forked from pub-solar/infra
refactor: Move all apps into modules
parent
fee6ce74c7
commit
ef94681e11
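--- a/FILE-PATH-NOT-SHOWN-1
+++ b/FILE-PATH-NOT-SHOWN-1
@@ -11,6 +11,33 @@
 self.nixosModules.unlock-zfs-on-boot
 self.nixosModules.core
 self.nixosModules.docker
+
+self.nixosModules.nginx
+self.nixosModules.collabora
+self.nixosModules.coturn
+self.nixosModules.forgejo
+self.nixosModules.keycloak
+self.nixosModules.mailman
+self.nixosModules.mastodon
+self.nixosModules.nginx-mastodon
+self.nixosModules.nginx-mastodon-files
+self.nixosModules.mediawiki
+self.nixosModules.nextcloud
+self.nixosModules.nginx-prometheus-exporters
+self.nixosModules.nginx-website
+self.nixosModules.nginx-website-miom
+self.nixosModules.opensearch
+self.nixosModules.owncast
+self.nixosModules.postgresql
+self.nixosModules.prometheus-exporters
+self.nixosModules.promtail
+self.nixosModules.searx
+self.nixosModules.tmate
+self.nixosModules.obs-portal
+self.nixosModules.matrix
+self.nixosModules.matrix-irc
+self.nixosModules.matrix-telegram
+self.nixosModules.nginx-matrix
 ];
 };
 
@@ -21,6 +48,13 @@
 ./flora-6
 self.nixosModules.overlays
 self.nixosModules.core
+
+self.nixosModules.caddy
+self.nixosModules.drone
+self.nixosModules.forgejo-actions-runner
+self.nixosModules.grafana
+self.nixosModules.prometheus
+self.nixosModules.loki
 ];
 };
 };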
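--- a/FILE-PATH-NOT-SHOWN-2
+++ b/FILE-PATH-NOT-SHOWN-2
@@ -8,13 +8,5 @@
 ./configuration.nix
 ./triton-vmtools.nix
 ./wireguard.nix
-
-./apps/caddy.nix
-
-./apps/drone.nix
-./apps/forgejo-actions-runner.nix
-./apps/grafana.nix
-./apps/prometheus.nix
-./apps/loki.nix
 ];
 }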
@ -10,33 +10,6 @@
|
||||||
./networking.nix
|
./networking.nix
|
||||||
./wireguard.nix
|
./wireguard.nix
|
||||||
./backups.nix
|
./backups.nix
|
||||||
./apps/nginx.nix
|
|
||||||
|
|
||||||
./apps/collabora.nix
|
|
||||||
./apps/coturn.nix
|
|
||||||
./apps/forgejo.nix
|
|
||||||
./apps/keycloak.nix
|
|
||||||
./apps/mailman.nix
|
|
||||||
./apps/mastodon.nix
|
|
||||||
./apps/mediawiki.nix
|
|
||||||
./apps/nextcloud.nix
|
|
||||||
./apps/nginx-mastodon.nix
|
|
||||||
./apps/nginx-mastodon-files.nix
|
|
||||||
./apps/nginx-prometheus-exporters.nix
|
|
||||||
./apps/nginx-website.nix
|
|
||||||
./apps/nginx-website-miom.nix
|
|
||||||
./apps/opensearch.nix
|
|
||||||
./apps/owncast.nix
|
|
||||||
./apps/postgresql.nix
|
|
||||||
./apps/prometheus-exporters.nix
|
|
||||||
./apps/promtail.nix
|
|
||||||
./apps/searx.nix
|
|
||||||
./apps/tmate.nix
|
|
||||||
./apps/obs-portal.nix
|
|
||||||
|
|
||||||
./apps/matrix/irc.nix
|
|
||||||
./apps/matrix/mautrix-telegram.nix
|
|
||||||
./apps/matrix/synapse.nix
|
|
||||||
./apps/nginx-matrix.nix
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
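--- a/FILE-PATH-NOT-SHOWN-3
+++ b/FILE-PATH-NOT-SHOWN-3
@@ -6,45 +6,29 @@
 }:
 {
 systemd.tmpfiles.rules = [
-"d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
+"d '/data/srv/www/os/download/' 0750 ${config.pub-solar-os.authentication.robot.username} ${config.pub-solar-os.authentication.robot.username} - -"
 ];
 
 services.caddy = {
 enable = lib.mkForce true;
-group = "hakkonaut";
-email = "admins@pub.solar";
+group = config.pub-solar-os.authentication.robot.username;
+email = config.pub-solar-os.adminEmail;
 enableReload = true;
 globalConfig = lib.mkForce ''
 grace_period 60s
 '';
 virtualHosts = {
-"ci.pub.solar" = {
-logFormat = lib.mkForce ''
-output discard
-'';
-extraConfig = ''
-reverse_proxy :4000
-'';
-};
 "flora-6.pub.solar" = {
 logFormat = lib.mkForce ''
 output discard
 '';
 extraConfig = ''
 basicauth * {
-hakkonaut $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
+${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
 }
 reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
 '';
 };
-"grafana.pub.solar" = {
-logFormat = lib.mkForce ''
-output discard
-'';
-extraConfig = ''
-reverse_proxy :${toString config.services.grafana.settings.server.http_port}
-'';
-};
 "obs-portal.pub.solar" = {
 logFormat = lib.mkForce ''
 output discard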
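Review bot: The basicauth line in the "flora-6.pub.solar" vhost now takes its username from `config.pub-solar-os.authentication.robot.username` but keeps the bcrypt hash as a literal in the module, so overriding the option renames the login without touching the credential it is paired with; consider sourcing the hash from a sibling option next to `robot.username` (or a secret file) and documenting in a comment that the two must be changed together. The vhost names `"flora-6.pub.solar"` and `"obs-portal.pub.solar"` also stay hard-coded even though this commit introduces `config.pub-solar-os.networking.domain` for exactly that purpose; the same applies to the `services.caddy.virtualHosts."ci.pub.solar"` and `services.caddy.virtualHosts."grafana.pub.solar"` blocks added in the two following hunks, where "ci.pub.solar" additionally keeps the upstream port as a literal `:4000` while the grafana block derives its port from `config.services.grafana.settings.server.http_port`. The enclosing attribute set starts and ends outside this hunk.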
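--- a/FILE-PATH-NOT-SHOWN-4
+++ b/FILE-PATH-NOT-SHOWN-4
@@ -30,6 +30,15 @@
 "d '/var/lib/drone-db' 0750 drone drone - -"
 ];
 
+services.caddy.virtualHosts."ci.pub.solar" = {
+logFormat = lib.mkForce ''
+output discard
+'';
+extraConfig = ''
+reverse_proxy :4000
+'';
+};
+
 systemd.services."docker-network-drone" =
 let
 docker = config.virtualisation.oci-containers.backend;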
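--- a/FILE-PATH-NOT-SHOWN-5
+++ b/FILE-PATH-NOT-SHOWN-5
@@ -33,6 +33,15 @@
 };
 };
 
+services.caddy.virtualHosts."grafana.pub.solar" = {
+logFormat = lib.mkForce ''
+output discard
+'';
+extraConfig = ''
+reverse_proxy :${toString config.services.grafana.settings.server.http_port}
+'';
+};
+
 services.grafana = {
 enable = true;
 settings = {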
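--- a/FILE-PATH-NOT-SHOWN-6
+++ b/FILE-PATH-NOT-SHOWN-6
@@ -5,7 +5,7 @@ let
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 add_header X-XSS-Protection "1; mode=block";
 '';
-clientConfig = import ./matrix/element-client-config.nix { inherit lib pkgs; };
+clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
 wellKnownClient = domain: {
 "m.homeserver".base_url = "https://matrix.${domain}";
 "m.identity_server".base_url = "https://matrix.${domain}";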
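--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -0,0 +1,35 @@
+{ pkgs, config, flake, lib, ... }: {
+imports = [
+./nix.nix
+./networking.nix
+./terminal-tooling.nix
+./users.nix
+];
+
+options.pub-solar-os = with lib; {
+adminEmail = mkOption {
+description = "Email address to use for administrative stuff like ACME";
+type = types.str;
+default = "admins@pub.solar";
+};
+};
+
+config = {
+environment = {
+# Just a couple of global packages to make our lives easier
+systemPackages = with pkgs; [ git vim wget ];
+};
+
+# Select internationalization properties
+console = {
+font = "Lat2-Terminus16";
+keyMap = "us";
+};
+
+time.timeZone = "Etc/UTC";
+
+home-manager.users.${config.pub-solar-os.authentication.username} = {
+home.stateVersion = "23.05";
+};
+};
+}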
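--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@@ -0,0 +1,67 @@
+{
+pkgs,
+lib,
+config,
+...
+}: {
+options.pub-solar-os.networking = with lib; {
+domain = mkOption {
+description = "domain on which all services should run. This defaults to pub.solar";
+type = types.str;
+default = "pub.solar";
+};
+
+defaultInterface = mkOption {
+description = "Network interface which should be used as the default internet-connected one";
+type = types.nullOr types.str;
+};
+};
+
+config = {
+
+# Don't expose SSH via public interfaces
+networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
+
+networking.hosts = {
+"10.7.6.1" = ["nachtigall.${config.pub-solar-os.networking.domain}"];
+"10.7.6.2" = ["flora-6.${config.pub-solar-os.networking.domain}"];
+};
+
+services.openssh = {
+enable = true;
+openFirewall = lib.mkDefault false;
+settings = {
+PermitRootLogin = "prohibit-password";
+PasswordAuthentication = false;
+# Add back openssh MACs that got removed from defaults
+# for backwards compatibility
+#
+# NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
+# This breaks compatibilty with clients that do not offer these MACs. For
+# compatibility reasons, we add back the old defaults.
+# See: https://github.com/NixOS/nixpkgs/pull/231165
+#
+# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
+# https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
+Macs = [
+"hmac-sha2-512-etm@openssh.com"
+"hmac-sha2-256-etm@openssh.com"
+"umac-128-etm@openssh.com"
+"hmac-sha2-512"
+"hmac-sha2-256"
+"umac-128@openssh.com"
+];
+};
+};
+
+services.resolved = {
+enable = true;
+extraConfig = ''
+DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
+Domains=~.
+DNSOverTLS=yes
+'';
+};
+};
+}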
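Review bot: `defaultInterface` is declared as `types.nullOr types.str` with no `default`, so a module that reads `config.pub-solar-os.networking.defaultInterface` on a host that never sets it should fail evaluation with an "option used but not defined" error instead of seeing `null`; if the option is meant to be optional, add `default = null;`. The comment `# Don't expose SSH via public interfaces` only holds while `services.openssh.openFirewall` keeps its `lib.mkDefault false`, which any host can override, so it would be clearer as `# SSH is only reachable over wg-ssh; openFirewall is mkDefault so a host can opt in deliberately`. The `Macs` list re-adds the non-ETM algorithms for client compatibility and the comment explains why; a short note on which clients still need them would help the next person decide when to drop them.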
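--- a/FILE-PATH-NOT-SHOWN-7
+++ b/FILE-PATH-NOT-SHOWN-7
@@ -41,7 +41,7 @@
 
 nixPath = [
 "nixpkgs=${flake.inputs.nixpkgs}"
-"nixos-config=${../lib/compat/nixos}"
+"nixos-config=${../../lib/compat/nixos}"
 "home-manager=${flake.inputs.home-manager}"
 ];
 };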
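--- a/FILE-PATH-NOT-SHOWN-8
+++ b/FILE-PATH-NOT-SHOWN-8
@@ -1,5 +1,5 @@
-{ flake, ... }: {
-home-manager.users.${flake.self.username} = {
+{ flake, config, ... }: {
+home-manager.users.${config.pub-solar-os.authentication.username} = {
 programs.git.enable = true;
 programs.starship.enable = true;
 programs.bash.enable = true;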
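--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@@ -0,0 +1,70 @@
+{
+flake,
+pkgs,
+lib,
+config,
+...
+}: {
+options.pub-solar-os.authentication = with lib; {
+username = mkOption {
+description = "Username for the adminstrative user";
+type = types.str;
+default = flake.self.username;
+};
+
+sshPubKeys = mkOption {
+description = "SSH Keys that should have administrative root access";
+type = types.listOf types.str;
+default = flake.self.logins.admins.sshPubKeys;
+};
+
+root.initialHashedPassword = mkOption {
+description = "Hashed password of the root account";
+type = types.str;
+default = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
+};
+
+robot.username = mkOption {
+description = "username for the robot user";
+type = types.str;
+default = "hakkonaut";
+};
+
+robot.sshPubKeys = mkOption {
+description = "SSH Keys to use for the robot user";
+type = types.listOf types.str;
+default = flake.self.logins.robots.sshPubKeys;
+};
+};
+
+config = {
+users.users.${config.pub-solar-os.authentication.username} = {
+name = config.pub-solar-os.authentication.username;
+group = config.pub-solar-os.authentication.username;
+extraGroups = [ "wheel" "docker" ];
+isNormalUser = true;
+openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+};
+users.groups.${config.pub-solar-os.authentication.username} = { };
+
+# TODO: Remove when we stop locking ourselves out.
+users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+
+users.users.${config.pub-solar-os.authentication.robot.username} = {
+description = "CI and automation user";
+home = "/home/${config.pub-solar-os.authentication.robot.username}";
+createHome = true;
+useDefaultShell = true;
+uid = 998;
+group = "${config.pub-solar-os.authentication.robot.username}";
+isSystemUser = true;
+openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+};
+
+users.groups.${config.pub-solar-os.authentication.robot.username} = { };
+
+users.users.root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
+
+security.sudo.wheelNeedsPassword = false;
+};
+}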
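Review bot: `root.initialHashedPassword` ships a committed hash as its `default`, so every host that imports the core module gets the same root password unless it explicitly overrides the option; the old users.nix at least set the value in one place, whereas an option with this default applies a shared credential to any new host silently, so declaring it without a default (forcing each host or a secrets module to set it) would be the safer shape. `initialHashedPassword` is also only used when the account is first created, so changing the option later does not rotate the password on hosts that already exist — worth a sentence in the description. Minor: the `username` description reads "adminstrative" (typo), and `group = "${config.pub-solar-os.authentication.robot.username}";` can be the bare expression like the `name`/`group` lines of the admin user above it.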
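--- a/FILE-PATH-NOT-SHOWN-9
+++ b/FILE-PATH-NOT-SHOWN-9
@@ -2,38 +2,43 @@
 {
 flake = {
 nixosModules = rec {
-nix = import ./nix.nix;
-networking = import ./networking.nix;
+core = import ./core;
 unlock-zfs-on-boot = import ./unlock-zfs-on-boot.nix;
 docker = import ./docker.nix;
-terminal-tooling = import ./terminal-tooling.nix;
-users = import ./users.nix;
 
-core = { pkgs, ... }: {
-imports = [
-nix
-networking
-terminal-tooling
-users
-];
-
-environment = {
-# Just a couple of global packages to make our lives easier
-systemPackages = with pkgs; [ git vim wget ];
-};
-
-# Select internationalization properties
-console = {
-font = "Lat2-Terminus16";
-keyMap = "us";
-};
-
-time.timeZone = "Etc/UTC";
-
-home-manager.users.${self.username} = {
-home.stateVersion = "23.05";
-};
-};
+caddy = import ./apps/caddy.nix;
+collabora = import ./apps/collabora.nix;
+coturn = import ./apps/coturn.nix;
+drone = import ./apps/drone.nix;
+forgejo-actions-runner = import ./apps/forgejo/forgejo-actions-runner.nix;
+forgejo = import ./apps/forgejo/forgejo.nix;
+grafana = import ./apps/grafana/grafana.nix;
+keycloak = import ./apps/keycloak.nix;
+loki = import ./apps/loki.nix;
+mailman = import ./apps/mailman.nix;
+mastodon = import ./apps/mastodon/mastodon.nix;
+nginx-mastodon = import ./apps/mastodon/nginx-mastodon.nix;
+nginx-mastodon-files = import ./apps/mastodon/nginx-mastodon-files.nix;
+matrix = import ./apps/matrix/synapse.nix;
+nginx-matrix = import ./apps/matrix/nginx-matrix.nix;
+matrix-telegram = import ./apps/matrix/mautrix-telegram.nix;
+matrix-irc = import ./apps/matrix/irc.nix;
+mediawiki = import ./apps/mediawiki.nix;
+nextcloud = import ./apps/nextcloud/nextcloud.nix;
+nginx-website-miom = import ./apps/nginx-website-miom.nix;
+nginx-website = import ./apps/nginx-website.nix;
+nginx = import ./apps/nginx.nix;
+obs-portal = import ./apps/obs-portal.nix;
+opensearch = import ./apps/opensearch.nix;
+owncast = import ./apps/owncast.nix;
+postgresql = import ./apps/postgresql.nix;
+prometheus = import ./apps/prometheus/prometheus.nix;
+prometheus-exporters = import ./apps/prometheus/prometheus-exporters.nix;
+nginx-prometheus-exporters = import ./apps/prometheus/nginx-prometheus-exporters.nix;
+promtail = import ./apps/promtail.nix;
+searx = import ./apps/searx.nix;
+tmate = import ./apps/tmate.nix;
 };
 };
 }
+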
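Review bot: `nixosModules = rec {` no longer needs `rec`: the only references between attributes were inside the old inline `core` module (`nix`, `networking`, `terminal-tooling`, `users`), which this hunk replaces with `core = import ./core;`, so the keyword now only widens the scope every `import` expression is evaluated in; `nixosModules = {` is enough. The new side also ends with an added blank line after the closing `}`. The forgejo, grafana, mastodon, matrix, nextcloud and prometheus entries point into subdirectories under ./apps (for example `./apps/forgejo/forgejo.nix`) while the host hunks earlier on this page drop `./apps/forgejo.nix`; the corresponding file moves are not shown here, so I cannot confirm the targets exist.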
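--- a/FILE-PATH-NOT-SHOWN-10
+++ b/FILE-PATH-NOT-SHOWN-10
@@ -1,46 +0,0 @@
-{ pkgs, lib, ... }: {
-# Don't expose SSH via public interfaces
-networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
-
-networking.hosts = {
-"10.7.6.1" = ["nachtigall.pub.solar"];
-"10.7.6.2" = ["flora-6.pub.solar"];
-};
-
-services.openssh = {
-enable = true;
-openFirewall = lib.mkDefault false;
-settings = {
-PermitRootLogin = "prohibit-password";
-PasswordAuthentication = false;
-# Add back openssh MACs that got removed from defaults
-# for backwards compatibility
-#
-# NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
-# This breaks compatibilty with clients that do not offer these MACs. For
-# compatibility reasons, we add back the old defaults.
-# See: https://github.com/NixOS/nixpkgs/pull/231165
-#
-# https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
-# https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
-Macs = [
-"hmac-sha2-512-etm@openssh.com"
-"hmac-sha2-256-etm@openssh.com"
-"umac-128-etm@openssh.com"
-"hmac-sha2-512"
-"hmac-sha2-256"
-"umac-128@openssh.com"
-];
-};
-};
-
-services.resolved = {
-enable = true;
-extraConfig = ''
-DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
-FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
-Domains=~.
-DNSOverTLS=yes
-'';
-};
-}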
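--- a/FILE-PATH-NOT-SHOWN-11
+++ b/FILE-PATH-NOT-SHOWN-11
@@ -1,4 +1,4 @@
-{ flake, ... }: {
+{ flake, config, ... }: {
 # From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot
 boot.initrd.network = {
 enable = true;
@@ -10,7 +10,7 @@
 
 # Please create this manually the first time.
 hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-authorizedKeys = flake.self.logins.admins.sshPubKeys;
+authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
 };
 # this will automatically load the zfs password prompt on login
 # and kill the other prompt so boot can continue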
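--- a/FILE-PATH-NOT-SHOWN-12
+++ b/FILE-PATH-NOT-SHOWN-12
@@ -1,30 +0,0 @@
-{ flake, pkgs, ... }: {
-users.users.${flake.self.username} = {
-name = flake.self.username;
-group = flake.self.username;
-extraGroups = [ "wheel" "docker" ];
-isNormalUser = true;
-openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
-};
-users.groups.${flake.self.username} = { };
-
-# TODO: Remove when we stop locking ourselves out.
-users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
-
-users.users.hakkonaut = {
-description = "CI and automation user";
-home = "/home/hakkonaut";
-createHome = true;
-useDefaultShell = true;
-uid = 998;
-group = "hakkonaut";
-isSystemUser = true;
-openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys;
-};
-
-users.groups.hakkonaut = { };
-
-users.users.root.initialHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
-
-security.sudo.wheelNeedsPassword = false;
-}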
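--- a/tests/website.nix
+++ b/tests/website.nix
@@ -0,0 +1,23 @@
+{
+self,
+pkgs,
+lib,
+config,
+...
+}: {
+name = "website";
+
+nodes.nachtigall-test = self.nixosConfigurations.nachtigall-test;
+
+node.specialArgs = self.outputs.nixosConfigurations.nachtigall._module.specialArgs;
+hostPkgs = pkgs;
+
+enableOCR = true;
+
+testScript = ''
+machine.wait_for_unit("system.slice")
+machine.succeed("ping 127.0.0.1 -c 2")
+machine.wait_for_unit("nginx.service")
+machine.succeed("curl -H 'Host:pub.solar' http://127.0.0.1/")
+'';
+}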
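Review bot: `testScript` drives a node called `machine`, but the only node declared is `nodes.nachtigall-test`; the NixOS test driver binds each node under its own name, so unless the driver version in use aliases a lone node to `machine`, every `machine.` call here fails at runtime — and `nachtigall-test` is not a valid Python identifier, so the node name itself may need changing (e.g. `nodes.nachtigall_test` with `nachtigall_test.wait_for_unit(...)`); please confirm against the driver. `node.specialArgs` is taken from `nixosConfigurations.nachtigall` while the node is built from `nachtigall-test`; if those two configurations differ, the test runs one host's config with the other's module arguments, so a comment explaining why `nachtigall` is the intended source would help. `lib` and `config` are accepted in the argument set but never used.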