projects / perso / Immae / Config / Nix.git / blame
| Commit | Line | Data |
|---|---|---|
| 34abd6af | 1 | { pkgs, lib, config, name, nodes, ... }: |
| 8d213e2b IB |
2 | { |
| 3 | config = { | |
| c7b16397 IB |
4 | networking.hostName = name; |
| 5 | deployment.keys."vars.yml" = { | |
| 6 | keyFile = builtins.toString ../../nixops/secrets/vars.yml; | |
| 7 | user = "root"; | |
| 8 | group = "root"; | |
| da30ae4f IB |
9 | permissions = "0400"; |
| 10 | }; | |
| 11 | ||
| 34abd6af | 12 | networking.extraHosts = builtins.concatStringsSep "\n" |
| 05becbbb | 13 | (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes); |
| 34abd6af | 14 | |
| 282c67a1 IB |
15 | users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ]; |
| 16 | secrets.deleteSecretsVars = true; | |
| 17 | secrets.gpgKeys = [ | |
| 18 | ../../nixops/public_keys/Immae.pub | |
| 19 | ]; | |
| da30ae4f | 20 | secrets.secretsVars = "/run/keys/vars.yml"; |
| 282c67a1 | 21 | |
| 34abd6af IB |
22 | services.openssh.enable = true; |
| 23 | ||
| 9dd3eb0b | 24 | nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [ |
| 4e3e4761 IB |
25 | (self: super: { |
| 26 | postgresql = self.postgresql_pam; | |
| 27 | mariadb = self.mariadb_pam; | |
| 28 | }) # don’t put them as generic overlay because of home-manager | |
| 9dd3eb0b | 29 | ]; |
| e34b3079 IB |
30 | nixpkgs.config.permittedInsecurePackages = [ |
| 31 | "nodejs-10.24.1" | |
| 32 | ]; | |
| 8d213e2b IB |
33 | |
| 34 | services.journald.extraConfig = '' | |
| 2edbb2d8 IB |
35 | #Should be "warning" but disabled for now, it prevents anything from being stored |
| 36 | MaxLevelStore=info | |
| b31b718f | 37 | MaxRetentionSec=1year |
| 8d213e2b IB |
38 | ''; |
| 39 | ||
| 8a304ef4 IB |
40 | users.users = |
| 41 | builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({ | |
| 42 | isNormalUser = true; | |
| 43 | home = "/home/${x.name}"; | |
| 44 | createHome = true; | |
| 45 | linger = true; | |
| 5db88013 | 46 | # Enable in latest unstable homeMode = "755"; |
| 8a304ef4 IB |
47 | } // x)) (config.hostEnv.users pkgs)) |
| 48 | // { | |
| 49 | root.packages = let | |
| 50 | nagios-cli = pkgs.writeScriptBin "nagios-cli" '' | |
| 51 | #!${pkgs.stdenv.shell} | |
| 52 | sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg} | |
| 53 | ''; | |
| 54 | in | |
| 55 | [ | |
| e34b3079 | 56 | pkgs.inetutils |
| 8a304ef4 IB |
57 | pkgs.htop |
| 58 | pkgs.iftop | |
| 59 | pkgs.bind.dnsutils | |
| 60 | pkgs.httpie | |
| 61 | pkgs.iotop | |
| 62 | pkgs.whois | |
| 63 | pkgs.ngrep | |
| 64 | pkgs.tcpdump | |
| e34b3079 | 65 | pkgs.wireshark-cli |
| 8a304ef4 | 66 | pkgs.tcpflow |
| 2053ddac | 67 | # pkgs.mitmproxy # failing |
| 8a304ef4 IB |
68 | pkgs.nmap |
| 69 | pkgs.p0f | |
| 70 | pkgs.socat | |
| 71 | pkgs.lsof | |
| 72 | pkgs.psmisc | |
| ca732a83 | 73 | pkgs.openssl |
| 8a304ef4 | 74 | pkgs.wget |
| 781c3202 | 75 | |
| 8a304ef4 IB |
76 | pkgs.cnagios |
| 77 | nagios-cli | |
| 740a6506 IB |
78 | |
| 79 | pkgs.pv | |
| 80 | pkgs.smartmontools | |
| 8a304ef4 IB |
81 | ]; |
| 82 | }; | |
| 8d213e2b | 83 | |
| 05a3b252 | 84 | users.mutableUsers = lib.mkDefault false; |
| 8d213e2b | 85 | |
| 8a304ef4 | 86 | environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios"; |
| 258dd18b IB |
87 | environment.systemPackages = [ |
| 88 | pkgs.git | |
| 89 | pkgs.vim | |
| 34abd6af IB |
90 | pkgs.rsync |
| 91 | pkgs.strace | |
| 258dd18b IB |
92 | ] ++ |
| 93 | (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager); | |
| 31e11cdf IB |
94 | |
| 95 | systemd.targets.maintenance = { | |
| 96 | description = "Maintenance target with only sshd"; | |
| 97 | after = [ "network-online.target" "sshd.service" ]; | |
| 98 | requires = [ "network-online.target" "sshd.service" ]; | |
| 99 | unitConfig.AllowIsolate = "yes"; | |
| 100 | }; | |
| 8d213e2b IB |
101 | }; |
| 102 | } |