Diffstat (limited to 'fleet/hosts/vityaz')
-rw-r--r--fleet/hosts/vityaz/default.nix112
-rw-r--r--fleet/hosts/vityaz/git.nix67
-rw-r--r--fleet/hosts/vityaz/mail.nix58
-rw-r--r--fleet/hosts/vityaz/mumble.nix21
4 files changed, 258 insertions, 0 deletions
diff --git a/fleet/hosts/vityaz/default.nix b/fleet/hosts/vityaz/default.nix
new file mode 100644
index 0000000..18a4c03
--- /dev/null
+++ b/fleet/hosts/vityaz/default.nix
@@ -0,0 +1,112 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-FileCopyrightText: edef <edef@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ./git.nix
+    ./mail.nix
+    ./mumble.nix
+  ];
+
+  boot.initrd.network.ssh.authorizedKeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJ8Ms9z95InM7oGJLuo7DdDPh3r5xKnglvBSZ7FTTZ8 v@january"
+    "cert-authority ssh-rsa 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 openpgp:0x803010E7"
+  ];
+
+  # TODO(V): Write a proper description for this
+  # It's b/c the default hosts file is borked
+  # And we need the addresses here b/c for some reason the
+  # stub resolver doesn't return the domain name in PTR records
+  networking.hostFiles = mkForce [
+    (pkgs.writeText "hosts" ''
+      157.90.172.8 vityaz.unfathomable.blue
+      2a01:4f8:1c0c:46a9::1:f93f vityaz.unfathomable.blue
+    '')
+  ];
+
+  networking.defaultGateway6.address = "fe80::1";
+  networking.interfaces.ens3.ipv6.addresses = singleton {
+    address = "2a01:4f8:1c0c:46a9::1:f93f";
+    prefixLength = 64;
+  };
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = [ "10.102.120.0" ];
+    listenPort = 51820;
+    privateKeyFile = "/etc/wireguard/0.key";
+    generatePrivateKeyFile = true;
+
+    peers = mapAttrsToList (address: publicKey: {
+      inherit publicKey;
+      allowedIPs = [ "10.102.120.${address}/32" ];
+    }) {
+      "1" = "z6JrEDvTyIB7cPh4RzeyAihNl+pzgHxv08TMyeynQX4=";  # january
+      "2" = "KSigo7Ny3TTOSPBYDOCVm+K92/pIfgawlfAxK/UBfxA=";  # jaguar
+      "3" = "1EcmBoRykRep8IagzhtJ4zZU0r7gx5W7nZFh2m1wSE8=";  # OnePlus 5T
+      "4" = "TqKlPfBk1McfYNk6S7ZtSj/GnyisGWneozQrh0eh1C8=";  # wallaby
+      "5" = "kuEkbQ+6mOGwkNkOHqpnxM/TI3gpc2sQ6L15UxsOMDI=";  # M1
+    };
+
+    preSetup = ''
+      ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -o wg0 -s 10.102.120.0/24 -d 10.102.120.0/24 -j ACCEPT
+    '';
+
+    postShutdown = ''
+      ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o wg0 -s 10.102.120.0/24 -d 10.102.120.0/24 -j ACCEPT
+    '';
+  };
+
+  networking.firewall.interfaces.ens3.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];
+
+  networking.firewall.extraCommands = ''
+    iptables -P FORWARD DROP
+  '';
+
+  boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
+
+  services.caddy.config = ''
+    vityaz.unfathomable.blue {
+      import common
+      redir / https://en.wikipedia.org/wiki/Vityaz-D_Autonomous_Underwater_Vehicle
+      error 404
+    }
+  '';
+
+  users.users = {
+    root = {
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDz+gGXZUvQiLcDgvon28dErFsbii2cVXJ5wVlsUgaBZ v@january"
+        "cert-authority ssh-rsa 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 openpgp:0x803010E7"
+      ];
+    };
+
+    v = {
+      isNormalUser = true;
+      description = "V";
+
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKMEXEIK2PIRkXYb3RCVN15q9DhKsQlbMhHa5BxQyuz v@january"
+      ];
+
+      packages = with pkgs; [
+      ];
+    };
+
+    edef = {
+      isNormalUser = true;
+      description = "edef";
+
+      openssh.authorizedKeys.keys = [
+        "cert-authority ssh-rsa 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 openpgp:0x803010E7"
+      ];
+
+      packages = with pkgs; [
+      ];
+    };
+  };
+}
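Review bot: The FORWARD rule appended in `preSetup` is not idempotent: `-A` adds a second copy every time the wg0 unit is started without its `postShutdown` having run (a crash, or a failed start that retries), while `-D` removes only one. Guarding the insert with a check keeps the rule single, e.g. `${pkgs.iptables}/bin/iptables -C FORWARD -i wg0 -o wg0 -s 10.102.120.0/24 -d 10.102.120.0/24 -j ACCEPT || ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -o wg0 -s 10.102.120.0/24 -d 10.102.120.0/24 -j ACCEPT`. Note also that `iptables -P FORWARD DROP` in `extraCommands` only sets the IPv4 policy; the ip6tables FORWARD policy is left at its default, which is harmless as long as no IPv6 forwarding sysctl is enabled (only `net.ipv4.conf.wg0.forwarding` is, at the line above), but a short comment saying the v6 side is intentionally untouched would help. The two TODO lines above `networking.hostFiles` could become the description they ask for: `# Override the default hosts file so this host's own addresses resolve to its FQDN; the stub resolver's PTR answers omit the domain.`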
diff --git a/fleet/hosts/vityaz/git.nix b/fleet/hosts/vityaz/git.nix
new file mode 100644
index 0000000..66f26db
--- /dev/null
+++ b/fleet/hosts/vityaz/git.nix
@@ -0,0 +1,67 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-FileCopyrightText: edef <edef@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, pkgs, ... }:
+
+with lib;
+
+{
+  # TODO(edef): could we somehow make this use DynamicUser?
+  users.users.git = {
+    isSystemUser = true;
+
+    group = "git";
+
+    home = "/var/lib/git";
+    createHome = true;
+
+    useDefaultShell = true;
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFovWcdS0vQAJiEvwjEIUOv7eip52oX7rVOEMQDJkSL6 v@january"
+      "cert-authority ssh-rsa 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 openpgp:0x803010E7"
+    ];
+
+    packages = with pkgs; [
+      git
+    ];
+  };
+
+  users.groups.git = {};
+
+  # TODO(V): Enable the reflog?
+  declarative.git.repositories = flip genAttrs (repo: {
+    hooks.post-receive = [
+      # FIXME(V): There are more than a number of issues with this!
+      # - non-generic (we could use $GIT_DIR or such)
+      # - requires an explicit remote (we could add this to the config)
+      # - only updates trunk (even if other branches were pushed)
+      # - has no way to filter specific branches from being published
+      # - does not synchronize tags
+      (pkgs.writeShellScript "sync-repository" ''
+        git push trieste:${repo} trunk
+      '')
+    ];
+  }) [
+    # TODO(V): Take the list of public repositories from hosts/trieste/git.nix
+    # (or do the inverse)
+    # (or put this information in a shared location)
+    "ripple"
+    "ripple-website"
+    "nixos-config"
+
+    # Note: private repositories are currently not configured here.
+    # If we find it acceptable to leak their names, they could take advantage of this module as well.
+  ];
+
+  # TODO(V): Linting hooks (honestly, these should just go in CI)
+  # - reuse lint
+  # - check there's a (owner) for every TODO, FIXME, XXX, etc
+  # - make sure everything has been run through rustfmt
+
+  # TODO(V): An equivalent of Bors ("Tolby"?) for our workflow
+  # (or, at least, a queue of commits that must individually pass CI to get merged)
+
+  # TODO(V): Set up CI
+}
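Review bot: The `git` account gets `useDefaultShell = true` together with an `ssh-ed25519` key and a `cert-authority` entry, so any certificate issued by that CA yields a full interactive shell as `git` rather than just push/fetch access. Unless the `declarative.git` module (defined outside this hunk) needs an interactive shell for this user, restricting it to `shell = "${pkgs.git}/bin/git-shell";` limits the account to `git-receive-pack`/`git-upload-pack`, which is all the post-receive sync needs. The hook at `git push trieste:${repo} trunk` also depends on an SSH host alias `trieste` and an SSH identity for the `git` user that this hunk does not configure; a comment such as `# Needs an ssh_config host alias "trieste" and a key for the git user; configured elsewhere` would point a reader to the dependency.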
diff --git a/fleet/hosts/vityaz/mail.nix b/fleet/hosts/vityaz/mail.nix
new file mode 100644
index 0000000..58d6866
--- /dev/null
+++ b/fleet/hosts/vityaz/mail.nix
@@ -0,0 +1,58 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-FileCopyrightText: edef <edef@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ pkgs, ... }:
+
+{
+  services.postfix = {
+    # TODO(V): Set myorigin to $mydomain?
+
+    # We accept mail to ourselves and to the apex
+    destination = [ "$myhostname" "$mydomain" ];
+
+    # TODO(V): Restrict authorized_submit_users to system users
+
+    # TODO(V): Authenticate users
+    networks = [
+      # Defaults
+      "127.0.0.1/32"
+      "157.90.172.8/32"
+      "10.102.120.0/32"
+      "[::1]/128"
+      "[2a01:4f8:1c0c:46a9::1:f93f]/128"
+      "[fe80::9400:ff:feae:b407]/128"
+
+      # Intranet
+      "10.102.120.0/24"
+    ];
+
+    # Wait, why is this enabled here?
+    recipientDelimiter = "+";
+
+    # TODO(V): postscreen + DNSBLs
+    # TODO(V): postgrey
+
+    rootAlias = "v, edef";
+
+    # TODO(V): Forward mails to root to both edef & V
+    # TODO(V): Forward mails to postmaster to both edef & V
+    # TODO(V): Add extra aliases (Alyssa has abuse, noc, security, hostmaster, usenet, news, webmaster, www, uucp, and ftp)
+    # TODO(V): Add more notify_classes
+  };
+
+  systemd.user.paths.mail = {
+    description = "New mail trigger";
+    wantedBy = [ "paths.target" ];
+    pathConfig.PathChanged = "/var/mail/%u/new";
+    unitConfig.ConditionPathExists = "%h/.notmuch-config";
+  };
+
+  systemd.user.services.mail = {
+    description = "New mail indexing";
+    serviceConfig = {
+      Type = "exec";
+      ExecStart = "${pkgs.notmuch}/bin/notmuch new";
+    };
+  };
+}
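Review bot: The `networks` entry `"10.102.120.0/24"` grants unauthenticated relay to every WireGuard peer listed in default.nix, including the phone, not just the workstations; the `TODO(V): Authenticate users` above it notes the missing authentication but leaves the /24 in effect meanwhile. If only specific peers should relay, listing their individual /32 addresses instead of the whole range narrows that until authentication exists. The `PathChanged = "/var/mail/%u/new"` trigger assumes Maildir delivery into `/var/mail/<user>/`, which nothing in this hunk configures; with mbox delivery the path never changes and `notmuch new` never runs, so a comment like `# Assumes local delivery is Maildir under /var/mail/<user>/ (mail_spool_directory ending in "/")` would record the dependency. The leftover question `# Wait, why is this enabled here?` above `recipientDelimiter` should be resolved into a statement before merging, e.g. `# "+" subaddressing (user+tag@) for both users`.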
diff --git a/fleet/hosts/vityaz/mumble.nix b/fleet/hosts/vityaz/mumble.nix
new file mode 100644
index 0000000..dffc6a6
--- /dev/null
+++ b/fleet/hosts/vityaz/mumble.nix
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ config, ... }:
+
+{
+  services.murmur = {
+    enable = true;
+
+    # This isn't actually the hostname, it's the address to bind on.
+    hostName = builtins.head config.networking.wireguard.interfaces.wg0.ips;
+
+    # Another misleading name— it's also used as the root channel name.
+    registerName = "Pool";
+  };
+
+  networking.firewall.interfaces.wg0 = {
+    allowedTCPPorts = [ config.services.murmur.port ];
+    allowedUDPPorts = [ config.services.murmur.port ];
+  };
+}
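Review bot: `hostName = builtins.head config.networking.wireguard.interfaces.wg0.ips` passes the first wg0 address to murmur as the bind address, but the `ips` option also accepts entries with a prefix length; if default.nix ever writes `"10.102.120.0/24"` there, the `/24` ends up in murmur's bind address and the service fails to start. A comment such as `# Relies on wg0.ips holding a bare address (no /prefix); murmur cannot bind a CIDR` would make the coupling explicit, or the suffix could be stripped with `builtins.head (builtins.split "/" ...)`. The server is reachable only over wg0 (bind address plus the firewall block below), and no `password` is set, so membership of the VPN is the whole access control; a one-line comment stating that this is intentional would save the next reader from wondering whether the empty default was an oversight.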