Merge branch 'master' into icecast

redbrick · May 21, 2020 · 761208a · 761208a
2 parents dff0791 + 208a8b9
commit 761208a
Show file tree

Hide file tree

Showing 33 changed files with 1,586 additions and 300 deletions.
diff --git a/common/options.nix b/common/options.nix
@@ -7,8 +7,8 @@
       type = lib.types.nullOr lib.types.str;
     };
 
-    skipVhosts = lib.mkOption {
-      description = "Skip compiling the list of vhosts. Useful for development boxes";
+    skipCustomVhosts = lib.mkOption {
+      description = "Skip all vhosts that are not based on the TLD. Useful for development boxes";
       default = false;
       defaultText = "False (compile the vhosts)";
       type = lib.types.nullOr lib.types.bool;
@@ -20,5 +20,17 @@
       defaultText = "Null (this is a master)";
       type = lib.types.nullOr lib.types.str;
     };
+
+    smtpBindAddress = lib.mkOption {
+      description = "Address that Postfix expects to send and receive mail on";
+      default = "192.168.0.158";
+      type = lib.types.str;
+    };
+
+    smtpExternalAddress = lib.mkOption {
+      description = "The appropriate public IP forwarding port 587/993 for this mail host";
+      default = "136.206.15.3";
+      type = lib.types.str;
+    };
   };
 }
diff --git a/common/sysconfig.nix b/common/sysconfig.nix
@@ -3,7 +3,10 @@ let
   common = import ./variables.nix;
   tld = config.redbrick.tld;
 in {
-  imports = [ ./options.nix ];
+  imports = [
+    ./options.nix
+    ../packages/overlays
+  ];
 
   time.timeZone = "Europe/Dublin";
   i18n.defaultLocale = "en_IE.UTF-8";
@@ -57,6 +60,14 @@ in {
     ];
   };
 
+  # Enabled Spare cpu cycles to be used for folding@home
+  services.foldingathome = {
+    enable = true;
+    user = "redbrick";
+    team = 43166;
+    extraArgs = [ "--power" "light" ];
+  };
+
   # Enable LDAP
   users.ldap.enable = true;
   users.ldap.timeLimit = 2;

diff --git a/common/variables.nix b/common/variables.nix
@@ -13,11 +13,9 @@ rec {
     "djbdns.now.ie" = "djbdns.now.ie";
     "romana.now.ie" = "djbdns.now.ie";
     "www.luxgaa.lu" = "www.luxgaa.lu";
-    "www.iahpc.ie" = "www.iahpc.ie";
     "techweek.dcu.ie" = "techweek.dcu.ie";
     "games.dcu.ie" = "www.games.dcu.ie";
     "www.games.dcu.ie" = "www.games.dcu.ie";
-    "interlan.dcu.ie" = "interlan.dcu.ie";
   };
 
   userWebtree = uid: "${webtreeDir}/${builtins.substring 0 1 uid}/${uid}";
@@ -40,10 +38,6 @@ rec {
     sslServerCert = "${certsDir}/${domain}/fullchain.pem";
   };
 
-  dovecotHost = "192.168.0.135";
-  dovecotSaslPort = 3659;
-  dovecotLmtpPort = 24;
-
   # Hard coded otherwise NSCD will crash systems during boot if network is down
   # 50 = daedalus
   ldapHostIp = "192.168.0.50";

diff --git a/hosts/hardcase/configuration.nix b/hosts/hardcase/configuration.nix
@@ -12,6 +12,8 @@ in {
     ../../services/thelounge.nix
     ../../services/certs
     ../../services/httpd
+    ../../services/postfix
+    ../../services/dovecot
     ../../services/grafana
     ../../services/loki.nix
     ../../services/prometheus.nix

diff --git a/hosts/hardcase/hardware-configuration.nix b/hosts/hardcase/hardware-configuration.nix
@@ -29,6 +29,13 @@
   systemd.targets.nfs-client.requiredBy = [ "storage.mount" ];
   systemd.targets.nfs-client.before = [ "storage.mount" ];
 
