};
eldiron = { config, pkgs, mylibs, myconfig, ... }:
- with mylibs;
{
+ nixpkgs.overlays = builtins.attrValues (import ../overlays);
_module.args = {
pkgsNext = import <nixpkgsNext> {};
- mylibs = import ../libs.nix { nixpkgs = pkgs; };
- mypkgs = import ../default.nix;
+ pkgsPrevious = import <nixpkgsPrevious> {};
+ mylibs = import ../libs.nix { inherit pkgs; };
myconfig = {
inherit privateFiles;
env = import "${privateFiles}/environment.nix";
- ips = {
- main = "176.9.151.89";
- production = "176.9.151.154";
- integration = "176.9.151.155";
- };
};
};
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ networking = {
+ firewall.enable = true;
+ # 176.9.151.89 declared in nixops -> infra / tools
+ interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: { address = ips.ip4; prefixLength = 32; })
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.eldiron.ips);
+ interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+ myconfig.env.servers.eldiron.ips);
+ };
+
imports = [
+ ./modules/ssh
./modules/certificates.nix
./modules/gitolite
./modules/databases
./modules/task
./modules/irc
./modules/buildbot
+ ./modules/dns
+ ./modules/secrets
];
services.myGitolite.enable = true;
services.myDatabases.enable = true;
MaxLevelStore="warning"
MaxRetentionSec="1year"
'';
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [ 22 ];
- };
- };
deployment = {
targetEnv = "hetzner";
hetzner = {
robotUser = myconfig.env.hetzner.user;
robotPass = myconfig.env.hetzner.pass;
- mainIPv4 = myconfig.ips.main;
+ mainIPv4 = myconfig.env.servers.eldiron.ips.main.ip4;
partitions = ''
clearpart --all --initlabel --drives=sda,sdb
};
};
- environment.systemPackages = [
+ users.users.root.packages = [
pkgs.telnet
pkgs.htop
- pkgs.vim
+ pkgs.iftop
];
- services.openssh.extraConfig = ''
- AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
- AuthorizedKeysCommandUser nobody
- '';
-
- environment.etc."ssh/ldap_authorized_keys" = let
- ldap_authorized_keys =
- wrap {
- name = "ldap_authorized_keys";
- file = ./ldap_authorized_keys.sh;
- vars = {
- LDAP_PASS = myconfig.env.sshd.ldap.password;
- GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
- ECHO = "${pkgs.coreutils}/bin/echo";
- };
- paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
- };
- in {
- enable = true;
- mode = "0755";
- user = "root";
- source = ldap_authorized_keys;
- };
+ environment.systemPackages = [
+ pkgs.vim
+ ];
services.cron = {
enable = true;