{
  pkgs,
  modulesPath,
  config,
  options,
  inputs,
  lib,
  ...
}: let
  inherit (lib) mkOption types mdDoc;

  # All options this module declares live under `skynet.*`.
  cfg = config.skynet;
in {
  imports = [
    # Custom LXC module until the upstream patch gets merged in; the stock
    # nixpkgs module it replaces is kept here for reference.
    ../applications/proxmox-lxc.nix
    # (modulesPath + "/virtualisation/proxmox-lxc.nix")

    # Secrets management (agenix).
    inputs.agenix.nixosModules.default

    # Every server may need the firewall configuration.
    ../applications/firewall.nix

    # Every server needs to have a DNS record.
    ../applications/dns.nix

    # Every server needs the LDAP client so that admins can log in.
    ../applications/ldap/client.nix

    # Every server needs the configuration for where to back up to.
    ../applications/restic.nix
  ];

  options.skynet.lxc = mkOption {
    type = types.bool;
    # Most of our servers are LXC containers, so this defaults to true.
    default = true;
    description = mdDoc "Is this a Linux Container?";
  };

  config = {
    # Apply the Proxmox LXC tweaks only when this host is a container.
    proxmoxLXC.enable = cfg.lxc;

    nix = {
      settings = {
        # Flakes are essential for this deployment.
        experimental-features = ["nix-command" "flakes"];

        # NOTE(review): the Nix manual describes trusted-users as effectively
        # root-equivalent (they can pass arbitrary substituters/sandbox options
        # to the daemon). Membership of the LDAP group below therefore needs to
        # be controlled as tightly as the root SSH keys further down.
        trusted-users = [
          "root"
          "@skynet-admins-linux"
        ];
      };

      # https://nixos.wiki/wiki/Storage_optimization
      gc = {
        automatic = true;
        dates = "weekly";
        options = "--delete-older-than 30d";
      };

      # Store free-space thresholds: start collecting below 100 MiB,
      # stop once 1 GiB is free.
      extraOptions = ''
        min-free = ${toString (100 * 1024 * 1024)}
        max-free = ${toString (1024 * 1024 * 1024)}
      '';
    };

    system.stateVersion = "22.11";

    services = {
      openssh = {
        enable = true;
        # Root may only authenticate with a key, never a password.
        # NOTE(review): this restricts root only; password authentication for
        # other (e.g. LDAP) accounts is left at the OpenSSH/NixOS default.
        # If admins are key-only, consider also setting
        # `settings.PasswordAuthentication = false;` here.
        settings.PermitRootLogin = "prohibit-password";
      };

      # skynet-admins-linux will always be added; individual servers can
      # override the groups option.
      skynet_ldap_client.enable = true;

      # Time on vendetta is strangely out of sync, so run ntp everywhere.
      ntp.enable = true;

      # Use the nameservers configured below as the resolved fallback DNS.
      resolved.fallbackDns = config.networking.nameservers;
    };

    users.users.root = {
      # NOTE(review): an empty hash is a passwordless root account. SSH is
      # covered by PermitRootLogin above, but any local console / PAM path that
      # accepts empty passwords is not. Presumably acceptable for LXC guests
      # (the Proxmox host already has root via the container console); confirm
      # this is still wanted on hosts that set `skynet.lxc = false`.
      initialHashedPassword = "";

      # Every key in this list is a root key on every server that imports this
      # module; keep it in step with on/offboarding. There is no obligation to
      # have a name attached to a key.
      openssh.authorizedKeys.keys = [
        # Root account
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"

        # CI/CD key
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key"

        # Brendan Golden
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"
      ];
    };

    networking = {
      # Every server needs to be accessible over SSH for admin use at least.
      # (services.openssh likely opens this port itself via its openFirewall
      # default; being explicit here is harmless.)
      firewall.allowedTCPPorts = [22];

      # Explicitly stating the default gateway is good.
      defaultGateway = {
        address = "193.1.99.65";
        interface = "eth0";
      };

      # It seems we cannot use our own nameservers here.
      nameservers = [
        # ns1
        "193.1.99.120"
        # ns2
        "193.1.99.109"
      ];

      # Add the Irish NTP pool on top of the NixOS default time servers.
      timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"];
    };

    # Baseline tooling on every host. Note that this puts nmap and the LDAP
    # client utilities on every server, not just admin boxes.
    environment.systemPackages = with pkgs; [
      # Needed for flakes.
      git
      # Useful tools.
      ncdu_2
      htop
      nano
      nmap
      bind
      zip
      traceroute
      openldap
      screen
    ];
  };
}