X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem.nix;h=949f07d0567d4ded81b4163ad688e64ade0609fb;hb=05becbbb4be5cd18cb12d60a2d2bc0fbcda74fe4;hp=64fc2d972b3452ed61ec7137ec6497ee54100694;hpb=8a304ef46e1ad221253f883a8a296a12018e3d30;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 64fc2d9..949f07d 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -1,26 +1,37 @@ -{ pkgs, lib, config, name, ... }: +{ pkgs, lib, config, name, nodes, ... }: { config = { - services.duplyBackup.profiles.system = { - rootDir = "/var/lib"; - excludeFile = lib.mkAfter '' - + /var/lib/nixos - + /var/lib/udev - + /var/lib/udisks2 - + /var/lib/systemd - + /var/lib/private/systemd - - /var/lib - ''; - }; - nixpkgs.overlays = builtins.attrValues (import ../../overlays); - _module.args = { - pkgsNext = import {}; - pkgsPrevious = import {}; + deployment.secrets."secret_vars.yml" = { + source = builtins.toString ../../nixops/secrets/vars.yml; + destination = config.secrets.secretsVars; + owner.user = "root"; + owner.group = "root"; + permissions = "0400"; }; + networking.extraHosts = builtins.concatStringsSep "\n" + (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes); + + users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ]; + secrets.deleteSecretsVars = true; + secrets.gpgKeys = [ + ../../nixops/public_keys/Immae.pub + ]; + secrets.secretsVars = "/run/keys/vars.yml"; + + services.openssh.enable = true; + + nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [ + (self: super: { + postgresql = self.postgresql_pam; + mariadb = self.mariadb_pam; + }) # don’t put them as generic overlay because of home-manager + ]; + services.journald.extraConfig = '' - MaxLevelStore="warning" - MaxRetentionSec="1year" + #Should be "warning" but disabled for now, it prevents anything from being stored + MaxLevelStore=info + MaxRetentionSec=1year ''; users.users = 
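Review bot: The added `users.extraUsers.root.openssh.authorizedKeys.keys` line together with `services.openssh.enable = true;` enables key-based root login while leaving `permitRootLogin` and `passwordAuthentication` at whatever the NixOS release defaults to, so the effective policy lives outside this module; pinning it with `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;` would make the intent explicit and survive a default change. The `networking.extraHosts` line applies `lib.head` to `v.config.hostEnv.ips.main.ip4` for every entry in `nodes`, which aborts evaluation for any node whose list is empty — if that can occur, filtering to non-empty lists first would be safer (hostEnv is defined outside this hunk, so this is inferred). On the journald change, the removed lines quoted their values (`MaxLevelStore="warning"`, `MaxRetentionSec="1year"`) while the added ones do not, so the quoting rather than the level may have been what prevented anything from being stored; the `#Should be "warning"` comment could record that `MaxLevelStore=warning` is worth re-testing now that the quotes are gone.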
@@ -49,37 +60,39 @@
         pkgs.tcpdump
         pkgs.tshark
         pkgs.tcpflow
-        pkgs.mitmproxy
+        # pkgs.mitmproxy # failing
         pkgs.nmap
         pkgs.p0f
         pkgs.socat
         pkgs.lsof
         pkgs.psmisc
+        pkgs.openssl
         pkgs.wget
         pkgs.cnagios
         nagios-cli
+
+        pkgs.pv
+        pkgs.smartmontools
       ];
     };
-    users.mutableUsers = false;
+    users.mutableUsers = lib.mkDefault false;
     environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
-    environment.systemPackages =
-      let
-        home-manager = builtins.fetchGit {
-          url = "https://github.com/rycee/home-manager.git";
-          rev = "ef64bc598f28818d56c86629dad98b468af9c071";
-          ref = "release-19.03";
-        };
-      in
-        [
-          pkgs.git
-          pkgs.vim
-        ] ++
-        (lib.optional
-          (builtins.length (config.hostEnv.users pkgs) > 0)
-          ((pkgs.callPackage home-manager {}).home-manager)
-        );
+    environment.systemPackages = [
+      pkgs.git
+      pkgs.vim
+      pkgs.rsync
+      pkgs.strace
+    ] ++
+      (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
+
+    systemd.targets.maintenance = {
+      description = "Maintenance target with only sshd";
+      after = [ "network-online.target" "sshd.service" ];
+      requires = [ "network-online.target" "sshd.service" ];
+      unitConfig.AllowIsolate = "yes";
+    };
   };
 }
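Review bot: The `environment.systemPackages` rewrite drops the `builtins.fetchGit` pin of home-manager at rev `ef64bc598f28818d56c86629dad98b468af9c071` on `release-19.03` in favour of `pkgs.home-manager`, so the deployed version now follows whatever nixpkgs the host evaluates against rather than a fixed commit; if that nixpkgs is itself pinned this is fine, but a short comment such as `# home-manager now tracks the nixpkgs pin instead of a fixed rev` would make the change of provenance visible to the next reader. The new `systemd.targets.maintenance` unit sets `unitConfig.AllowIsolate = "yes"` without saying what isolating to it implies; a one-line comment like `# isolating to this target stops every unit not pulled in by network-online.target and sshd.service` above the block would spare an operator a surprise. `# pkgs.mitmproxy # failing` would be easier to revisit as `# TODO: pkgs.mitmproxy disabled, build failing` with the failing version or error noted.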