+  fileSystems."/var/spool/mail" =
+    { device = "icarus.internal:/zbackup/mail";
+      fsType = "nfs";
+    };
+  systemd.services.dovecot2.requires = [ "var-spool-mail.mount" ];
+  systemd.services.dovecot2.after = [ "var-spool-mail.mount" ];
+
   # zfs create -o dedup=off -o mountpoint=legacy -o recordsize=4K  zroot/postgres
   fileSystems."/var/db/postgres" =
     { device = "zroot/postgres";

diff --git a/hosts/m1vm/configuration.nix b/hosts/m1vm/configuration.nix
@@ -9,15 +9,14 @@
     ../../services/postfix
     ../../services/dovecot
     ../../services/certs
-    ../../services/thelounge.nix
     ../../services/postgres.nix
   ];
 
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "19.09";
+  system.stateVersion = "20.09";
 
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
@@ -35,8 +34,10 @@
   };
 
   # Dev box, skip loading vhosts
-  redbrick.skipVhosts = true;
-  redbrick.tld = "redbricktest.ml";
+  redbrick.tld = "redbricktest.cf";
+  redbrick.skipCustomVhosts = true;
+  redbrick.smtpBindAddress = "192.168.0.135";
+  redbrick.smtpExternalAddress = "136.206.15.5";
 
   users.users.lucasade = {
     isNormalUser = true;

diff --git a/hosts/m1vm/hardware-configuration.nix b/hosts/m1vm/hardware-configuration.nix
@@ -24,6 +24,13 @@
   systemd.targets.nfs-client.requiredBy = [ "storage.mount" ];
   systemd.targets.nfs-client.before = [ "storage.mount" ];
 
+  fileSystems."/var/spool/mail" =
+    { device = "icarus.internal:/zbackup/mailtest";
+      fsType = "nfs";
+    };
+  systemd.services.dovecot2.requires = [ "var-spool-mail.mount" ];
+  systemd.services.dovecot2.after = [ "var-spool-mail.mount" ];
+
   swapDevices =
     [ { device = "/dev/disk/by-uuid/7ca217d6-538e-4919-a57f-c5cbaeb93832"; }
     ];

diff --git a/hosts/metharme/configuration.nix b/hosts/metharme/configuration.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+let
+  variables = import ../../common/variables.nix;
+in {
+  imports = [
+    ./hardware-configuration.nix
+    ../../common/sysconfig.nix
+    ../../services/ssh.nix
+  ];
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "20.09";
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+
+  networking = {
+    hostName = "metharme";
+    hostId = "1f03060e";
+    defaultGateway = "192.168.0.254";
+    interfaces.eno2.ipv4.addresses = [{
+      address = "192.168.0.156";
+      prefixLength = 24;
+    }];
+  };
+}
diff --git a/hosts/metharme/hardware-configuration.nix b/hosts/metharme/hardware-configuration.nix
@@ -0,0 +1,32 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "mpt3sas" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "zroot/nixos";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "zroot/nixos/store";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/b99bbf80-002b-4c10-9d72-96195bb64f4f"; priority = 100; }
+      { device = "/dev/disk/by-uuid/49a2deff-5fcc-4736-895b-130202648b59"; priority = 100; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 16;
+}
diff --git a/hosts/motherlode/configuration.nix b/hosts/motherlode/configuration.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+let
+  variables = import ../../common/variables.nix;
+in {
+  imports = [
+    ./hardware-configuration.nix
+    ../../common/sysconfig.nix
+    ../../services/ssh.nix
+    ../../services/libvirt.nix
+  ];
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "20.09";
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+
+  networking = {
+    hostName = "motherlode";
+    hostId = "fccc9415";
+    defaultGateway = "192.168.0.254";
+  } // (variables.bondConfig [ "eno1" "eno2" ] "192.168.0.130");
+}
diff --git a/hosts/motherlode/hardware-configuration.nix b/hosts/motherlode/hardware-configuration.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "megaraid_sas" "usbhid" "sd_mod" "sr_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/8c34aaec-4f61-4b29-a451-cd8e8d2bd394";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/28c3f2fd-7b98-4bf6-a778-f73b8064c381"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 8;
+}
diff --git a/nixops.nix b/nixops.nix
@@ -0,0 +1,5 @@
+{
+  icarus = { config, pkgs, ... }: {
+    deployment.targetHost = "192.168.0.150";
+  };
+}
diff --git a/packages/overlays/default.nix b/packages/overlays/default.nix
@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./rsyslog.nix
+  ];
+}
diff --git a/packages/overlays/rsyslog.nix b/packages/overlays/rsyslog.nix
@@ -0,0 +1,11 @@
+{
+  # libksi has an outdated dependency on openssl_1_0_2
+  # We don't need it, so remove it from rsyslog
+  nixpkgs.overlays = [
+    (self: super: {
+      rsyslog = super.rsyslog.override {
+        libksi = null;
+      };
+    })
+  ];
+}
diff --git a/services/dns/default.nix b/services/dns/default.nix
@@ -35,13 +35,13 @@ in {
       {
         # Not using tld here becaue we actually want to configure
         # a specific domain
-        file = "${zonePath}/redbricktest.ml";
+        file = "${zonePath}/redbricktest.cf";
         master = true;
-        name = "redbricktest.ml";
+        name = "redbricktest.cf";
         extraConfig = "allow-update { key ${keyName}; };";
       }
       {
-        file = "${zonePath}/redbricktest.ml.rr";
+        file = "${zonePath}/redbricktest.cf.rr";
         master = true;
         name = "15.206.136.in-addr.arpa";
       }

