authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-05 15:57:20 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-06 00:25:00 +0200
commit258dd18bac4bf5dd03cf1098ffa35cb954f9e015 (patch)
tree03ca447495573f6745b701096d8b31283ce30466 /modules/private
parente7b890d0999fe54a99f84fe92d625d9d488358dc (diff)
Upgrade to nixos-unstable
Diffstat (limited to 'modules/private')
-rw-r--r--modules/private/certificates.nix12
-rw-r--r--modules/private/databases/mariadb.nix39
-rw-r--r--modules/private/databases/openldap/default.nix1
-rw-r--r--modules/private/databases/postgresql.nix15
-rw-r--r--modules/private/ftp.nix17
-rw-r--r--modules/private/monitoring/status.nix6
-rw-r--r--modules/private/system.nix21
-rw-r--r--modules/private/system/backup-2.nix6
-rw-r--r--modules/private/system/dilion.nix4
-rw-r--r--modules/private/tasks/default.nix1
10 files changed, 54 insertions, 68 deletions
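--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -12,7 +12,6 @@
 (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
 (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
 ];
-plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
 };
 description = "Default configuration for certificates";
 };
@@ -30,6 +29,7 @@
 myServices.databasesCerts = config.myServices.certificates.certConfig;
 myServices.ircCerts = config.myServices.certificates.certConfig;
 
+security.acme.acceptTerms = true;
 security.acme.preliminarySelfsigned = true;
 
 security.acme.certs = {
@@ -39,18 +39,16 @@
 };
 
 systemd.services = lib.attrsets.mapAttrs' (k: v:
-lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
-(lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
+lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
 cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-'') +
-(lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
+
 cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
 chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
 chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
-'')
-; })
+'';
+}
 ) config.security.acme.certs //
 lib.attrsets.mapAttrs' (k: data:
 lib.attrsets.nameValuePair "acme-${k}" {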
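Review bot: The copy into the certificate directory is now attached with `lib.mkBefore` on `script`, which places these `cp`/`chown`/`chmod` lines ahead of whatever script the `acme-selfsigned-${k}` unit already carries; if that unit's own script is what produces `$workdir/server.crt` and `$workdir/ca.crt`, the copy runs before the files exist and the unit fails on first boot — please confirm the intended order, and use `lib.mkAfter` if the copy must follow generation. Independently, `$workdir` and the target paths are unquoted in all six commands, so a directory option containing whitespace would split the arguments; `cp "$workdir/server.crt" "${config.security.acme.certs."${k}".directory}/cert.pem"` (and likewise for the chain) is safer. The surrounding `mapAttrs'` expression continues outside the hunk.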
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 04e4bd6..36edaeb 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -94,26 +94,27 @@ in {
94 enable = true; 94 enable = true;
95 package = cfg.package; 95 package = cfg.package;
96 dataDir = cfg.dataDir; 96 dataDir = cfg.dataDir;
97 extraOptions = '' 97 settings = {
98 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt 98 mysqld = {
99 ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem 99 ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
100 ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem 100 ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
101 ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
101 102
102 # for replication 103 # for replication
103 log-bin=mariadb-bin 104 log-bin = "mariadb-bin";
104 server-id=1 105 server-id = "1";
105 106
106 # this introduces a small delay before storing on disk, but 107 # this introduces a small delay before storing on disk, but
107 # makes it order of magnitudes quicker 108 # makes it order of magnitudes quicker
108 innodb_flush_log_at_trx_commit = 0 109 innodb_flush_log_at_trx_commit = "0";
109 ''; 110 };
111 };
110 }; 112 };
111 113
112 users.users.mysql.extraGroups = [ "keys" ]; 114 users.users.mysql.extraGroups = [ "keys" ];
113 security.acme.certs."mysql" = config.myServices.databasesCerts // { 115 security.acme.certs."mysql" = config.myServices.databasesCerts // {
114 user = "mysql"; 116 user = "mysql";
115 group = "mysql"; 117 group = "mysql";
116 plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
117 domain = "db-1.immae.eu"; 118 domain = "db-1.immae.eu";
118 postRun = '' 119 postRun = ''
119 systemctl restart mysql.service 120 systemctl restart mysql.service
@@ -164,23 +165,21 @@ in {
164 165
165 security.pam.services = let 166 security.pam.services = let
166 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 167 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
167 in [ 168 in {
168 { 169 mysql = {
169 name = "mysql";
170 text = '' 170 text = ''
171 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ 171 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
172 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam 172 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
173 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam 173 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
174 ''; 174 '';
175 } 175 };
176 { 176 mysql_replication = {
177 name = "mysql_replication";
178 text = '' 177 text = ''
179 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication 178 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
180 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication 179 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
181 ''; 180 '';
182 } 181 };
183 ]; 182 };
184 183
185 }; 184 };
186} 185}
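Review bot: `ssl_ca` in the new `settings.mysqld` block still points at the full public bundle `${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt`; in MariaDB that option is the trust store for validating client certificates, so any account granted with `REQUIRE X509`, `REQUIRE ISSUER` or `REQUIRE SUBJECT` would accept a certificate issued by any public CA rather than one you control. If client-certificate authentication is not used this is harmless, but I would either point it at a private CA or record the assumption with a comment such as `# ssl_ca only matters for REQUIRE X509 accounts; none are defined`. The `innodb_flush_log_at_trx_commit = "0"` setting keeps the documented durability trade-off; since `log-bin` marks this as a replication source, confirm that losing the last second of commits on a crash is acceptable there too.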
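--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -107,7 +107,6 @@ in
 security.acme.certs."ldap" = config.myServices.databasesCerts // {
 user = "openldap";
 group = "openldap";
-plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
 domain = "ldap.immae.eu";
 postRun = ''
 systemctl restart openldap.service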
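--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -100,7 +100,6 @@ in {
 security.acme.certs."postgresql" = config.myServices.databasesCerts // {
 user = "postgres";
 group = "postgres";
-plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
 domain = "db-1.immae.eu";
 postRun = ''
 systemctl reload postgresql.service
@@ -212,22 +211,20 @@ in {
 
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-in [
-{
-name = "postgresql";
+in {
+postgresql = {
 text = ''
 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
 '';
-}
-{
-name = "postgresql_replication";
+};
+postgresql_replication = {
 text = ''
 auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
 account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
 '';
-}
-];
+};
+};
 };
 }
 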
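--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -32,16 +32,13 @@ in
 };
 };
 
-users.users = [
-{
-name = "ftp";
-uid = config.ids.uids.ftp; # 8
-group = "ftp";
-description = "Anonymous FTP user";
-home = "/homeless-shelter";
-extraGroups = [ "keys" ];
-}
-];
+users.users.ftp = {
+uid = config.ids.uids.ftp; # 8
+group = "ftp";
+description = "Anonymous FTP user";
+home = "/homeless-shelter";
+extraGroups = [ "keys" ];
+};
 
 users.groups.ftp.gid = config.ids.gids.ftp;
 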
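Review bot: The rewritten `users.users.ftp` keeps `extraGroups = [ "keys" ]` on the account described as the anonymous FTP user; on NixOS the `keys` group is what grants read access to the deployed secrets under `/run/keys`, so if anonymous sessions run under this uid, a traversal or chroot bug in the FTP daemon would expose every key in that group, not only the FTP certificate. If the membership exists only so the daemon can read its own TLS key, a narrower grant — `allowKeysForGroup` on that one certificate with `group = "ftp"` — limits the blast radius; a comment recording why `keys` is needed would help either way. Newer nixpkgs also asserts that each `users.users` entry sets `isSystemUser` or `isNormalUser`, so adding `isSystemUser = true;` here is cheap insurance against the next channel bump.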
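--- a/modules/private/monitoring/status.nix
+++ b/modules/private/monitoring/status.nix
@@ -34,7 +34,11 @@
 locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";
 };
 };
-security.acme.certs."${name}".extraDomains."status.immae.eu" = null;
+security.acme.certs."${name}" = {
+extraDomains."status.immae.eu" = null;
+user = config.services.nginx.user;
+group = config.services.nginx.group;
+};
 
 myServices.certificates.enable = true;
 networking.firewall.allowedTCPPorts = [ 80 443 ];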
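--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -65,21 +65,10 @@
 users.mutableUsers = false;
 
 environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
-environment.systemPackages =
-let
-home-manager = builtins.fetchGit {
-url = "https://github.com/rycee/home-manager.git";
-rev = "ef64bc598f28818d56c86629dad98b468af9c071";
-ref = "release-19.03";
-};
-in
-[
-pkgs.git
-pkgs.vim
-] ++
-(lib.optional
-(builtins.length (config.hostEnv.users pkgs) > 0)
-((pkgs.callPackage home-manager {}).home-manager)
-);
+environment.systemPackages = [
+pkgs.git
+pkgs.vim
+] ++
+(lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
 };
 }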
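--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -1,5 +1,5 @@
 { privateFiles }:
-{ config, pkgs, resources, ... }:
+{ config, pkgs, resources, name, ... }:
 {
 boot.kernelPackages = pkgs.linuxPackages_latest;
 myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
@@ -35,6 +35,10 @@
 };
 
 myServices.certificates.enable = true;
+security.acme.certs."${name}" = {
+user = config.services.nginx.user;
+group = config.services.nginx.group;
+};
 services.nginx = {
 enable = true;
 recommendedOptimisation = true;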
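--- a/modules/private/system/dilion.nix
+++ b/modules/private/system/dilion.nix
@@ -101,8 +101,8 @@
 
 # This is equivalent to setting environment.sessionVariables.NIX_PATH
 nix.nixPath = [
-"home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz"
-"nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz"
+"home-manager=https://github.com/rycee/home-manager/archive/master.tar.gz"
+"nixpkgs=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz"
 ];
 nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
 nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];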
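Review bot: `"home-manager=https://github.com/rycee/home-manager/archive/master.tar.gz"` in `nix.nixPath` is an unpinned, unhashed fetch of a moving branch: whatever GitHub serves at evaluation time is imported and executed with no integrity check beyond TLS, and the same commit drops the `builtins.fetchGit` pin with an explicit `rev` that `system.nix` used to carry, so nothing in the repo now records which home-manager revision a rebuild will get. Pinning to a commit, e.g. `"home-manager=https://github.com/rycee/home-manager/archive/<rev>.tar.gz"`, or resolving it with `builtins.fetchTarball { url = ...; sha256 = ...; }` would make evaluation fail loudly if the content changes. The `nixos-unstable` channel tarball has the same property, but that is the ordinary channel mechanism and is at least served from nixos.org.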
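--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -197,7 +197,6 @@ in {
 
 security.acme.certs."task" = config.myServices.certificates.certConfig // {
 inherit user group;
-plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
 domain = fqdn;
 postRun = ''
 systemctl restart taskserver.service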