{ pkgs, modulesPath, config, options, inputs, lib, ... }: with lib; let cfg = config.skynet; in { imports = [ # custom lxc mocule until the patch gets merged in ../applications/proxmox-lxc.nix # (modulesPath + "/virtualisation/proxmox-lxc.nix") # for the secrets inputs.agenix.nixosModules.default # every sever may need the firewall config stuff ../applications/firewall.nix # every sever needs to have a dns record ../applications/dns.nix # every server needs teh ldap client for admins ../applications/ldap/client.nix # every server will need the config to backup to ../applications/restic.nix ]; options.skynet = { lxc = mkOption { type = types.bool; # most of our servers are lxc so its true by default default = true; description = mdDoc "Is this a Linux Container?"; }; }; config = { # if its a lxc enable proxmoxLXC.enable = cfg.lxc; nix = { settings = { # flakes are essensial experimental-features = ["nix-command" "flakes"]; trusted-users = [ "root" "@skynet-admins-linux" ]; }; # https://nixos.wiki/wiki/Storage_optimization gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 30d"; }; extraOptions = '' min-free = ${toString (100 * 1024 * 1024)} max-free = ${toString (1024 * 1024 * 1024)} ''; }; system.stateVersion = "22.11"; services.openssh = { enable = true; settings.PermitRootLogin = "prohibit-password"; }; users.users.root = { initialHashedPassword = ""; openssh.authorizedKeys.keys = [ # no obligation to have name attached to keys # Root account "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin" # CI/CD key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key" # Brendan Golden "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer" ]; }; # skynet-admin-linux will always be added, individual servers can override the groups option services.skynet_ldap_client.enable = true; networking = { # every sever needs to be accessable over ssh for admin use at least firewall.allowedTCPPorts = [22]; # explisitly stating this is good defaultGateway = { address = "193.1.99.65"; interface = "eno1"; }; # cannot use our own it seems? nameservers = [ # ns1 "193.1.99.120" # ns2 "193.1.99.109" ]; }; # time on vendetta is strangely out of sync networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"]; services.ntp.enable = true; # use teh above nameservers as the fallback dns services.resolved.fallbackDns = config.networking.nameservers; environment.systemPackages = [ # for flakes pkgs.git # useful tools pkgs.ncdu_2 pkgs.htop pkgs.nano pkgs.nmap pkgs.bind pkgs.zip pkgs.traceroute pkgs.openldap pkgs.screen ]; }; }