Use list for ip4 addresses
index 5abaac0125adb1ed75d1f5093f29e0583fc39dc3..cf00ba67aedd4e2f9989df69caa4c0d8d8e3156c 100644 (file)
@@ -1,11 +1,12 @@
-{ privateFiles }:
 { config, pkgs, name, lib, ... }:
 {
   deployment = {
     targetUser = "root";
-    targetHost = config.hostEnv.ips.main.ip4;
+    targetHost = lib.head config.hostEnv.ips.main.ip4;
     substituteOnDestination = true;
   };
+  # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age
+  secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
   nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
   boot = {
     loader = {
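Review bot: `lib.head config.hostEnv.ips.main.ip4` on the targetHost line aborts evaluation with a bare list-index error if the option is ever an empty list, while the eth0 address list later in this same commit guards the non-main entries with `ips.ip4 or []`; an explicit check such as `assert config.hostEnv.ips.main.ip4 != []; lib.head config.hostEnv.ips.main.ip4` (or a `throw` naming the host) would make a misconfigured deployment target diagnosable instead of failing on an anonymous `head`. Separately, the comment above `secrets.ageKeys` records the recipient key as obtained from `ssh-keyscan dilion`, i.e. the host key as observed over the network; before secrets are encrypted to that key its fingerprint should be compared with the host's own `/etc/ssh` host key or an existing known_hosts entry, and a one-line note of that verification beside the comment (e.g. `# fingerprint verified against /etc/ssh/ssh_host_ed25519_key.pub on the host`) would make the key's provenance auditable. The enclosing attribute set continues outside the hunk.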
       "/boot/pass.key" = "/boot/pass.key";
     };
     kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
+    # available in nixos-20.09
+    #zfs.requestEncryptionCredentials = [ "zpool/root" ];
   };
   nix.maxJobs = 8;
   powerManagement.cpuFreqGovernor = "powersave";
   hardware.enableRedistributableFirmware = true;
 
-  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+  myEnv = import ../../../nixops/secrets/environment.nix;
 
   swapDevices = [ { label = "swap"; } ];
   fileSystems = {
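Review bot: The new `myEnv` line imports `../../../nixops/secrets/environment.nix` by relative path, replacing the `privateFiles` argument that previously made the secrets location a deployment-time parameter, so the secrets file is now a fixed part of this source tree. As far as I can tell, if this tree is evaluated as a flake (this file enables `experimental-features = nix-command flakes` further down) the whole source directory including `nixops/secrets` is copied into the Nix store, and independently any value read from that file that flows into a derivation (the htpasswd `pkgs.writeText` later in this file is one such use) ends up world-readable in `/nix/store`; the second point is pre-existing, but the import change is where a reader would look for it. A short comment on the line, e.g. `# plain-text secrets; anything taken from here and used in a derivation becomes world-readable in the Nix store`, would record that constraint for anyone adding new fields. The commented-out `zfs.requestEncryptionCredentials` line carries its own reason and needs nothing further.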
     hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4
     firewall.enable = false;
     interfaces."eth0".ipv4.addresses =
-      [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
-      ++ pkgs.lib.attrsets.mapAttrsToList
-        (n: ips: { address = ips.ip4; prefixLength = 32; })
-        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+      [ { address = lib.head config.hostEnv.ips.main.ip4; prefixLength = 27; } ]
+      ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+        (n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
+        (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
     interfaces."eth0".ipv6.addresses =
       [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ]
       ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
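Review bot: The rewritten `interfaces."eth0".ipv4.addresses` expression mixes `lib.head` with `pkgs.lib.flatten`, `pkgs.lib.attrsets.mapAttrsToList` and `pkgs.lib.attrsets.filterAttrs` in a single value, although `lib` is already a module argument and the two are normally the same library; using one spelling throughout, e.g. `++ lib.flatten (lib.mapAttrsToList` and `(lib.filterAttrs (n: v: n != "main") config.hostEnv.ips));`, reads more consistently. The `ips.ip4 or []` fallback is applied only to the non-main hosts while the main entry is passed straight to `lib.head`; if that asymmetry is intentional (main must always have an address, others may have none) a brief comment such as `# main must carry exactly one ip4; secondary hosts may have none` would save the next reader from wondering. The ipv6 list that starts at the end of the hunk continues outside it.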
   };
 
   myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
-  imports = builtins.attrValues (import ../..);
+  imports = builtins.attrValues (import ../..) ++ [ ./dilion/vms.nix ];
 
   system.nssModules = [ pkgs.libvirt ];
   system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
   programs.zsh.enable = true;
 
+  users.users.libvirt = {
+    hashedPassword = "!";
+    shell = pkgs.bashInteractive;
+    isSystemUser = true;
+    group = "libvirtd";
+    packages = [ pkgs.netcat-openbsd ];
+    openssh.authorizedKeys.keys = [
+      config.myEnv.buildbot.ssh_key.public
+      config.myEnv.sshd.rootKeys.ismael_flony
+    ];
+  };
+
   users.users.backup = {
     hashedPassword = "!";
     isSystemUser = true;
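Review bot: The new `users.users.libvirt` account combines `group = "libvirtd"`, an interactive shell and two SSH public keys (a buildbot key and a personal key) without stating what the account is for; with libvirt's default access rules, membership in the libvirtd group commonly amounts to full control of the daemon on this host, so the two keys gain that control. If the buildbot key only needs to reach the VMs (the `netcat-openbsd` package hints at a jump/relay use, but that is my inference), the authorized-keys entry can be narrowed by prefixing options to the key string, e.g. `"restrict,command=\"...\" ${config.myEnv.buildbot.ssh_key.public}"` — `openssh.authorizedKeys.keys` accepts a full authorized_keys line — and a comment such as `# libvirt-group account used by buildbot and <owner> to manage/reach the VMs; interactive shell required for ...` would document the intent. `hashedPassword = "!"` correctly locks the password, so SSH keys are the only login path. The following `users.users.backup` block starts inside the hunk and continues outside it.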
     after = [ "network.target" ];
 
     serviceConfig = {
-      ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:22";
+      ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:caldance:22";
     };
   };
 
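Review bot: The new `ExecStart` keeps `TCP-LISTEN:8022,fork` without a `bind=` option, so socat listens on every interface of the host, and `firewall.enable = false` elsewhere in this file means port 8022 is reachable from wherever the host itself is; the VM's sshd behind `TCP:caldance:22` is thereby exposed with the host's own network reachability. If the relay is only meant for local or management use, `TCP-LISTEN:8022,bind=<management address>,fork` confines it; if public exposure is intended, a comment stating so, e.g. `# intentionally public: ssh entry point for the caldance VM`, would record the decision. The target name `caldance` now resolves through the `libvirt_guest` NSS module configured in this file rather than the previous fixed nixops hostname, so the service silently depends on that NSS ordering; that seems worth a one-line comment as well. The systemd service definition starts outside the hunk.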
     extraOptions = ''
       keep-outputs = true
       keep-derivations = true
+      allow-unsafe-native-code-during-evaluation = true
+      experimental-features = nix-command flakes
       #Assumed in NUR
       allow-import-from-derivation = true
     '';
   nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
   nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
 
+  myServices.monitoring.enable = true;
   myServices.certificates.enable = true;
+  security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // {
+    user = "immae";
+    domain = "dilion.immae.eu";
+  };
   security.acme.certs."${name}" = {
     user = config.services.nginx.user;
     group = config.services.nginx.group;
     extraDomains = {
-      "dev.immae.eu" = null;
-      "caldance.immae.eu" = null;
+      "dilion.immae.dev" = null;
+      "caldance.cs.immae.dev" = null;
+      "zulip.carpentier.earth" = null;
+      "zulip.tof.carpentier.earth" = null;
+      "zulip.dine.carpentier.earth" = null;
+      "zulip.quentin.carpentier.earth" = null;
+      "zulip.agnes.carpentier.earth" = null;
+
+      "ofn.nc.immae.dev" = null;
+
+      "bookstack.cc.immae.dev" = null;
     };
   };
   services.nginx = {
     recommendedGzipSettings = true;
     recommendedProxySettings = true;
     upstreams = {
-      caldance.servers."nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:3031" = {};
+      caldance.servers."caldance:3031" = {};
     };
     virtualHosts = {
-      "dev.immae.eu" = {
+      "dilion.immae.dev" = {
         acmeRoot = config.myServices.certificates.webroot;
         useACMEHost = name;
         forceSSL = true;
         root = "/home/immae/www";
       };
-      "caldance.immae.eu" = {
+      "caldance.cs.immae.dev" = {
         acmeRoot = config.myServices.certificates.webroot;
         useACMEHost = name;
         forceSSL = true;
           auth_basic_user_file ${pkgs.writeText "htpasswd" config.myEnv.websites.caldance.integration.password};
         '';
       };
+      "bookstack.cc.immae.dev" = {
+        acmeRoot = config.myServices.certificates.webroot;
+        useACMEHost = name;
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:4003";
+      };
+      "ofn.nc.immae.dev" = {
+        acmeRoot = config.myServices.certificates.webroot;
+        useACMEHost = name;
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:3000";
+      };
+      "zulip.carpentier.earth" = {
+        acmeRoot = config.myServices.certificates.webroot;
+        useACMEHost = name;
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:4002";
+      };
+      "zulip.tof.carpentier.earth" = {
+        acmeRoot = config.myServices.certificates.webroot;
+        useACMEHost = name;
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:4002";
+      };
+      "zulip.dine.carpentier.earth" = {
+        acmeRoot = config.myServices.certificates.webroot;
+        useACMEHost = name;
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:4002";
+      };
+      "zulip.quentin.carpentier.earth" = {
+        acmeRoot = config.myServices.certificates.webroot;
+        useACMEHost = name;
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:4002";
+      };
+      "zulip.agnes.carpentier.earth" = {
+        acmeRoot = config.myServices.certificates.webroot;
+        useACMEHost = name;
+        forceSSL = true;
+        locations."/".proxyPass = "http://localhost:4002";
+      };
     };
   };