blob: 48266c861fbf395ac6487fdab32daba80e343637 (
plain) (
tree)
|
|
{
network = {
description = "Immae's network";
enableRollback = true;
};
eldiron = { config, pkgs, mylibs, myconfig, ... }:
with mylibs;
{
_module.args = {
mylibs = import ../libs.nix;
myconfig = {
ips = {
main = "176.9.151.89";
production = "176.9.151.154";
integration = "176.9.151.155";
};
};
};
imports = [
./modules/certificates.nix
./modules/gitolite
./modules/databases
./modules/websites
];
services.myGitolite.enable = true;
services.myDatabases.enable = true;
services.myWebsites.production.enable = true;
services.myWebsites.integration.enable = true;
services.myWebsites.tools.enable = true;
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ 22 ];
};
};
deployment = {
targetEnv = "hetzner";
hetzner = {
#robotUser = "defined in HETZNER_ROBOT_USER";
#robotPass = "defined in HETZNER_ROBOT_PASS";
mainIPv4 = myconfig.ips.main;
partitions = ''
clearpart --all --initlabel --drives=sda,sdb
part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
part raid.1 --grow --ondisk=sda
part raid.2 --grow --ondisk=sdb
raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
'';
};
};
environment.systemPackages = [
pkgs.telnet
pkgs.htop
pkgs.vim
];
services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
AuthorizedKeysCommandUser nobody
'';
environment.etc."ssh/ldap_authorized_keys" = let
ldap_authorized_keys =
assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
wrap {
name = "ldap_authorized_keys";
file = ./ldap_authorized_keys.sh;
vars = {
LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
ECHO = "${pkgs.coreutils}/bin/echo";
};
paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
};
in {
enable = true;
mode = "0755";
user = "root";
source = ldap_authorized_keys;
};
};
}
|
