},
"locked": {
"lastModified": 1,
- "narHash": "sha256-JZAb5V2upUFe8gDKiHtA0iksciLTuZgtLikxZpE2ZkY=",
+ "narHash": "sha256-On+vOgbdQGNAUM9YxLHmju3ci2yvD5Us4pVLGMAIUw4=",
"path": "../flakes",
"type": "path"
},
},
"locked": {
"lastModified": 1,
- "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=",
+ "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
"path": "../systems/zoldene",
"type": "path"
},
"nixpkgs": "nixpkgs_106"
},
"locked": {
- "lastModified": 1700953172,
- "narHash": "sha256-KcFb43yLFsVOMevka1G2ddTE5JFsS72h+6XfjO7ivAs=",
+ "lastModified": 1708773401,
+ "narHash": "sha256-5UeCrBFAypxoiJ3TkmtXw40g1durDVV6AiPmzaumeQk=",
"ref": "master",
- "rev": "4518b25634f2274d2a65bf5bfc4c78c4ab450787",
- "revCount": 715,
+ "rev": "890a76ab7f560b8a8d547d2066fe5e10083b0689",
+ "revCount": 721,
"type": "git",
"url": "git+ssh://gitolite@git.immae.eu/perso/Immae/Config/Nix/Nixops/Secrets"
},
},
"locked": {
"lastModified": 1,
- "narHash": "sha256-JZAb5V2upUFe8gDKiHtA0iksciLTuZgtLikxZpE2ZkY=",
+ "narHash": "sha256-On+vOgbdQGNAUM9YxLHmju3ci2yvD5Us4pVLGMAIUw4=",
"path": "./flakes",
"type": "path"
},
},
"locked": {
"lastModified": 1,
- "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=",
+ "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
"path": "../systems/zoldene",
"type": "path"
},
},
"locked": {
"lastModified": 1,
- "narHash": "sha256-/H0YNxn7csP3GR/5e5DSv5FLAK8VBCySiyGXch+ykMg=",
+ "narHash": "sha256-26XpjFSVM3B3k2dsnmGGLwUwctJPaGiCr0u2I6MaXFA=",
"path": "../systems/zoldene",
"type": "path"
},
-{ name, config, lib, pkgs, secrets, ... }:
+{ name, config, lib, pkgs, secrets, pkgs-no-overlay, ... }:
let
# udev rules to be able to boot from qemu in a rescue
udev-qemu-rules =
'') (builtins.attrNames disks));
in
{
+ imports = [
+ secrets.nixosModules.users-config-zoldene
+ ./virtualisation.nix
+ ./certificates.nix
+ ];
+
services.openssh = {
settings.KbdInteractiveAuthentication = false;
hostKeys = [
secrets.decryptKey = "/persist/zpool/etc/ssh/ssh_host_ed25519_key";
# ssh-keyscan zoldene | nix-shell -p ssh-to-age --run ssh-to-age
secrets.ageKeys = [ "age1rqr7qdpjm8fy9nf3x07fa824v87n40g0ljrgdysuayuklnvhcynq4c8en8" ];
+
+
}
--- /dev/null
+{ ... }:
+{
+ disko.devices.zpool.zfast.datasets."root/persist/var/lib/acme" =
+ { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/acme"; options.mountpoint = "legacy"; };
+
+ environment.persistence."/persist/zfast".directories = [
+ {
+ directory = "/var/lib/acme";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ ];
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ services.nginx = {
+ enable = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
+
+}
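Review bot: `users.users.nginx.extraGroups = [ "acme" ];` gives nginx group read access to every certificate directory under /var/lib/acme (their group defaults to `acme`), i.e. every private key the host ever issues, not only the ones its virtual hosts serve. The least-privilege form is per-certificate scoping, `security.acme.certs.<name>.group = "nginx";` (or `enableACME` on the virtual host, which wires this up itself), after which the `extraGroups` line can go. The nginx block turns on the gzip/proxy/optimisation presets but not `recommendedTlsSettings = true;`, which is the preset that matters in a certificates module (protocol, cipher and session defaults). No `security.acme` options (acceptTerms, defaults.email) appear here, so they presumably live in another module; a one-line comment saying where would help the next reader.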
system = "x86_64-linux";
targetHost = "88.198.39.152";
targetUser = "root";
+ moduleArgs = {
+ pkgs-no-overlay = inputs.nixpkgs.legacyPackages.x86_64-linux;
+ };
nixosModules = with inputs; {
impermanence = impermanence.nixosModule;
base = ./base.nix;
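Review bot: The new `pkgs-no-overlay` module argument deliberately bypasses the repository's overlays, but nothing says why, and `"x86_64-linux"` is duplicated from the `system` attribute a few lines above. A short comment at the definition would save a hunt through the consumers, e.g. `# nixpkgs without this repo's overlays; virtualisation.nix takes qemu from here (presumably to avoid rebuilding it under the overlay -- confirm)`. The enclosing attribute set starts before this hunk.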
--- /dev/null
+{ pkgs-no-overlay, ... }:
+{
+ boot.kernelModules = [ "nf_nat_ftp" ];
+
+ ### Enable Docker
+ virtualisation.docker.enable = true;
+ disko.devices.zpool.zfast.datasets."root/persist/var/lib/docker" =
+ { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/docker"; options.mountpoint = "legacy"; };
+
+ ### Enable LXC
+ disko.devices.zpool.zfast.datasets."root/persist/var/lib/lxc" =
+ { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/lxc"; options.mountpoint = "legacy"; };
+ virtualisation.lxc = {
+ enable = true;
+ lxcfs.enable = true;
+ };
+
+ ### Enable libvirtd
+ virtualisation.libvirtd = {
+ enable = true;
+ qemu.package = pkgs-no-overlay.qemu;
+ };
+
+ ### Persistence for LXC / Docker
+ environment.persistence."/persist/zfast".directories = [
+ {
+ directory = "/var/lib/lxc";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ {
+ directory = "/var/lib/docker";
+ user = "root";
+ group = "root";
+ mode = "0750";
+ }
+ ];
+
+ # ip forwarding is needed for NAT'ing to work in containers/VMs.
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv4.conf.default.forwarding" = true;
+ };
+}
+
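Review bot: The persisted `/var/lib/lxc` entry is `mode = "0755"` while the Docker entry right below it is `0750`; container root filesystems (with their own /etc/shadow and whatever secrets are baked into the images) live under that directory, so it should not be world-traversable either — change it to `mode = "0750";` unless something on the host relies on unprivileged users walking it. Setting `net.ipv4.conf.all.forwarding` makes the host route between all of its interfaces, not only the container bridges; Docker and libvirt install their own iptables rules (and Docker's published ports by default bypass the NixOS firewall), whereas nothing visible here constrains the FORWARD chain for LXC traffic, so a comment or an explicit forward policy (e.g. `networking.firewall.extraForwardRules` on the nftables firewall, or `extraCommands`) is worth adding. `boot.kernelModules = [ "nf_nat_ftp" ]` on its own does nothing on current kernels, which no longer auto-assign conntrack helpers to flows; it needs explicit CT-helper rules for the FTP traffic in question, and the `net.netfilter.nf_conntrack_helper=1` shortcut should be avoided since it re-enables helper auto-assignment for every connection. `qemu.package = pkgs-no-overlay.qemu` also deserves a comment stating why qemu must come from an overlay-free nixpkgs.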