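# NixOS host configuration for a Triton/SmartOS cloud VM that runs the
# pub.solar git server stack (gitea, keycloak, mailman, fronted by caddy).
# Host-specific bits (boot loader, cloud-init, sshd, firewall) live at the
# bottom under the "Triton host specific options" marker.
{ config, latestModulesPath, lib, inputs, pkgs, profiles, self, ... }:
let
  psCfg = config.pub-solar;
in {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./triton-vmtools.nix
    ./caddy.nix
    ./keycloak.nix
    ./gitea.nix
    ./mailman.nix

    profiles.base-user
    profiles.users.root # make sure to configure ssh keys
    profiles.users.barkeeper

    # Use the gitea module from a newer nixpkgs than the one this host is
    # otherwise built from; the bundled copy is disabled below so that both
    # do not declare the same options.
    "${latestModulesPath}/services/misc/gitea.nix"
  ];

  disabledModules = [ "services/misc/gitea.nix" ];

  config = {
    # Password for the outgoing SMTP account configured in
    # pub-solar.infra-node.mailing below (consumed via .path).
    # NOTE(review): the secret is named mailing-password but decrypts
    # secrets/gitea-database-password.age — confirm that this .age file really
    # holds the SMTP password and not the gitea database password, or point
    # it at the correct file.
    age.secrets.mailing-password = {
      file = "${self}/secrets/gitea-database-password.age";
      # The decrypted file is only ever read; the execute bit of the previous
      # mode (700) served no purpose, so drop it. Readability is unchanged:
      # owner only.
      mode = "600";
      owner = "root";
    };

    # # # # # #
    # pub.solar options
    # # #
    pub-solar.core = {
      # Cloud VM: no LUKS, image is built via the iso options.
      disk-encryption-active = false;
      iso-options.enable = true;
      lite = true;
    };

    pub-solar.infra-node = {
      mailing = {
        type = "smtp";
        user = "admin@momo.koeln";
        # Port 465 is conventionally implicit-TLS SMTP; whether the
        # infra-node module enforces TLS here is not visible in this file.
        host = "mx2.greenbaum.cloud:465";
        from = ''"pub.solar git server" '';
        passwordFile = config.age.secrets.mailing-password.path;
      };
    };

    # Allow sudo without a password for the barkeeper user.
    # NOTE: together with key-only SSH below this makes the barkeeper's SSH
    # key equivalent to root on this host — treat that key with the same
    # care as the root keys configured through profiles.users.root.
    security.sudo.extraRules = [
      {
        users = [ "${psCfg.user.name}" ];
        commands = [
          {
            command = "ALL";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];

    # Machine user for CI pipelines. No authorized keys are set here, so the
    # account is not reachable over SSH unless another module adds keys.
    users.users.www-user = {
      description = "user";
      home = "/var/nix/iso-cache";
      useDefaultShell = true;
      uid = 10001;
      group = "www-user";
      isSystemUser = true;
      openssh.authorizedKeys.keys = [];
    };
    users.groups.www-user = {};

    # # # # # #
    # Triton host specific options
    # # #
    # DO NOT ALTER below this line, changes might render system unbootable
    # # # # # #

    # Use the systemd-boot EFI boot loader.
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;

    # Force getting the hostname from cloud-init
    networking.hostName = lib.mkDefault "";

    # Set your time zone.
    time.timeZone = "Europe/Berlin";

    # Select internationalisation properties.
    console = {
      font = "Lat2-Terminus16";
      keyMap = "us";
    };

    # List packages installed in system profile. To search, run:
    # $ nix search wget
    environment.systemPackages = with pkgs; [
      git
      vim
      wget
    ];

    # Some programs need SUID wrappers, can be configured further or are
    # started in user sessions.
    # programs.mtr.enable = true;
    # programs.gnupg.agent = {
    #   enable = true;
    #   enableSSHSupport = true;
    # };

    # List services that you want to enable:

    services.cloud-init.enable = true;
    services.cloud-init.ext4.enable = true;
    services.cloud-init.network.enable = true;

    # use the default NixOS cloud-init config, but add some SmartOS customization to it
    environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
      datasource_list: [ SmartOS ]

      # Do not create the centos/ubuntu/debian user
      users: [ ]

      # mount second disk with label ephemeral0, gets formated by cloud-init
      # this will fail to get added to /etc/fstab as it's read-only, but should
      # mount at boot anyway
      mounts:
        - [ vdb, /data, auto, "defaults,nofail" ]
    '';

    # Enable the OpenSSH daemon. Key-based login only; root may not log in
    # directly (use the barkeeper account plus sudo instead).
    # These are the pre-23.05 option names, matching system.stateVersion.
    services.openssh = {
      enable = true;
      passwordAuthentication = false;
      # Also close the keyboard-interactive (PAM) path, which — depending on
      # the PAM configuration — can still prompt for a password even when
      # PasswordAuthentication is off.
      kbdInteractiveAuthentication = false;
      permitRootLogin = "no";
    };

    # We manage the firewall with nix, too
    # although triton can also manage firewall rules via the triton fwrule subcommand
    networking.firewall.enable = true;

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "22.05"; # Did you read the comment?
  };
}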