2022-10-05 10:02:28 +00:00
|
|
|
|
{ config, inputs, lib, pkgs, profiles, latestModulesPath, self, ... }:
|
|
|
|
|
let
|
|
|
|
|
psCfg = config.pub-solar;
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
imports = [
|
|
|
|
|
# Include the results of the hardware scan.
|
|
|
|
|
./hardware-configuration.nix
|
|
|
|
|
./triton-vmtools.nix
|
|
|
|
|
|
|
|
|
|
profiles.base-user
|
|
|
|
|
profiles.users.root # make sure to configure ssh keys
|
|
|
|
|
profiles.users.barkeeper
|
|
|
|
|
|
|
|
|
|
"${latestModulesPath}/services/web-apps/keycloak.nix"
|
|
|
|
|
];
|
|
|
|
|
disabledModules = [ "services/web-apps/keycloak.nix" ];
|
|
|
|
|
|
|
|
|
|
config = {
|
|
|
|
|
# # #
|
|
|
|
|
# # # pub.solar options
|
|
|
|
|
# # #
|
2022-11-26 01:40:51 +00:00
|
|
|
|
pub-solar.core = {
|
2022-10-05 10:02:28 +00:00
|
|
|
|
disk-encryption-active = false;
|
|
|
|
|
iso-options.enable = true;
|
|
|
|
|
lite = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
age.secrets.keycloak-database-password = {
|
|
|
|
|
file = "${self}/secrets/keycloak-database-password.age";
|
|
|
|
|
mode = "700";
|
|
|
|
|
#owner = "keycloak";
|
|
|
|
|
};
|
|
|
|
|
age.secrets.gitea-database-password = {
|
|
|
|
|
file = "${self}/secrets/gitea-database-password.age";
|
|
|
|
|
mode = "700";
|
|
|
|
|
owner = "gitea";
|
|
|
|
|
};
|
|
|
|
|
age.secrets.gitea-mailer-password = {
|
|
|
|
|
file = "${self}/secrets/gitea-mailer-password.age";
|
|
|
|
|
mode = "700";
|
|
|
|
|
owner = "gitea";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# # #
|
|
|
|
|
# # # Host packages and configuration
|
|
|
|
|
# # #
|
|
|
|
|
|
|
|
|
|
# caddy
|
|
|
|
|
services.caddy = {
|
|
|
|
|
enable = lib.mkForce true;
|
|
|
|
|
email = "admins@pub.solar";
|
|
|
|
|
globalConfig = lib.mkForce "";
|
|
|
|
|
virtualHosts = {
|
|
|
|
|
"auth.pub.solar" = {
|
|
|
|
|
logFormat = lib.mkForce ''
|
|
|
|
|
output discard
|
|
|
|
|
'';
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
reverse_proxy :8080
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
"git.pub.solar" = {
|
|
|
|
|
logFormat = lib.mkForce ''
|
|
|
|
|
output discard
|
|
|
|
|
'';
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
reverse_proxy :3000
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
|
|
|
|
|
|
# keycloak
|
|
|
|
|
services.keycloak = {
|
|
|
|
|
enable = true;
|
|
|
|
|
database.passwordFile = config.age.secrets.keycloak-database-password.path;
|
|
|
|
|
settings = {
|
|
|
|
|
hostname = "auth.pub.solar";
|
|
|
|
|
http-host = "127.0.0.1";
|
|
|
|
|
http-port = 8080;
|
|
|
|
|
proxy = "edge";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# gitea
|
|
|
|
|
services.gitea = {
|
|
|
|
|
enable = true;
|
|
|
|
|
appName = "pub.solar git server";
|
|
|
|
|
database = {
|
|
|
|
|
type = "postgres";
|
|
|
|
|
passwordFile = config.age.secrets.gitea-database-password.path;
|
|
|
|
|
};
|
|
|
|
|
domain = "git.pub.solar";
|
|
|
|
|
httpAddress = "127.0.0.1";
|
|
|
|
|
httpPort = 3000;
|
|
|
|
|
lfs.enable = true;
|
|
|
|
|
mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
|
|
|
|
|
rootUrl = "https://git.pub.solar";
|
|
|
|
|
settings = {
|
|
|
|
|
mailer = {
|
2022-11-26 01:40:51 +00:00
|
|
|
|
ENABLED = true;
|
|
|
|
|
MAILER_TYPE = "smtp";
|
|
|
|
|
HOST = "mail.greenbaum.cloud:465";
|
|
|
|
|
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
|
|
|
|
|
USER = "admins@pub.solar";
|
2022-10-05 10:02:28 +00:00
|
|
|
|
};
|
|
|
|
|
"repository.signing" = {
|
|
|
|
|
SIGNING_KEY = "default";
|
|
|
|
|
MERGES = "always";
|
|
|
|
|
};
|
|
|
|
|
openid = {
|
|
|
|
|
ENABLE_OPENID_SIGNIN = true;
|
|
|
|
|
ENABLE_OPENID_SIGNUP = true;
|
|
|
|
|
};
|
|
|
|
|
# uncomment after initial deployment, first user is admin user
|
|
|
|
|
# required to setup SSO (oauth openid-connect, keycloak auth provider)
|
|
|
|
|
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
|
|
|
|
session.COOKIE_SECURE = lib.mkForce true;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
# Required for gitea server side gpg signatures
|
|
|
|
|
# configured / setup manually in
|
|
|
|
|
# /var/lib/gitea/data/home/.gitconfig and
|
|
|
|
|
# /var/lib/gitea/data/home/.gnupg/
|
|
|
|
|
programs.gnupg.agent = {
|
|
|
|
|
enable = true;
|
|
|
|
|
pinentryFlavor = "curses";
|
|
|
|
|
};
