dotfiles/nixos/roles/default.nix

let secrets = import ../secrets.nix;
in { config, pkgs, lib, name, inputs, ... }:
let
  machine = name;
  vpn = import ../vpn.nix;
in {
  imports = [
    ../modules/tor-hidden-service.nix
    ../modules/nginx.nix
    ../modules/lumi-cache.nix
    ../modules/lumi-vpn.nix
    ../deploy/keys.nix
    ../services
  ];

  nix.nixPath = [];# "nixpkgs=${pkgs.path}" ];
  nix.registry.nixpkgs.flake = inputs.nixpkgs;

  networking.domain = "yori.cc";
  networking.hostName = machine;
  time.timeZone = "Europe/Amsterdam";
  users.mutableUsers = false;
  users.users.root = {
    openssh.authorizedKeys.keys =
      config.users.users.yorick.openssh.authorizedKeys.keys;
    # root password is useful from console, ssh has password logins disabled
    hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own

  };
  services.timesyncd.enable = true;
  users.users.yorick = {
    isNormalUser = true;
    uid = 1000;
    extraGroups = [ "wheel" ];
    group = "users";
    openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;
    hashedPassword = secrets.yorick_hashedPassword;
    createHome = true;
  };

  # Nix
  nixpkgs.config.allowUnfree = true;

  #nix.buildCores = config.nix.maxJobs;
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';

  # Networking
  networking.enableIPv6 = true;

  services.openssh = {
    enable = true;
    passwordAuthentication = false;
    kbdInteractiveAuthentication = false;
  };

  environment.systemPackages = with pkgs; [
    rlwrap

    #vim

    # system stuff
    ethtool
    inetutils
    pciutils
    usbutils
    # iotop
    powertop
    htop
    psmisc
    lsof
    smartmontools
    hdparm
    lm_sensors
    ncdu

    # utils
    file
    which
    reptyr
    tmux
    shadow

    # archiving
    xdelta
    libarchive
    atool

    # network
    nmap
    mtr
    bind
    socat
    libressl.nc
    lftp
    wget
    rsync
    arp-scan

    #gitMinimal
  ];
  nix.gc.automatic = true;

  services.avahi = {
    ipv6 = true;
    hostName = machine;
  };
  deployment.keyys = [ (../keys + "/wg.${machine}.key") ];
  networking.wireguard.interfaces.wg-y = {
    privateKeyFile = "/root/keys/wg.${machine}.key";
    ips = [ vpn.ips.${machine} ];
    listenPort = 31790;
    peers = [{
      publicKey = vpn.keys.pennyworth;
      endpoint = "pennyworth.yori.cc:31790";
      allowedIPs = [ "10.209.0.0/24" ];
      persistentKeepalive = 30;
    }];
    postSetup = "ip link set dev wg-y mtu 1371";
  };
  security.acme.defaults.email = "acme@yori.cc";
  security.acme.acceptTerms = true;
  nix.settings.trusted-public-keys =
    [ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ];

  nix.settings.trusted-users = [ "@wheel" ];
  services.prometheus.exporters.node = {
    enable = true;
    enabledCollectors = [ "systemd" ];
    disabledCollectors = [ "rapl" ];
  };
  networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ];
  xdg.autostart.enable = false;
}
initial commit 2020-05-21 17:39:38 +02:00			`let secrets = import ../secrets.nix;`
flakes fixes 2022-05-15 15:39:25 +02:00			`in { config, pkgs, lib, name, inputs, ... }:`
update for 18.03 2018-03-11 18:28:25 +01:00			`let`
initial commit 2020-05-21 17:39:38 +02:00			`machine = name;`
			`vpn = import ../vpn.nix;`
nixfmt 2021-05-29 18:05:31 +02:00			`in {`
			`imports = [`
some changes after nix 2.0 2018-02-27 16:31:16 +01:00			`../modules/tor-hidden-service.nix`
update for 18.03 2018-03-11 18:28:25 +01:00			`../modules/nginx.nix`
refactoring 2022-04-11 13:26:26 +02:00			`../modules/lumi-cache.nix`
add lumi-vpn module 2021-01-03 17:38:59 +01:00			`../modules/lumi-vpn.nix`
initial commit 2020-05-21 17:39:38 +02:00			`../deploy/keys.nix`
			`../services`
some changes after nix 2.0 2018-02-27 16:31:16 +01:00			`];`
refactoring 2022-04-11 13:26:26 +02:00
flakes fixes 2022-05-15 15:39:25 +02:00			`nix.nixPath = [];# "nixpkgs=${pkgs.path}" ];`
			`nix.registry.nixpkgs.flake = inputs.nixpkgs;`
refactoring 2022-04-11 13:26:26 +02:00
fix nixpkgs bump issues 2021-01-02 20:39:48 +01:00			`networking.domain = "yori.cc";`
			`networking.hostName = machine;`
nixfmt 2021-05-29 18:05:31 +02:00			`time.timeZone = "Europe/Amsterdam";`
			`users.mutableUsers = false;`
			`users.users.root = {`
			`openssh.authorizedKeys.keys =`
			`config.users.users.yorick.openssh.authorizedKeys.keys;`
better hardware/logical separation 2017-02-02 16:31:19 +01:00			`# root password is useful from console, ssh has password logins disabled`
			`hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own`

