# Common NixOS profile shared by the hosts in this repository.
#
# `name` is the machine name handed in by the deploy tooling; it doubles as
# the hostname, the Avahi name and the file name of the host's WireGuard key.
# `lib` is unused here but kept so every host module has the same signature.
{ config, pkgs, lib, name, ... }:

let
  secrets = import ../secrets.nix;
  vpn = import ../vpn.nix;
  sshkeys = import ../sshkeys.nix;
  machine = name;
in
{
  imports = [
    ../modules/tor-hidden-service.nix
    ../modules/nginx.nix
    ../modules/lumi-cache.nix
    ../modules/lumi-vpn.nix
    ../deploy/keys.nix
    ../services
  ];

  time.timeZone = "Europe/Amsterdam";

  xdg.autostart.enable = false;

  # ---------------------------------------------------------------- users --

  users = {
    # Declarative accounts only; anything not listed here does not exist on
    # the host.
    mutableUsers = false;

    users = {
      root = {
        # Root logs in with the same keys as yorick (sshd's default
        # PermitRootLogin still refuses password logins for root).
        openssh.authorizedKeys.keys =
          config.users.users.yorick.openssh.authorizedKeys.keys;
        # The password is only for the local console; SSH password and
        # keyboard-interactive logins are disabled under services.openssh.
        # Note this reuses pennyworth's hash, so both hosts share one root
        # password until a per-host one is generated.
        hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own
      };

      yorick = {
        isNormalUser = true;
        uid = 1000;
        group = "users";
        extraGroups = [ "wheel" ];
        createHome = true;
        openssh.authorizedKeys.keys = sshkeys.yorick;
        hashedPassword = secrets.yorick_hashedPassword;
      };
    };
  };

  # ------------------------------------------------------------------ nix --

  nixpkgs.config.allowUnfree = true;

  nix = {
    # Point <nixpkgs> for ad-hoc nix-shell/nix-build at the exact nixpkgs
    # this system was built from.
    nixPath = [ "nixpkgs=${pkgs.path}" ];

    extraOptions = ''
      experimental-features = nix-command flakes
    '';

    gc.automatic = true;

    settings = {
      # Signing key accepted for substituted store paths.
      trusted-public-keys =
        [ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ];
      # NOTE(review): trusted users may override daemon settings such as
      # substituters, which is effectively root-equivalent; that matches the
      # wheel group already having sudo, so no extra exposure here.
      trusted-users = [ "@wheel" ];
    };
  };

  # ----------------------------------------------------------- networking --

  networking = {
    domain = "yori.cc";
    hostName = machine;
    enableIPv6 = true;

    # The node exporter (9100) is only opened on the VPN interface, never on
    # the public ones.
    firewall.interfaces.wg-y.allowedTCPPorts = [ 9100 ];

    wireguard.interfaces.wg-y = {
      # Read at runtime from a file outside the Nix store; see
      # deployment.keyys below for how it gets there.
      privateKeyFile = "/root/keys/wg.${machine}.key";
      ips = [ vpn.ips.${machine} ];
      listenPort = 31790;
      peers = [{
        publicKey = vpn.keys.pennyworth;
        endpoint = "pennyworth.yori.cc:31790";
        allowedIPs = [ "10.209.0.0/24" ];
        persistentKeepalive = 30;
      }];
      postSetup = "ip link set dev wg-y mtu 1371";
    };
  };

  # Key file shipped to the host out-of-band (presumably by ../deploy/keys.nix,
  # which is not shown here; note the option is spelled `keyys`, distinct from
  # NixOps' `deployment.keys`). Keeping it out of the store means the private
  # key is never world-readable.
  deployment.keyys = [ (../keys + "/wg.${machine}.key") ];

  # ------------------------------------------------------------- services --

  services = {
    timesyncd.enable = true;

    openssh = {
      enable = true;
      # Key-based logins only: both password and keyboard-interactive (PAM)
      # authentication are off.
      passwordAuthentication = false;
      kbdInteractiveAuthentication = false;
    };

    avahi = {
      ipv6 = true;
      hostName = machine;
    };

    prometheus.exporters.node = {
      enable = true;
      enabledCollectors = [ "systemd" ];
      disabledCollectors = [ "rapl" ];
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@yori.cc";
  };

  # ------------------------------------------------------------- packages --

  environment.systemPackages = with pkgs; [
    rlwrap
    #vim

    # system stuff
    ethtool
    inetutils
    pciutils
    usbutils
    # iotop
    powertop
    htop
    psmisc
    lsof
    smartmontools
    hdparm
    lm_sensors
    ncdu

    # utils
    file
    which
    reptyr
    tmux
    shadow

    # archiving
    xdelta
    libarchive
    atool

    # network
    nmap
    mtr
    bind
    socat
    libressl.nc
    lftp
    wget
    rsync
    arp-scan
    #gitMinimal
  ];
}