Drift/pvv-nixos-config
Drift
/
pvv-nixos-config
16
4
Fork 1
Code Issues Pull Requests 6 Wiki Activity

WIP: configure bikkje as login server #24

Draft
felixalb wants to merge 5 commits from setup-bikkje-login into main
pull from: setup-bikkje-login
merge into: Drift:main
Conversation 1 Commits 5 Files Changed 11 +1916 -44
11 changed files with 1916 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
base.nix
View File

@ -73,6 +73,7 @@
# Trusted users on the nix builder machines
users.groups."nix-builder-users".name = "nix-builder-users";
users.motd = builtins.readFile ./misc/motd;
services.openssh = {
enable = true;

44
hosts/bikkje/configuration.nix
View File

@ -1,44 +0,0 @@
{ config, pkgs, values, ... }:
{
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "ens3";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
};
containers.bikkje = {
autoStart = true;
config = { config, pkgs, ... }: {
#import packages
packages = with pkgs; [
alpine
mutt
mutt-ics
mutt-wizard
weechat
weechatScripts.edit
hexchat
irssi
pidgin
];
networking = {
firewall = {
enable = true;
# Allow SSH and HTTP and ports for email and irc
allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = mkForce false;
};
system.stateVersion = "23.11";
services.resolved.enable = true;
};
};
};

125
hosts/buskerud/bikkje/default.nix Normal file
View File

@ -0,0 +1,125 @@
{ config, pkgs, values, lib, ... }:
{
containers.bikkje = {
autoStart = true;
interfaces = [ "enp4s0f0" ];
config = { config, pkgs, ... }: {
imports = [
../../../modules/home-areas.nix
./services/kerberos
];
environment.systemPackages = with pkgs; [
zsh
bash
fish
tcsh
alpine
mutt
mutt-ics
mutt-wizard
notmuch
mailutils
procmail
irssi
weechat
weechatScripts.edit
coreutils-full
diffutils
findutils
ripgrep
cvs
gawk
git
gnupg
gnused
groff
less
p7zip
rcs
screen
tmux
tree
unzip
zip
oysteikt commented 2024-04-09 02:02:53 +02:00
Review
Copy Link

lmao

lmao
emacs
helix
joe
micro
nano
neovim
autossh
inetutils
lynx
mosh
rsync
w3m
clang
gcc
guile
lua
perl
php
python3
(python3.withPackages (ps: with ps; [
numpy
sympy
scipy
requests
imageio
pillow
httpx
pycryptodome
pandas
matplotlib
]))
ruby
tcl
];
services.openssh = {
enable = true;
ports = [ 22 80 443 ];
openFirewall = true;
extraConfig = ''
PubkeyAcceptedAlgorithms=+ssh-rsa
'';
settings = {
GatewayPorts = "yes";
PermitRootLogin = "yes";
};
};
users.motd = builtins.readFile ../../../misc/motd;
networking = {
firewall.enable = true;
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
hostName = "bikkje";
};
systemd.network.enable = true;
systemd.network.networks."30-enp4s0f0" = values.defaultNetworkConfig // {
matchConfig.Name = "enp4s0f0";
address = with values.hosts.bikkje; [ (ipv4 + "/25") (ipv6 + "/64") ];
};
system.stateVersion = "23.11";
services.resolved.enable = true;
};
};
# TODO
# - Kerberos Authentication
# - Mail Transfer Agent
}

27
hosts/buskerud/bikkje/services/kerberos/default.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, pkgs, lib, ... }:
{
#######################
# TODO: remove these once nixos 24.05 gets released
#######################
imports = [
./krb5.nix
./pam.nix
];
disabledModules = [
"config/krb5/default.nix"
"security/pam.nix"
];
#######################
security.krb5 = {
enable = true;
settings = {
libdefaults = {
default_realm = "PVV.NTNU.NO";
dns_lookup_realm = "yes";
dns_lookup_kdc = "yes";
};
realms."PVV.NTNU.NO".admin_server = "kdc.pvv.ntnu.no";
};
};
}

88
hosts/buskerud/bikkje/services/kerberos/krb5-conf-format.nix Normal file
View File

@ -0,0 +1,88 @@
{ pkgs, lib, ... }:
# Based on
# - https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
# - https://manpages.debian.org/unstable/heimdal-docs/krb5.conf.5heimdal.en.html
let
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
isAttrs isBool isList mapAttrsToList mdDoc mkOption singleton splitString;
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in submodule {
freeformType = attrsOf section;
options = {
include = mkOption {
default = [ ];
description = mdDoc ''
Files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
includedir = mkOption {
default = [ ];
description = mdDoc ''
Directories containing files to include in the Kerberos configuration.
'';
type = coercedTo path singleton (listOf path);
};
module = mkOption {
default = [ ];
description = mdDoc ''
Modules to obtain Kerberos configuration from.
'';
type = coercedTo path singleton (listOf path);
};
};
};
generate = let
indent = str: concatMapStringsSep "\n" (line: " " + line) (splitString "\n" str);
formatToplevel = args @ {
include ? [ ],
includedir ? [ ],
module ? [ ],
...
}: let
sections = removeAttrs args [ "include" "includedir" "module" ];
in concatStringsSep "\n" (filter (x: x != "") [
(concatStringsSep "\n" (mapAttrsToList formatSection sections))
(concatMapStringsSep "\n" (m: "module ${m}") module)
(concatMapStringsSep "\n" (i: "include ${i}") include)
(concatMapStringsSep "\n" (i: "includedir ${i}") includedir)
]);
formatSection = name: section: ''
[${name}]
${indent (concatStringsSep "\n" (mapAttrsToList formatRelation section))}
'';
formatRelation = name: relation:
if isAttrs relation
then ''
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else formatValue name relation;
formatValue = name: value:
if isList value
then concatMapStringsSep "\n" (formatAtom name) value
else formatAtom name value;
formatAtom = name: atom: let
v = if isBool atom then boolToString atom else toString atom;
in "${name} = ${v}";
in
name: value: pkgs.writeText name ''
${formatToplevel value}
'';
}

