[perso/Immae/Config/Nix.git] / modules / private / system.nix

{ pkgs, lib, config, name, nodes, ... }:
{
  config = {
    deployment.secrets."secret_vars.yml" = {
      source = builtins.toString ../../nixops/secrets/vars.yml;
      destination = config.secrets.secretsVars;
      owner.user = "root";
      owner.group = "root";
      permissions = "0400";
    };

    networking.extraHosts = builtins.concatStringsSep "\n"
      (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);

    users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
    secrets.deleteSecretsVars = true;
    secrets.gpgKeys = [
      ../../nixops/public_keys/Immae.pub
    ];
    secrets.secretsVars = "/run/keys/vars.yml";

    services.openssh.enable = true;

    services.duplyBackup.profiles.system = {
      rootDir = "/var/lib";
      excludeFile = lib.mkAfter ''
        + /var/lib/nixos
        + /var/lib/udev
        + /var/lib/udisks2
        + /var/lib/systemd
        + /var/lib/private/systemd
        - /var/lib
        '';
    };
    nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
      (self: super: {
        postgresql = self.postgresql_pam;
        mariadb = self.mariadb_pam;
      }) # don’t put them as generic overlay because of home-manager
    ];

    services.journald.extraConfig = ''
      #Should be "warning" but disabled for now, it prevents anything from being stored
      MaxLevelStore=info
      MaxRetentionSec=1year
      '';

    users.users =
      builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
        isNormalUser = true;
        home = "/home/${x.name}";
        createHome = true;
        linger = true;
      } // x)) (config.hostEnv.users pkgs))
      // {
        root.packages = let
          nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
            #!${pkgs.stdenv.shell}
            sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
            '';
        in
          [
            pkgs.telnet
            pkgs.htop
            pkgs.iftop
            pkgs.bind.dnsutils
            pkgs.httpie
            pkgs.iotop
            pkgs.whois
            pkgs.ngrep
            pkgs.tcpdump
            pkgs.tshark
            pkgs.tcpflow
            # pkgs.mitmproxy # failing
            pkgs.nmap
            pkgs.p0f
            pkgs.socat
            pkgs.lsof
            pkgs.psmisc
            pkgs.openssl
            pkgs.wget

            pkgs.cnagios
            nagios-cli

            pkgs.pv
            pkgs.smartmontools
          ];
      };

    users.mutableUsers = lib.mkDefault false;

    environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
    environment.systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.rsync
      pkgs.strace
    ] ++
    (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);

    systemd.targets.maintenance = {
      description = "Maintenance target with only sshd";
      after = [ "network-online.target" "sshd.service" ];
      requires = [ "network-online.target" "sshd.service" ];
      unitConfig.AllowIsolate = "yes";
    };
  };
}
Commit	Line	Data
34abd6af	1	{ pkgs, lib, config, name, nodes, ... }:
8d213e2b IB	2	{
8d213e2b IB	3	config = {
da30ae4f IB	4	deployment.secrets."secret_vars.yml" = {
	5	source = builtins.toString ../../nixops/secrets/vars.yml;
	6	destination = config.secrets.secretsVars;
	7	owner.user = "root";
	8	owner.group = "root";
	9	permissions = "0400";
	10	};
	11
34abd6af IB	12	networking.extraHosts = builtins.concatStringsSep "\n"
	13	(lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);
	14
282c67a1 IB	15	users.extraUsers.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.nix_repository ];
	16	secrets.deleteSecretsVars = true;
	17	secrets.gpgKeys = [
	18	../../nixops/public_keys/Immae.pub
	19	];
da30ae4f	20	secrets.secretsVars = "/run/keys/vars.yml";
282c67a1	21
34abd6af IB	22	services.openssh.enable = true;
34abd6af IB	23
d2e703c5	24	services.duplyBackup.profiles.system = {
6a8252b1 IB	25	rootDir = "/var/lib";
	26	excludeFile = lib.mkAfter ''
	27	+ /var/lib/nixos
	28	+ /var/lib/udev
	29	+ /var/lib/udisks2
	30	+ /var/lib/systemd
	31	+ /var/lib/private/systemd
	32	- /var/lib
	33	'';
	34	};
9dd3eb0b	35	nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
4e3e4761 IB	36	(self: super: {
	37	postgresql = self.postgresql_pam;
	38	mariadb = self.mariadb_pam;
	39	}) # don’t put them as generic overlay because of home-manager
9dd3eb0b	40	];
8d213e2b IB	41
8d213e2b IB	42	services.journald.extraConfig = ''
2edbb2d8 IB	43	#Should be "warning" but disabled for now, it prevents anything from being stored
2edbb2d8 IB	44	MaxLevelStore=info
b31b718f	45	MaxRetentionSec=1year
8d213e2b IB	46	'';
8d213e2b IB	47
8a304ef4 IB	48	users.users =
	49	builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
	50	isNormalUser = true;
	51	home = "/home/${x.name}";
	52	createHome = true;
	53	linger = true;
	54	} // x)) (config.hostEnv.users pkgs))
	55	// {
	56	root.packages = let
	57	nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
	58	#!${pkgs.stdenv.shell}
	59	sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
	60	'';
	61	in
	62	[
	63	pkgs.telnet
	64	pkgs.htop
	65	pkgs.iftop
	66	pkgs.bind.dnsutils
	67	pkgs.httpie
	68	pkgs.iotop
	69	pkgs.whois
	70	pkgs.ngrep
	71	pkgs.tcpdump
	72	pkgs.tshark
	73	pkgs.tcpflow
2053ddac	74	# pkgs.mitmproxy # failing
8a304ef4 IB	75	pkgs.nmap
	76	pkgs.p0f
	77	pkgs.socat
	78	pkgs.lsof
	79	pkgs.psmisc
ca732a83	80	pkgs.openssl
8a304ef4	81	pkgs.wget
781c3202	82
8a304ef4 IB	83	pkgs.cnagios
8a304ef4 IB	84	nagios-cli
740a6506 IB	85
	86	pkgs.pv
	87	pkgs.smartmontools
8a304ef4 IB	88	];
8a304ef4 IB	89	};
8d213e2b	90
05a3b252	91	users.mutableUsers = lib.mkDefault false;
8d213e2b	92
8a304ef4	93	environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
258dd18b IB	94	environment.systemPackages = [
	95	pkgs.git
	96	pkgs.vim
34abd6af IB	97	pkgs.rsync
34abd6af IB	98	pkgs.strace
258dd18b IB	99	] ++
258dd18b IB	100	(lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
31e11cdf IB	101
	102	systemd.targets.maintenance = {
	103	description = "Maintenance target with only sshd";
	104	after = [ "network-online.target" "sshd.service" ];
	105	requires = [ "network-online.target" "sshd.service" ];
	106	unitConfig.AllowIsolate = "yes";
	107	};
8d213e2b IB	108	};
8d213e2b IB	109	}