description = "Host FQDN";
type = str;
};
+ users = mkOption {
+ type = unspecified;
+ default = pkgs: [];
+ description = ''
+ Sublist of users from realUsers. Function that takes pkgs as
+ argument and gives an array as a result
+ '';
+ };
emails = mkOption {
default = [];
description = "List of e-mails that the server can be a sender of";
};
};
};
+ realUsers = mkOption {
+ description = ''
+ Attrset of function taking pkgs as argument.
+ Real users settings, should provide a subattr of users.users.<name>
+ with at least: name, (hashed)Password, shell
+ '';
+ type = attrsOf unspecified;
+ };
users = mkOption {
description = "System and regular users uid/gid";
type = attrsOf (submodule {
MaxRetentionSec="1year"
'';
- users.mutableUsers = false;
- users.users.root.packages = let
- nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
- #!${pkgs.stdenv.shell}
- sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
- '';
- in
- [
- pkgs.telnet
- pkgs.htop
- pkgs.iftop
- pkgs.bind.dnsutils
- pkgs.httpie
- pkgs.iotop
- pkgs.whois
- pkgs.ngrep
- pkgs.tcpdump
- pkgs.tshark
- pkgs.tcpflow
- pkgs.mitmproxy
- pkgs.nmap
- pkgs.p0f
- pkgs.socat
- pkgs.lsof
- pkgs.psmisc
- pkgs.wget
+ users.users =
+ builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
+ isNormalUser = true;
+ home = "/home/${x.name}";
+ createHome = true;
+ linger = true;
+ } // x)) (config.hostEnv.users pkgs))
+ // {
+ root.packages = let
+ nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
+ #!${pkgs.stdenv.shell}
+ sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
+ '';
+ in
+ [
+ pkgs.telnet
+ pkgs.htop
+ pkgs.iftop
+ pkgs.bind.dnsutils
+ pkgs.httpie
+ pkgs.iotop
+ pkgs.whois
+ pkgs.ngrep
+ pkgs.tcpdump
+ pkgs.tshark
+ pkgs.tcpflow
+ pkgs.mitmproxy
+ pkgs.nmap
+ pkgs.p0f
+ pkgs.socat
+ pkgs.lsof
+ pkgs.psmisc
+ pkgs.wget
- pkgs.cnagios
- nagios-cli
- ];
+ pkgs.cnagios
+ nagios-cli
+ ];
+ };
- environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
- environment.systemPackages = [
- pkgs.vim
- ];
+ users.mutableUsers = false;
+ environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
+ environment.systemPackages =
+ let
+ home-manager = builtins.fetchGit {
+ url = "https://github.com/rycee/home-manager.git";
+ rev = "ef64bc598f28818d56c86629dad98b468af9c071";
+ ref = "release-19.03";
+ };
+ in
+ [
+ pkgs.git
+ pkgs.vim
+ ] ++
+ (lib.optional
+ (builtins.length (config.hostEnv.users pkgs) > 0)
+ ((pkgs.callPackage home-manager {}).home-manager)
+ );
};
}
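Review bot: Nothing in the `users.users` mapping at L57–L63 enforces that each entry returned by `config.hostEnv.users pkgs` carries `hashedPassword` rather than `password`; the attrset is merged as-is (`// x`), and NixOS stores a `password` value in clear text in the world-readable Nix store, while the option text this commit adds for `realUsers` only says "(hashed)Password". An assertion next to the mapping closes that gap, e.g. `assertions = [ { assertion = lib.all (u: !(u ? password)) (config.hostEnv.users pkgs); message = "hostEnv.users entries must set hashedPassword, not password"; } ];`. The defaults block also sets `linger = true` for every listed user, which keeps their user services running after logout; a one-line comment stating why that is wanted for all of them would help the next reader. The `home-manager` fetch at L105–L109 is pinned to an explicit `rev`, which is the right form. The enclosing config attrset starts before this hunk.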
--- /dev/null
+{ privateFiles }:
+{ config, pkgs, ... }:
+{
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+
+ networking = {
+ firewall.enable = false;
+ interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: { address = ips.ip4; prefixLength = 32; })
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
+ interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+ (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+ config.hostEnv.ips);
+ };
+
+ myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ];
+ imports = builtins.attrValues (import ../..);
+
+ deployment = {
+ targetEnv = "hetzner";
+ hetzner = {
+ robotUser = config.myEnv.hetzner.user;
+ robotPass = config.myEnv.hetzner.pass;
+ mainIPv4 = config.hostEnv.ips.main.ip4;
+ partitions = ''
+ clearpart --all --initlabel --drives=sda,sdb,sdc,sdd
+
+ part swap --recommended --label=swap --fstype=swap --ondisk=sda
+
+ part raid.1 --grow --ondisk=sdc
+ part raid.2 --grow --ondisk=sdd
+
+ raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
+
+ part /nix --grow --label=nix --ondisk=sda
+ part /data --grow --label=data --ondisk=sdb
+ '';
+ };
+ };
+
+ programs.zsh.enable = true;
+
+ time.timeZone = "Europe/Paris";
+ nix = {
+ useSandbox = "relaxed";
+ extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ #Assumed in NUR
+ allow-import-from-derivation = true
+ '';
+ };
+
+ # This is equivalent to setting environment.sessionVariables.NIX_PATH
+ nix.nixPath = [
+ "home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz"
+ "nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz"
+ ];
+
+ # This value determines the NixOS release with which your system is
+ # to be compatible, in order to avoid breaking some software such as
+ # database servers. You should change this only after NixOS release
+ # notes say you should.
+ # https://nixos.org/nixos/manual/release-notes.html
+ system.stateVersion = "19.03"; # Did you read the comment?
+}
+
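Review bot: `firewall.enable = false;` at L129 disables the NixOS firewall on a host whose public IPv4 and IPv6 addresses are configured a few lines below (L130–L135), so every listening service on dilion is reachable as soon as it starts, and the file gives no reason for it. If the rules are meant to live in another module, say so above the line, e.g. `# Firewall handled by <module> — intentionally disabled here`; otherwise drop the line so the default-enabled firewall applies and open ports per service. `nix.nixPath` at L177–L180 points at unpinned tarballs (`archive/release-19.03.tar.gz`, `nixos-19.03/nixexprs.tar.xz`) with no revision or hash, so what `<nixpkgs>` resolves to changes underneath the host over time, unlike the `fetchGit` with an explicit `rev` used elsewhere in this commit; a `builtins.fetchTarball` with `sha256` keeps evaluations reproducible. `useSandbox = "relaxed"` at L167 lets derivations that set `__noChroot` build outside the sandbox, and a comment naming which package needs that would make the choice reviewable later.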
ssh-eldiron:
$(NIXOPS_PRIV) ssh eldiron -- $(SSH_ARGS)
+ssh-dilion:
+ $(NIXOPS_PRIV) ssh dilion -- $(SSH_ARGS)
+
ssh-backup-2:
$(NIXOPS_PRIV) ssh backup-2 -- $(SSH_ARGS)
delete-generations:
nix-env -p $(profile) --delete-generations $(GEN)
$(NIXOPS_PRIV) ssh eldiron -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
+ $(NIXOPS_PRIV) ssh dilion -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
$(NIXOPS_PRIV) ssh backup-2 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
$(NIXOPS_PRIV) ssh monitoring-1 -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN)
.PHONY: delete-generations
cleanup: delete-generations
nix-store --gc
$(NIXOPS_PRIV) ssh eldiron -- nix-store --gc
+ $(NIXOPS_PRIV) ssh dilion -- nix-store --gc
$(NIXOPS_PRIV) ssh backup-2 -- nix-store --gc
$(NIXOPS_PRIV) ssh monitoring-1 -- nix-store --gc
.PHONY: cleanup
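Review bot: The host list is now spelled out separately in three places in this hunk (`ssh-dilion` at L192, `delete-generations` at L200, `cleanup` at L207), so the next host means editing each of them, and one that is missed silently escapes garbage collection. A single `HOSTS` variable, one pattern rule for the `ssh-<host>` targets and a shell loop in the two cleanup recipes keep the list in one place; the loop needs `|| exit 1` so a failing host still fails the target, as the current one-command-per-line form does. `ssh-dilion` has no `.PHONY` declaration in view, unlike `delete-generations` and `cleanup`; if the file declares none for the ssh targets, a stray file named `ssh-dilion` would turn the target into a no-op. `$(GEN)` is also passed to `--delete-generations` on every host without a check that it was given; `@$(if $(strip $(GEN)),,$(error GEN is required))` as the first recipe line is the usual guard.
```make
HOSTS := eldiron dilion backup-2 monitoring-1
.PHONY: $(HOSTS:%=ssh-%) delete-generations cleanup
# replaces the per-host ssh-<host> rules
ssh-%:
	$(NIXOPS_PRIV) ssh $* -- $(SSH_ARGS)
delete-generations:
	@$(if $(strip $(GEN)),,$(error GEN is required))
	nix-env -p $(profile) --delete-generations $(GEN)
	for h in $(HOSTS); do $(NIXOPS_PRIV) ssh $$h -- nix-env -p /nix/var/nix/profiles/system --delete-generations $(GEN) || exit 1; done
cleanup: delete-generations
	nix-store --gc
	for h in $(HOSTS); do $(NIXOPS_PRIV) ssh $$h -- nix-store --gc || exit 1; done
```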
# Used by hetzner cloud to provision machines
resources.sshKeyPairs.ssh-key = {};
+ dilion = import ../modules/private/system/dilion.nix { inherit privateFiles; };
eldiron = import ../modules/private/system/eldiron.nix { inherit privateFiles; };
backup-2 = import ../modules/private/system/backup-2.nix { inherit privateFiles; };
monitoring-1 = import ../modules/private/system/monitoring-1.nix { inherit privateFiles; };