diff --git a/flake-module.nix b/flake-module.nix
index c30fff4..0cb9369 100644
--- a/flake-module.nix
+++ b/flake-module.nix
@@ -15,7 +15,6 @@
   perSystem = {
     config,
     pkgs,
-    system,
     ...
   }: {
     devShells.default = config.pre-commit.devShell;
@@ -50,10 +49,6 @@
     # Per-system attributes can be defined here. The self' and inputs'
     # module parameters provide easy access to attributes of the same
     # system.
-    _module.args.pkgs = import inputs.nixpkgs {
-      inherit system;
-      config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"];
-    };
   };
   # Equivalent to inputs'.nixpkgs.legacyPackages.hello;
diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix
index 9889238..cb27add 100644
--- a/nixos/modules/borgbackup.nix
+++ b/nixos/modules/borgbackup.nix
@@ -48,6 +48,13 @@ in {
       path = "/var/lib/backups/cthulhu";
       allowSubRepos = true;
     };
+    dagon = {
+      authorizedKeysAppendOnly = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaTBennwqT9eB43gVD1nM1os3dMPZ8RWwIKPEjqMK5V Dagon Backup"
+      ];
+      path = "/var/lib/backups/dagon";
+      allowSubRepos = true;
+    };
     eihort = {
       authorizedKeysAppendOnly = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLoDxtY4Tp6NKxLt9oHmWT6w4UpU6eA1TnPU2Ut83BN Eihort Backup"
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index 5cfa63d..597a2f1 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -29,6 +29,8 @@ in {
     postfix = {
       enable = true;
       relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
+      sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
+      sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
       config = {
         transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
         local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
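Review bot: Nothing in the new `sslCert`/`sslKey` lines arranges for Postfix to be reloaded when the ACME certificate under `config.security.acme.certs.${cfg.hostName}.directory` is renewed; the nginx integration reloads nginx on its own, but Postfix is left to pick up the new `key.pem`/`full.pem` whenever its smtpd processes happen to be recycled, so a renewed certificate may take effect late or inconsistently. Adding `security.acme.certs.${cfg.hostName}.reloadServices = ["postfix.service"];` next to the other `security.acme` settings makes the renewal deterministic. Whether the enclosing `services` block already does this elsewhere is not visible in the hunk.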
@@ -46,17 +48,25 @@ in {
       # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
       settings.mta.verp_confirmations = "no";
     };
+    nginx.virtualHosts.${cfg.hostName} = {
+      enableACME = true; # Get certificates (primarily for postfix)
+      forceSSL = false; # Don't use HTTPS behind the proxy
+    };
   };
   environment.persistence.${config.impermanence.name} = {
     directories = [
+      "/var/lib/acme" # Persist TLS keys and account
       "/var/lib/mailman"
       "/var/lib/mailman-web"
     ];
     files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
   };
-  networking.firewall.allowedTCPPorts = [25 80];
+  security.acme.defaults.email = cfg.siteOwner;
+  security.acme.acceptTerms = true;
+
+  networking.firewall.allowedTCPPorts = [25 80 443];
   # Update HRZ allowlist
   # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
diff --git a/nixos/roles/admins.nix b/nixos/roles/admins.nix
index 7b8c524..1bc6d4c 100644
--- a/nixos/roles/admins.nix
+++ b/nixos/roles/admins.nix
@@ -3,28 +3,21 @@ with lib; let
   admins = {
     nerf = {
       hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
-      sshKeys = [
+      keys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
       ];
-      nixKeys = [
-        "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
-      ];
     };
     gonne = {
       hashedPassword = "$6$EtGpHEcFkOi0yUWp$slXf0CvIUrhdqaoCrQ5YwtYu2IVuE1RGGst4fnDPRLWVm.lYx0ruvSAF2/vw/sLbW37ORJjlb0NHQ.kSG7cVY/";
-      sshKeys = [
+      keys = [
         "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAhwkSDISCWLN2GhHfxdZsVkK4J7JoEcPwtNbAesb+BZAAAABHNzaDo= Gonne"
       ];
-      nixKeys = [
-        "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
-      ];
     };
   };
   mkAdmin = name: {
     hashedPassword,
-    sshKeys,
-    ...
+    keys,
   }: {
     "${name}" = {
       isNormalUser = true;
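Review bot: Port 443 is added to `networking.firewall.allowedTCPPorts`, but the new vhost only sets `enableACME = true` with `forceSSL = false` and no `addSSL`/`onlySSL`, so as far as this hunk shows nginx does not open an HTTPS listener for this host and the rule exposes a port with nothing behind it. Either keep the list at `[25 80]` and let the ACME challenge run over port 80, or, if HTTPS on this host is wanted after all, set `addSSL = true;` on the vhost and update the `# Don't use HTTPS behind the proxy` comment to match. If another vhost outside this hunk already listens on 443, a comment on the port list saying which one would spare the next reader the same question.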
@@ -32,12 +25,10 @@ with lib; let
       extraGroups = ["wheel"];
       group = "users";
       home = "/home/${name}";
-      openssh.authorizedKeys = {keys = sshKeys;};
+      openssh.authorizedKeys = {inherit keys;};
       inherit hashedPassword;
     };
   };
-  mkNixKeys = _: {nixKeys, ...}: nixKeys;
 in {
   users.users = mkMerge (mapAttrsToList mkAdmin admins);
-  nix.settings.trusted-public-keys = lists.concatLists (mapAttrsToList mkNixKeys admins);
 }
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 851db7c..2936ac3 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -5,11 +5,18 @@
 }: {
   imports = [
     ./admins.nix
-    ./nix.nix
+    ./nix_keys.nix
     ./prometheusNodeExporter.nix
     ../modules/impermanence.nix
   ];
+  nix = {
+    extraOptions = ''
+      experimental-features = nix-command flakes
+      builders-use-substitutes = true
+    '';
+  };
+
   networking = {
     firewall = {
       # these shoud be default, but better make sure!
diff --git a/nixos/roles/nix.nix b/nixos/roles/nix.nix
deleted file mode 100644
index 543ac7d..0000000
--- a/nixos/roles/nix.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-  nix = {
-    settings = {
-      # trusted-public-keys belonging to specific persons are set in rolse/admins.nix
-      trusted-public-keys = [];
-      experimental-features = [
-        "flakes"
-        "nix-command"
-      ];
-      auto-optimise-store = true;
-      fallback = true;
-      builders-use-substitutes = true;
-    };
-    gc = {
-      automatic = true;
-      persistent = false;
-      dates = "weekly";
-      options = "-d";
-      randomizedDelaySec = "5h";
-    };
-  };
-}
diff --git a/nixos/roles/nix_keys.nix b/nixos/roles/nix_keys.nix
new file mode 100644
index 0000000..97e5dc5
--- /dev/null
+++ b/nixos/roles/nix_keys.nix
@@ -0,0 +1,7 @@
+{
+  imports = [];
+  nix.settings.trusted-public-keys = [
+    "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
+    "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
+  ];
+}
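Review bot: The new `nix.extraOptions` block writes `experimental-features` and `builders-use-substitutes` as free text into nix.conf, replacing the typed `nix.settings` entries the deleted nix.nix used, so any other module that sets `nix.settings.experimental-features` ends up with a second, separately emitted line instead of a merged value. `nix.settings.experimental-features = ["nix-command" "flakes"];` and `nix.settings.builders-use-substitutes = true;` keep the merge semantics and the type checking. The deleted nix.nix also carried `auto-optimise-store`, `fallback` and the weekly `nix.gc` job, none of which reappear here; if dropping automatic garbage collection is intended, a one-line comment saying so next to the new `nix` block would save the next reader a search through history.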
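Review bot: Each entry in `nix.settings.trusted-public-keys` lets whoever holds the matching private key hand this host store paths it will accept as valid, yet the new file records neither whose keys these are nor why they are trusted, whereas the deleted nix.nix at least pointed at admins.nix for that attribution. The key names suggest they belong to the two admins, so a comment per entry such as `# nerf's personal signing key (user defined in admins.nix)`, and the same for gonne, keeps the link to a person and makes it obvious which line to remove when an admin leaves. `imports = [];` on the second line does nothing and can be dropped.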