Fix converse
index cf00ba67aedd4e2f9989df69caa4c0d8d8e3156c..569c088d8d0822be8123d18296a5ca0d065e84ec 100644 (file)
@@ -18,7 +18,7 @@
     };
     blacklistedKernelModules = [ "nvidiafb" ];
     supportedFilesystems = [ "zfs" ];
-    kernelPackages = pkgs.linuxPackages_latest;
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
     kernelModules = [ "kvm-intel" ];
     initrd.availableKernelModules = [ "ahci" "sd_mod" ];
     initrd.secrets = {
@@ -28,7 +28,6 @@
     # available in nixos-20.09
     #zfs.requestEncryptionCredentials = [ "zpool/root" ];
   };
-  nix.maxJobs = 8;
   powerManagement.cpuFreqGovernor = "powersave";
   hardware.enableRedistributableFirmware = true;
 
     shell = pkgs.bashInteractive;
     isSystemUser = true;
     group = "libvirtd";
-    packages = [ pkgs.netcat-openbsd ];
+    packages = [ pkgs.libressl.nc ];
     openssh.authorizedKeys.keys = [
       config.myEnv.buildbot.ssh_key.public
       config.myEnv.sshd.rootKeys.ismael_flony
     ];
   };
 
+  users.groups.backup = {};
   users.users.backup = {
     hashedPassword = "!";
     isSystemUser = true;
     extraGroups = [ "keys" ];
+    group = "backup";
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = let
       zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
   virtualisation.docker.enable = true;
   virtualisation.docker.storageDriver = "zfs";
   virtualisation.libvirtd.enable = true;
-  users.extraUsers.immae.extraGroups = [ "libvirtd" "docker" ];
+  systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
+  users.groups.immae = {};
+  users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ];
   systemd.services.libvirtd.postStart = ''
     install -m 0770 -g libvirtd -d /var/lib/libvirt/images
   '';
 
   time.timeZone = "Europe/Paris";
   nix = {
-    useSandbox = "relaxed";
+    settings = {
+      sandbox = "relaxed";
+      max-jobs = 8;
+      substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
+      trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+    };
     extraOptions = ''
       keep-outputs = true
       keep-derivations = true
     "home-manager=${pkgs.sources.home-manager.url}"
     "nixpkgs=${pkgs.sources.nixpkgs-home-manager.url}"
   ];
-  nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
-  nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
 
   myServices.monitoring.enable = true;
   myServices.certificates.enable = true;
   security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // {
-    user = "immae";
+    group = "immae";
     domain = "dilion.immae.eu";
   };
   security.acme.certs."${name}" = {
-    user = config.services.nginx.user;
     group = config.services.nginx.group;
-    extraDomains = {
-      "dilion.immae.dev" = null;
-      "caldance.cs.immae.dev" = null;
-      "zulip.carpentier.earth" = null;
-      "zulip.tof.carpentier.earth" = null;
-      "zulip.dine.carpentier.earth" = null;
-      "zulip.quentin.carpentier.earth" = null;
-      "zulip.agnes.carpentier.earth" = null;
+    extraDomainNames = [
+      "dilion.immae.dev"
+      "caldance.cs.immae.dev"
+      "zulip.carpentier.earth"
+      "zulip.tof.carpentier.earth"
+      "zulip.dine.carpentier.earth"
+      "zulip.quentin.carpentier.earth"
+      "zulip.agnes.carpentier.earth"
 
-      "ofn.nc.immae.dev" = null;
+      "ofn.nc.immae.dev"
 
-      "bookstack.cc.immae.dev" = null;
-    };
+      "bookstack.cc.immae.dev"
+    ];
   };
+  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
   services.nginx = {
     enable = true;
     recommendedOptimisation = true;
         acmeRoot = config.myServices.certificates.webroot;
         useACMEHost = name;
         forceSSL = true;
-        root = "/home/immae/www";
+        locations."/".root = "/home/immae/www";
       };
       "caldance.cs.immae.dev" = {
         acmeRoot = config.myServices.certificates.webroot;
 
   systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver";
   systemd.services.zrepl.serviceConfig.User = "backup";
+  # pour eldiron:
   # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
-  services.zrepl = {
+  # pour flony:
+  # zfs allow backup hold,release,bookmark,snapshot,send zpool
+  immaeServices.zrepl = {
     enable = true;
     config = ''
       global:
           name: "backup-from-eldiron"
           root_fs: "zpool/backup"
           serve:
-            type: stdinserver
-            client_identities:
+            type: tls
+            listen: :19000
+            ca: ${config.secrets.fullPaths."zrepl/certificates/eldiron.crt"}
+            cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+            key: ${config.secrets.fullPaths."zrepl/dilion.key"}
+            client_cns:
               - eldiron
+        - type: source
+          # must not change
+          name: "backup-to-wd-zpool"
+          # not encrypted!
+          serve:
+            type: tls
+            listen: :19001
+            ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
+            cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+            key: ${config.secrets.fullPaths."zrepl/dilion.key"}
+            client_cns:
+              - flony
+          filesystems:
+            "zpool/libvirt<": true
+            "zpool/root<": true
+          snapshotting:
+            type: manual
+        - type: source
+          # must not change
+          name: "backup-to-wd-zpool-docker"
+          # not encrypted!
+          serve:
+            type: tls
+            listen: :19002
+            ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
+            cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+            key: ${config.secrets.fullPaths."zrepl/dilion.key"}
+            client_cns:
+              - flony
+          filesystems:
+            "zpool/docker<": true
+          snapshotting:
+            type: manual
     '';
   };
   # This value determines the NixOS release with which your system is
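Review bot: The three zrepl TLS listeners added in the last hunk (`listen: :19000`, `:19001`, `:19002`) bind on every interface, and the hunk carries no matching `networking.firewall` change, so whether these ports are reachable beyond the two intended peers depends on configuration outside this diff. Mutual TLS with `client_cns` pinned to `eldiron`/`flony` is the only gate shown; if the ports are opened elsewhere, restricting them to the peers' addresses (a source-scoped `networking.firewall.extraCommands` rule or a listen address bound to the interface the peers use) would keep the listeners off the public interface. Each `serve` block also points `ca:` at the peer's own certificate, which presumably is a self-signed peer cert acting as its own CA — worth a comment such as `# ca: peer's self-signed cert; rotating it on the peer means updating this path`. The `# not encrypted!` comments on both source jobs presumably refer to the datasets rather than the transport (which is TLS); stating that explicitly would stop a reader concluding the send stream crosses the wire in clear. The enclosing module attrset starts and ends outside this section.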