nixfmt 2021-05-29 18:05:31 +02:00			`};`
add jarvis, fix i3-gaps, add spotify ports 2016-12-08 15:31:45 +01:00			`services.timesyncd.enable = true;`
nixfmt 2021-05-29 18:05:31 +02:00			`users.users.yorick = {`
			`isNormalUser = true;`
			`uid = 1000;`
			`extraGroups = [ "wheel" ];`
			`group = "users";`
			`openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;`
initial commit 2020-05-21 17:39:38 +02:00			`hashedPassword = secrets.yorick_hashedPassword;`
finish smithers setup 2021-10-19 11:16:42 +02:00			`createHome = true;`
nixfmt 2021-05-29 18:05:31 +02:00			`};`
change all the things 2016-01-28 02:59:31 +01:00
			`# Nix`
			`nixpkgs.config.allowUnfree = true;`

initial commit 2020-05-21 17:39:38 +02:00			`#nix.buildCores = config.nix.maxJobs;`
fix nix experimental feature 2021-11-15 21:08:11 +01:00			`nix.extraOptions = ''`
			`experimental-features = nix-command flakes`
			`'';`
change all the things 2016-01-28 02:59:31 +01:00
			`# Networking`
enable ipv6 everywhere, unify nix cache config 2018-11-20 22:26:42 +01:00			`networking.enableIPv6 = true;`
change all the things 2016-01-28 02:59:31 +01:00
			`services.openssh = {`
better hardware/logical separation 2017-02-02 16:31:19 +01:00			`enable = true;`
nixfmt 2021-05-29 18:05:31 +02:00			`passwordAuthentication = false;`
update 2022-03-16 17:12:11 +01:00			`kbdInteractiveAuthentication = false;`
change all the things 2016-01-28 02:59:31 +01:00			`};`

			`environment.systemPackages = with pkgs; [`
There is no capslock, only escape. Also, other changes. 2018-02-25 21:29:39 +01:00			`rlwrap`
change all the things 2016-01-28 02:59:31 +01:00
initial commit 2020-05-21 17:39:38 +02:00			`#vim`
change all the things 2016-01-28 02:59:31 +01:00
			`# system stuff`
nixfmt 2021-05-29 18:05:31 +02:00			`ethtool`
			`inetutils`
			`pciutils`
			`usbutils`
			`# iotop`
			`powertop`
			`htop`
			`psmisc`
			`lsof`
			`smartmontools`
			`hdparm`
change all the things 2016-01-28 02:59:31 +01:00			`lm_sensors`
			`ncdu`
nixfmt 2021-05-29 18:05:31 +02:00
change all the things 2016-01-28 02:59:31 +01:00			`# utils`
nixfmt 2021-05-29 18:05:31 +02:00			`file`
			`which`
change all the things 2016-01-28 02:59:31 +01:00			`reptyr`
			`tmux`
update 2016-04-12 16:48:36 +02:00			`shadow`
nixfmt 2021-05-29 18:05:31 +02:00
change all the things 2016-01-28 02:59:31 +01:00			`# archiving`
			`xdelta`
initial commit 2020-05-21 17:39:38 +02:00			`libarchive`
change all the things 2016-01-28 02:59:31 +01:00			`atool`

			`# network`
nixfmt 2021-05-29 18:05:31 +02:00			`nmap`
			`mtr`
			`bind`
			`socat`
update 2022-03-16 17:12:11 +01:00			`libressl.nc`
nixfmt 2021-05-29 18:05:31 +02:00			`lftp`
			`wget`
			`rsync`
tweak some shell aliases 2022-04-11 13:37:52 +02:00			`arp-scan`
change all the things 2016-01-28 02:59:31 +01:00
initial commit 2020-05-21 17:39:38 +02:00			`#gitMinimal`
change all the things 2016-01-28 02:59:31 +01:00			`];`
			`nix.gc.automatic = true;`
split off functionality into roles 2017-02-02 16:58:48 +01:00
initial commit 2020-05-21 17:39:38 +02:00			`services.avahi = {`
			`ipv6 = true;`
			`hostName = machine;`
			`};`
polish conf script a bit 2021-11-15 12:59:44 +01:00			`deployment.keyys = [ (../keys + "/wg.${machine}.key") ];`
initial commit 2020-05-21 17:39:38 +02:00			`networking.wireguard.interfaces.wg-y = {`
			`privateKeyFile = "/root/keys/wg.${machine}.key";`
			`ips = [ vpn.ips.${machine} ];`
			`listenPort = 31790;`
nixfmt 2021-05-29 18:05:31 +02:00			`peers = [{`
initial commit 2020-05-21 17:39:38 +02:00			`publicKey = vpn.keys.pennyworth;`
			`endpoint = "pennyworth.yori.cc:31790";`
			`allowedIPs = [ "10.209.0.0/24" ];`
			`persistentKeepalive = 30;`
			`}];`
			`postSetup = "ip link set dev wg-y mtu 1371";`
			`};`
blackadder: update 2022-01-17 20:35:48 +01:00			`security.acme.defaults.email = "acme@yori.cc";`
initial commit 2020-05-21 17:39:38 +02:00			`security.acme.acceptTerms = true;`
update 2022-03-16 17:12:11 +01:00			`nix.settings.trusted-public-keys =`
initial commit 2020-05-21 17:39:38 +02:00			`[ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ];`
change all the things 2016-01-28 02:59:31 +01:00
update 2022-03-16 17:12:11 +01:00			`nix.settings.trusted-users = [ "@wheel" ];`
global: enable prometheus exporters 2021-01-03 19:00:33 +01:00			`services.prometheus.exporters.node = {`
			`enable = true;`
			`enabledCollectors = [ "systemd" ];`
			`disabledCollectors = [ "rapl" ];`
			`};`
			`networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ];`
refactoring 2022-04-11 13:26:26 +02:00			`xdg.autostart.enable = false;`
initial commit 2020-05-21 17:39:38 +02:00			`}`