diff options
author | tv <tv@krebsco.de> | 2015-07-07 06:20:50 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2015-07-07 06:20:50 +0200 |
commit | cd8370ea4a66a03aeee3daf1ae7b979e4e4e2b97 (patch) | |
tree | e17e97481f49f2beac80b922ba45318e66b09299 | |
parent | d55f1c09c96f0cceaa84217f5dadb57bec7077ef (diff) |
host nomic: init
-rw-r--r-- | modules/nomic/default.nix | 69 | ||||
-rw-r--r-- | modules/nomic/hardware-configuration.nix | 49 | ||||
-rw-r--r-- | modules/nomic/paths.nix | 12 | ||||
-rw-r--r-- | modules/nomic/users.nix | 42 |
4 files changed, 172 insertions, 0 deletions
diff --git a/modules/nomic/default.nix b/modules/nomic/default.nix new file mode 100644 index 0000000..61310b3 --- /dev/null +++ b/modules/nomic/default.nix @@ -0,0 +1,69 @@ +{ config, pkgs, ... }: + +let + location = pkgs.lib.nameValuePair; # TODO this is also in modules/tv/git/cgit.nix +in + +{ + imports = [ + ./hardware-configuration.nix + ./users.nix + ../tv/base.nix + ../tv/exim-retiolum.nix + ../tv/git/public.nix + ../tv/sanitize.nix + ../tv/smartd.nix + { + imports = [ ../tv/iptables ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "http" + "tinc" + "smtp" + ]; + }; + } + { + imports = [ ../tv/nginx ]; + tv.nginx = { + enable = true; + retiolum-locations = [ + (location "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; + } + { + imports = [ ../tv/retiolum ]; + tv.retiolum = { + enable = true; + hosts = <retiolum-hosts>; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + } + ]; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + networking = { + hostName = "nomic"; + wireless.enable = true; + }; + + services.openssh = { + enable = true; + hostKeys = [ + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; +} diff --git a/modules/nomic/hardware-configuration.nix b/modules/nomic/hardware-configuration.nix new file mode 100644 index 0000000..8a00730 --- /dev/null +++ b/modules/nomic/hardware-configuration.nix @@ -0,0 +1,49 @@ +{ config, ... }: + +{ + boot.initrd.luks = { + cryptoModules = [ "aes" "sha1" "xts" ]; + devices = [ + { + name = "luks1"; + device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4"; + } + ]; + }; + + boot.initrd.availableKernelModules = [ "ahci" ]; + boot.kernelModules = [ "kvm-intel" "wl" ]; + boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ]; + + boot.loader.grub = { + device = "/dev/sda"; + splashImage = null; + }; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e"; + fsType = "ext4"; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff"; + fsType = "btrfs"; + }; + + swapDevices = [ ]; + + nix = { + buildCores = 2; + maxJobs = 2; + daemonIONiceLevel = 1; + daemonNiceLevel = 1; + }; + + # For config.boot.kernelPackages.broadcom_sta + nixpkgs.config.allowUnfree = true; +} diff --git a/modules/nomic/paths.nix b/modules/nomic/paths.nix new file mode 100644 index 0000000..a62ef33 --- /dev/null +++ b/modules/nomic/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets/nomic/nix; +} diff --git a/modules/nomic/users.nix b/modules/nomic/users.nix new file mode 100644 index 0000000..70e1d8d --- /dev/null +++ b/modules/nomic/users.nix @@ -0,0 +1,42 @@ +{ pkgs, ... }: + +{ + imports = [ + { users = import <secrets/users.nix>; } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = [ + (pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>) + ]; + }; + tv = { + uid = 1337; + group = "users"; + home = "/home/tv"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "video" + "wheel" + ]; + openssh.authorizedKeys.keys = [ + (pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>) + ]; + }; + }; + } + ]; + + users.defaultUserShell = "/run/current-system/sw/bin/bash"; + users.mutableUsers = false; + + security.setuidPrograms = [ + "sendmail" # for sudo + ]; + + security.sudo.extraConfig = '' + Defaults mailto="tv@wu.retiolum" + ''; +} |