authortv <tv@krebsco.de>2015-07-07 06:20:50 +0200
committertv <tv@krebsco.de>2015-07-07 06:20:50 +0200
commitcd8370ea4a66a03aeee3daf1ae7b979e4e4e2b97 (patch)
treee17e97481f49f2beac80b922ba45318e66b09299
parentd55f1c09c96f0cceaa84217f5dadb57bec7077ef (diff)
host nomic: init
-rw-r--r--modules/nomic/default.nix69
-rw-r--r--modules/nomic/hardware-configuration.nix49
-rw-r--r--modules/nomic/paths.nix12
-rw-r--r--modules/nomic/users.nix42
4 files changed, 172 insertions, 0 deletions
diff --git a/modules/nomic/default.nix b/modules/nomic/default.nix
new file mode 100644
index 0000000..61310b3
--- /dev/null
+++ b/modules/nomic/default.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+let
+ location = pkgs.lib.nameValuePair; # TODO this is also in modules/tv/git/cgit.nix
+in
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./users.nix
+ ../tv/base.nix
+ ../tv/exim-retiolum.nix
+ ../tv/git/public.nix
+ ../tv/sanitize.nix
+ ../tv/smartd.nix
+ {
+ imports = [ ../tv/iptables ];
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "http"
+ "tinc"
+ "smtp"
+ ];
+ };
+ }
+ {
+ imports = [ ../tv/nginx ];
+ tv.nginx = {
+ enable = true;
+ retiolum-locations = [
+ (location "~ ^/~(.+?)(/.*)?\$" ''
+ alias /home/$1/public_html$2;
+ '')
+ ];
+ };
+ }
+ {
+ imports = [ ../tv/retiolum ];
+ tv.retiolum = {
+ enable = true;
+ hosts = <retiolum-hosts>;
+ connectTo = [
+ "gum"
+ "pigstarter"
+ ];
+ };
+ }
+ ];
+
+ boot.kernel.sysctl = {
+ # Enable IPv6 Privacy Extensions
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+
+ networking = {
+ hostName = "nomic";
+ wireless.enable = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+}
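Review bot: The `services.openssh` block at the end of the hunk pins the host key to ed25519 but leaves `permitRootLogin` at the module default, while users.nix in this same commit gives root an authorized key; if key-only root login is the intent, say so explicitly with `services.openssh.permitRootLogin = "without-password";` so a later default change or a password on the root account does not widen it. The nginx regex location near the top serves `/home/$1/public_html$2` for any `~user` path, and the only thing scoping that to the overlay network is the option name `retiolum-locations`, which is inferred rather than visible here; a comment such as `# ~user/public_html is only served on the retiolum listener (see ../tv/nginx)` would make the intended exposure clear once confirmed against that module. The `location` helper at the top carries a TODO about being duplicated from modules/tv/git/cgit.nix; a shared definition under lib would remove the copy.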
diff --git a/modules/nomic/hardware-configuration.nix b/modules/nomic/hardware-configuration.nix
new file mode 100644
index 0000000..8a00730
--- /dev/null
+++ b/modules/nomic/hardware-configuration.nix
@@ -0,0 +1,49 @@
+{ config, ... }:
+
+{
+ boot.initrd.luks = {
+ cryptoModules = [ "aes" "sha1" "xts" ];
+ devices = [
+ {
+ name = "luks1";
+ device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
+ }
+ ];
+ };
+
+ boot.initrd.availableKernelModules = [ "ahci" ];
+ boot.kernelModules = [ "kvm-intel" "wl" ];
+ boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
+
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+ fsType = "ext4";
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+ fsType = "btrfs";
+ };
+
+ swapDevices = [ ];
+
+ nix = {
+ buildCores = 2;
+ maxJobs = 2;
+ daemonIONiceLevel = 1;
+ daemonNiceLevel = 1;
+ };
+
+ # For config.boot.kernelPackages.broadcom_sta
+ nixpkgs.config.allowUnfree = true;
+}
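Review bot: `nixpkgs.config.allowUnfree = true` at the bottom of the hunk allows every unfree package system-wide, although the comment above it says it exists only for `broadcom_sta`; if the nixpkgs revision pinned in paths.nix provides it, `nixpkgs.config.allowUnfreePredicate` with a predicate matching only the broadcom driver's package name keeps the rest of the system to free packages. The `cryptoModules` list near the top includes `"sha1"`, which is easy to misread as the cipher; a comment like `# "sha1": hash used by this LUKS header's key derivation (check cryptsetup luksDump), not the data cipher` would prevent a later cleanup from dropping it and breaking the initrd — I am inferring the header setting from the module list, so confirm against the actual header. Whether `"sha1"` there reflects a LUKS1 PBKDF2 default is worth recording next to the UUID so the pairing is obvious.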
diff --git a/modules/nomic/paths.nix b/modules/nomic/paths.nix
new file mode 100644
index 0000000..a62ef33
--- /dev/null
+++ b/modules/nomic/paths.nix
@@ -0,0 +1,12 @@
+{
+ lib.file.url = ../../lib;
+ modules.file.url = ../../modules;
+ nixpkgs.git = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90";
+ cache = ../../tmp/git-cache;
+ };
+ pubkeys.file.url = ../../pubkeys;
+ retiolum-hosts.file.url = ../../hosts;
+ secrets.file.url = ../../secrets/nomic/nix;
+}
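Review bot: The `nixpkgs.git.rev` pin in the middle of the hunk is a bare commit hash with nothing saying which branch or date it was taken from, which makes a later bump a guess; a comment such as `# nixpkgs master as of <DATE-PLACEHOLDER>; bump deliberately, nomic's kernel/driver set depends on it` next to `rev` would carry that. The unquoted `url = https://github.com/NixOS/nixpkgs;` relies on Nix's URL-literal syntax; quoting it as a string keeps it from tripping readers used to the rest of the file's quoted values, though both forms evaluate the same way here.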
diff --git a/modules/nomic/users.nix b/modules/nomic/users.nix
new file mode 100644
index 0000000..70e1d8d
--- /dev/null
+++ b/modules/nomic/users.nix
@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ { users = import <secrets/users.nix>; }
+ {
+ users.extraUsers = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ (pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>)
+ ];
+ };
+ tv = {
+ uid = 1337;
+ group = "users";
+ home = "/home/tv";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ "audio"
+ "video"
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [
+ (pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>)
+ ];
+ };
+ };
+ }
+ ];
+
+ users.defaultUserShell = "/run/current-system/sw/bin/bash";
+ users.mutableUsers = false;
+
+ security.setuidPrograms = [
+ "sendmail" # for sudo
+ ];
+
+ security.sudo.extraConfig = ''
+ Defaults mailto="tv@wu.retiolum"
+ '';
+}
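Review bot: `pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>` is evaluated twice in the `users.extraUsers` block, once for root and once for tv, so a key rotation has to be applied in two places; bind it once with `let tv_wu = pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>; in` above the attribute set and use `openssh.authorizedKeys.keys = [ tv_wu ];` in both accounts. The `users = import <secrets/users.nix>;` line merges whatever that file defines with the explicit accounts below, and since the file is not in the commit the resulting user set cannot be reviewed here; a one-line comment stating what the secrets file is expected to contribute (presumably password hashes, to be confirmed) would help the next reader. The `"sendmail" # for sudo` entry in `security.setuidPrograms` is explained only by the `Defaults mailto` line further down; moving the comment to `# sudo's mailto (below) needs a setuid sendmail` ties the two together.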