-{ pkgs, lib, config, name, ... }:
+{ pkgs, lib, config, name, nodes, ... }:
{
config = {
- services.duplyBackup.profiles.system = {
- rootDir = "/var/lib";
- excludeFile = lib.mkAfter ''
- + /var/lib/nixos
- + /var/lib/udev
- + /var/lib/udisks2
- + /var/lib/systemd
- + /var/lib/private/systemd
- - /var/lib
- '';
- };
- nixpkgs.overlays = builtins.attrValues (import ../../overlays);
- _module.args = {
- pkgsNext = import <nixpkgsNext> {};
- pkgsPrevious = import <nixpkgsPrevious> {};
+ deployment.secrets."secret_vars.yml" = {
+ source = builtins.toString ../../nixops/secrets/vars.yml;
+ destination = config.secrets.secretsVars;
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
};
+ networking.extraHosts = builtins.concatStringsSep "\n"
+ (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
+ secrets.deleteSecretsVars = true;
+ secrets.gpgKeys = [
+ ../../nixops/public_keys/Immae.pub
+ ];
+ secrets.secretsVars = "/run/keys/vars.yml";
+
+ services.openssh.enable = true;
+
+ nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
+ (self: super: {
+ postgresql = self.postgresql_pam;
+ mariadb = self.mariadb_pam;
+ }) # don’t put them as generic overlay because of home-manager
+ ];
+ nixpkgs.config.permittedInsecurePackages = [
+ "nodejs-10.24.1"
+ ];
+
services.journald.extraConfig = ''
- MaxLevelStore="warning"
- MaxRetentionSec="1year"
+ #Should be "warning" but disabled for now, it prevents anything from being stored
+ MaxLevelStore=info
+ MaxRetentionSec=1year
'';
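Review bot: The hunk enables sshd (`services.openssh.enable = true;`) and installs a root authorized key (`users.extraUsers.root.openssh.authorizedKeys.keys`) but leaves the daemon's authentication policy at whatever the NixOS defaults of the pinned channel are, so root login by password is not explicitly ruled out. Since this key-only root access is the fleet's recovery path, pin the policy next to it: `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "prohibit-password";` (the `services.openssh.settings.*` equivalents on newer NixOS). Relatedly, the journald comment above `MaxLevelStore=info` attributes the earlier breakage to the level itself, whereas the removed lines suggest the quoted value `"warning"` was the likely cause; keeping `info` is nevertheless the right call for incident response, because sshd logs accepted logins at info level, so the comment should say that rather than "disabled for now". The `permittedInsecurePackages` entry for `nodejs-10.24.1` would also benefit from a one-line comment naming the package that still needs it, so the exemption can be dropped when that dependency goes away.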
users.users =
home = "/home/${x.name}";
createHome = true;
linger = true;
+ # Enable in latest unstable homeMode = "755";
} // x)) (config.hostEnv.users pkgs))
// {
root.packages = let
'';
in
[
- pkgs.telnet
+ pkgs.inetutils
pkgs.htop
pkgs.iftop
pkgs.bind.dnsutils
pkgs.whois
pkgs.ngrep
pkgs.tcpdump
- pkgs.tshark
+ pkgs.wireshark-cli
pkgs.tcpflow
- pkgs.mitmproxy
+ # pkgs.mitmproxy # failing
pkgs.nmap
pkgs.p0f
pkgs.socat
pkgs.lsof
pkgs.psmisc
+ pkgs.openssl
pkgs.wget
pkgs.cnagios
nagios-cli
+
+ pkgs.pv
+ pkgs.smartmontools
];
};
- users.mutableUsers = false;
+ users.mutableUsers = lib.mkDefault false;
environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
environment.systemPackages = [
pkgs.git
pkgs.vim
+ pkgs.rsync
+ pkgs.strace
] ++
(lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
+
+ systemd.targets.maintenance = {
+ description = "Maintenance target with only sshd";
+ after = [ "network-online.target" "sshd.service" ];
+ requires = [ "network-online.target" "sshd.service" ];
+ unitConfig.AllowIsolate = "yes";
+ };
};
}
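Review bot: Changing `users.mutableUsers = false` to `lib.mkDefault false` lets any per-host module silently switch user management back to mutable, so the declarative-only guarantee this line previously enforced fleet-wide is now opt-in, and the hunk gives no reason for the relaxation. A comment naming which host overrides it and why would make the exception auditable, e.g. `# mkDefault: overridden on hosts that manage users out of band; everything else stays declarative-only`. Separately, the new `systemd.targets.maintenance` requires only `network-online.target` and `sshd.service`, so isolating to it presumably stops units such as `systemd-logind.service` that the SSH login path may rely on; that is worth verifying once on a test host, or listing those units in `wants` if they turn out to be needed.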