-{ privateFiles }:
{ config, pkgs, name, lib, ... }:
{
deployment = {
targetHost = config.hostEnv.ips.main.ip4;
substituteOnDestination = true;
};
+ # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age
+ secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ];
nixpkgs.system = lib.mkOverride 900 "x86_64-linux";
boot = {
loader = {
"/boot/pass.key" = "/boot/pass.key";
};
kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak
+ # available in nixos-20.09
+ #zfs.requestEncryptionCredentials = [ "zpool/root" ];
};
nix.maxJobs = 8;
powerManagement.cpuFreqGovernor = "powersave";
hardware.enableRedistributableFirmware = true;
- myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ myEnv = import ../../../nixops/secrets/environment.nix;
swapDevices = [ { label = "swap"; } ];
fileSystems = {
};
myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
- imports = builtins.attrValues (import ../..);
+ imports = builtins.attrValues (import ../..) ++ [ ./dilion/vms.nix ];
system.nssModules = [ pkgs.libvirt ];
system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ];
programs.zsh.enable = true;
+ users.users.libvirt = {
+ hashedPassword = "!";
+ shell = pkgs.bashInteractive;
+ isSystemUser = true;
+ group = "libvirtd";
+ packages = [ pkgs.netcat-openbsd ];
+ openssh.authorizedKeys.keys = [
+ config.myEnv.buildbot.ssh_key.public
+ config.myEnv.sshd.rootKeys.ismael_flony
+ ];
+ };
+
users.users.backup = {
hashedPassword = "!";
isSystemUser = true;
after = [ "network.target" ];
serviceConfig = {
- ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:22";
+ ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:caldance:22";
};
};
extraOptions = ''
keep-outputs = true
keep-derivations = true
+ allow-unsafe-native-code-during-evaluation = true
+ experimental-features = nix-command flakes
#Assumed in NUR
allow-import-from-derivation = true
'';
nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+ myServices.monitoring.enable = true;
myServices.certificates.enable = true;
+ security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // {
+ user = "immae";
+ domain = "dilion.immae.eu";
+ };
security.acme.certs."${name}" = {
user = config.services.nginx.user;
group = config.services.nginx.group;
extraDomains = {
- "dev.immae.eu" = null;
- "caldance.immae.eu" = null;
+ "dilion.immae.dev" = null;
+ "caldance.cs.immae.dev" = null;
};
};
services.nginx = {
recommendedGzipSettings = true;
recommendedProxySettings = true;
upstreams = {
- caldance.servers."nixops-99a7e1ba-54dc-11ea-a965-10bf487fe63b-caldance:3031" = {};
+ caldance.servers."caldance:3031" = {};
};
virtualHosts = {
- "dev.immae.eu" = {
+ "dilion.immae.dev" = {
acmeRoot = config.myServices.certificates.webroot;
useACMEHost = name;
forceSSL = true;
root = "/home/immae/www";
};
- "caldance.immae.eu" = {
+ "caldance.cs.immae.dev" = {
acmeRoot = config.myServices.certificates.webroot;
useACMEHost = name;
forceSSL = true;
projects / perso / Immae / Config / Nix.git / blobdiff