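{ pkgs, lib, config, name, nodes, ... }:
# Baseline configuration shared by the private hosts: name resolution for the
# other nodes, root SSH access, the /var/lib backup profile, package overlays,
# journald retention, declaratively managed users, root's tool set and a
# minimal "maintenance" target.
{
  config = {
    # One /etc/hosts line per deployed node, mapping the node's main IPv4
    # address (hostEnv.ips.main.ip4) to its node name.
    networking.extraHosts = builtins.concatStringsSep "\n"
      (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes);

    # Root is reachable over SSH with the public key shipped in the private
    # files. No sshd settings are tuned here, so the module defaults for
    # PermitRootLogin / password auth apply — NOTE(review): confirm the
    # defaults in use restrict root to key-based authentication.
    users.extraUsers.root.openssh.authorizedKeys.keyFiles = [ "${config.myEnv.privateFiles}/id_ed25519.pub" ];
    services.openssh.enable = true;

    # duply backup profile rooted at /var/lib. mkAfter appends these rules
    # after whatever other profiles contribute, so the trailing "- /var/lib"
    # is the catch-all for everything not matched earlier; presumably "+"
    # selects and "-" excludes in duply's filelist syntax — verify against
    # the duply docs before relying on the exact set of backed-up paths.
    services.duplyBackup.profiles.system = {
      rootDir = "/var/lib";
      excludeFile = lib.mkAfter ''
        + /var/lib/nixos
        + /var/lib/udev
        + /var/lib/udisks2
        + /var/lib/systemd
        + /var/lib/private/systemd
        - /var/lib
        '';
    };

    # Project overlays plus a host-only overlay swapping in the PAM-enabled
    # database builds.
    nixpkgs.overlays = builtins.attrValues (import ../../overlays) ++ [
      (self: super: {
        postgresql = self.postgresql_pam;
        mariadb = self.mariadb_pam;
      }) # don’t put them as generic overlay because of home-manager
    ];

    # Persist journal entries up to "info" and keep them for a year.
    # (The leading "#" line below is a journald config comment, written
    # verbatim into the drop-in.)
    services.journald.extraConfig = ''
      #Should be "warning" but disabled for now, it prevents anything from being stored
      MaxLevelStore=info
      MaxRetentionSec=1year
      '';

    users.users =
      # Every entry returned by hostEnv.users becomes a normal user with a
      # home under /home and lingering enabled (user-level systemd units keep
      # running without a login session). "// x" lets the entry override any
      # of those defaults.
      builtins.listToAttrs (map (x: lib.attrsets.nameValuePair x.name ({
        isNormalUser = true;
        home = "/home/${x.name}";
        createHome = true;
        linger = true;
      } // x)) (config.hostEnv.users pkgs))
      // {
        # Tools installed for root only (not system-wide): mostly network
        # diagnostics and packet capture, plus the monitoring CLI.
        root.packages = let
          # Runs nagios-cli as the naemon user with the bundled config.
          # Command-line arguments are forwarded with "$@" so the tool can be
          # driven non-interactively; without it any arguments given to the
          # wrapper were silently dropped.
          nagios-cli = pkgs.writeScriptBin "nagios-cli" ''
            #!${pkgs.stdenv.shell}
            exec sudo -u naemon ${pkgs.nagios-cli}/bin/nagios-cli -c ${./monitoring/nagios-cli.cfg} "$@"
            '';
        in
          [
            pkgs.telnet # plain-text client; useful only as a port probe
            pkgs.htop
            pkgs.iftop
            pkgs.bind.dnsutils
            pkgs.httpie
            pkgs.iotop
            pkgs.whois
            pkgs.ngrep
            pkgs.tcpdump
            pkgs.tshark
            pkgs.tcpflow
            # pkgs.mitmproxy # failing
            pkgs.nmap
            pkgs.p0f
            pkgs.socat
            pkgs.lsof
            pkgs.psmisc
            pkgs.openssl
            pkgs.wget

            pkgs.cnagios
            nagios-cli

            pkgs.pv
            pkgs.smartmontools
          ];
      };

    # Accounts and passwords are managed declaratively (no useradd/passwd
    # drift); mkDefault lets an individual host opt back out.
    users.mutableUsers = lib.mkDefault false;

    # Expose cnagios' bundled docs under /etc/cnagios; home-manager is only
    # pulled in on hosts that actually declare users.
    environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
    environment.systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.rsync
      pkgs.strace
    ] ++
    (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);

    # Isolatable target (systemctl isolate maintenance.target) that brings up
    # only the network and sshd, so the host stays reachable while everything
    # else is stopped.
    systemd.targets.maintenance = {
      description = "Maintenance target with only sshd";
      after = [ "network-online.target" "sshd.service" ];
      requires = [ "network-online.target" "sshd.service" ];
      unitConfig.AllowIsolate = "yes";
    };
  };
}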