diff --git a/services/dns/redbricktest.ml b/services/dns/redbricktest.ml
@@ -1,7 +1,7 @@
 $ORIGIN redbricktest.ml.
 $TTL 300
 @       IN      SOA     ns1.redbricktest.ml.     admins.redbricktest.ml. (
-                        2019060506      ; Serial
+                        2019060507      ; Serial
                         1M              ; Slave refresh interval
                         5M              ; Query retry interval
                         1H              ; Expiry
@@ -20,3 +20,4 @@ mail            IN      A       136.206.15.5
 
 www             IN      CNAME   server1
 wiki            IN      CNAME   server1
+lists           IN      CNAME   mail
diff --git a/services/dovecot/auth.nix b/services/dovecot/auth.nix
@@ -1,11 +1,10 @@
-{common, pkgs, vmailUserName, ...}:
+{common, pkgs, tld, ...}:
 let
   bindCreds = import /var/secrets/dovecot_auth.nix;
 
   ldapConfig = pkgs.writeText "dovecot-ldap-config" ''
+    !include /var/secrets/dovecot_auth.conf
     hosts = ${common.ldapHost}
-    dn = ${bindCreds.dn}
-    dnpass = ${bindCreds.password}
     ldap_version = 3
     auth_bind = no
     base = ou=accounts,o=redbrick
@@ -15,6 +14,8 @@ let
     user_filter = (&(objectclass=posixAccount)(uid=%n))
     pass_attrs = uid=uid,homeDirectory=home,userPassword=password
     pass_filter = (&(objectclass=posixAccount)(uid=%n))
+    iterate_attrs = =user=%{ldap:uid}
+    iterate_filter = (objectClass=posixAccount)
     default_pass_scheme = CRYPT
   '';
 
@@ -24,9 +25,15 @@ in pkgs.writeText "dovecot-auth-config" ''
   auth_cache_ttl = 1 hour
   auth_cache_negative_ttl = 1 hour
 
+  # Set domain for login names without a domain specified
+  auth_default_realm = ${tld}
+
   # only use plain username/password auth - OK since everything is over TLS
   auth_mechanisms = plain
 
+  # Don't strip domain from username. Means that mail_location can reference %d
+  auth_username_format = %Lu
+
   # passdb specifies how users are authenticated - LDAP in my case
   passdb {
     driver = ldap