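{ pkgs, lib, config, name, nodes, ... }:
# Base system module shared by every deployed host: secret delivery,
# inter-node /etc/hosts entries, root SSH access, package overlays,
# journald retention, user accounts, root tooling and a maintenance target.
{
  config = {
    # The deployment secrets file is shipped to the path declared in
    # secrets.secretsVars, readable by root only, and removed again after
    # use (secrets.deleteSecretsVars below).
    deployment.secrets."secret_vars.yml" = {
      source = builtins.toString ../../nixops/secrets/vars.yml;
      destination = config.secrets.secretsVars;
      owner.user = "root";
      owner.group = "root";
      permissions = "0400";
    };

    # One "<ip4> <node>" line per deployed node, built from the node's main
    # IPv4 address.  NOTE(review): lib.head fails evaluation on an empty
    # ip4 list, so every node must declare at least one main IPv4 address.
    networking.extraHosts = builtins.concatStringsSep "\n"
      (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);

    secrets.deleteSecretsVars = true;
    secrets.gpgKeys = [
      ../../nixops/public_keys/Immae.pub
    ];
    secrets.secretsVars = "/run/keys/vars.yml";

    # sshd is enabled for every host (root's authorized key is set under
    # users.users.root below).  NOTE(review): nothing in this module pins
    # PermitRootLogin or PasswordAuthentication; both fall back to the
    # NixOS defaults of the target release — consider setting them
    # explicitly once the upgrade target (and its option names) is settled.
    services.openssh.enable = true;

    nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
      (self: super: {
        postgresql = self.postgresql_pam;
        mariadb = self.mariadb_pam;
      }) # don’t put them as generic overlay because of home-manager
    ];
    # SECURITY: nodejs-10.24.1 is marked insecure by nixpkgs (end of life,
    # no upstream fixes).  This opt-in only silences the evaluation error;
    # whatever still depends on it should be migrated at the next upgrade.
    nixpkgs.config.permittedInsecurePackages = [
      "nodejs-10.24.1"
    ];

    services.journald.extraConfig = ''
      #Should be "warning" but disabled for now, it prevents anything from being stored
      MaxLevelStore=info
      MaxRetentionSec=1year
    '';

    # Host-specific users come from hostEnv.users; the defaults below apply
    # first and each user's own attributes (`// x`) override them.
    # Root's SSH key and tooling are declared alongside (users.extraUsers is
    # only an alias of users.users, so a single definition is used here).
    users.users =
      builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
        isNormalUser = true;
        home = "/home/${x.name}";
        createHome = true;
        linger = true;
      } // x)) (config.hostEnv.users pkgs))
      // {
        root = {
          openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
          packages = let
            # Wrapper running nagios-cli as the naemon user with the shared
            # config; arguments given to the wrapper are forwarded.
            nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
              #!${pkgs.stdenv.shell}
              exec sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg} "$@"
            '';
          in
            [
              pkgs.inetutils
              pkgs.htop
              pkgs.iftop
              pkgs.bind.dnsutils
              pkgs.httpie
              pkgs.iotop
              pkgs.whois
              pkgs.ngrep
              pkgs.tcpdump
              pkgs.wireshark-cli
              pkgs.tcpflow
              # pkgs.mitmproxy # failing
              pkgs.nmap
              pkgs.p0f
              pkgs.socat
              pkgs.lsof
              pkgs.psmisc
              pkgs.openssl
              pkgs.wget

              pkgs.cnagios
              nagios-cli

              pkgs.pv
              pkgs.smartmontools
            ];
        };
      };

    # Accounts are fully declarative unless a host opts out.
    users.mutableUsers = lib.mkDefault false;

    environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
    # home-manager is only installed when the host declares at least one user.
    environment.systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.rsync
      pkgs.strace
    ] ++
    (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);

    # `systemctl isolate maintenance.target` stops everything except
    # networking and sshd, keeping remote access during maintenance.
    systemd.targets.maintenance = {
      description = "Maintenance target with only sshd";
      after = [ "network-online.target" "sshd.service" ];
      requires = [ "network-online.target" "sshd.service" ];
      unitConfig.AllowIsolate = "yes";
    };
  };
}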