Diffstat (limited to 'labernix/machines')
-rw-r--r-- | labernix/machines/heinrich.nix | 143 | ||||
-rw-r--r-- | labernix/machines/labtop.nix | 72 | ||||
-rw-r--r-- | labernix/machines/mailserver.nix | 119 |
3 files changed, 334 insertions, 0 deletions
diff --git a/labernix/machines/heinrich.nix b/labernix/machines/heinrich.nix
new file mode 100644
index 00000000..8ce69950
--- /dev/null
+++ b/labernix/machines/heinrich.nix
@@ -0,0 +1,143 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ routes = {
+ moritz = {
+ id = 14;
+ address = "192.168.0.12";
+ prefixLength = 24;
+ gateway = "192.168.0.1";
+ destination = "144.76.143.122";
+ };
+
+ hotelturm = {
+ id = 8;
+ address = "10.11.77.5";
+ prefixLength = 24;
+ gateway = "10.11.77.16";
+ destination = "10.11.7.0/24";
+ };
+ };
+
+ internalIf = config.heinrich.internalInterface;
+ externalIf = config.heinrich.externalInterface;
+
+ mkRouteConfig = name: cfg: {
+ key = "routes-${name}";
+
+ networking.vlans.${name} = {
+ inherit (cfg) id;
+ interface = externalIf;
+ };
+
+ networking.interfaces.${name}.ip4 = singleton {
+ inherit (cfg) address prefixLength;
+ };
+
+ systemd.network.networks."40-${name}".routes = singleton {
+ routeConfig.Gateway = cfg.gateway;
+ routeConfig.Destination = cfg.destination;
+ };
+ };
+
+in {
+ imports = singleton ../common.nix ++ mapAttrsToList mkRouteConfig routes;
+
+ options.heinrich = {
+ internalInterface = mkOption {
+ type = types.str;
+ default = "enp7s0";
+ description = ''
+ The internal network interface where Heinrich is serving DHCP and DNS
+ requests.
+ '';
+ };
+
+ externalInterface = mkOption {
+ type = types.str;
+ default = "enp5s0";
+ description = ''
+ The external network interface where Heinrich is connected to the
+ internet.
+ '';
+ };
+ };
+
+ config = {
+ networking.useDHCP = false;
+ networking.interfaces.${externalIf}.ip4 = mkForce [];
+ networking.interfaces.${internalIf}.ip4 = lib.singleton {
+ address = "172.16.0.1";
+ prefixLength = 24;
+ };
+
+ services.dnsmasq.enable = true;
+ services.dnsmasq.resolveLocalQueries = false;
+ services.dnsmasq.extraConfig = ''
+ dhcp-range=172.16.0.100,172.16.0.254,12h
+
+ dhcp-option=3,172.16.0.1 # Gateway
+ dhcp-option=6,172.16.0.1 # DNS-server
+
+ local=/openlab.lan/
+ domain=openlab.lan
+
+ dhcp-leasefile=/var/db/dnsmasq/dhcp.leases
+ '';
+
+ systemd.services.dnsmasq-pre = {
+ description = "Pre-Init DNSMasq";
+ before = [ "dnsmasq.service" ];
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ mkdir -p /var/db/dnsmasq
+ chown dnsmasq:nogroup /var/db/dnsmasq
+ '';
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = true;
+ };
+
+ users.motd = ''
+ 0. Never touch a running system.
+ 1. Dokumentiere alle trotz 0 erfolgten Änderungen im Github-Repo:
+ https://github.com/openlab-aux/labnetz-doku
+ 2. Mit großer Macht geht große Verantwortung einher.
+ 3. So weit!
+ 4. ...
+ 5. Reisst dir Hannes den Arsch auf, wenn Du die Punkte 0-2 ignorierst.
+ '';
+
+ # TODO: This is a dummy, replace it once we know about the real root fs.
+ fileSystems."/".label = "root";
+ boot.loader.grub.device = "nodev";
+
+ networking.useNetworkd = true;
+ networking.firewall.enable = false;
+ networking.nat.enable = true;
+ networking.nat.externalIP = routes.hotelturm.address;
+ networking.nat.externalInterface = "hotelturm";
+ networking.nat.internalIPs = [ "172.16.0.1/24" ];
+ networking.nat.internalInterfaces = [ internalIf ];
+
+ /* TODO!
+ services.openvpn.enable = true;
+ services.openvpn.servers.heinrich.config = ''
+ dev tun0
+ remote 144.76.143.122
+ ifconfig 10.9.8.2 10.9.8.1
+ secret /etc/openvpn/priv.key
+
+ comp-lzo
+
+ keepalive 10 60
+ ping-timer-rem
+ persist-tun
+ persist-key
+
+ route 0.0.0.0 0.0.0.0
+ '';
+ */
+ };
+}
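Review bot: `services.dnsmasq.extraConfig` has no `interface=` or bind restriction, so the DHCP and DNS listener answers on every interface of this box — including the `moritz` and `hotelturm` VLANs facing upstream — not only on `internalIf`, and `networking.firewall.enable = false;` a few lines below removes the packet filter that would otherwise limit that exposure; together they make Heinrich an open resolver and DHCP responder towards the external side. Restricting the listener to the internal interface is a two-line addition inside the same string, `interface=${internalIf}` and `bind-dynamic`, after which the firewall can be re-enabled with the NAT rules still in place. The `/* TODO! ... */` OpenVPN block is commented out and is not part of this review.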
diff --git a/labernix/machines/labtop.nix b/labernix/machines/labtop.nix
new file mode 100644
index 00000000..bf376ba5
--- /dev/null
+++ b/labernix/machines/labtop.nix
@@ -0,0 +1,72 @@
+{ pkgs, ... }:
+
+let
+ greybird = pkgs.stdenv.mkDerivation {
+ name = "greybird-xfce-theme";
+
+ src = pkgs.fetchFromGitHub {
+ repo = "Greybird";
+ owner = "shimmerproject";
+ rev = "61ec18d22780aa87998381599c941e0cf4f7bfb5";
+ sha256 = "03h8hba4lfp337a4drylcplrbggry9gz8dq1f3gjy25fhqkgvq05";
+ };
+
+ phases = [ "unpackPhase" "installPhase" ];
+
+ installPhase = ''
+ mkdir -p "$out/share/themes/Greybird" \
+ "$out/share/themes/Greybird-compact/xfwm4"
+ cp -vrt "$out/share/themes/Greybird" \
+ gtk-* metacity-1 unity xfce-notify-4.0 xfwm4
+ cp -vrt "$out/share/themes/Greybird-compact/xfwm4" \
+ xfwm4_compact/*
+ '';
+ };
+
+in {
+ imports = [ ../common.nix ];
+
+ i18n = {
+ consoleFont = "lat9w-16";
+ consoleKeyMap = "us";
+ defaultLocale = "de_DE.UTF-8";
+ };
+
+ # TODO: This is a dummy, replace it once we know about the real root fs.
+ fileSystems."/".label = "root";
+ boot.loader.grub.device = "nodev";
+
+ environment.systemPackages = [
+ greybird
+ #repetierhost <- TODO
+ pkgs.firefox
+ pkgs.gimp
+ pkgs.freecad
+ pkgs.openscad
+ #pkgs.pronterface <- TODO
+ pkgs.blender
+ pkgs.slic3r
+ pkgs.libreoffice
+ pkgs.inkscape
+ pkgs.filezilla
+ pkgs.gmpc
+ pkgs.vlc
+ ];
+
+ # TODO: Needed for slic3r right now.
+ nixpkgs.config.allowBroken = true;
+
+ services.xserver.enable = true;
+ services.xserver.layout = "us";
+ services.xserver.xkbOptions = "eurosign:e";
+
+ services.xserver.displayManager.auto.enable = true;
+ services.xserver.displayManager.auto.user = "openlab";
+ services.xserver.desktopManager.xfce.enable = true;
+
+ users.mutableUsers = false;
+ users.extraUsers.openlab = {
+ uid = 1000;
+ isNormalUser = true;
+ };
+}
diff --git a/labernix/machines/mailserver.nix b/labernix/machines/mailserver.nix
new file mode 100644
index 00000000..7d4bd397
--- /dev/null
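Review bot: `nixpkgs.config.allowBroken = true;` is a machine-wide switch, so it waives the `meta.broken` guard for every package this configuration evaluates rather than only for the `pkgs.slic3r` the TODO comment names; any other entry in `environment.systemPackages` that later gets marked broken will then install silently instead of failing evaluation. Scoping the waiver to that single package — an override of `meta.broken` on `pkgs.slic3r` in the package list — keeps the guard for the rest, and the TODO comment should say what "right now" depends on so the override can be dropped later. The `greybird` derivation is pinned by `rev` and `sha256`, which is the right shape for a source fetched from GitHub.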
+++ b/labernix/machines/mailserver.nix 
@@ -0,0 +1,119 @@
+{ config, pkgs, lib, ... }: let
+ vhostMap = {
+ smtpd_sender_login_maps = [
+ "SELECT username AS allowedUser"
+ "FROM mailbox"
+ "WHERE username='%s' AND active = 1"
+ "UNION SELECT goto FROM alias"
+ "WHERE address='%s' AND active = 1"
+ ];
+
+ virtual_alias_maps = [
+ "SELECT goto"
+ "FROM alias"
+ "WHERE address='%s' AND active = '1'"
+ ];
+
+ virtual_mailbox_domains = [
+ "SELECT domain"
+ "FROM domain"
+ "WHERE domain='%s' AND active = '1'"
+ ];
+
+ virtual_mailbox_maps = [
+ "SELECT maildir"
+ "FROM mailbox"
+ "WHERE username='%s' AND active = '1'"
+ ];
+ };
+
+ mkDbMap = query: "proxy:pgsql:${pkgs.writeText "database.cf" ''
+ hosts = localhost
+ user = postfix
+ dbname = postfix
+ query = ${query}
+ ''}";
+
+in {
+ imports = [ ../common.nix ];
+
+ services.spamassassin.enable = true;
+
+ services.postfix.enable = true;
+ services.postfix.hostname = "mailtest.lan";
+
+ # TODO: This is a dummy, replace it once we know about the real root fs.
+ fileSystems."/".label = "root";
+ boot.loader.grub.device = "nodev";
+
+ labernix.postfix.restrictions = {
+ sender = [
+ "reject_authenticated_sender_login_mismatch"
+ "reject_unknown_sender_domain"
+ ];
+ recipient = [
+ "permit_sasl_authenticated"
+ "permit_mynetworks"
+ "reject_unauth_destination"
+ "reject_invalid_hostname"
+ "reject_non_fqdn_hostname"
+ "reject_non_fqdn_sender"
+ "reject_non_fqdn_recipient"
+ "reject_unknown_reverse_client_hostname"
+ ];
+ helo = [
+ "permit_sasl_authenticated"
+ "permit_mynetworks"
+ "reject_invalid_hostname"
+ "reject_unauth_pipelining"
+ "reject_non_fqdn_hostname"
+ ];
+ };
+
+ services.postfix.extraConfig = ''
+ ${lib.concatStrings (lib.mapAttrsToList (cfgvar: query: ''
+ ${cfgvar} = ${mkDbMap (lib.concatStringsSep " " query)}
+ '') vhostMap)}
+
+ # a bit more spam protection
+ disable_vrfy_command = yes
+
+ smtpd_sasl_type=dovecot
+ smtpd_sasl_path=private/auth_dovecot XXXXXXXXXXXXXXX
+ smtpd_sasl_auth_enable = yes
+ smtpd_sasl_authenticated_header = yes
+ broken_sasl_auth_clients = yes
+
+ proxy_read_maps = ${lib.concatStringsSep " " (map (s: "\$${s}") [
+ "local_recipient_maps" "mydestination" "virtual_alias_maps"
+ "virtual_alias_domains" "virtual_mailbox_maps" "virtual_mailbox_domains"
+ "relay_recipient_maps" "relay_domains" "canonical_maps"
+ "sender_canonical_maps" "recipient_canonical_maps" "relocated_maps"
+ "transport_maps" "mynetworks" "smtpd_sender_login_maps"
+ ])}
+
+ local_transport = virtual
+ virtual_transport = dovecot
+
+ virtual_uid_maps = static:5000 XXXXXXXXXXXX
+ virtual_gid_maps = static:5000 XXXXXXXXXXXX
+
+ smtpd_tls_cert_file=/etc/ssl/mail.crt XXXX: KEYS
+ smtpd_tls_key_file=/etc/ssl/mail.key XXXX: KEYS
+ smtpd_use_tls=yes
+ '';
+
+ services.postfix.extraMasterConf = ''
+ mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ''${nexthop} ''${user}
+ # ^^^ FIXME: maybe not needed!
+
+ dovecot unix - n n - - pipe
+ flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ''${recipient}
+ # ^^^ FIXME: maybe not needed!
+
+ spamassassin unix - n n - - pipe
+ user=${toString config.ids.uids.spamd} argv=${pkgs.spamassassin}/bin/spamc -f -e /var/setuid-wrappers/sendmail -oi -f ''${sender} ''${recipient}
+ # ^^^ FIXME: maybe not needed!
+ '';
+} |
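Review bot: `smtpd_sasl_auth_enable = yes` in `services.postfix.extraConfig` is not paired with `smtpd_tls_auth_only = yes`, and TLS is switched on only through the legacy `smtpd_use_tls=yes`, so the AUTH capability is offered on plaintext sessions and the Dovecot credentials it validates can cross the wire unencrypted. Adding `smtpd_tls_auth_only = yes` and replacing `smtpd_use_tls=yes` with `smtpd_tls_security_level = may` keeps AUTH behind STARTTLS without refusing unencrypted inbound delivery. Separately, the `XXXXXXXXXXXXXXX` and `XXXX: KEYS` markers after `smtpd_sasl_path`, `virtual_uid_maps`, `virtual_gid_maps`, `smtpd_tls_cert_file` and `smtpd_tls_key_file` sit inside the `''` string and are emitted into main.cf as part of those values (main.cf does not support trailing comments), so as written those five settings point at a non-existent socket, an unparsable uid/gid and wrong certificate paths; they belong in Nix `#` comments outside the string. The `user=vmail:vmail` in the dovecot pipe service versus `static:5000` for the virtual uid/gid looks inconsistent, but whether 5000 is the vmail id cannot be told from this file.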