{ pkgs, lib, config, name, nodes, ... }:
# Baseline module shared by every deployed host: out-of-band secret
# delivery, inter-node name resolution, root SSH access, declarative
# users, the system backup profile, journal retention and a minimal
# maintenance target.
let
  # Host-specific user list (attribute sets carrying at least `name`),
  # supplied by the project's hostEnv module.
  hostUsers = config.hostEnv.users pkgs;

  # Wrapper so root can drive the monitoring command interface as the
  # naemon user. The `${./monitoring/nagios-cli.cfg}` interpolation copies
  # that file into the Nix store, which is world-readable, so it must not
  # contain credentials. Extra arguments are not forwarded (unchanged).
  nagiosCli = pkgs.writeScriptBin "nagios-cli" ''
    #!${pkgs.stdenv.shell}
    sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
    '';

  # PAM-enabled database servers. Kept as a host-level overlay instead of a
  # generic one because home-manager also consumes the generic overlay set.
  pamDatabases = self: super: {
    postgresql = self.postgresql_pam;
    mariadb = self.mariadb_pam;
  };

  # One "<main ip4> <node name>" line per deployed node.
  nodeHosts = lib.concatStringsSep "\n"
    (lib.mapAttrsToList (hostName: node: "${node.config.hostEnv.ips.main.ip4} ${hostName}") nodes);

  # Units the maintenance target keeps so that SSH stays reachable.
  maintenanceDeps = [ "network-online.target" "sshd.service" ];
in
{
  config = {
    # Ship the variables file out of band. builtins.toString on the path
    # hands the deployment tool a plain path string; interpolating the path
    # ("${...}") would instead copy the secret into the world-readable
    # Nix store.
    deployment.secrets."secret_vars.yml" = {
      source = builtins.toString ../../nixops/secrets/vars.yml;
      destination = config.secrets.secretsVars;
      owner = { user = "root"; group = "root"; };
      permissions = "0400";
    };

    secrets = {
      # Delivered under /run (not persisted across boots), root-only, and
      # removed once consumed.
      secretsVars = "/run/keys/vars.yml";
      deleteSecretsVars = true;
      gpgKeys = [ ../../nixops/public_keys/Immae.pub ];
    };

    networking.extraHosts = nodeHosts;

    services = {
      openssh.enable = true;

      # Only the system-state parts of /var/lib belong to the "system"
      # profile. mkAfter places these rules after any profile-specific
      # rules, and the closing "- /var/lib" drops everything not listed.
      duplyBackup.profiles.system = {
        rootDir = "/var/lib";
        excludeFile = lib.mkAfter ''
          + /var/lib/nixos
          + /var/lib/udev
          + /var/lib/udisks2
          + /var/lib/systemd
          + /var/lib/private/systemd
          - /var/lib
          '';
      };

      # Keep a year of journal. The "#Should be warning" line is part of
      # the shipped drop-in and is kept verbatim. NOTE(review): raising
      # MaxLevelStore to "warning" would also discard the records that
      # matter for auditing (sshd "Accepted publickey" and sudo command
      # lines are logged below warning severity), so info is the right
      # floor if the journal is used as an audit source.
      journald.extraConfig = ''
        #Should be "warning" but disabled for now, it prevents anything from being stored
        MaxLevelStore=info
        MaxRetentionSec=1year
        '';
    };

    nixpkgs.overlays = lib.attrValues (import ../../overlays) ++ [ pamDatabases ];

    users = {
      # Declarative accounts only: passwd/shadow edits do not survive a
      # rebuild, so the key below plus the hostEnv user list are the whole
      # account surface. mkDefault lets a host opt out.
      mutableUsers = lib.mkDefault false;

      # Key-based root login for the deployment repository's key. This file
      # leaves PermitRootLogin and PasswordAuthentication at the NixOS
      # release defaults; NOTE(review): consider pinning
      # `PasswordAuthentication no` explicitly so the policy does not
      # silently follow a release upgrade.
      extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];

      users =
        let
          # Per-user defaults; the host's own attributes (right-hand side of
          # `//`) win on conflict.
          defaults = u: {
            isNormalUser = true;
            home = "/home/${u.name}";
            createHome = true;
            linger = true;
          };
          declared = lib.listToAttrs
            (map (u: lib.nameValuePair u.name (defaults u // u)) hostUsers);
        in
        declared // {
          # Diagnostic and network tooling installed for root only.
          root.packages = [
            pkgs.telnet # cleartext protocol client
            pkgs.htop
            pkgs.iftop
            pkgs.bind.dnsutils
            pkgs.httpie
            pkgs.iotop
            pkgs.whois
            pkgs.ngrep
            pkgs.tcpdump
            pkgs.tshark
            pkgs.tcpflow
            # pkgs.mitmproxy # build currently failing
            pkgs.nmap
            pkgs.p0f
            pkgs.socat
            pkgs.lsof
            pkgs.psmisc
            pkgs.openssl
            pkgs.wget
            pkgs.cnagios
            nagiosCli
            pkgs.pv
            pkgs.smartmontools
          ];
        };
    };

    environment = {
      etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
      # home-manager is only pulled in when the host actually declares users.
      systemPackages = [ pkgs.git pkgs.vim pkgs.rsync pkgs.strace ]
        ++ lib.optional (hostUsers != [ ]) pkgs.home-manager;
    };

    # `systemctl isolate maintenance.target` leaves only sshd and the
    # network it depends on running.
    systemd.targets.maintenance = {
      description = "Maintenance target with only sshd";
      after = maintenanceDeps;
      requires = maintenanceDeps;
      unitConfig.AllowIsolate = "yes";
    };
  };
}