# modules/private/system.nix
#
# Base system settings shared by the hosts: host-name resolution between
# nodes, root SSH access, the "system" backup profile, package overlays,
# journald retention, user accounts, admin tooling and a maintenance target.
{ pkgs, lib, config, name, nodes, ... }:
let
  # User descriptions for this host, as returned by the project-level
  # `hostEnv.users` function (its schema is not visible in this file).
  hostUsers = config.hostEnv.users pkgs;

  # One "<ipv4> <node name>" line per known node.
  nodeHostLines = lib.mapAttrsToList
    (host: node: "${node.config.hostEnv.ips.main.ip4} ${host}")
    nodes;

  # Turn one user description into a `users.users` entry. The defaults come
  # first and the description is merged over them, so a description can
  # override any of them (including `isNormalUser`).
  # NOTE(review): `linger` presumably enables systemd lingering, i.e. user
  # services that keep running without a login session; confirm against the
  # module that declares it.
  mkHostUser = user: lib.attrsets.nameValuePair user.name ({
    isNormalUser = true;
    home = "/home/${user.name}";
    createHome = true;
    linger = true;
  } // user);

  # Wrapper that runs nagios-cli as the `naemon` user through sudo.
  # The `${./monitoring/nagios-cli.cfg}` interpolation copies that file into
  # the Nix store, which is world-readable: it must not contain credentials.
  nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
    #!${pkgs.stdenv.shell}
    sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg}
  '';

  # Diagnostic, capture and monitoring tools placed in root's profile only,
  # not in environment.systemPackages.
  rootTools = [
    pkgs.telnet
    pkgs.htop
    pkgs.iftop
    pkgs.bind.dnsutils
    pkgs.httpie
    pkgs.iotop
    pkgs.whois
    pkgs.ngrep
    pkgs.tcpdump
    pkgs.tshark
    pkgs.tcpflow
    # pkgs.mitmproxy # failing
    pkgs.nmap
    pkgs.p0f
    pkgs.socat
    pkgs.lsof
    pkgs.psmisc
    pkgs.openssl
    pkgs.wget

    pkgs.cnagios
    nagios-cli

    pkgs.pv
    pkgs.smartmontools
  ];
in
{
  config = {
    # Static name resolution for every node, keyed on its main IPv4 address.
    networking.extraHosts = builtins.concatStringsSep "\n" nodeHostLines;

    # Root logs in over SSH with this public key. No sshd hardening option
    # (root login policy, password authentication) is set in this module, so
    # the effective policy comes from defaults or from other modules.
    # NOTE(review): the `users.extraUsers` alias is presumably used because
    # `users.users` is assigned as a whole expression further down; confirm
    # before renaming it.
    users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ];
    services.openssh.enable = true;

    # "system" backup profile rooted at /var/lib. The list appended to the
    # exclude file selects the five `+` paths and drops the rest of /var/lib
    # through the final `- /var/lib` line.
    services.duplyBackup.profiles.system = {
      rootDir = "/var/lib";
      excludeFile = lib.mkAfter ''
        + /var/lib/nixos
        + /var/lib/udev
        + /var/lib/udisks2
        + /var/lib/systemd
        + /var/lib/private/systemd
        - /var/lib
      '';
    };

    # Project overlays, followed by a local overlay that points `postgresql`
    # and `mariadb` at their `_pam` variants, so everything built from these
    # package names on the host uses the substituted builds.
    nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
      (self: super: {
        postgresql = self.postgresql_pam;
        mariadb = self.mariadb_pam;
      }) # not a generic overlay because of home-manager
    ];

    # Keep a year of journal, restricted to messages at level "warning" and
    # above. Info-level messages are therefore not stored here; by default
    # that is where sshd records accepted logins, so login auditing needs
    # another source.
    # NOTE(review): both values are written with double quotes; confirm that
    # journald accepts them in this form and does not ignore the settings.
    services.journald.extraConfig = ''
      MaxLevelStore="warning"
      MaxRetentionSec="1year"
    '';

    # Host users first, then root's package list. `//` is a shallow merge: an
    # entry named `root` among the host users would be replaced entirely.
    users.users =
      builtins.listToAttrs (map mkHostUser hostUsers)
      // {
        root.packages = rootTools;
      };

    # Accounts and passwords are defined by this configuration only.
    users.mutableUsers = false;

    # Expose the documentation directory shipped with cnagios as /etc/cnagios.
    environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";

    # Baseline tools for everyone; home-manager only when the host has users.
    environment.systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.rsync
      pkgs.strace
    ] ++
    (lib.optional (builtins.length hostUsers > 0) pkgs.home-manager);

    # Target that can be isolated to (AllowIsolate) and pulls in only the
    # network and sshd, leaving SSH as the way into the machine.
    systemd.targets.maintenance = {
      description = "Maintenance target with only sshd";
      after = [ "network-online.target" "sshd.service" ];
      requires = [ "network-online.target" "sshd.service" ];
      unitConfig.AllowIsolate = "yes";
    };
  };
}