X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem%2Feldiron.nix;h=8b2784d0d315ce87d0b1fbfe546f6689854e55ce;hb=1a64deeb894dc95e2645a75771732c6cc53a79ad;hp=4b332d32bc6d5396f320d9b44dd10595a6331782;hpb=d43e0c61af84940447dbcdd1deac848328dde46d;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
deleted file mode 100644
index 4b332d3..0000000
--- a/modules/private/system/eldiron.nix
+++ /dev/null
@@ -1,97 +0,0 @@
-{ privateFiles }:
-{ config, pkgs, ... }:
-{
- boot.kernelPackages = pkgs.linuxPackages_latest;
- myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
-
- networking = {
- firewall.enable = true;
- # 176.9.151.89 declared in nixops -> infra / tools
- interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
- (n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
- interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
- (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
- config.hostEnv.ips);
- };
-
- imports = builtins.attrValues (import ../..);
-
- boot.kernel.sysctl = {
- # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
- "net.ipv4.tcp_sack" = 0;
- };
- myServices.buildbot.enable = true;
- myServices.databases.enable = true;
- myServices.gitolite.enable = true;
- myServices.monitoring.enable = true;
- myServices.irc.enable = true;
- myServices.pub.enable = true;
- myServices.tasks.enable = true;
- myServices.mpd.enable = true;
- myServices.dns.enable = true;
- myServices.certificates.enable = true;
- myServices.websites.enable = true;
- myServices.mail.enable = true;
- myServices.ejabberd.enable = true;
- myServices.vpn.enable = true;
- services.pure-ftpd.enable = true;
- services.duplyBackup.enable = true;
- services.duplyBackup.profiles.oldies.rootDir = "/var/lib/oldies";
-
- secrets.keys = [
- {
- dest = "rsync_backup/identity";
- user = "root";
- group = "root";
- permissions = "0400";
- text = config.myEnv.rsync_backup.ssh_key.private;
- }
- ];
- programs.ssh.knownHosts.dilion = {
- hostNames = ["dilion.immae.eu"];
- publicKey = let
- profile = config.myEnv.rsync_backup.profiles.dilion;
- in
- "${profile.host_key_type} ${profile.host_key}";
- };
-
- deployment = {
- targetEnv = "hetzner";
- hetzner = {
- robotUser = config.myEnv.hetzner.user;
- robotPass = config.myEnv.hetzner.pass;
- mainIPv4 = config.hostEnv.ips.main.ip4;
- partitions = ''
- clearpart --all --initlabel --drives=sda,sdb
-
- part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
- part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
-
- part raid.1 --grow --ondisk=sda
- part raid.2 --grow --ondisk=sdb
-
- raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
- '';
- };
- };
-
- services.cron = {
- enable = true;
- mailto = "cron@immae.eu";
- systemCronJobs = [
- ''
- # The star after /var/lib/* avoids deleting all folders in case of problem
- 0 3,9,15,21 * * * root rsync -e "ssh -i /var/secrets/rsync_backup/identity" --new-compress -aAXv --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* backup@dilion.immae.eu: > /dev/null
- 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -g "immae.eu.*Recipient address rejected"
- ''
- ];
- };
-
- # This value determines the NixOS release with which your system is
- # to be compatible, in order to avoid breaking some software such as
- # database servers. You should change this only after NixOS release
- # notes say you should.
- # https://nixos.org/nixos/manual/release-notes.html
- system.stateVersion = "20.03"; # Did you read the comment?
-}