host nomic: init
parent
36d7524038
commit
0e3cf4d393
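--- a/modules/nomic/default.nix
+++ b/modules/nomic/default.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+let
+location = pkgs.lib.nameValuePair; # TODO this is also in modules/tv/git/cgit.nix
+in
+
+{
+imports = [
+./hardware-configuration.nix
+./users.nix
+../tv/base.nix
+../tv/exim-retiolum.nix
+../tv/git/public.nix
+../tv/sanitize.nix
+../tv/smartd.nix
+{
+imports = [ ../tv/iptables ];
+tv.iptables = {
+enable = true;
+input-internet-accept-new-tcp = [
+"ssh"
+"http"
+"tinc"
+"smtp"
+];
+};
+}
+{
+imports = [ ../tv/nginx ];
+tv.nginx = {
+enable = true;
+retiolum-locations = [
+(location "~ ^/~(.+?)(/.*)?\$" ''
+alias /home/$1/public_html$2;
+'')
+];
+};
+}
+{
+imports = [ ../tv/retiolum ];
+tv.retiolum = {
+enable = true;
+hosts = <retiolum-hosts>;
+connectTo = [
+"gum"
+"pigstarter"
+];
+};
+}
+];
+
+boot.kernel.sysctl = {
+# Enable IPv6 Privacy Extensions
+"net.ipv6.conf.all.use_tempaddr" = 2;
+"net.ipv6.conf.default.use_tempaddr" = 2;
+};
+
+networking = {
+hostName = "nomic";
+wireless.enable = true;
+};
+
+services.openssh = {
+enable = true;
+hostKeys = [
+{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+];
+};
+}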
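Review bot: The `services.openssh` block at the end of the file enables the daemon and pins an ed25519 host key but leaves the authentication policy at the NixOS defaults, while the `tv.iptables` block above accepts new TCP connections to `ssh` from the internet. Every account this host provisions gets an authorized key in users.nix and `users.mutableUsers = false` is set there, so password logins serve no purpose; adding `passwordAuthentication = false;` and `permitRootLogin = "without-password";` inside the block closes the password-guessing path and documents that key auth is the only intended method. The `location` helper at the top carries a TODO about being duplicated in modules/tv/git/cgit.nix; a one-line comment saying which copy is canonical would help until it is hoisted into a shared lib attribute.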
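--- a/modules/nomic/hardware-configuration.nix
+++ b/modules/nomic/hardware-configuration.nix
@@ -0,0 +1,49 @@
+{ config, ... }:
+
+{
+boot.initrd.luks = {
+cryptoModules = [ "aes" "sha1" "xts" ];
+devices = [
+{
+name = "luks1";
+device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
+}
+];
+};
+
+boot.initrd.availableKernelModules = [ "ahci" ];
+boot.kernelModules = [ "kvm-intel" "wl" ];
+boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
+
+boot.loader.grub = {
+device = "/dev/sda";
+splashImage = null;
+};
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+fsType = "btrfs";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+fsType = "ext4";
+};
+
+fileSystems."/home" =
+{ device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+fsType = "btrfs";
+};
+
+swapDevices = [ ];
+
+nix = {
+buildCores = 2;
+maxJobs = 2;
+daemonIONiceLevel = 1;
+daemonNiceLevel = 1;
+};
+
+# For config.boot.kernelPackages.broadcom_sta
+nixpkgs.config.allowUnfree = true;
+}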
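Review bot: `boot.initrd.luks.cryptoModules = [ "aes" "sha1" "xts" ]` near the top trims the initrd down to exactly the algorithms the current `luks1` header presumably uses, so any later re-format or key-slot change that picks a different hash (sha256 is a common cryptsetup default) would leave the initrd unable to unlock the root volume at boot. Including the other hash the tooling is likely to choose costs little initrd space and avoids that failure mode: `cryptoModules = [ "aes" "sha1" "sha256" "xts" ];`. A comment on the block naming the cipher/hash the header was created with would also let a future maintainer verify the list instead of guessing.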
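--- a/modules/nomic/paths.nix
+++ b/modules/nomic/paths.nix
@@ -0,0 +1,12 @@
+{
+lib.file.url = ../../lib;
+modules.file.url = ../../modules;
+nixpkgs.git = {
+url = https://github.com/NixOS/nixpkgs;
+rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90";
+cache = ../../tmp/git-cache;
+};
+pubkeys.file.url = ../../pubkeys;
+retiolum-hosts.file.url = ../../hosts;
+secrets.file.url = ../../secrets/nomic/nix;
+}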
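Review bot: `secrets.file.url = ../../secrets/nomic/nix` on the last attribute line exposes the secrets tree to the module set as `<secrets>`, and nothing here records how that path may be used; users.nix currently reads it with `import <secrets/users.nix>`, which evaluates the file without copying it, but any future `"${<secrets/...>}"` string coercion or use as a derivation input would copy the secret into the world-readable Nix store. A comment above the line would pin that contract: `# Read via import/readFile only; never coerce <secrets/...> to a string or pass it to a derivation, as that copies it into /nix/store.` The `nixpkgs.git` pin by full `rev` is good; quoting the bare `https://...` URL literal like `rev` would keep the two fields in one style.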
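--- a/modules/nomic/users.nix
+++ b/modules/nomic/users.nix
@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+
+{
+imports = [
+{ users = import <secrets/users.nix>; }
+{
+users.extraUsers = {
+root = {
+openssh.authorizedKeys.keys = [
+(pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>)
+];
+};
+tv = {
+uid = 1337;
+group = "users";
+home = "/home/tv";
+createHome = true;
+useDefaultShell = true;
+extraGroups = [
+"audio"
+"video"
+"wheel"
+];
+openssh.authorizedKeys.keys = [
+(pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>)
+];
+};
+};
+}
+];
+
+users.defaultUserShell = "/run/current-system/sw/bin/bash";
+users.mutableUsers = false;
+
+security.setuidPrograms = [
+"sendmail" # for sudo
+];
+
+security.sudo.extraConfig = ''
+Defaults mailto="tv@wu.retiolum"
+'';
+}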
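Review bot: The `root` entry under `users.extraUsers` is given the same `tv_wu.ssh.pub` key as `tv`, so one key authorizes both direct root SSH sessions and `tv` plus `wheel` sudo; the root entry adds no capability `tv` lacks, but sessions taken directly as root bypass the sudo notification that `security.sudo.extraConfig` routes to `tv@wu.retiolum`. Unless unattended root access is needed (remote deployment, say), dropping the `root = { openssh.authorizedKeys.keys = [ ... ]; };` block keeps every privileged action on the sudo path. If it is needed, a dedicated key for root would let it be rotated or revoked without touching the user key, and a comment stating why root login is wanted would keep the next reader from removing it.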