summaryrefslogtreecommitdiff
path: root/Com
diff options
context:
space:
mode:
Diffstat (limited to 'Com')
-rw-r--r--Com/Simatime/buildOS.nix52
-rw-r--r--Com/Simatime/dev/configuration.nix38
-rw-r--r--Com/Simatime/users.nix57
-rw-r--r--Com/Simatime/vpnHosts.nix37
4 files changed, 122 insertions, 62 deletions
diff --git a/Com/Simatime/buildOS.nix b/Com/Simatime/buildOS.nix
new file mode 100644
index 0000000..2da22a1
--- /dev/null
+++ b/Com/Simatime/buildOS.nix
@@ -0,0 +1,52 @@
+nixos:
+{ ipAddress ? null
+, enableVpn ? false
+, vpnConnectTo ? ""
+, vpnRsaPrivateKeyFile ? null
+, vpnEd25519PrivateKeyFile ? null
+, configuration # see: configuration.nix(5)
+}:
+assert enableVpn -> builtins.isString ipAddress;
+assert enableVpn -> builtins.isString vpnRsaPrivateKeyFile;
+assert enableVpn -> builtins.isString vpnEd25519PrivateKeyFile;
+let
+ vpnExtraConfig = ''
+ ConnectTo = ${vpnConnectTo}
+ Ed25519PrivateKeyFile = "${vpnEd25519PrivateKeyFile}"
+ PrivateKeyFile = "${vpnRsaPrivateKeyFile}"
+ '';
+ defaults = {
+ boot.cleanTmpDir = true;
+ #networking.interfaces.simatime-vpn = [{ ipv4.address = ipAddress; }];
+ nix.binaryCaches = [ "https://cache.nixos.org" ];
+ nix.gc.automatic = true;
+ nix.gc.dates = "Sunday 02:15";
+ nix.maxJobs = 1; # "auto";
+ nix.optimise.automatic = true;
+ nix.optimise.dates = [ "Sunday 02:30" ];
+ security.sudo.wheelNeedsPassword = false;
+ services.clamav.daemon.enable = true; # security
+ services.clamav.updater.enable = true; # security
+ services.fail2ban.enable = true; # security
+ services.openssh.enable = true;
+ services.openssh.forwardX11 = true;
+ services.openssh.passwordAuthentication = false;
+ services.tinc.networks.simatime-vpn.extraConfig = vpnExtraConfig;
+ services.tinc.networks.simatime-vpn.debugLevel = 3;
+ services.tinc.networks.simatime-vpn.interfaceType = "tap";
+ services.tinc.networks.simatime-vpn.hosts = import ./vpnHosts.nix;
+ system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.09";
+ system.autoUpgrade.dates = "03:00";
+ system.autoUpgrade.enable = true;
+ users.motd = "welcome to simatime.com";
+ users.users = import ./users.nix;
+
+ };
+ os = nixos {
+ system = "x86_64-linux";
+ configuration = (defaults // configuration);
+ };
+in {
+ system = os.system;
+ vm = os.vm;
+}
diff --git a/Com/Simatime/dev/configuration.nix b/Com/Simatime/dev/configuration.nix
index c096f85..ec3a5a4 100644
--- a/Com/Simatime/dev/configuration.nix
+++ b/Com/Simatime/dev/configuration.nix
@@ -113,11 +113,6 @@
configFile = "/home/ben/gitlab-runner.toml";
};
- openssh = {
- enable = true;
- forwardX11 = true;
- };
-
deluge = {
enable = true;
openFilesLimit = 10240;
@@ -164,7 +159,7 @@
};
};
- jellyfin = { # previously emby
+ emby = { # previously emby
enable = true;
user = "jellyfin";
group = "jellyfin";
@@ -172,13 +167,6 @@
vnstat.enable = true;
- # security stuff
- fail2ban.enable = true;
- clamav = {
- daemon.enable = true;
- updater.enable = true;
- };
-
postgresql = {
enable = true;
package = pkgs.postgresql_10;
@@ -193,28 +181,16 @@
};
};
- nix = {
- gc = {
- automatic = true;
- dates = "03:15";
- };
- binaryCaches = [ "https://cache.nixos.org/" ];
- nixPath = [
- "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs"
- "nixos-config=/etc/nixos/configuration.nix"
- "/nix/var/nix/profiles/per-user/root/channels"
- ];
- extraOptions = ''
- gc-keep-outputs = true
- gc-keep-derivations = true
- '';
- };
+ # Since this is the dev machine, we can turn these on at the expense of extra
+ # disk space.
+ nix.extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "17.09"; # Did you read the comment?
