diff --git a/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt b/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
new file mode 100644
index 0000000..a836e9b
--- /dev/null
+++ b/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + d0:17:d1:86:81:d4:f1:28 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com + Validity + Not Before: Nov 2 15:37:13 2018 GMT + Not After : Jan 17 15:37:13 2038 GMT + Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ba:03:39:e3:af:3e:c7:89:bd:d0:07:66:83:18: + 9c:c0:da:56:e8:bb:37:fe:03:67:94:9a:1c:9d:47: + da:6a:a7:6e:56:6d:0a:73:05:79:0e:44:61:71:78: + 33:33:79:b1:ce:a6:9d:87:d0:01:81:10:d5:e3:21: + 0f:d0:e9:ef:86:dc:13:34:62:42:47:81:f6:ce:d8: + 78:de:00:0c:a6:5d:25:d8:cc:72:6a:c4:7c:e1:5b: + 84:2b:e2:3c:b6:51:7e:8e:e6:e1:55:7d:b4:c8:e7: + 98:76:eb:20:15:48:6f:2e:91:ca:b7:17:d4:d9:76: + 5b:40:1c:7e:4c:0b:6f:2c:63:fa:78:c5:8b:b5:36: + b6:01:d9:da:58:a9:06:76:32:18:ca:b2:7c:2d:aa: + 4f:4e:f5:67:30:4c:a6:a3:e3:ef:7c:1d:d3:67:de: + da:a5:b9:57:0d:74:01:c3:24:a9:03:61:98:91:c2: + 1f:1d:a4:36:d2:a6:f4:95:6f:01:6a:99:41:ea:f0: + 8c:7a:7d:a0:0d:34:93:a3:80:cb:19:fb:1a:e1:c4: + 0b:60:5c:8d:33:ea:90:ed:98:d2:2a:06:6e:a2:02: + 1f:f8:2c:1e:d4:d0:d4:8f:93:8d:c9:fe:21:39:6a: + 5b:7b:60:5d:2a:9c:1e:3f:51:31:b1:be:56:28:cb: + 4d:cd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Key Usage: + Digital Signature, Key Encipherment, Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Netscape Cert Type: + SSL Server, SSL CA + Netscape Comment: + Katello SSL Tool Generated Certificate + X509v3 Subject Key Identifier: + 72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF + X509v3 Authority Key Identifier: + keyid:72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF + DirName:/C=US/ST=North 
Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=sat-r220-02.lab.eng.rdu2.redhat.com + serial:D0:17:D1:86:81:D4:F1:28 + + Signature Algorithm: sha256WithRSAEncryption + 70:fe:c6:9f:1a:62:e8:b0:a6:25:df:e8:51:6c:e9:08:48:00: + 72:2b:d8:a2:95:6e:57:01:8e:2a:9c:a0:14:f8:c9:8a:e3:5d: + 48:64:f9:0f:81:e7:3e:b1:c2:cb:a0:ec:55:d6:e4:7f:c0:46: + 7b:bc:66:15:88:61:73:3b:ea:9e:ea:cb:32:79:35:bc:dc:eb: + 6f:d8:d0:89:c2:ae:fd:02:43:cd:e0:38:d6:9c:16:d7:6d:bb: + 2c:73:53:3c:82:56:51:d8:96:71:e1:28:49:31:be:fb:ed:23: + 08:e5:8d:eb:48:c7:25:5d:ef:0e:30:22:d3:93:7f:f1:66:b8: + 7f:8f:5c:d2:97:e7:13:0e:5b:06:1d:fd:97:1d:a5:24:93:d9: + 8a:d2:ba:51:00:b3:71:c8:61:da:79:31:64:75:96:d0:b8:d8: + 45:57:24:40:2f:11:d6:63:70:f5:bf:8d:fc:7f:1b:b9:ad:e0: + 16:6a:89:9b:6a:0c:d3:e3:b5:14:b4:5c:36:8a:b0:dd:15:4d: + 4e:77:e9:9b:29:df:e9:e3:27:dc:87:f8:6e:5d:a9:14:42:5c: + 8b:7b:13:9d:8b:c7:7a:4d:6d:52:7e:5f:02:9f:21:15:de:98: + 5d:f5:25:30:d3:fa:b4:34:f3:ff:8d:36:c7:e3:1c:d3:b1:f7: + b6:7b:ad:40 +-----BEGIN CERTIFICATE----- +MIIFEDCCA/igAwIBAgIJANAX0YaB1PEoMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD +VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp +Z2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYD +VQQDDCNzYXQtcjIyMC0wMi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTAeFw0xODEx +MDIxNTM3MTNaFw0zODAxMTcxNTM3MTNaMIGOMQswCQYDVQQGEwJVUzEXMBUGA1UE +CAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNVBAoMB0th +dGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYDVQQDDCNzYXQtcjIyMC0w +Mi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALoDOeOvPseJvdAHZoMYnMDaVui7N/4DZ5SaHJ1H2mqnblZtCnMF +eQ5EYXF4MzN5sc6mnYfQAYEQ1eMhD9Dp74bcEzRiQkeB9s7YeN4ADKZdJdjMcmrE +fOFbhCviPLZRfo7m4VV9tMjnmHbrIBVIby6RyrcX1Nl2W0AcfkwLbyxj+njFi7U2 +tgHZ2lipBnYyGMqyfC2qT071ZzBMpqPj73wd02fe2qW5Vw10AcMkqQNhmJHCHx2k +NtKm9JVvAWqZQerwjHp9oA00k6OAyxn7GuHEC2BcjTPqkO2Y0ioGbqICH/gsHtTQ +1I+Tjcn+ITlqW3tgXSqcHj9RMbG+VijLTc0CAwEAAaOCAW0wggFpMAwGA1UdEwQF +MAMBAf8wCwYDVR0PBAQDAgGmMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD 
+AjARBglghkgBhvhCAQEEBAMCAkQwNQYJYIZIAYb4QgENBCgWJkthdGVsbG8gU1NM +IFRvb2wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRyzYgGA/5dotCz +IMc3dAaEqKgT3zCBwwYDVR0jBIG7MIG4gBRyzYgGA/5dotCzIMc3dAaEqKgT36GB +lKSBkTCBjjELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw +DgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21l +T3JnVW5pdDEsMCoGA1UEAwwjc2F0LXIyMjAtMDIubGFiLmVuZy5yZHUyLnJlZGhh +dC5jb22CCQDQF9GGgdTxKDANBgkqhkiG9w0BAQsFAAOCAQEAcP7Gnxpi6LCmJd/o +UWzpCEgAcivYopVuVwGOKpygFPjJiuNdSGT5D4HnPrHCy6DsVdbkf8BGe7xmFYhh +czvqnurLMnk1vNzrb9jQicKu/QJDzeA41pwW1227LHNTPIJWUdiWceEoSTG+++0j +COWN60jHJV3vDjAi05N/8Wa4f49c0pfnEw5bBh39lx2lJJPZitK6UQCzcchh2nkx +ZHWW0LjYRVckQC8R1mNw9b+N/H8bua3gFmqJm2oM0+O1FLRcNoqw3RVNTnfpmynf +6eMn3If4bl2pFEJci3sTnYvHek1tUn5fAp8hFd6YXfUlMNP6tDTz/402x+Mc07H3 +tnutQA== +-----END CERTIFICATE----- diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 70d9557..9f2b880 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -87,6 +87,7 @@ in { nix-index nox nix-prefetch-scripts + nix-prefetch-github # Version Control Systems unstablepkgs.pijul @@ -303,6 +304,7 @@ in { testdisk python27Packages.binwalk gptfdisk + gparted # games zeroad diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix index 79d653d..c049f24 100644 --- a/nix/home-manager/configuration/text-minimal.nix +++ b/nix/home-manager/configuration/text-minimal.nix @@ -1,5 +1,5 @@ { pkgs -, config, +, config, ... }: let @@ -23,5 +23,6 @@ in { home.packages = [] ++ (with pkgs; [ iperf3 - ]); + telnet + ]); } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix new file mode 100644 index 0000000..d750eed --- /dev/null +++ b/nix/os/containers/mailserver.nix 
@@ -0,0 +1,147 @@
+{ ... } @ args:
+
+let
+ passwords = import ../../variables/passwords.crypt.nix;
+
+in args // {
+ config = { pkgs, ... }: {
+ imports = [
+ ../profiles/containers/configuration.nix
+ ../profiles/common/user.nix
+ ];
+
+ networking.firewall.enable = false;
+
+ services.ddclientovh = {
+ enable = true;
+ domain = "mailserver.svc.stefanjunker.de";
+ };
+
+ services.dovecot2 = {
+ enable = true;
+
+ modules = [ pkgs.dovecot_pigeonhole ];
+ protocols = [ "sieve" ];
+
+ enableImap = true;
+ enableLmtp = true;
+ enablePAM = true;
+ showPAMFailure = true;
+ mailLocation = "maildir:~/.maildir";
+ sslServerCert = "/etc/secrets/server.pem";
+ sslServerKey = "/etc/secrets/server.key";
+
+ #configFile = "/etc/dovecot/dovecot2_manual.conf";
+ extraConfig = ''
+ auth_mechanisms = cram-md5 digest-md5
+ auth_verbose = yes
+
+ passdb {
+ driver = passwd-file
+ args = scheme=CRYPT username_format=%u /etc/dovecot/users
+ }
+
+ '';
+
+ };
+
+ environment.etc."dovecot/users".text = ''
+ steveej:${passwords.email.steveej}
+ '';
+
+ systemd.services.steveej-getmail-stefanjunker = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.User = "steveej";
+ serviceConfig.Group = "users";
+ description = "Getmail service";
+ path = [ pkgs.getmail ];
+ script = let
+ rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
+ [options]
+ verbose = 1
+ read_all = 0
+ delete_after = 30
+
+ [retriever]
+ type = SimpleIMAPSSLRetriever
+ server = ssl0.ovh.net
+ port = 993
+ username = mail@stefanjunker.de
+ password = ${passwords.email.mailStefanjunkerDe}
+ mailboxes = ('INBOX',)
+
+ [destination]
+ type = Maildir
+ path = ~/.maildir/
+ '';
+ in ''
+ getmail --rcfile=${rc} --idle=INBOX
+ '';
+ };
+
+ systemd.services.steveej-getmail-webde = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.User = "steveej";
+ serviceConfig.Group = "users";
+ description = "Getmail service";
+ path = [ pkgs.getmail ];
+ serviceConfig.RestartSec = 900;
+ serviceConfig.Restart = "always";
+ script = let
+ rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
+ [options]
+ verbose = 1
+ read_all = 0
+ delete_after = 30
+
+ [retriever]
+ type = SimpleIMAPSSLRetriever
+ server = imap.web.de
+ port = 993
+ username = schtif
+ password = ${passwords.email.schtifATwebDe}
+ mailboxes = ('INBOX',)
+
+ [destination]
+ type = Maildir
+ path = ~/.maildir/
+ '';
+ in ''
+ getmail --rcfile=${rc}
+ '';
+ };
+ };
+
+ autoStart = true;
+
+ bindMounts = {
+ "/etc/secrets/" = {
+ hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
+ isReadOnly = false;
+ };
+
+ "/home" = {
+ hostPath = "/var/lib/container-volumes/mailserver/home";
+ isReadOnly = false;
+ };
+ };
+
+ privateNetwork = true ;
+ forwardPorts = [
+ {
+ # imaps
+ containerPort = 993;
+ hostPort = 993;
+ protocol = "tcp";
+ }
+
+ {
+ # sieve
+ containerPort = 4190;
+ hostPort = 4190;
+ protocol = "tcp";
+ }
+ ];
+}
diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
new file mode 100644
index 0000000..56d201d
--- /dev/null
+++ b/nix/os/containers/webserver.nix
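Review bot: The IMAP passwords interpolated into the `pkgs.writeText "mailATstefanjunker.de.getmail.rc"` and `"schtifATweb.de.getmail.rc"` strings, and the credential line in `environment.etc."dovecot/users".text`, are evaluated into the Nix store, which is world-readable, so the `/etc/secrets` bind mount does not protect them. Placing the getmail rc files and the Dovecot passwd-file under the bind-mounted `/etc/secrets` and referencing them by path (e.g. `getmail --rcfile=/etc/secrets/getmail/mailATstefanjunker.de.rc`, a constructed path) keeps them out of the store. Separately, `auth_mechanisms = cram-md5 digest-md5` cannot be verified against a `scheme=CRYPT` passwd-file, because challenge-response mechanisms need either the plaintext password or a mechanism-specific hash; with TLS configured through `sslServerCert`/`sslServerKey` and only port 993 forwarded, `auth_mechanisms = plain login` with the existing CRYPT hashes is the combination that both works and avoids plaintext storage. `networking.firewall.enable = false` appears here and again in the webserver.nix hunk; a comment stating that the host's NAT and `forwardPorts` rules are the intended boundary would record that decision.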
@@ -0,0 +1,88 @@
+{ ... } @ args:
+
+let
+
+in args // {
+ config = { config, pkgs, ... }: {
+ imports = [
+ ../profiles/containers/configuration.nix
+ ];
+
+ networking.firewall.enable = false;
+
+ services.ddclientovh = {
+ enable = true;
+ domain = "www.stefanjunker.de";
+ };
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."stefanjunker.de" = {
+ default = true;
+ onlySSL = true;
+ root = "/var/www/stefanjunker.de/htdocs";
+
+ sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
+ sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
+
+ locations."/fi" = {
+ index = "index.php";
+ };
+
+ locations."~ ^(.+\.php)(.*)$".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(.*)$;
+
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ '';
+ };
+
+ services.phpfpm.phpPackage = pkgs.php56;
+
+ services.phpfpm.poolConfigs.mypool = ''
+ listen = 127.0.0.1:9000
+ user = nobody
+ pm = dynamic
+ pm.max_children = 5
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 3
+ pm.max_requests = 500
+
+ php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+ '';
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ };
+ };
+
+ autoStart = true;
+
+ bindMounts = {
+ "/etc/secrets/" = {
+ hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
+ isReadOnly = true;
+ };
+
+ "/var/www" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-www";
+ isReadOnly = false;
+ };
+
+ "/var/lib/mysql" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
+ isReadOnly = false;
+ };
+ };
+
+ privateNetwork = true;
+ forwardPorts = [
+ {
+ # https
+ containerPort = 443;
+ hostPort = 443;
+ protocol = "tcp";
+ }
+ ];
+}
diff --git a/nix/os/devices/steveej-laptop/configuration.nix b/nix/os/devices/steveej-laptop/configuration.nix
index da100b3..794bafd 100644
--- a/nix/os/devices/steveej-laptop/configuration.nix
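Review bot: The location key `"~ ^(.+\.php)(.*)$"` is a Nix double-quoted string, and Nix reduces the `\.` escape to a bare `.`, so as far as I can tell nginx receives `^(.+.php)(.*)$` and the dot matches any character; write it as `"~ ^(.+\\.php)(.*)$"` (the `''` string used for `fastcgi_split_path_info` keeps its backslash and is fine). The location also hands every matching request to php-fpm without checking that the script exists; adding `try_files $fastcgi_script_name =404;` before `fastcgi_pass 127.0.0.1:9000;` rejects requests whose script path does not resolve on disk, which is the standard mitigation for the `fastcgi_split_path_info` misconfiguration. `services.mysql` is enabled with module defaults and no declared databases or users, so a comment saying how the application's database credentials are provisioned would help the next reader.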
+++ b/nix/os/devices/steveej-laptop/configuration.nix @@ -1,7 +1,7 @@ { ... }: { - imports = [ + imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-t480s-work/configuration.nix b/nix/os/devices/steveej-t480s-work/configuration.nix index a7700f1..17a021d 100644 --- a/nix/os/devices/steveej-t480s-work/configuration.nix +++ b/nix/os/devices/steveej-t480s-work/configuration.nix @@ -15,5 +15,7 @@ ./system.nix ./hw.nix ./pkg.nix + + ../../profiles/podman/configuration.nix ]; } diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix index c280844..7d3aa74 100644 --- a/nix/os/devices/steveej-t480s-work/system.nix +++ b/nix/os/devices/steveej-t480s-work/system.nix @@ -72,4 +72,9 @@ in { authorizedKeys = keys.users.steveej.openssh; }; }; + + security.pki.certificateFiles = [ + "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" + ../../../../certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt + ]; } diff --git a/nix/os/devices/CFB4ED74/boot.nix b/nix/os/devices/vmd32387.contaboserver.net/boot.nix similarity index 100% rename from nix/os/devices/CFB4ED74/boot.nix rename to nix/os/devices/vmd32387.contaboserver.net/boot.nix diff --git a/nix/os/devices/CFB4ED74/configuration.nix b/nix/os/devices/vmd32387.contaboserver.net/configuration.nix similarity index 100% rename from nix/os/devices/CFB4ED74/configuration.nix rename to nix/os/devices/vmd32387.contaboserver.net/configuration.nix diff --git a/nix/os/devices/CFB4ED74/hw.nix b/nix/os/devices/vmd32387.contaboserver.net/hw.nix similarity index 100% rename from nix/os/devices/CFB4ED74/hw.nix rename to nix/os/devices/vmd32387.contaboserver.net/hw.nix diff --git a/nix/os/devices/CFB4ED74/pkg.nix b/nix/os/devices/vmd32387.contaboserver.net/pkg.nix similarity index 100% rename from nix/os/devices/CFB4ED74/pkg.nix rename to nix/os/devices/vmd32387.contaboserver.net/pkg.nix 
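Review bot: The file appended to `security.pki.certificateFiles` in the steveej-t480s-work system.nix hunk is, per the certificates/ hunk, a self-signed Katello certificate with `CA:TRUE`, `Certificate Sign` key usage and a 2038 expiry, so the laptop will accept any server certificate it has signed, not only `sat-r220-02.lab.eng.rdu2.redhat.com`. If only the Satellite tooling needs it, pointing that client at the file instead of the system store limits the blast radius; if it must be system-wide, a comment such as `# lab Satellite CA (self-signed, CA:TRUE), trusted system-wide; remove when the lab host is decommissioned` records the decision. `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` is likely already included by the pki module's default and can probably be dropped, but confirm against the channel pinned in versions.nix.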
diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/vmd32387.contaboserver.net/system.nix similarity index 62% rename from nix/os/devices/CFB4ED74/system.nix rename to nix/os/devices/vmd32387.contaboserver.net/system.nix index 257996d..51dc7b4 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/system.nix @@ -8,18 +8,24 @@ let in { # TASK: new device - networking.hostName = "contabo1"; # Define your hostname. - networking.domain = "bootstrap.clusters.stefanjunker.de"; + networking.hostName = "vmd32387"; # Define your hostname. + networking.domain = "contaboserver.net"; networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 5201 ]; + networking.firewall.logRefusedConnections = false; - networking.useDHCP = true; networking.usePredictableInterfaceNames = false; + networking.dhcpcd = { + enable = true; + persistent = true; + }; + networking.interfaces.eth0 = { + useDHCP = true; ipv6.addresses = [ { address = "2a02:c207:3003:2387::1"; prefixLength = 64; } ]; @@ -29,6 +35,12 @@ in { interface = "eth0"; }; + networking.nat = { + enable = true; + internalInterfaces = [ "ve-+" ]; + externalInterface = "eth0"; + }; + # Kubernetes # services.kubernetes.roles = ["master" "node"]; @@ -57,4 +69,16 @@ in { ip link set $iface down done ''; + + containers = { + mailserver = import ../../containers/mailserver.nix { + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + }; + + webserver = import ../../containers/webserver.nix { + hostAddress = "192.168.100.12"; + localAddress = "192.168.100.13"; + }; + }; } diff --git a/nix/os/devices/CFB4ED74/versions.nix b/nix/os/devices/vmd32387.contaboserver.net/versions.nix similarity index 100% rename from nix/os/devices/CFB4ED74/versions.nix rename to nix/os/devices/vmd32387.contaboserver.net/versions.nix diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix new file mode 100644 index 0000000..43d9c1c --- /dev/null 
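Review bot: `networking.firewall.logRefusedConnections = false` removes the log of refused inbound connections on a host that now publishes IMAPS, sieve and HTTPS from its containers, which is the record an incident responder would look for first; if log volume is the motivation, a comment stating that would help, otherwise leaving the default is preferable. The new `networking.nat` block with `internalInterfaces = [ "ve-+" ]` and the ports published through `forwardPorts` in the container hunks are not reflected in `networking.firewall.allowedTCPPorts`, which still lists only `5201`; whether the NixOS firewall filters the DNAT'd traffic should be verified from the resulting iptables rules on the host rather than assumed. The `# TASK: new device` marker survives the rename and should be removed or updated.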
+++ b/nix/os/modules/ddclient-ovh.nix
@@ -0,0 +1,30 @@
+{ lib
+, config
+, ... }:
+
+let
+ cfg = config.services.ddclientovh;
+
+ passwords = import ../../variables/passwords.crypt.nix;
+
+in {
+
+ options.services.ddclientovh = with lib; {
+ enable = mkEnableOption "Enable ddclient-ovh";
+ domain = mkOption {
+ type = types.string;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.ddclient = {
+ enable = true;
+ protocol = "dyndns2";
+ server = "www.ovh.com";
+ ssl = true;
+ domains = [ cfg.domain ];
+ use = "web, web=ifconfig.co";
+ inherit (passwords.dyndns.${cfg.domain}) username password;
+ };
+ };
+}
diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix
new file mode 100644
index 0000000..b6f3f61
--- /dev/null
+++ b/nix/os/profiles/containers/configuration.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ nixpkgs.overlays = [
+ (import ../../../overlay.nix)
+ ];
+
+ imports = [
+ ../../modules/ddclient-ovh.nix
+ ];
+}
diff --git a/nix/os/profiles/podman/configuration.nix b/nix/os/profiles/podman/configuration.nix
new file mode 100644
index 0000000..3d2b3a7
--- /dev/null
+++ b/nix/os/profiles/podman/configuration.nix
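Review bot: `mkEnableOption "Enable ddclient-ovh"` renders as the description "Whether to enable Enable ddclient-ovh.", because `mkEnableOption` adds that prefix itself; `mkEnableOption "ddclient dynamic DNS updates against OVH"` reads correctly. `domain = mkOption { type = types.string; }` has no `description`, and `types.string` is the deprecated alias of `types.str` on recent channels, so `type = types.str; description = "DNS name to keep updated; must be a key of passwords.dyndns";` covers both. The lookup `passwords.dyndns.${cfg.domain}` fails with a bare attribute-missing error when `domain` has no entry; an `assertion` naming the domain would make that misconfiguration obvious. The OVH `username`/`password` are handed to `services.ddclient`, which renders them into its configuration file; where that file is written, and whether it lands in the world-readable Nix store, depends on the ddclient module version in the pinned channel and is worth confirming.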
@@ -0,0 +1,187 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + podman + runc + conmon + cni + cni-plugins + slirp4netns + ]; + + environment.etc."containers/registries.conf".text = '' + # This is a system-wide configuration file used to + # keep track of registries for various container backends. + # It adheres to TOML format and does not support recursive + # lists of registries. + + [registries.search] + registries = [ 'docker.io' + , 'registry.fedoraproject.org' + , 'registry.access.redhat.com' + , 'quay.io' + ] + + # If you need to access insecure registries, add the registry's fully-qualified name. + # An insecure registry is one that does not have a valid SSL certificate or only does HTTP. + [registries.insecure] + registries = ['localhost:5000'] + ''; + + environment.etc."containers/policy.json".text = '' + { + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": + { + "docker-daemon": + { + "": [{"type":"insecureAcceptAnything"}] + } + } + } + ''; + + environment.etc."cni/net.d/00-loopback.conf".text = '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; + + environment.etc."cni/net.d/87-podman-bridge.conflist".text = '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + + environment.etc."containers/libpod.conf".text = '' + # libpod.conf is the default configuration file for all tools using libpod to + # manage containers + + # Default transport method for pulling and pushing for images + image_default_transport = "docker://" + + # Paths to search for the Conmon container manager binary + runtime_path = [ + "${pkgs.runc}/bin/runc" + ] + + + # Paths to look for the Conmon container manager binary 
+ conmon_path = [ + "${pkgs.conmon}/bin/conmon" + ] + + + # Environment variables to pass into conmon + conmon_env_vars = [ + # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ] + + # CGroup Manager - valid values are "systemd" and "cgroupfs" + cgroup_manager = "systemd" + + # Container init binary + #init_path = "/usr/libexec/podman/catatonit" + + # Directory for persistent libpod files (database, etc) + # By default, this will be configured relative to where containers/storage + # stores containers + # Uncomment to change location from this default + #static_dir = "/var/lib/containers/storage/libpod" + + # Directory for temporary files. Must be tmpfs (wiped after reboot) + tmp_dir = "/var/run/libpod" + + # Maximum size of log files (in bytes) + # -1 is unlimited + max_log_size = -1 + + # Whether to use chroot instead of pivot_root in the runtime + no_pivot_root = false + + # Directory containing CNI plugin configuration files + cni_config_dir = "/etc/cni/net.d/" + + # Directories where the CNI plugin binaries may be located + cni_plugin_dir = [ + "${pkgs.cni-plugins}/bin" + ] + + + # Default CNI network for libpod. + # If multiple CNI network configs are present, libpod will use the network with + # the name given here for containers unless explicitly overridden. + # The default here is set to the name we set in the + # 87-podman-bridge.conflist included in the repository. + # Not setting this, or setting it to the empty string, will use normal CNI + # precedence rules for selecting between multiple networks. + cni_default_network = "podman" + + # Default libpod namespace + # If libpod is joined to a namespace, it will see only containers and pods + # that were created in the same namespace, and will create new containers and + # pods in that namespace. + # The default namespace is "", which corresponds to no namespace. When no + # namespace is set, all containers and pods are visible. 
+ #namespace = "" + + # Default pause image name for pod pause containers + pause_image = "k8s.gcr.io/pause:3.1" + + # Default command to run the pause container + pause_command = "/pause" + + # Determines whether libpod will reserve ports on the host when they are + # forwarded to containers. When enabled, when ports are forwarded to containers, + # they are held open by conmon as long as the container is running, ensuring that + # they cannot be reused by other programs on the host. However, this can cause + # significant memory usage if a container has many ports forwarded to it. + # Disabling this can save memory. + #enable_port_reservation = true + + # Default libpod support for container labeling + # label=true + + # Paths to look for a valid OCI runtime (runc, runv, etc) + # FIXME: this doesn't seem to take effect + [runtimes] + runc = [ + "${pkgs.runc}/bin/runc" + ] +''; + + environment.etc."subuid".text = '' + steveej:10000:65536 + ''; + environment.etc."subgid".text = '' + steveej:10000:65536 + ''; +} diff --git a/nix/overlay.nix b/nix/overlay.nix index 0306421..de75f52 100644 --- a/nix/overlay.nix +++ b/nix/overlay.nix 
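Review bot: `containers/policy.json` sets `"default": [{ "type": "insecureAcceptAnything" }]`, which disables signature policy for every transport, and `registries.search` resolves unqualified image names against four registries starting with `docker.io`, so a short name is fetched from whichever public registry answers first. Restricting `default` to `[{ "type": "reject" }]` with explicit per-registry entries under `transports.docker` for the registries actually used, and pulling by fully-qualified name, makes the trust decision explicit instead of inheriting the upstream default. `registries.insecure = ['localhost:5000']` permits plain HTTP to a local registry and deserves a one-line comment saying it is intentional. The `# FIXME: this doesn't seem to take effect` note on `[runtimes]` should either be resolved or reference the issue it tracks.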
@@ -1,15 +1,26 @@ +self: super: + let nixpkgs-master = import (builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs-channels/archive/de5fd9e6110489722e8667664dce9fdc17331866.tar.gz"; sha256 = "0z1j2pmvn15m2ir2i9l2prr81cq7f1x8xs4cv2s7q4fslz586ghn"; }) {}; + # one application requires php5 + nixpkgsWithPhp5 = super.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs-channels"; + rev = "846d8f8305192dcc3a63139102698b4ac6b9ef9f"; + sha256 = "1qifgc1q2i4g0ivpfjnxp4jl2cc82gfjws08dsllgw7q7kw4b4rb"; + }; -in self: super: { +in { podman = nixpkgs-master.podman; + conmon = nixpkgs-master.conmon; duplicacy = super.callPackage ./pkgs/duplicacy {}; just = super.callPackage ./pkgs/just.nix {}; mfcl3770cdw = super.callPackage ./pkgs/mfcl3770cdw.nix {}; + slirp4netns = super.callPackage ./pkgs/slirp4netns.nix {}; staruml = super.callPackage ./pkgs/staruml.nix { inherit (super.gnome2) GConf; libgcrypt = super.libgcrypt_1_5; }; busyboxStatic = super.busybox.override { @@ -23,4 +34,18 @@ in self: super: { dropbearStatic = super.dropbear.override { enableStatic = true; }; + + php56 = (super.callPackages + "${nixpkgsWithPhp5}/pkgs/development/interpreters/php/default.nix" {}) + .php56.overrideAttrs(drv: rec { + # See https://secure.php.net/ChangeLog-5.php + version = "5.6.40"; + name = "php-${version}"; + + sha256 = "005s7w167dypl41wlrf51niryvwy1hfv53zxyyr3lm938v9jbl7z"; + src = super.fetchurl { + url = "http://www.php.net/distributions/php-${version}.tar.bz2"; + inherit sha256; + }; + }); } diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix new file mode 100644 index 0000000..8d456d6 --- /dev/null +++ b/nix/pkgs/slirp4netns.nix 
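Review bot: `php56` is pinned to `version = "5.6.40"`, the last release of a branch that no longer receives security fixes, and the webserver.nix hunk runs it behind nginx on the public host; the comment `# one application requires php5` should name that application and the plan for moving it to a supported PHP so the exposure is tracked rather than forgotten. The tarball `url` uses `http://`; integrity is still guaranteed by the pinned `sha256`, but `url = "https://www.php.net/distributions/php-${version}.tar.bz2";` avoids the plaintext download at no cost.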
@@ -0,0 +1,49 @@
+{ stdenv
+, fetchFromGitHub
+, autoconf
+, automake
+, libtool
+, gnumake
+, gcc
+}:
+
+stdenv.mkDerivation rec {
+ name = "slirp4netns-${version}";
+ version = "v0.2.1";
+
+ src = fetchFromGitHub {
+ owner = "rootless-containers";
+ repo = "slirp4netns";
+ rev = "${version}";
+ sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4";
+ };
+
+ buildInputs = [
+ autoconf
+ automake
+ libtool
+ gnumake
+ gcc
+ ];
+
+ configurePhase = ''
+ ./autogen.sh
+ ./configure --prefix=""
+ '';
+
+ buildPhase = ''
+ make
+ '';
+
+ installPhase = ''
+ make DESTDIR="$out" install
+ '';
+
+ meta = with stdenv.lib; {
+ description = "User-mode networking for unprivileged network namespaces";
+ homepage = https://github.com/rootless-containers/slirp4netns;
+ license = null;
+ maintainers = [ maintainers.steveej ];
+ platforms = platforms.all;
+ };
+}
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix
index 2ff89f7..f2d3a02 100644
Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ
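Review bot: `license = null;` leaves the derivation without license metadata although upstream ships a GPLv2 `COPYING`; confirm against the pinned rev and set `license = licenses.gpl2;`. `version = "v0.2.1"` makes `name` expand to `slirp4netns-v0.2.1`; the conventional form is `version = "0.2.1";` with `rev = "v${version}";`, and `rev = "${version}"` needs no interpolation in either case. `gcc` and `gnumake` are already provided by `stdenv`, while `autoconf`, `automake` and `libtool` are build-time tools that belong in `nativeBuildInputs`; `./configure --prefix=""` combined with `make DESTDIR="$out" install` also deviates from the usual `--prefix=$out`, which the stdenv phases would handle if `./autogen.sh` were moved into a `preConfigure` hook and the custom phases dropped.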