Diffstat (limited to 'Com')
-rw-r--r-- | Com/Simatime/buildOS.nix | 52 | ||||
-rw-r--r-- | Com/Simatime/dev/configuration.nix | 38 | ||||
-rw-r--r-- | Com/Simatime/users.nix | 57 | ||||
-rw-r--r-- | Com/Simatime/vpnHosts.nix | 37 |
4 files changed, 122 insertions, 62 deletions
diff --git a/Com/Simatime/buildOS.nix b/Com/Simatime/buildOS.nix
new file mode 100644
index 0000000..2da22a1
--- /dev/null
+++ b/Com/Simatime/buildOS.nix
@@ -0,0 +1,52 @@
+nixos:
+{ ipAddress ? null
+, enableVpn ? false
+, vpnConnectTo ? ""
+, vpnRsaPrivateKeyFile ? null
+, vpnEd25519PrivateKeyFile ? null
+, configuration # see: configuration.nix(5)
+}:
+assert enableVpn -> builtins.isString ipAddress;
+assert enableVpn -> builtins.isString vpnRsaPrivateKeyFile;
+assert enableVpn -> builtins.isString vpnEd25519PrivateKeyFile;
+let
+ vpnExtraConfig = ''
+ ConnectTo = ${vpnConnectTo}
+ Ed25519PrivateKeyFile = "${vpnEd25519PrivateKeyFile}"
+ PrivateKeyFile = "${vpnRsaPrivateKeyFile}"
+ '';
+ defaults = {
+ boot.cleanTmpDir = true;
+ #networking.interfaces.simatime-vpn = [{ ipv4.address = ipAddress; }];
+ nix.binaryCaches = [ "https://cache.nixos.org" ];
+ nix.gc.automatic = true;
+ nix.gc.dates = "Sunday 02:15";
+ nix.maxJobs = 1; # "auto";
+ nix.optimise.automatic = true;
+ nix.optimise.dates = [ "Sunday 02:30" ];
+ security.sudo.wheelNeedsPassword = false;
+ services.clamav.daemon.enable = true; # security
+ services.clamav.updater.enable = true; # security
+ services.fail2ban.enable = true; # security
+ services.openssh.enable = true;
+ services.openssh.forwardX11 = true;
+ services.openssh.passwordAuthentication = false;
+ services.tinc.networks.simatime-vpn.extraConfig = vpnExtraConfig;
+ services.tinc.networks.simatime-vpn.debugLevel = 3;
+ services.tinc.networks.simatime-vpn.interfaceType = "tap";
+ services.tinc.networks.simatime-vpn.hosts = import ./vpnHosts.nix;
+ system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.09";
+ system.autoUpgrade.dates = "03:00";
+ system.autoUpgrade.enable = true;
+ users.motd = "welcome to simatime.com";
+ users.users = import ./users.nix;
+
+ };
+ os = nixos {
+ system = "x86_64-linux";
+ configuration = (defaults // configuration);
+ };
+in {
+ system = os.system;
+ vm = os.vm;
+}
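Review bot: `configuration = (defaults // configuration);` is a shallow attribute-set update, so any top-level key the caller's configuration also defines replaces the whole default subtree: dev/configuration.nix in this same commit sets `nix` and `system` directly and its `deluge`/`postgresql` entries evidently sit under a `services` set, which silently discards the fail2ban, clamav, openssh and autoUpgrade settings that the commit removed from dev/configuration.nix in favour of these defaults. Let NixOS merge the option trees by composing them as modules instead: `configuration = { imports = [ defaults configuration ]; };`. The four `services.tinc.networks.simatime-vpn.*` lines are also applied regardless of `enableVpn`, and with the default `enableVpn = false` the `vpnExtraConfig` string interpolates the null `vpnEd25519PrivateKeyFile`/`vpnRsaPrivateKeyFile`, which should fail evaluation once the tinc module reads it; guard them with something like `services.tinc.networks = if enableVpn then { simatime-vpn = { …the four settings… }; } else {};`, and extend the asserts to `vpnConnectTo`, which otherwise defaults to an empty `ConnectTo =`. Finally, `security.sudo.wheelNeedsPassword = false` as a fleet-wide default turns the key-only `deploy` bot in `wheel` (users.nix) into a passwordless root path, so it is worth keeping that opt-in per host.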
diff --git a/Com/Simatime/dev/configuration.nix b/Com/Simatime/dev/configuration.nix
index c096f85..ec3a5a4 100644
--- a/Com/Simatime/dev/configuration.nix
+++ b/Com/Simatime/dev/configuration.nix
@@ -113,11 +113,6 @@
 configFile = "/home/ben/gitlab-runner.toml";
 };
- openssh = {
- enable = true;
- forwardX11 = true;
- };
-
 deluge = {
 enable = true;
 openFilesLimit = 10240;
@@ -164,7 +159,7 @@
 };
 };
- jellyfin = { # previously emby
+ emby = { # previously emby
 enable = true;
 user = "jellyfin";
 group = "jellyfin";
@@ -172,13 +167,6 @@
 vnstat.enable = true;
- # security stuff
- fail2ban.enable = true;
- clamav = {
- daemon.enable = true;
- updater.enable = true;
- };
-
 postgresql = {
 enable = true;
 package = pkgs.postgresql_10;
@@ -193,28 +181,16 @@
 };
 };
- nix = {
- gc = {
- automatic = true;
- dates = "03:15";
- };
- binaryCaches = [ "https://cache.nixos.org/" ];
- nixPath = [
- "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs"
- "nixos-config=/etc/nixos/configuration.nix"
- "/nix/var/nix/profiles/per-user/root/channels"
- ];
- extraOptions = ''
- gc-keep-outputs = true
- gc-keep-derivations = true
- '';
- };
+ # Since this is the dev machine, we can turn these on at the expense of extra
+ # disk space.
+ nix.extraOptions = ''
+ keep-outputs = true
+ keep-derivations = true
+ '';
 # This value determines the NixOS release with which your system is to be
 # compatible, in order to avoid breaking some software such as database
 # servers. You should change this only after NixOS release notes say you
 # should.
 system.stateVersion = "17.09"; # Did you read the comment?
- system.autoUpgrade.enable = true;
-
 }
diff --git a/Com/Simatime/users.nix b/Com/Simatime/users.nix
index daac9d6..c951c8e 100644
--- a/Com/Simatime/users.nix
+++ b/Com/Simatime/users.nix
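Review bot: In the second hunk (`@@ -164,7 +159,7 @@`) the attribute is renamed to `emby` while its comment still reads `# previously emby` and the `user`/`group` lines below remain `"jellyfin"`, which reads like an accidental revert of the jellyfin migration rather than an intended change. If emby is intended, state the reason in the comment, e.g. `emby = { # reverted from jellyfin: <reason>`, and align the user/group names with it; otherwise keep `jellyfin`. The set enclosing these hunks (presumably `services`) starts and ends outside them.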
@@ -1,33 +1,28 @@
-{ ... }:
-
-let
- key = f: builtins.readFile (./keys/. + ("/" + f));
-in
-{
- users = {
- users = {
- # bots
- deploy = {
- isNormalUser = true;
- home = "/home/deploy";
- openssh.authorizedKeys.keys = [ (key "deploy.pub") ];
- extraGroups = [ "wheel" ];
- };
-
- # humans
- root.openssh.authorizedKeys.keys = [ (key "ben.pub") ];
- ben = {
- isNormalUser = true;
- home = "/home/ben";
- openssh.authorizedKeys.keys = [ (key "ben.pub") ];
- extraGroups = [ "wheel" "networkmanager" "docker" ];
- };
- nick = {
- isNormalUser = true;
- home = "/home/nick";
- openssh.authorizedKeys.keys = [ (key "nick.pub") ];
- extraGroups = [ "docker" ];
- };
- };
+{ #
+ # bots
+ #
+ deploy = {
+ isNormalUser = true;
+ home = "/home/deploy";
+ openssh.authorizedKeys.keyFiles = [ ./keys/deploy.pub ];
+ extraGroups = [ "wheel" ];
+ };
+ #
+ # humans
+ #
+ root.openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+ ben = {
+ description = "Ben Sima";
+ isNormalUser = true;
+ home = "/home/ben";
+ openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];
+ extraGroups = [ "wheel" "networkmanager" "docker" ];
+ };
+ nick = {
+ description = "Nick Sima";
+ isNormalUser = true;
+ home = "/home/nick";
+ openssh.authorizedKeys.keyFiles = [ ./keys/nick.pub ];
+ extraGroups = [ "docker" ];
 };
 }
diff --git a/Com/Simatime/vpnHosts.nix b/Com/Simatime/vpnHosts.nix
new file mode 100644
index 0000000..1a66e92
--- /dev/null
+++ b/Com/Simatime/vpnHosts.nix
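Review bot: `root.openssh.authorizedKeys.keyFiles = [ ./keys/ben.pub ];` keeps a direct root SSH login for Ben's key even though `ben` already sits in `wheel`, which with the `wheelNeedsPassword = false` default in buildOS.nix gives the same access through sudo while preserving which person actually logged in; either drop the root entry or document why it is still needed, e.g. `# root login kept for <reason>; remove once <condition>`. For consistency with the `description` fields added to `ben` and `nick`, give `deploy` one too, e.g. `description = "deploy bot";`. The `{ #` on the first line is a stray empty comment hanging off the brace; a plain `{` followed by the `# bots` banner reads cleaner.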
@@ -0,0 +1,37 @@
+let
+ mkVpnPeer = { address, subnet, ed25519PublicKey, rsaPublicKey }: ''
+ Address = ${address}
+ Subnet = ${subnet}
+ Ed25519PublicKey = ${ed25519PublicKey}
+ ${rsaPublicKey}
+ '';
+in {
+ "com.simatime" = mkVpnPeer {
+ address = "159.89.128.69";
+ subnet = "10.1.1.25";
+ ed25519PublicKey = "TODO";
+ rsaPublicKey = ''
+ TODO
+ '';
+ };
+ "com.simatime.dev" = mkVpnPeer {
+ address = "69.181.254.154";
+ subnet = "10.1.1.21";
+ ed25519PublicKey = "s5/rbuM7WaYqaZH0BP4/mYefrl3uWfaT+Ew4gmSsh8F";
+ rsaPublicKey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAydQHK4jUQnp4ZSqIB/fjfLxILqy/IHR6DPiUp/HustFDOaLKSVM8
+ 75fVtBybiEkUmXLU3Bg8WX9zR+llTf3za1B13w+uJpcR4FS/LhAN/wgHCdgHUb4W
+ D7YZzGUnLhPAu3Ivnu5QZ6vzigqtbPCIFfwGDW2RGjq3iJMag1sM/xBOZrSn+zsZ
+ azCEP/snY30UE5ggrxJSMpZXSpS9u266nTblo8gTwfjdzrC93gmNNIxdHpeYGb0O
+ VGdaMmExq5Ny4flG2qtWA0u8nDscg7bEVIYfPjZr1G2FT5A0Ma4kteu6TeYpQEd9
+ 0if3lRb48iMwh1VBfXBps9Heexz0HjG6EAku2B1mEL5orjmC3jJK0DpuXnwVN5pz
+ B+UrFnqbFykeHxZD5RdAB1tcuHZlJ/mQyZRQMJtkifFLdj4iBBK+si05GpodGhIz
+ iXkMYRIOja9/4EyukDdU2i2yEOmgif6DhIh4awss1b2Crtxs2bg6/xi2Hy63IQEy
+ u8LxuiPGA69NsaFZz49SXXJw11KQt5g7WE0jweYXmT3VO6yZlktGdJjzXyhaw7ma
+ G9VgHvxh+K/mDZ2SXwDcINzwYwZxxqcxcmA4o8glCKQyVHIT5hlo7QkSzK4P+GgN
+ Js+sRDreM6Rha2zcOaJWZ5IO2Xva6AZZ29oO5m4V/CYPCuMAzXwV2GMCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+} |
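Review bot: The `"com.simatime"` peer ships placeholder keys (`ed25519PublicKey = "TODO"` and an `rsaPublicKey` body of `TODO`), and because buildOS.nix imports this file unconditionally every host gets a hosts/com.simatime entry that tinc cannot authenticate against. Either leave that peer out until the real public keys exist or make the helper refuse placeholders, e.g. `mkVpnPeer = { address, subnet, ed25519PublicKey, rsaPublicKey }: assert ed25519PublicKey != "TODO"; ''`. The file correctly holds public material only; a short header comment stating that (`# tinc host files: public keys only — private keys are passed to buildOS.nix as file paths`) would keep it that way as peers are added.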