- system.autoUpgrade.enable = true;
-
}
diff --git a/Com/Simatime/users.nix b/Com/Simatime/users.nix
index daac9d6..c951c8e 100644
--- a/Com/Simatime/users.nix
+++ b/Com/Simatime/users.nix
@@ -1,33 +1,28 @@
-{ ... }:
-
-let
- key = f: builtins.readFile (./keys/. + ("/" + f));
-in
-{
- users = {
- users = {
- # bots
- deploy = {
- isNormalUser = true;
- home = "/home/deploy";
- openssh.authorizedKeys.keys = [ (key "deploy.pub") ];
- extraGroups = [ "wheel" ];
- };
-
- # humans
- root.openssh.authorizedKeys.keys = [ (key "ben.pub") ];
- ben = {
- isNormalUser = true;
- home = "/home/ben";
- openssh.authorizedKeys.keys = [ (key "ben.pub") ];
- extraGroups = [ "wheel" "networkmanager" "docker" ];
- };
- nick = {
- isNormalUser = true;
- home = "/home/nick";
- openssh.authorizedKeys.keys = [ (key "nick.pub") ];
- extraGroups = [ "docker" ];
- };
- };
+{ #
+ # bots
+ #
+ deploy = {
+ isNormalUser = true;
+ home = "/home/deploy";
+ openssh.authorizedKeys.keyFiles = [ ./keys/deploy.pub ];
+ extraGroups = [ "wheel" ];
+ };
+ #
+ # humans
+ #
+ root.openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+ ben = {
+ description = "Ben Sima";
+ isNormalUser = true;
+ home = "/home/ben";
+ openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+ extraGroups = [ "wheel" "networkmanager" "docker" ];
+ };
+ nick = {
+ description = "Nick Sima";
+ isNormalUser = true;
+ home = "/home/nick";
+ openssh.authorizedKeys.keyFiles = [ ./keys/nick.pub ];
+ extraGroups = [ "docker" ];
};
}
diff --git a/Com/Simatime/vpnHosts.nix b/Com/Simatime/vpnHosts.nix
new file mode 100644
index 0000000..1a66e92
--- /dev/null
+++ b/Com/Simatime/vpnHosts.nix
@@ -0,0 +1,37 @@
+let
+ mkVpnPeer = { address, subnet, ed25519PublicKey, rsaPublicKey }: ''
+ Address = ${address}
+ Subnet = ${subnet}
+ Ed25519PublicKey = ${ed25519PublicKey}
+ ${rsaPublicKey}
+ '';
+in {
+ "com.simatime" = mkVpnPeer {
+ address = "159.89.128.69";
+ subnet = "10.1.1.25";
+ ed25519PublicKey = "TODO";
+ rsaPublicKey = ''
+ TODO
+ '';
+ };
+ "com.simatime.dev" = mkVpnPeer {
+ address = "69.181.254.154";
+ subnet = "10.1.1.21";
+ ed25519PublicKey = "s5/rbuM7WaYqaZH0BP4/mYefrl3uWfaT+Ew4gmSsh8F";
+ rsaPublicKey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAydQHK4jUQnp4ZSqIB/fjfLxILqy/IHR6DPiUp/HustFDOaLKSVM8
+ 75fVtBybiEkUmXLU3Bg8WX9zR+llTf3za1B13w+uJpcR4FS/LhAN/wgHCdgHUb4W
+ D7YZzGUnLhPAu3Ivnu5QZ6vzigqtbPCIFfwGDW2RGjq3iJMag1sM/xBOZrSn+zsZ
+ azCEP/snY30UE5ggrxJSMpZXSpS9u266nTblo8gTwfjdzrC93gmNNIxdHpeYGb0O
+ VGdaMmExq5Ny4flG2qtWA0u8nDscg7bEVIYfPjZr1G2FT5A0Ma4kteu6TeYpQEd9
+ 0if3lRb48iMwh1VBfXBps9Heexz0HjG6EAku2B1mEL5orjmC3jJK0DpuXnwVN5pz
+ B+UrFnqbFykeHxZD5RdAB1tcuHZlJ/mQyZRQMJtkifFLdj4iBBK+si05GpodGhIz
+ iXkMYRIOja9/4EyukDdU2i2yEOmgif6DhIh4awss1b2Crtxs2bg6/xi2Hy63IQEy
+ u8LxuiPGA69NsaFZz49SXXJw11KQt5g7WE0jweYXmT3VO6yZlktGdJjzXyhaw7ma
+ G9VgHvxh+K/mDZ2SXwDcINzwYwZxxqcxcmA4o8glCKQyVHIT5hlo7QkSzK4P+GgN
+ Js+sRDreM6Rha2zcOaJWZ5IO2Xva6AZZ29oO5m4V/CYPCuMAzXwV2GMCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+}