X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem.nix;h=d0943abef708036d34531ccdae9e0e8b4a8bad72;hb=bbea22c02b6c059a6be1064391f06737ee244ba6;hp=0e72d9962fec977563a3607002aa44910cc42f89;hpb=2edbb2d889bd9d1787bc1745a75c1b6969d148ab;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 0e72d99..d0943ab 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -1,29 +1,35 @@
 { pkgs, lib, config, name, nodes, ... }:
 {
 config = {
+ deployment.secrets."secret_vars.yml" = {
+ source = builtins.toString ../../nixops/secrets/vars.yml;
+ destination = config.secrets.secretsVars;
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ };
+
 networking.extraHosts = builtins.concatStringsSep "\n"
- (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
+ (lib.mapAttrsToList (n: v: "${lib.head v.config.hostEnv.ips.main.ip4} ${n}") nodes);
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
+ secrets.deleteSecretsVars = true;
+ secrets.gpgKeys = [
+ ../../nixops/public_keys/Immae.pub
+ ];
+ secrets.secretsVars = "/run/keys/vars.yml";
- users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ];
 services.openssh.enable = true;
- services.duplyBackup.profiles.system = {
- rootDir = "/var/lib";
- excludeFile = lib.mkAfter ''
- + /var/lib/nixos
- + /var/lib/udev
- + /var/lib/udisks2
- + /var/lib/systemd
- + /var/lib/private/systemd
- - /var/lib
- '';
- };
 nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
 (self: super: {
 postgresql = self.postgresql_pam;
 mariadb = self.mariadb_pam;
 }) # don’t put them as generic overlay because of home-manager
 ];
+ nixpkgs.config.permittedInsecurePackages = [
+ "nodejs-10.24.1"
+ ];
 services.journald.extraConfig = ''
 #Should be "warning" but disabled for now, it prevents anything from being stored
@@ -37,6 +43,7 @@
 home = "/home/${x.name}";
 createHome = true;
 linger = true;
+ # Enable in latest unstable
 homeMode = "755";
 } // x)) (config.hostEnv.users pkgs)) // {
 root.packages = let
@@ -46,7 +53,7 @@
 '';
 in [
- pkgs.telnet
+ pkgs.inetutils
 pkgs.htop
 pkgs.iftop
 pkgs.bind.dnsutils
@@ -55,7 +62,7 @@
 pkgs.whois
 pkgs.ngrep
 pkgs.tcpdump
- pkgs.tshark
+ pkgs.wireshark-cli
 pkgs.tcpflow
 # pkgs.mitmproxy # failing
 pkgs.nmap
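Review bot: The added `# Enable in latest unstable` comment sits directly above the unchanged `homeMode = "755";` and does not say what is to be enabled or why it is gated on unstable, so a later reader cannot tell whether it is a stale TODO or a hint that the option only exists in newer nixpkgs. Suggest naming the option and the condition, e.g. `# TODO: <option> requires nixpkgs unstable; enable once this host tracks it` (placeholder to be filled in by the author). The enclosing per-user mapping function (`x: { … } // x`) starts outside the hunk.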
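Review bot: Replacing `pkgs.telnet` with `pkgs.inetutils` in the `in [` list puts the whole inetutils tool set on root's PATH (upstream GNU inetutils ships ftp, rsh/rlogin/rcp, talk and tftp clients besides telnet), while the intent appears to be only keeping a telnet client after the `pkgs.telnet` attribute stopped being usable (inferred; the commit message is not visible here). A short comment would record that intent for the next cleanup, e.g. `pkgs.inetutils # telnet client; pkgs.telnet attribute no longer available`. If only telnet is wanted, it is worth checking whether a narrower package exists in the pinned nixpkgs. The `root.packages` list continues into the next hunk and ends outside this one.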