nixos/machines/_base.nix

151 lines
3.8 KiB
Nix
Raw Permalink Normal View History

2023-01-25 11:48:44 +00:00
{
pkgs,
modulesPath,
config,
options,
inputs,
lib,
...
}:
with lib; let
cfg = config.skynet;
in {
2023-01-25 11:48:44 +00:00
imports = [
# custom lxc mocule until the patch gets merged in
../applications/proxmox-lxc.nix
# (modulesPath + "/virtualisation/proxmox-lxc.nix")
# for the secrets
2023-08-06 20:58:23 +00:00
inputs.agenix.nixosModules.default
# base config for all servers
../applications/_base.nix
2023-06-15 21:02:30 +00:00
# every sever may need the firewall config stuff
../applications/firewall.nix
# every sever needs to have a dns record
../applications/dns.nix
# every server needs teh ldap client for admins
../applications/ldap/client.nix
# every server will need the config to backup to
../applications/restic.nix
# every server will be monitored for grafana
../applications/prometheus.nix
2023-01-25 11:48:44 +00:00
];
options.skynet = {
lxc = mkOption {
type = types.bool;
# most of our servers are lxc so its true by default
default = true;
description = mdDoc "Is this a Linux Container?";
};
};
config = {
# if its a lxc enable
proxmoxLXC.enable = cfg.lxc;
nix = {
settings = {
# flakes are essensial
experimental-features = ["nix-command" "flakes"];
trusted-users = [
"root"
"@skynet-admins-linux"
];
};
# https://nixos.wiki/wiki/Storage_optimization
# gc = {
# automatic = true;
# dates = "weekly";
# options = "--delete-older-than 30d";
# };
# to free up to 10GiB whenever there is less than 1GiB left
extraOptions = ''
min-free = ${toString (1024 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024 * 10)}
'';
};
2023-01-25 11:48:44 +00:00
system.stateVersion = "22.11";
2023-01-25 11:48:44 +00:00
services.openssh = {
enable = true;
settings.PermitRootLogin = "prohibit-password";
};
2023-01-25 11:48:44 +00:00
users.users.root = {
initialHashedPassword = "";
2023-01-25 11:48:44 +00:00
openssh.authorizedKeys.keys = [
# no obligation to have name attached to keys
# Root account
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"
# CI/CD key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"
2023-07-25 22:54:56 +00:00
# Brendan Golden
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
];
};
# skynet-admin-linux will always be added, individual servers can override the groups option
services.skynet.ldap_client.enable = true;
2023-01-25 11:48:44 +00:00
networking = {
# every sever needs to be accessable over ssh for admin use at least
firewall.allowedTCPPorts = [22];
# explisitly stating this is good
defaultGateway = {
2023-12-20 14:41:55 +00:00
address = "193.1.99.65";
2023-12-22 15:52:34 +00:00
interface = "eth0";
};
2023-04-20 23:53:25 +00:00
# cannot use our own it seems?
nameservers = [
# ns1
"193.1.99.120"
# ns2
"193.1.99.109"
];
};
# time on vendetta is strangely out of sync
networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
services.ntp.enable = true;
# use teh above nameservers as the fallback dns
services.resolved.fallbackDns = config.networking.nameservers;
2024-01-27 23:04:48 +00:00
# https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9
systemd.network.wait-online.enable = false;
environment.systemPackages = [
# for flakes
pkgs.git
# useful tools
pkgs.ncdu_2
pkgs.htop
pkgs.nano
pkgs.nmap
pkgs.bind
pkgs.zip
pkgs.traceroute
pkgs.openldap
pkgs.screen
];
};
2023-01-25 11:48:44 +00:00
}