# Flake inputs: all five are sibling checkouts referenced by relative `path:` URLs,
# so they are resolved from this flake's own directory rather than fetched remotely.
inputs = {
  environment.url = "path:../environment";
  secrets-public.url = "path:../../secrets";
  mypackages.url = "path:../../mypackages";
  myuids.url = "path:../../myuids";
  backports.url = "path:../../backports";
};
7 outputs = { self, secrets-public, mypackages, backports, environment, myuids }: {
8 nixosModule = self.nixosModules.system;
9 nixosModules.system = { pkgs, lib, config, name, nodes, secrets, options, ... }:
12 secrets.nixosModules.users-config-common
13 environment.nixosModule
14 secrets-public.nixosModule
17 myEnv = import secrets.environment-file;
18 networking.hostName = name;
19 deployment.keys."vars.yml" = {
20 keyCommand = [ pkgs.stdenv.shell "-c" "cat ${secrets.vars-file}" ];
# One /etc/hosts line per deployment node, "<first main ip4> <node name>", joined by newlines.
# lib.head raises an evaluation error if a node's ips.main.ip4 list is empty — presumably every
# node declares at least one address; verify before adding nodes without a main ip4.
26 networking.extraHosts = builtins.concatStringsSep "\n"
27 (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);
# Root SSH access is granted to exactly one key, read from the secrets environment.
# NOTE(review): PermitRootLogin / PasswordAuthentication are not set in this view — confirm that
# root login is restricted to key-only authentication elsewhere in the openssh configuration.
29 users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
30 secrets.deleteSecretsVars = true; # presumably removes the secrets vars file once consumed — check the secrets module
32 ./public_keys/Immae.pub
34 secrets.secretsVars = "/run/keys/vars.yml"; # must match the deployment.keys."vars.yml" entry above, which is what places the file here
36 services.openssh.enable = true; # NOTE(review): no openssh hardening settings are visible here; confirm password auth is disabled and root is limited to the authorized key above
39 builtins.attrValues mypackages.overlays ++
40 builtins.attrValues backports.overlays ++
43 postgresql = self.postgresql_pam;
44 mariadb = self.mariadb_106.overrideAttrs(old: {
45 passthru = old.passthru // { mysqlVersion = "5.7"; };
47 }) # don’t put them as generic overlay because of home-manager
50 services.journald.extraConfig = ''
51 #Should be "warning" but disabled for now, it prevents anything from being stored
56 users.groups.acme.gid = myuids.lib.gids.acme;
58 builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
60 home = "/home/${x.name}";
63 # Enable in latest unstable homeMode = "755";
64 } // x)) (config.hostEnv.users pkgs))
66 acme.uid = myuids.lib.uids.acme;
68 environment.systemPackages = [
102 users.mutableUsers = lib.mkDefault false; # users/passwords are fully declarative (no ad-hoc passwd changes survive); mkDefault lets a host override
# NOTE(review): forcing the key unit off means nothing waits for or re-provisions vars.yml at
# boot — presumably the key is delivered at deploy time only; confirm this is the intent.
104 systemd.services."vars.yml-key".enable = lib.mkForce false;
105 systemd.targets.maintenance = {
106 description = "Maintenance target with only sshd";
107 after = [ "network-online.target" "sshd.service" ];
108 requires = [ "network-online.target" "sshd.service" ];
109 unitConfig.AllowIsolate = "yes";
112 security.acme.acceptTerms = true;
113 security.acme.preliminarySelfsigned = true; # presumably a self-signed cert is served until issuance succeeds — clients see a TLS warning during that window
115 security.acme.certs = {
117 domain = config.hostEnv.fqdn;
120 security.acme.defaults = {
121 email = "ismael@bouya.org";
122 webroot = "/var/lib/acme/acme-challenges";
123 postRun = builtins.concatStringsSep "\n" [
124 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
# NOTE(review): --reuse-key keeps the same private key across renewals, so a key that has leaked
# is not rotated by the renewal cycle; confirm this trade-off is intended.
126 extraLegoRenewFlags = [ "--reuse-key" ];
127 keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
128 #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
129 #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
133 recommendedTlsSettings = true;
135 "${config.hostEnv.fqdn}" = {
136 acmeRoot = config.security.acme.defaults.webroot;
143 services.fail2ban.jails.DEFAULT = {
144 settings.bantime = "12h";
145 settings.findtime = "12h";
147 services.fail2ban = {
151 bantime-increment = {
152 enable = true; # Enable increment of bantime after each violation
153 formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
154 #multipliers = "1 2 4 8 16 32 64";
155 maxtime = "168h"; # Do not ban for more than 1 week
156 overalljails = true; # Calculate the bantime based on all the violations
# Every ip4 / ip6 address declared by any server in the environment, flattened into one list;
# a server whose ips entry lacks the key contributes nothing thanks to `or []`.
# The inner lambda reuses the names n/v and shadows the outer ones.
160 ip4s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip4 or []) v.ips)) (config.myEnv.servers));
161 ip6s = lib.flatten (lib.mapAttrsToList (n: v: (lib.mapAttrsToList (n: v: v.ip6 or []) v.ips)) (config.myEnv.servers));