90
hosts/buskerud/bikkje/services/kerberos/krb5.nix Normal file
View File

@ -0,0 +1,90 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mdDoc mkIf mkOption mkPackageOption mkRemovedOptionModule;
inherit (lib.types) bool;
mkRemovedOptionModule' = name: reason: mkRemovedOptionModule ["krb5" name] reason;
mkRemovedOptionModuleCfg = name: mkRemovedOptionModule' name ''
The option `krb5.${name}' has been removed. Use
`security.krb5.settings.${name}' for structured configuration.
'';
cfg = config.security.krb5;
format = import ./krb5-conf-format.nix { inherit pkgs lib; } { };
in {
imports = [
(mkRemovedOptionModuleCfg "libdefaults")
(mkRemovedOptionModuleCfg "realms")
(mkRemovedOptionModuleCfg "domain_realm")
(mkRemovedOptionModuleCfg "capaths")
(mkRemovedOptionModuleCfg "appdefaults")
(mkRemovedOptionModuleCfg "plugins")
(mkRemovedOptionModuleCfg "config")
(mkRemovedOptionModuleCfg "extraConfig")
(mkRemovedOptionModule' "kerberos" ''
The option `krb5.kerberos' has been moved to `security.krb5.package'.
'')
];
options = {
security.krb5 = {
enable = mkOption {
default = false;
description = mdDoc "Enable and configure Kerberos utilities";
type = bool;
};
package = mkPackageOption pkgs "krb5" {
example = "heimdal";
};
settings = mkOption {
default = { };
type = format.type;
description = mdDoc ''
Structured contents of the {file}`krb5.conf` file. See
{manpage}`krb5.conf(5)` for details about configuration.
'';
example = {
include = [ "/run/secrets/secret-krb5.conf" ];
includedir = [ "/run/secrets/secret-krb5.conf.d" ];
libdefaults = {
default_realm = "ATHENA.MIT.EDU";
};
realms = {
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = [
"athena01.mit.edu"
"athena02.mit.edu"
];
};
};
domain_realm = {
"mit.edu" = "ATHENA.MIT.EDU";
};
logging = {
kdc = "SYSLOG:NOTICE";
admin_server = "SYSLOG:NOTICE";
default = "SYSLOG:NOTICE";
};
};
};
};
};
config = mkIf cfg.enable {
environment = {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};
};
meta.maintainers = builtins.attrValues {
inherit (lib.maintainers) dblsaiko h7x4;
};
}

1543
hosts/buskerud/bikkje/services/kerberos/pam.nix Normal file
View File

File diff suppressed because it is too large Load Diff

2
hosts/buskerud/configuration.nix
View File

@ -4,6 +4,8 @@
./hardware-configuration.nix
../../base.nix
../../misc/metrics-exporters.nix
./bikkje
];
# buskerud does not support efi?

16
misc/motd Normal file
View File

@ -0,0 +1,16 @@
███████████ █████ █████ █████ █████
░░███░░░░░███░░███ ░░███ ░░███ ░░███
░███ ░███ ░███ ░███ ░███ ░███
░██████████ ░███ ░███ ░███ ░███
░███░░░░░░ ░░███ ███ ░░███ ███
░███ ░░░█████░ ░░░█████░
█████ ░░███ ░░███
░░░░░ ░░░ ░░░
================= EN ==================|================== NB =================
Welcome to a PVV machine, life is good.|Velkommen til en PVV-maskin,
|livet er deilig.
If you are confused, try pvv.ntnu.no or|Hvis du er forvirret prøv pvv.ntnu.no
our discord server. |eller vår discord-server.
More info at pvv.ntnu.no/kontakt/ |Mer info på pvv.ntnu.no/kontakt/
===============================================================================

20
modules/home-areas.nix Normal file
View File

@ -0,0 +1,20 @@
{ pkgs, lib, ... }:
{
fileSystems = let
# See microbel:/etc/exports
homeMounts = (lib.listToAttrs (map
(l: lib.nameValuePair "/home/pvv/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
[ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ]));
in { }
//
(lib.mapAttrs (_: device: {
inherit device;
fsType = "nfs";
options = [
"nfsvers=3"
"proto=tcp"
"nofail"
"_netdev"
];
}) homeMounts);
}

4
values.nix
View File

@ -56,6 +56,10 @@ in rec {
ipv4 = pvv-ipv4 204;
ipv6 = pvv-ipv6 "1:4f"; # Wtf øystein og daniel why
};
bikkje = {
ipv4 = pvv-ipv4 216;
ipv6 = pvv-ipv6 216;
};
buskerud = {
ipv4 = pvv-ipv4 231;
ipv6 = pvv-ipv6 231;