|
|
|
|
|
# Required to make gpg work without a graphical environment?
|
|
|
|
|
# otherwise generating a new gpg key fails with this error:
|
|
|
|
|
# gpg: agent_genkey failed: No pinentry
|
|
|
|
|
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
|
|
|
|
|
environment.variables = {
|
|
|
|
|
GPG_TTY = "$(tty)";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# netbird
|
|
|
|
|
|
|
|
|
|
# Allow sudo without a password for the barkeeper user
|
|
|
|
|
security.sudo.extraRules = [
|
|
|
|
|
{
|
|
|
|
|
users = [ "${psCfg.user.name}" ];
|
|
|
|
|
commands = [
|
|
|
|
|
{
|
|
|
|
|
command = "ALL";
|
|
|
|
|
options = [ "NOPASSWD" ];
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
# # #
|
|
|
|
|
# # # Triton host specific options
|
|
|
|
|
# # # DO NOT ALTER below this line, changes might render system unbootable
|
|
|
|
|
# # #
|
|
|
|
|
|
|
|
|
|
# Use the systemd-boot EFI boot loader.
|
|
|
|
|
boot.loader.systemd-boot.enable = true;
|
|
|
|
|
boot.loader.efi.canTouchEfiVariables = true;
|
|
|
|
|
|
|
|
|
|
# Force getting the hostname from cloud-init
|
|
|
|
|
networking.hostName = lib.mkDefault "";
|
|
|
|
|
|
|
|
|
|
# Set your time zone.
|
|
|
|
|
time.timeZone = "Europe/Berlin";
|
|
|
|
|
|
|
|
|
|
# Select internationalisation properties.
|
|
|
|
|
console = {
|
|
|
|
|
font = "Lat2-Terminus16";
|
|
|
|
|
keyMap = "us";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# List packages installed in system profile. To search, run:
|
|
|
|
|
# $ nix search wget
|
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
|
git
|
|
|
|
|
vim
|
|
|
|
|
wget
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
# Some programs need SUID wrappers, can be configured further or are
|
|
|
|
|
# started in user sessions.
|
|
|
|
|
# programs.mtr.enable = true;
|
|
|
|
|
# programs.gnupg.agent = {
|
|
|
|
|
# enable = true;
|
|
|
|
|
# enableSSHSupport = true;
|
|
|
|
|
# };
|
|
|
|
|
|
|
|
|
|
# List services that you want to enable:
|
|
|
|
|
services.cloud-init.enable = true;
|
|
|
|
|
services.cloud-init.ext4.enable = true;
|
|
|
|
|
services.cloud-init.network.enable = true;
|
|
|
|
|
# use the default NixOS cloud-init config, but add some SmartOS customization to it
|
|
|
|
|
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
|
|
|
|
|
datasource_list: [ SmartOS ]
|
|
|
|
|
|
|
|
|
|
# Do not create the centos/ubuntu/debian user
|
|
|
|
|
users: [ ]
|
|
|
|
|
|
|
|
|
|
# mount second disk with label ephemeral0, gets formated by cloud-init
|
|
|
|
|
# this will fail to get added to /etc/fstab as it's read-only, but should
|
|
|
|
|
# mount at boot anyway
|
|
|
|
|
mounts:
|
|
|
|
|
- [ vdb, /data, auto, "defaults,nofail" ]
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
# Enable the OpenSSH daemon.
|
|
|
|
|
services.openssh = {
|
|
|
|
|
enable = true;
|
|
|
|
|
passwordAuthentication = false;
|
|
|
|
|
permitRootLogin = "no";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# We manage the firewall with nix, too
|
|
|
|
|
# altough triton can also manage firewall rules via the triton fwrule subcommand
|
|
|
|
|
networking.firewall.enable = true;
|
|
|
|
|
|
|
|
|
|
# This value determines the NixOS release from which the default
|
|
|
|
|
# settings for stateful data, like file locations and database versions
|
|
|
|
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
|
|
|
# this value at the release version of the first install of this system.
|
|
|
|
|
# Before changing this value read the documentation for this option
|
|
|
|
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
|
|
|
|
system.stateVersion = "22.05"; # Did you read the comment?
|
|
|
|
|
};
|
|
|
|
|
}
|