{
  config,
  latestModulesPath,
  lib,
  inputs,
  pkgs,
  profiles,
  self,
  ...
}: let
  # Short-hand for this flake's own option namespace.
  psCfg = config.pub-solar;
in {
  imports = [
    # Results of the hardware scan.
    ./hardware-configuration.nix
    ./triton-vmtools.nix
    ./caddy.nix
    ./keycloak.nix
    ./gitea.nix
    ./mailman.nix
    profiles.base-user
    # Make sure ssh keys are configured for root.
    profiles.users.root
    profiles.users.barkeeper
    # Gitea module taken from a newer nixpkgs; the in-tree one is disabled below.
    "${latestModulesPath}/services/misc/gitea.nix"
  ];

  disabledModules = ["services/misc/gitea.nix"];

  config = {
    # Password consumed by pub-solar.infra-node.mailing (see passwordFile below).
    # NOTE(review): the secret is named "mailing-password" but the encrypted
    # file is "gitea-database-password.age" -- confirm this is the intended
    # file. Mode "700" also sets the execute bit, which a password file never
    # needs; a read-only owner mode such as "0400" is sufficient for the
    # owner to read it.
    age.secrets.mailing-password = {
      file = "${self}/secrets/gitea-database-password.age";
      mode = "700";
      owner = "root";
    };

    # # #
    # # # pub.solar options
    # # #
    pub-solar = {
      core = {
        disk-encryption-active = false;
        iso-options.enable = true;
        lite = true;
      };
      infra-node.mailing = {
        type = "smtp";
        user = "admin@momo.koeln";
        host = "mx2.greenbaum.cloud:465";
        from = ''"pub.solar git server" <gitea@pub.solar>'';
        # Path of the decrypted agenix secret defined above.
        passwordFile = config.age.secrets.mailing-password.path;
      };
    };

    # Allow sudo without a password for the barkeeper user. This removes the
    # password prompt entirely, so the account's SSH keys are the only gate
    # (password authentication is disabled in services.openssh below).
    security.sudo.extraRules = [
      {
        users = ["${psCfg.user.name}"];
        commands = [
          {
            command = "ALL";
            options = ["NOPASSWD"];
          }
        ];
      }
    ];

    # Machine user for CI pipelines. No authorized keys are listed yet, so
    # nothing can log in as this account over SSH until keys are added here.
    users.users.www-user = {
      description = "user";
      home = "/var/nix/iso-cache";
      useDefaultShell = true;
      uid = 10001;
      group = "www-user";
      isSystemUser = true;
      openssh.authorizedKeys.keys = [];
    };
    users.groups.www-user = {};

    # # #
    # # # Triton host specific options
    # # # DO NOT ALTER below this line, changes might render system unbootable
    # # #

    # Use the systemd-boot EFI boot loader.
    boot.loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # Force getting the hostname from cloud-init: mkDefault gives this empty
    # value a low priority so any other definition overrides it.
    networking.hostName = lib.mkDefault "";

    # Set your time zone.
    time.timeZone = "Europe/Berlin";

    # Select internationalisation properties.
    console.font = "Lat2-Terminus16";
    console.keyMap = "us";

    # List packages installed in system profile. To search, run:
    # $ nix search wget
    environment.systemPackages = [
      pkgs.git
      pkgs.vim
      pkgs.wget
    ];

    # Some programs need SUID wrappers, can be configured further or are
    # started in user sessions.
    # programs.mtr.enable = true;
    # programs.gnupg.agent = {
    #   enable = true;
    #   enableSSHSupport = true;
    # };

    # List services that you want to enable:
    services.cloud-init = {
      enable = true;
      ext4.enable = true;
      network.enable = true;
    };

    # Use the default NixOS cloud-init config, but add some SmartOS
    # customization to it.
    environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
      datasource_list: [ SmartOS ]
      # Do not create the centos/ubuntu/debian user
      users: [ ]
      # mount second disk with label ephemeral0, gets formated by cloud-init
      # this will fail to get added to /etc/fstab as it's read-only, but should
      # mount at boot anyway
      mounts:
      - [ vdb, /data, auto, "defaults,nofail" ]
    '';

    # Enable the OpenSSH daemon: key-based logins only, and root may not
    # log in over SSH at all.
    services.openssh = {
      enable = true;
      passwordAuthentication = false;
      permitRootLogin = "no";
    };

    # We manage the firewall with nix, too,
    # although triton can also manage firewall rules via the triton fwrule subcommand.
    networking.firewall.enable = true;

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It's perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "22.05"; # Did you read the comment?
  };
}