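# NixOS host module for a Triton/SmartOS VM running keycloak (auth.pub.solar)
# and gitea (git.pub.solar) behind caddy. Secrets are provided via agenix
# (`age.secrets.*`), the host itself is provisioned by cloud-init.
{ config, inputs, lib, pkgs, profiles, latestModulesPath, self, ... }:
let
  psCfg = config.pub-solar;
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./triton-vmtools.nix

    profiles.base-user
    profiles.users.root # make sure to configure ssh keys
    profiles.users.barkeeper

    # keycloak module taken from a newer nixpkgs checkout (latestModulesPath);
    # the in-tree module with the same path is disabled below so the two
    # definitions do not clash.
    "${latestModulesPath}/services/web-apps/keycloak.nix"
  ];

  disabledModules = [ "services/web-apps/keycloak.nix" ];

  config = {
    #
    # pub.solar options
    #
    pub-solar.core = {
      disk-encryption-active = false;
      iso-options.enable = true;
      lite = true;
    };

    #
    # Secrets (decrypted by agenix at activation)
    #
    # mode changed from "700" to "600": these files are only ever read, the
    # execute bit served no purpose and 600 is the conventional mode for a
    # password file.
    age.secrets.keycloak-database-password = {
      file = "${self}/secrets/keycloak-database-password.age";
      mode = "600";
      # Owner is left at the default (root), so only root can read the file.
      # NOTE(review): this only works if the keycloak service reads the
      # password with root privileges; if it reads it as its own service user
      # an owner has to be set here — confirm against the keycloak module in use.
      #owner = "keycloak";
    };

    age.secrets.gitea-database-password = {
      file = "${self}/secrets/gitea-database-password.age";
      mode = "600";
      owner = "gitea";
    };

    age.secrets.gitea-mailer-password = {
      file = "${self}/secrets/gitea-mailer-password.age";
      mode = "600";
      owner = "gitea";
    };

    #
    # Host packages and configuration
    #

    # caddy: TLS-terminating reverse proxy in front of keycloak (:8080) and
    # gitea (:3000); both backends listen on loopback only (see below), so
    # caddy is the only way in from the network.
    services.caddy = {
      enable = lib.mkForce true;
      email = "admins@pub.solar";
      globalConfig = lib.mkForce "";
      virtualHosts = {
        "auth.pub.solar" = {
          # access logging disabled for the auth host
          logFormat = lib.mkForce ''
            output discard
          '';
          extraConfig = ''
            reverse_proxy :8080
          '';
        };
        "git.pub.solar" = {
          logFormat = lib.mkForce ''
            output discard
          '';
          extraConfig = ''
            reverse_proxy :3000
          '';
        };
      };
    };

    # Only the HTTP(S) ports served by caddy are reachable from outside.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # keycloak: bound to 127.0.0.1 so it is only reachable through caddy;
    # proxy = "edge" tells keycloak that TLS is terminated by the proxy.
    services.keycloak = {
      enable = true;
      database.passwordFile = config.age.secrets.keycloak-database-password.path;
      settings = {
        hostname = "auth.pub.solar";
        http-host = "127.0.0.1";
        http-port = 8080;
        proxy = "edge";
      };
    };

    # gitea: bound to 127.0.0.1, published as https://git.pub.solar via caddy
    services.gitea = {
      enable = true;
      appName = "pub.solar git server";
      database = {
        type = "postgres";
        passwordFile = config.age.secrets.gitea-database-password.path;
      };
      domain = "git.pub.solar";
      httpAddress = "127.0.0.1";
      httpPort = 3000;
      lfs.enable = true;
      mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
      rootUrl = "https://git.pub.solar";
      settings = {
        mailer = {
          ENABLED = true;
          # NOTE(review): MAILER_TYPE/HOST are the legacy mailer keys; newer
          # gitea releases expect PROTOCOL / SMTP_ADDR / SMTP_PORT — check
          # against the deployed gitea version.
          MAILER_TYPE = "smtp";
          HOST = "mail.greenbaum.cloud:465";
          # NOTE(review): this value appears to lack the `<address>` part
          # gitea expects in FROM; it may have been stripped when the file was
          # copied — verify against the deployed config.
          FROM = ''"pub.solar git server" '';
          USER = "admins@pub.solar";
        };
        # Server-side signing of merge commits with the gpg key set up
        # manually under /var/lib/gitea/data/home (see programs.gnupg below).
        "repository.signing" = {
          SIGNING_KEY = "default";
          MERGES = "always";
        };
        openid = {
          ENABLE_OPENID_SIGNIN = true;
          ENABLE_OPENID_SIGNUP = true;
        };
        # Local registration is disabled: accounts only come from SSO
        # (oauth openid-connect, keycloak auth provider).
        # For a fresh deployment comment this out first: the first locally
        # registered user becomes the admin user, which is required to set up
        # the SSO auth provider. Re-enable afterwards.
        service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
        # Cookies are only ever served over https (caddy terminates TLS).
        session.COOKIE_SECURE = lib.mkForce true;
      };
    };

    # Required for gitea server side gpg signatures
    # configured / setup manually in
    #   /var/lib/gitea/data/home/.gitconfig and
    #   /var/lib/gitea/data/home/.gnupg/
    programs.gnupg.agent = {
      enable = true;
      pinentryFlavor = "curses";
    };

    # Required to make gpg work without a graphical environment?
    # otherwise generating a new gpg key fails with this error:
    #   gpg: agent_genkey failed: No pinentry
    # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
    environment.variables = {
      GPG_TTY = "$(tty)";
    };

    # netbird

    # Allow sudo without a password for the barkeeper user.
    # This grants unrestricted root (command = "ALL", NOPASSWD), so the
    # account's ssh keys are the only thing guarding root on this host.
    security.sudo.extraRules = [
      {
        users = [ "${psCfg.user.name}" ];
        commands = [
          {
            command = "ALL";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];

    #
    # Triton host specific options
    #
    # DO NOT ALTER below this line, changes might render system unbootable
    #

    # Use the systemd-boot EFI boot loader.
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;

    # Force getting the hostname from cloud-init
    networking.hostName = lib.mkDefault "";

    # Set your time zone.
    time.timeZone = "Europe/Berlin";

    # Select internationalisation properties.
    console = {
      font = "Lat2-Terminus16";
      keyMap = "us";
    };

    # List packages installed in system profile. To search, run:
    # $ nix search wget
    environment.systemPackages = with pkgs; [
      git
      vim
      wget
    ];

    # Some programs need SUID wrappers, can be configured further or are
    # started in user sessions.
    # programs.mtr.enable = true;
    # programs.gnupg.agent = {
    #   enable = true;
    #   enableSSHSupport = true;
    # };

    # List services that you want to enable:

    services.cloud-init.enable = true;
    services.cloud-init.ext4.enable = true;
    services.cloud-init.network.enable = true;
    # use the default NixOS cloud-init config, but add some SmartOS customization to it
    environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
      datasource_list: [ SmartOS ]

      # Do not create the centos/ubuntu/debian user
      users: [ ]

      # mount second disk with label ephemeral0, gets formated by cloud-init
      # this will fail to get added to /etc/fstab as it's read-only, but should
      # mount at boot anyway
      mounts:
        - [ vdb, /data, auto, "defaults,nofail" ]
    '';

    # Enable the OpenSSH daemon: key-based authentication only, no root login.
    services.openssh = {
      enable = true;
      passwordAuthentication = false;
      permitRootLogin = "no";
    };

    # We manage the firewall with nix, too
    # altough triton can also manage firewall rules via the triton fwrule subcommand
    networking.firewall.enable = true;

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "22.05"; # Did you read the comment?
  };
}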