{ config, latestModulesPath, lib, inputs, pkgs, profiles, self, ... }:
let
  inherit (lib) mkDefault mkForce;
  psCfg = config.pub-solar;
  # The interactive admin account; the sudo rule below is keyed on it.
  adminUser = psCfg.user.name;
in
{
  imports = [
    # Results of the hardware scan.
    ./hardware-configuration.nix
    ./triton-vmtools.nix
    ./caddy.nix
    ./drone.nix
    ./forgejo-actions-runner.nix
    # Services migrated to nachtigall.pub.solar, kept here for reference only.
    #./keycloak.nix
    #./gitea.nix
    #./mailman.nix
    #./owncast.nix
    #./collabora.nix
    profiles.base-user
    # Remember to configure ssh keys for these users.
    profiles.users.root
    profiles.users.barkeeper
    # Newer copies of these two modules; the in-tree versions are disabled
    # below so the two definitions do not clash.
    "${latestModulesPath}/services/continuous-integration/gitea-actions-runner.nix"
    "${latestModulesPath}/services/web-servers/caddy/default.nix"
  ];

  disabledModules = [
    "services/continuous-integration/gitea-actions-runner.nix"
    "services/web-servers/caddy/default.nix"
  ];

  config = {
    ### pub.solar options ###

    pub-solar.core = {
      disk-encryption-active = false;
      iso-options.enable = true;
      lite = true;
    };

    # Passwordless sudo for every command, for the admin user only.
    # NOTE(review): this is effectively unrestricted root for that account;
    # its exposure rests on sshd being key-only (see services.openssh below).
    security.sudo.extraRules = [
      {
        users = [ adminUser ];
        commands = [
          {
            command = "ALL";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];

    # More aggressive garbage collection than the stock nix.conf: collect
    # when free store space drops under 512 MiB, do not pin build outputs or
    # derivations, and fall back to local builds when a substitute is missing.
    # mkForce replaces any other definition of this option instead of
    # concatenating with it.
    nix.extraOptions = mkForce ''
      min-free = 536870912
      keep-outputs = false
      keep-derivations = false
      fallback = true
    '';

    # Machine account used by CI pipelines. It is not named in the sudo rule
    # above; SSH access is through the key listed here, since password
    # authentication is disabled for sshd further down.
    users.users.hakkonaut = {
      description = "CI and automation user";
      isSystemUser = true;
      uid = 998;
      group = "hakkonaut";
      home = "/var/nix/iso-cache";
      useDefaultShell = true;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
      ];
    };
    users.groups.hakkonaut = { };

    ### Triton host specific options ###
    # DO NOT ALTER below this line, changes might render system unbootable

    # systemd-boot as the EFI boot loader.
    boot.loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # The hostname is supplied by cloud-init; mkDefault lets that value win.
    networking.hostName = mkDefault "";

    time.timeZone = "Europe/Berlin";

    console = {
      font = "Lat2-Terminus16";
      keyMap = "us";
    };

    # Packages installed in the system profile (search with `nix search <name>`).
    environment.systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.wget
    ];

    # Programs that need SUID wrappers or run in user sessions; none enabled.
    # programs.mtr.enable = true;
    # programs.gnupg.agent = {
    #   enable = true;
    #   enableSSHSupport = true;
    # };

    services.cloud-init = {
      enable = true;
      ext4.enable = true;
      network.enable = true;
    };

    # Default NixOS cloud-init config plus SmartOS specifics: only the SmartOS
    # datasource, no distro default user, and the ephemeral data disk mounted.
    environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
      datasource_list: [ SmartOS ]
      # Do not create the centos/ubuntu/debian user
      users: [ ]
      # mount second disk with label ephemeral0, gets formated by cloud-init
      # this will fail to get added to /etc/fstab as it's read-only, but should
      # mount at boot anyway
      mounts:
        - [ vdb, /data, auto, "defaults,nofail" ]
    '';

    # OpenSSH: key-based logins only, and root may not log in directly.
    services.openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
        # Encrypt-then-MAC (-etm) variants are offered first; the last three
        # are the encrypt-and-MAC forms of the same algorithms.
        # NOTE(review): check whether any client still needs the non-etm
        # entries; if none does, they can be dropped.
        Macs = [
          "hmac-sha2-512-etm@openssh.com"
          "hmac-sha2-256-etm@openssh.com"
          "umac-128-etm@openssh.com"
          "hmac-sha2-512"
          "hmac-sha2-256"
          "umac-128@openssh.com"
        ];
      };
    };

    # The firewall is managed by nix as well, although triton can also manage
    # rules through the `triton fwrule` subcommand.
    networking.firewall.enable = true;

    # NixOS release the defaults for stateful data (file locations, database
    # versions) were taken from. Leave it at the release of the first install
    # and read the option's documentation before changing it
    # (man configuration.nix or https://nixos.org/nixos/options.html).
    system.stateVersion = "22.05";
  };
}