90c3543d40
...
f2db7dbd95
Author | SHA1 | Date | |
---|---|---|---|
f2db7dbd95 | |||
ac85711356 | |||
ec46a28278 | |||
e7154785dd | |||
ace96d5f7c | |||
b50d7d0e6a | |||
b9b7a1fa58 | |||
1ab6e5d868 | |||
0550754cdd |
7 changed files with 42 additions and 37 deletions
|
@ -15,6 +15,7 @@
|
||||||
perSystem = {
|
perSystem = {
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
system,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
devShells.default = config.pre-commit.devShell;
|
devShells.default = config.pre-commit.devShell;
|
||||||
|
@ -49,6 +50,10 @@
|
||||||
# Per-system attributes can be defined here. The self' and inputs'
|
# Per-system attributes can be defined here. The self' and inputs'
|
||||||
# module parameters provide easy access to attributes of the same
|
# module parameters provide easy access to attributes of the same
|
||||||
# system.
|
# system.
|
||||||
|
_module.args.pkgs = import inputs.nixpkgs {
|
||||||
|
inherit system;
|
||||||
|
config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Equivalent to inputs'.nixpkgs.legacyPackages.hello;
|
# Equivalent to inputs'.nixpkgs.legacyPackages.hello;
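Review bot: The new `config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];` carries no note of which nixpkgs insecurity marking is being waived, why that is acceptable, or when the waiver should be revisited, and because it is set on `_module.args.pkgs` it applies to every per-system output (the devShell included), not only to whichever host runs Jitsi. Record the rationale next to the entry, e.g. `# jitsi-meet 1.0.8043 is flagged insecure in nixpkgs; accepted for now because … — re-check on next nixpkgs bump (issue/date)`, so the exemption does not outlive its reason. Pinning the exact version string, as done here, is the right shape: a newer jitsi-meet that is also flagged will fail evaluation instead of inheriting the waiver. The enclosing `perSystem` function starts before this hunk.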
|
||||||
|
|
|
@ -48,13 +48,6 @@ in {
|
||||||
path = "/var/lib/backups/cthulhu";
|
path = "/var/lib/backups/cthulhu";
|
||||||
allowSubRepos = true;
|
allowSubRepos = true;
|
||||||
};
|
};
|
||||||
dagon = {
|
|
||||||
authorizedKeysAppendOnly = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaTBennwqT9eB43gVD1nM1os3dMPZ8RWwIKPEjqMK5V Dagon Backup"
|
|
||||||
];
|
|
||||||
path = "/var/lib/backups/dagon";
|
|
||||||
allowSubRepos = true;
|
|
||||||
};
|
|
||||||
eihort = {
|
eihort = {
|
||||||
authorizedKeysAppendOnly = [
|
authorizedKeysAppendOnly = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLoDxtY4Tp6NKxLt9oHmWT6w4UpU6eA1TnPU2Ut83BN Eihort Backup"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLoDxtY4Tp6NKxLt9oHmWT6w4UpU6eA1TnPU2Ut83BN Eihort Backup"
|
||||||
|
|
|
@ -29,8 +29,6 @@ in {
|
||||||
postfix = {
|
postfix = {
|
||||||
enable = true;
|
enable = true;
|
||||||
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
|
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
|
||||||
sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
|
|
||||||
sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
|
|
||||||
config = {
|
config = {
|
||||||
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||||
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
|
||||||
|
@ -48,25 +46,17 @@ in {
|
||||||
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
|
# Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
|
||||||
settings.mta.verp_confirmations = "no";
|
settings.mta.verp_confirmations = "no";
|
||||||
};
|
};
|
||||||
nginx.virtualHosts.${cfg.hostName} = {
|
|
||||||
enableACME = true; # Get certificates (primarily for postfix)
|
|
||||||
forceSSL = false; # Don't use HTTPS behind the proxy
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
environment.persistence.${config.impermanence.name} = {
|
environment.persistence.${config.impermanence.name} = {
|
||||||
directories = [
|
directories = [
|
||||||
"/var/lib/acme" # Persist TLS keys and account
|
|
||||||
"/var/lib/mailman"
|
"/var/lib/mailman"
|
||||||
"/var/lib/mailman-web"
|
"/var/lib/mailman-web"
|
||||||
];
|
];
|
||||||
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
|
files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
|
||||||
};
|
};
|
||||||
|
|
||||||
security.acme.defaults.email = cfg.siteOwner;
|
networking.firewall.allowedTCPPorts = [25 80];
|
||||||
security.acme.acceptTerms = true;
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [25 80 443];
|
|
||||||
|
|
||||||
# Update HRZ allowlist
|
# Update HRZ allowlist
|
||||||
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
|
# For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
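Review bot: Dropping `sslCert`/`sslKey` from `services.postfix` leaves no TLS configuration for the MTA in this file, so unless it is provided outside the hunk, Postfix on port 25 (still opened in `networking.firewall.allowedTCPPorts = [25 80]`) would neither offer STARTTLS to the HRZ relay nor use it when sending, and list mail would travel in cleartext. The surviving comments only explain the HTTP side (`Don't use HTTPS behind the proxy`); the SMTP consequence of removing ACME is not addressed anywhere in the new code. Either keep a certificate for Postfix (e.g. obtained by the proxy and handed to this host) or document the decision next to the `postfix` block, e.g. `# No TLS on :25 — SMTP to/from the HRZ relay stays on the internal network (confirm before relying on it)`. The `services` attribute set edited here begins before and ends after the hunk.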
|
||||||
|
|
|
@ -3,21 +3,28 @@ with lib; let
|
||||||
admins = {
|
admins = {
|
||||||
nerf = {
|
nerf = {
|
||||||
hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
|
hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
|
||||||
keys = [
|
sshKeys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
|
||||||
];
|
];
|
||||||
|
nixKeys = [
|
||||||
|
"nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
|
||||||
|
];
|
||||||
};
|
};
|
||||||
gonne = {
|
gonne = {
|
||||||
hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
|
hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
|
||||||
keys = [
|
sshKeys = [
|
||||||
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAhwkSDISCWLN2GhHfxdZsVkK4J7JoEcPwtNbAesb+BZAAAABHNzaDo= Gonne"
|
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAhwkSDISCWLN2GhHfxdZsVkK4J7JoEcPwtNbAesb+BZAAAABHNzaDo= Gonne"
|
||||||
];
|
];
|
||||||
|
nixKeys = [
|
||||||
|
"gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
mkAdmin = name: {
|
mkAdmin = name: {
|
||||||
hashedPassword,
|
hashedPassword,
|
||||||
keys,
|
sshKeys,
|
||||||
|
...
|
||||||
}: {
|
}: {
|
||||||
"${name}" = {
|
"${name}" = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
@ -25,10 +32,12 @@ with lib; let
|
||||||
extraGroups = ["wheel"];
|
extraGroups = ["wheel"];
|
||||||
group = "users";
|
group = "users";
|
||||||
home = "/home/${name}";
|
home = "/home/${name}";
|
||||||
openssh.authorizedKeys = {inherit keys;};
|
openssh.authorizedKeys = {keys = sshKeys;};
|
||||||
inherit hashedPassword;
|
inherit hashedPassword;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
mkNixKeys = _: {nixKeys, ...}: nixKeys;
|
||||||
in {
|
in {
|
||||||
users.users = mkMerge (mapAttrsToList mkAdmin admins);
|
users.users = mkMerge (mapAttrsToList mkAdmin admins);
|
||||||
|
nix.settings.trusted-public-keys = lists.concatLists (mapAttrsToList mkNixKeys admins);
|
||||||
}
|
}
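Review bot: `mkNixKeys = _: {nixKeys, ...}: nixKeys;` makes `nixKeys` a required attribute, so any future `admins` entry without a personal signing key breaks evaluation on every host importing this file; `mkNixKeys = _: {nixKeys ? [], ...}: nixKeys;` keeps the mapping total for admins that only need SSH access. The change also turns a per-person key into a host-wide trust decision that deserves a comment above `admins`: every key in `nixKeys` lands in `nix.settings.trusted-public-keys`, so whoever holds it can sign store paths these hosts will substitute without rebuilding — `# nixKeys: binary-cache signing keys; each is trusted to sign store paths on every host (supply-chain trust, keep the list minimal)`. With `with lib;` already in scope, `lists.concatLists` can simply be `concatLists`, matching the bare `mkMerge`/`mapAttrsToList` on the neighbouring line.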
|
||||||
|
|
|
@ -5,18 +5,11 @@
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
./admins.nix
|
./admins.nix
|
||||||
./nix_keys.nix
|
./nix.nix
|
||||||
./prometheusNodeExporter.nix
|
./prometheusNodeExporter.nix
|
||||||
../modules/impermanence.nix
|
../modules/impermanence.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
nix = {
|
|
||||||
extraOptions = ''
|
|
||||||
experimental-features = nix-command flakes
|
|
||||||
builders-use-substitutes = true
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
firewall = {
|
firewall = {
|
||||||
# these shoud be default, but better make sure!
|
# these shoud be default, but better make sure!
|
||||||
|
|
22
nixos/roles/nix.nix
Normal file
22
nixos/roles/nix.nix
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
{
|
||||||
|
nix = {
|
||||||
|
settings = {
|
||||||
|
# trusted-public-keys belonging to specific persons are set in rolse/admins.nix
|
||||||
|
trusted-public-keys = [];
|
||||||
|
experimental-features = [
|
||||||
|
"flakes"
|
||||||
|
"nix-command"
|
||||||
|
];
|
||||||
|
auto-optimise-store = true;
|
||||||
|
fallback = true;
|
||||||
|
builders-use-substitutes = true;
|
||||||
|
};
|
||||||
|
gc = {
|
||||||
|
automatic = true;
|
||||||
|
persistent = false;
|
||||||
|
dates = "weekly";
|
||||||
|
options = "-d";
|
||||||
|
randomizedDelaySec = "5h";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
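Review bot: `trusted-public-keys = [];` is an explicit definition, so it replaces whatever default would otherwise supply the cache.nixos.org signing key (the NixOS option default or Nix's compiled-in default) rather than merging with it; unless that key is added elsewhere, substitutes from the official cache will fail signature verification on these hosts, and `fallback = true` two lines below turns that into silent source builds instead of a visible error. Since the admin keys from `admins.nix` already merge into the same list option, the empty definition adds nothing — drop the line, or list the cache.nixos.org key explicitly so the whole trust set is visible in one place. The comment on that line has a path typo: `rolse/admins.nix` should read `roles/admins.nix`. Separately, `options = "-d";` with `dates = "weekly"` also deletes every old system generation, which removes the rollback targets a bad `nixos-rebuild switch` would need; `--delete-older-than 14d` keeps a window if that was not the intent.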
|
|
@ -1,7 +0,0 @@
|
||||||
{
|
|
||||||
imports = [];
|
|
||||||
nix.settings.trusted-public-keys = [
|
|
||||||
"nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
|
|
||||||
"gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
|
|
||||||
];
|
|
||||||
}
|
|