forked from Fachschaft/nixConfig
74 lines
1.9 KiB
Nix
74 lines
1.9 KiB
Nix
{
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: {
|
|
imports = [
|
|
./admins.nix
|
|
./nix.nix
|
|
./prometheusNodeExporter.nix
|
|
../modules/impermanence.nix
|
|
];
|
|
|
|
networking = {
|
|
firewall = {
|
|
# these shoud be default, but better make sure!
|
|
enable = true;
|
|
allowPing = true;
|
|
};
|
|
nftables.enable = true;
|
|
useDHCP = false; # We don't speak DHCP and even if we would, we should enable it per interface
|
|
# hosts = # TODO write something to autogenerate ip adresses!
|
|
};
|
|
|
|
users = {
|
|
mutableUsers = false;
|
|
users.root.hashedPassword = "!";
|
|
};
|
|
|
|
impermanence.enable = true;
|
|
|
|
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
|
|
|
# additional trusted keys for substituters for every machine
|
|
# right now it is only nodens so nodens can build system configs
|
|
# and we can deploy them from nodens.
|
|
# For security reasons we might want to move this to the vm part, as
|
|
# someone who can get control of nodens and get hold of the build process
|
|
# can gain control of the other machines. While this is very handy
|
|
# and a step towards CI, we might not want this for backups.
|
|
# (This is a tradeof between security and convenience)
|
|
nix.settings.trusted-public-keys = ["nodens-deploy.key:VHJmEr17pdoEEnWlSfC03TIf4GBbClxGRiInHuWaUvU="];
|
|
|
|
environment = {
|
|
systemPackages = builtins.attrValues {
|
|
inherit
|
|
(pkgs)
|
|
htop
|
|
lsof
|
|
tmux
|
|
btop
|
|
;
|
|
};
|
|
};
|
|
|
|
services = {
|
|
journald.extraConfig = "SystemMaxUse=5G";
|
|
|
|
nginx = {
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedTlsSettings = true;
|
|
};
|
|
|
|
openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
#Prevent clock drift due to interaction problem with xen hardware clock
|
|
timesyncd.enable = lib.mkForce true;
|
|
};
|
|
}
|