# Host-wide NixOS module applied to every deployed machine: secret delivery,
# root SSH access, overlays, declarative user accounts and a maintenance
# target.  `name` and `nodes` are the per-host arguments supplied by the
# deployment tool; `config.hostEnv` / `config.myEnv` are defined by other
# modules of this repository (not visible here).
{ pkgs, lib, config, name, nodes, ... }:
{
  config = {
    networking.hostName = name;
    # Secrets file pushed at deploy time; owned by root and readable only by
    # root (0400).  The source path is resolved relative to this module.
    deployment.keys."vars.yml" = {
      keyFile = builtins.toString ../../nixops/secrets/vars.yml;
      user = "root";
      group = "root";
      permissions = "0400";
    };

    # One hosts entry per deployed node, built from its main IPv4 address.
    # NOTE(review): `lib.head` aborts evaluation if a node's ip4 list is empty.
    networking.extraHosts = builtins.concatStringsSep "\n"
      (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);

    # Root accepts exactly one SSH key here, the deployment key from myEnv.
    users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
    secrets.deleteSecretsVars = true;
    secrets.gpgKeys = [
      ../../nixops/public_keys/Immae.pub
    ];
    # Presumably the runtime location of the "vars.yml" deployment key above
    # — confirm against the key-deployment tool's conventions.
    secrets.secretsVars = "/run/keys/vars.yml";

    services.openssh.enable = true;

    # Repository overlays, plus PAM-enabled database builds for this host.
    nixpkgs.overlays = builtins.attrValues (import ../.. {}).overlays ++ [
      (self: super: {
        postgresql = self.postgresql_pam;
        mariadb = self.mariadb_pam;
      }) # don’t put them as generic overlay because of home-manager
    ];
    # Explicit opt-in for a package nixpkgs marks as insecure, so anything
    # still depending on it keeps building.  TODO(review): track its removal.
    nixpkgs.config.permittedInsecurePackages = [
      "nodejs-10.24.1"
    ];

    # Verbatim journald settings (the leading-'#' line is a journald comment,
    # part of the emitted file, not a Nix comment).
    services.journald.extraConfig = ''
      #Should be "warning" but disabled for now, it prevents anything from being stored
      MaxLevelStore=info
      MaxRetentionSec=1year
    '';

    # Every user returned by hostEnv gets a normal account with a home
    # directory and lingering enabled; the user's own attrs (`// x`) override
    # these defaults.  Function application binds tighter than `//`, so the
    # root entry below is merged into the generated set.
    users.users =
      builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
        isNormalUser = true;
        home = "/home/${x.name}";
        createHome = true;
        linger = true;
        # Enable in latest unstable homeMode = "755";
      } // x)) (config.hostEnv.users pkgs))
      // {
        # Diagnostic tooling installed for root only; nagios-cli is a wrapper
        # that switches to the naemon user via sudo.
        root.packages = let
          nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
            #!${pkgs.stdenv.shell}
            sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
          '';
        in
        [
          pkgs.inetutils
          pkgs.htop
          pkgs.iftop
          pkgs.bind.dnsutils
          pkgs.httpie
          pkgs.iotop
          pkgs.whois
          pkgs.ngrep
          pkgs.tcpdump
          pkgs.wireshark-cli
          pkgs.tcpflow
          # pkgs.mitmproxy # failing
          pkgs.nmap
          pkgs.p0f
          pkgs.socat
          pkgs.lsof
          pkgs.psmisc
          pkgs.openssl
          pkgs.wget

          pkgs.cnagios
          nagios-cli

          pkgs.pv
          pkgs.smartmontools
        ];
      };

    # Accounts are declarative; mkDefault lets a host module override this.
    users.mutableUsers = lib.mkDefault false;

    environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
    environment.systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.rsync
      pkgs.strace
    ] ++
    # home-manager is only installed when hostEnv defines at least one user.
    (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);

    # Isolatable target that keeps only the network and sshd running.
    systemd.targets.maintenance = {
      description = "Maintenance target with only sshd";
      after = [ "network-online.target" "sshd.service" ];
      requires = [ "network-online.target" "sshd.service" ];
      unitConfig.AllowIsolate = "yes";
    };
  };
}