+++ /dev/null
-{ pkgs, lib, config, name, nodes, ... }:
-{
- config = {
- deployment.secrets."secret_vars.yml" = {
- source = builtins.toString ../../nixops/secrets/vars.yml;
- destination = config.secrets.secretsVars;
- owner.user = "root";
- owner.group = "root";
- permissions = "0400";
- };
-
- networking.extraHosts = builtins.concatStringsSep "\n"
- (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
-
- users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
- secrets.deleteSecretsVars = true;
- secrets.gpgKeys = [
- ../../nixops/public_keys/Immae.pub
- ];
- secrets.secretsVars = "/run/keys/vars.yml";
-
- services.openssh.enable = true;
-
- nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
- (self: super: {
- postgresql = self.postgresql_pam;
- mariadb = self.mariadb_pam;
- }) # don’t put them as generic overlay because of home-manager
- ];
-
- services.journald.extraConfig = ''
- #Should be "warning" but disabled for now, it prevents anything from being stored
- MaxLevelStore=info
- MaxRetentionSec=1year
- '';
-
- users.users =
- builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
- isNormalUser = true;
- home = "/home/${x.name}";
- createHome = true;
- linger = true;
- } // x)) (config.hostEnv.users pkgs))
- // {
- root.packages = let
- nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
- #!${pkgs.stdenv.shell}
- sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
- '';
- in
- [
- pkgs.telnet
- pkgs.htop
- pkgs.iftop
- pkgs.bind.dnsutils
- pkgs.httpie
- pkgs.iotop
- pkgs.whois
- pkgs.ngrep
- pkgs.tcpdump
- pkgs.tshark
- pkgs.tcpflow
- # pkgs.mitmproxy # failing
- pkgs.nmap
- pkgs.p0f
- pkgs.socat
- pkgs.lsof
- pkgs.psmisc
- pkgs.openssl
- pkgs.wget
-
- pkgs.cnagios
- nagios-cli
-
- pkgs.pv
- pkgs.smartmontools
- ];
- };
-
- users.mutableUsers = lib.mkDefault false;
-
- environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
- environment.systemPackages = [
- pkgs.git
- pkgs.vim
- pkgs.rsync
- pkgs.strace
- ] ++
- (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
-
- systemd.targets.maintenance = {
- description = "Maintenance target with only sshd";
- after = [ "network-online.target" "sshd.service" ];
- requires = [ "network-online.target" "sshd.service" ];
- unitConfig.AllowIsolate = "yes";
- };
- };
-}