the target system. Luckily nix has tools to do that +via ssh. We could just run: +``` +$ nix copy -s --to .#nixosConfigurations..config.system.build.toplevel +``` +we do not need the flake anymore, instead of specifying the derivation name we could also give the store path +directly. + +The `-s` is important it makes the target machine substitute all derivations it can (by default from chache.nixos.org). +So you only upload config files and self build things. + +To be able to copy things to a machine they need to be signed by someone trusted. Additional trusted nix keys are handled +in `./nixos/roles/nix_keys.nix`. So to get yourself trusted you either need to install one derivation from the machine itself, +or find someone who is already trusted. + +For more information on signing and key creation see `nix store sign --help` and `nix key --help`. + +#### Activate +Log into the remote machine and execute +``` +# /nix/store//bin/switch-to-configuration boot +``` +That will setup a configuration switch at reboot. You can also switch the configuration live. For more +details consider the `--help` output of that script. + + +If you have a `nixos-rebuild` available on your system it can automatize these things with the `--flake` and +`--target-host` parameters. But there are some pitfalls so look at the `nixos-rebuild` documentation beforehand. 
+ ### On the machine -clone this repo to `/etc/nixos/` and `nixos-rebuild` that will select -the appropriate machine based on hostname + +clone this repo to `/etc/nixos/` and `nixos-rebuild boot` or `nixos-rebuild switch` that will select +the appropriate machine based on hostname. + +If the hostname is not correct, or you don't want to clone this flake you can also use the `--flake` parameter. + +In any case, to switch the system configuration you will need to have root priviledges on the target machine. -### sops +## How this flake is organized + +This flake uses `flake-parts` see [flake.parts](https://flake.parts) for more details. It makes handling +`system` and some other moudles related things more convenient. +For the general layout of nixos system config and modules, please see the corresponding documentation. + +The toplevel `flake.nix` contains the flake inputs as usual and only calls a file `flake-module.nix` +this toplevel `flake-module.nix` imports further more specialiesed `flake-modules.nix` files from subdirectories. +Right now the only one is `nixos/flake-module.nix`. + +the `nixos` folder contains all machine configurations. It sepreates in two folders `nixos/machines` and `nixos/roles`. + +`nixos/machines` contains all machine specific configuration (in a subfolder per machine). Like hardware configuration, specific +network configuration. And service configuration that are too closely intervowen with the rest of that machine. It also +contains the root config for that machine called `configuration.nix`. This file usually only includes other modules. + +`nixos/roles` contains config that is pontentially shared by some machines. It is expected that `nixos/roles/default.nix` +is imported as (`../../roles`) in every machine. Notable are the files `nixos/roles/admins.nix` which contains +common admin accounts for these machines and `nixos/roles/nix_keys.nix` which contains the additional trusted +keys for the nix store. 
+ +## sops We are sharing secrets using [`sops`](https://github.com/getsops/sops) and [`sops-nix`](https://github.com/Mic92/sops-nix) As of right now we use only `age` keys. @@ -35,4 +132,3 @@ afterwards the secret should be available in `/run/secrets/example-key`. If the accessing process is not root it must be member of the group `config.users.groups.keys` for systemd services this can be archived by setting `serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];` it the service config. - From bc8b37f38da0f3b09736560abcd1631102cc0bea Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Sun, 24 Sep 2023 02:04:39 +0200 Subject: [PATCH 10/12] refactored xen_guest.nix --- nixos/machines/nyarlathotep/boot.nix | 8 -------- nixos/machines/nyarlathotep/configuration.nix | 2 +- .../nyarlathotep/hardware-configuration.nix | 5 ----- nixos/roles/xen_guest.nix | 15 +++++++++++++++ 4 files changed, 16 insertions(+), 14 deletions(-) delete mode 100644 nixos/machines/nyarlathotep/boot.nix create mode 100644 nixos/roles/xen_guest.nix diff --git a/nixos/machines/nyarlathotep/boot.nix b/nixos/machines/nyarlathotep/boot.nix deleted file mode 100644 index 745f410..0000000 --- a/nixos/machines/nyarlathotep/boot.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - imports = [ ]; - boot.loader.grub = { - device = "nodev"; - enable = true; - }; -} - diff --git a/nixos/machines/nyarlathotep/configuration.nix b/nixos/machines/nyarlathotep/configuration.nix index 1a0e12a..05616fa 100644 --- a/nixos/machines/nyarlathotep/configuration.nix +++ b/nixos/machines/nyarlathotep/configuration.nix @@ -5,7 +5,7 @@ imports = [ ./hardware-configuration.nix (import ./mail.nix flake-inputs) ../../roles - ./boot.nix + ../../roles/xen_guest.nix ./network.nix ]; diff --git a/nixos/machines/nyarlathotep/hardware-configuration.nix b/nixos/machines/nyarlathotep/hardware-configuration.nix index 81be995..d75ae28 100644 --- a/nixos/machines/nyarlathotep/hardware-configuration.nix 
+++ b/nixos/machines/nyarlathotep/hardware-configuration.nix @@ -1,11 +1,6 @@ {config, lib, pkgs, modulesPath, ...}: { imports = [ ]; - boot.initrd.availableKernelModules = - [ "ata_piix" "sr_mod" "xen_blkfront" ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - fileSystems."/" = { device = "/dev/disk/by-uuid/a72da670-f631-49b1-bcb3-6d378cc1f2d0"; fsType = "ext4"; diff --git a/nixos/roles/xen_guest.nix b/nixos/roles/xen_guest.nix new file mode 100644 index 0000000..9c9ee32 --- /dev/null +++ b/nixos/roles/xen_guest.nix @@ -0,0 +1,15 @@ +{...}: { + imports = [ ]; + boot = { + loader.grub = { + device = "nodev"; + enable = true; + }; + initrd = { + availableKernelModules = [ "ata_piix" "sr_mod" "xen_blkfront" ]; + kernelModules = [ ]; + }; + extraModulePackages = [ ]; + }; +} + From 8d3731eeb3de2d102f44d2e477215a7a64774da2 Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Mon, 25 Sep 2023 15:00:15 +0200 Subject: [PATCH 11/12] added a comment regarding the use of `pkgs.nixos` --- nixos/flake-module.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix index ef87e41..d82fbd4 100644 --- a/nixos/flake-module.nix +++ b/nixos/flake-module.nix @@ -2,6 +2,15 @@ # This automatically searches for nixos configs in ./machines/${name}/configuration.nix # and exposes them as outputs.nixosConfigurations.${name} +# + +# a comment regarding pkgs.nixos vs lib.nixosSystem +# while lib.nixosSystem is the usual enduser way to evaluate nixos configurations +# in flakes, pkgs.nixos sets the package set to the packages it comes from. +# This spares us tracking our potentiell overlays and own package additions, but just +# using the right package set to begin with. Using lib.nixosSystem from the flake we would +# need to specify that again. + { withSystem, lib, inputs, ... }: { flake = { nixosConfigurations = withSystem "x86_64-linux" ({ pkgs, ... }: 
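Review bot: the refactor in `nixos/roles/xen_guest.nix` places `kernelModules = [ ];` inside the `initrd` block, which sets `boot.initrd.kernelModules`, whereas the line removed from `hardware-configuration.nix` set the top-level `boot.kernelModules`; both lists are empty so nothing changes today, but someone adding a module later will land it in the initrd instead of the running system. Either move `kernelModules = [ ];` up next to `extraModulePackages` or note the intent with `kernelModules = [ ]; # initrd-only; boot.kernelModules is deliberately left unset`. The empty `imports = [ ];` is noise in a role file and could be dropped.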
From 977bfa7114c13eaad664e126db466dfb736e9252 Mon Sep 17 00:00:00 2001 From: Dennis Frieberg Date: Mon, 25 Sep 2023 22:03:19 +0200 Subject: [PATCH 12/12] fixed a merge thingy in README --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index 759e36e..26734c0 100644 --- a/README.md +++ b/README.md @@ -80,10 +80,6 @@ If you have a `nixos-rebuild` available on your system it can automatize these t `--target-host` parameters. But there are some pitfalls so look at the `nixos-rebuild` documentation beforehand. ### On the machine -<<<<<<< HEAD - -======= ->>>>>>> d89313e25d9c66bafdaed10bb11716589472bac3 clone this repo to `/etc/nixos/` and `nixos-rebuild boot` or `nixos-rebuild switch` that will select the appropriate machine based on hostname.