X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem.nix;h=8be7368d8d4a2e306f8307c691948062feeb0962;hb=da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2;hp=66208c4b316f2170e5322624f1208390afcffaca;hpb=619e4f46adc15e409122c4e0fa0e0a0b811bb32f;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 66208c4..8be7368 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -1,6 +1,26 @@
-{ pkgs, lib, config, name, ... }:
+{ pkgs, lib, config, name, nodes, ... }:
 {
 config = {
+ deployment.secrets."secret_vars.yml" = {
+ source = builtins.toString ../../nixops/secrets/vars.yml;
+ destination = config.secrets.secretsVars;
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ };
+
+ networking.extraHosts = builtins.concatStringsSep "\n"
+ (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
+ secrets.deleteSecretsVars = true;
+ secrets.gpgKeys = [
+ ../../nixops/public_keys/Immae.pub
+ ];
+ secrets.secretsVars = "/run/keys/vars.yml";
+
+ services.openssh.enable = true;
+
 services.duplyBackup.profiles.system = {
 rootDir = "/var/lib";
 excludeFile = lib.mkAfter ''
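Review bot: `users.extraUsers.root.openssh.authorizedKeys.keys` installs a root login key while the new `services.openssh.enable = true;` leaves the root-login and password-authentication policy at the NixOS defaults, so the intended policy is only implicit; pin it next to the key with `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;`. `users.extraUsers` is the legacy alias of `users.users`, which the second hunk already uses, so the key could be set through `users.users.root` for consistency. The `source = builtins.toString ../../nixops/secrets/vars.yml;` line deserves a comment, because the `toString` is what keeps the file from being copied into the world-readable Nix store: `# toString: reference the path, do not copy the secrets into /nix/store`. `destination` reads `config.secrets.secretsVars`, which is only assigned a few lines later to `/run/keys/vars.yml`; a one-line note tying the two together would spare the next reader the lookup.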
@@ -12,52 +32,78 @@
 - /var/lib
 '';
 };
- nixpkgs.overlays = builtins.attrValues (import ../../overlays);
- _module.args = {
- pkgsNext = import {};
- pkgsPrevious = import {};
- };
+ nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
+ (self: super: {
+ postgresql = self.postgresql_pam;
+ mariadb = self.mariadb_pam;
+ }) # don’t put them as generic overlay because of home-manager
+ ];
 services.journald.extraConfig = ''
- MaxLevelStore="warning"
- MaxRetentionSec="1year"
+ #Should be "warning" but disabled for now, it prevents anything from being stored
+ MaxLevelStore=info
+ MaxRetentionSec=1year
 '';
- users.mutableUsers = false;
- users.users.root.packages = let
- nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
- #!${pkgs.stdenv.shell}
- sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
- '';
- in
- [
- pkgs.telnet
- pkgs.htop
- pkgs.iftop
- pkgs.bind.dnsutils
- pkgs.httpie
- pkgs.iotop
- pkgs.whois
- pkgs.ngrep
- pkgs.tcpdump
- pkgs.tshark
- pkgs.tcpflow
- pkgs.mitmproxy
- pkgs.nmap
- pkgs.p0f
- pkgs.socat
- pkgs.lsof
- pkgs.psmisc
- pkgs.wget
-
- pkgs.cnagios
- nagios-cli
- ];
+ users.users =
+ builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
+ isNormalUser = true;
+ home = "/home/${x.name}";
+ createHome = true;
+ linger = true;
+ } // x)) (config.hostEnv.users pkgs))
+ // {
+ root.packages = let
+ nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
+ #!${pkgs.stdenv.shell}
+ sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
+ '';
+ in
+ [
+ pkgs.telnet
+ pkgs.htop
+ pkgs.iftop
+ pkgs.bind.dnsutils
+ pkgs.httpie
+ pkgs.iotop
+ pkgs.whois
+ pkgs.ngrep
+ pkgs.tcpdump
+ pkgs.tshark
+ pkgs.tcpflow
+ # pkgs.mitmproxy # failing
+ pkgs.nmap
+ pkgs.p0f
+ pkgs.socat
+ pkgs.lsof
+ pkgs.psmisc
+ pkgs.openssl
+ pkgs.wget
+
+ pkgs.cnagios
+ nagios-cli
+
+ pkgs.pv
+ pkgs.smartmontools
+ ];
+ };
+
+ users.mutableUsers = lib.mkDefault false;
 environment.etc.cnagios.source =
"${pkgs.cnagios}/share/doc/cnagios";
 environment.systemPackages = [
+ pkgs.git
 pkgs.vim
- ];
+ pkgs.rsync
+ pkgs.strace
+ ] ++
+ (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
+ systemd.targets.maintenance = {
+ description = "Maintenance target with only sshd";
+ after = [ "network-online.target" "sshd.service" ];
+ requires = [ "network-online.target" "sshd.service" ];
+ unitConfig.AllowIsolate = "yes";
+ };
 };
 }
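Review bot: `users.mutableUsers = lib.mkDefault false;` weakens the previous hard `false`: any other module can now re-enable mutable users for every host without a conflict error, so passwords or group memberships changed out of band would survive rebuilds; if a single host needs it, set `users.mutableUsers = true;` in that host's module only and keep the plain `false` here, or at minimum annotate it with `# mkDefault: hosts may override — list them here`. In the `users.users` merge, `} // x))` lets every `config.hostEnv.users pkgs` entry override the defaults above it, including `isNormalUser`, `createHome` and `linger`, which is not obvious at the call site; a comment such as `# fields of the hostEnv entry win over these defaults (right operand of // overrides)` on that line would record it. The `maintenance` target requires only `network-online.target` and `sshd.service`, so isolating it presumably stops every unit not pulled in by those, the firewall service included; if that is the intent, say so on the `description` line, otherwise add the units that must stay up to `requires`.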