about summary refs log tree commit diff
path: root/nixos/socrates/configuration.nix
diff options
context:
space:
mode:
authorWilliam Carroll <wpcarro@gmail.com>2020-03-07T15·23+0000
committerWilliam Carroll <wpcarro@gmail.com>2020-03-07T16·17+0000
commitc187d89f271e7ef176a10ea9a2ac58fef9c0ed0c (patch)
treefb5367f1a326b3671ef988f5a322c2204b214d58 /nixos/socrates/configuration.nix
parent694ca4a85f8203be53b12ee553601d461465fe34 (diff)
Rename socrates/default.nix -> socrates/configuration.nix
readTree uses the output attribute set of default.nix as the value for
nixos.socrates, which disables me from resolving nixos.socrates.rebuild since
there is no rebuild attribute in the output attribute set from default.nix.

If I rename default.nix -> configuration.nix, I can resolve
nixos.socrates.{configuration,hardware,rebuild}.
Diffstat (limited to 'nixos/socrates/configuration.nix')
-rw-r--r--nixos/socrates/configuration.nix161
1 files changed, 161 insertions, 0 deletions
diff --git a/nixos/socrates/configuration.nix b/nixos/socrates/configuration.nix
new file mode 100644
index 000000000000..fbdff3f50f6b
--- /dev/null
+++ b/nixos/socrates/configuration.nix
@@ -0,0 +1,161 @@
+{ ... }:
+
+let
+  # TODO(wpcarro): Instead of importing these dependencies as parameters that
+  # readTree will expose I need to import these dependencies manually because
+  # I'm building this using `nixos-rebuild`. When I better understand how to
+  # build socrates using readTree, prefer defining this as an anonymous
+  # function.
+  pkgs = import <nixpkgs> {};
+  briefcase = import <briefcase> {};
+
+  trimNewline = x: pkgs.lib.removeSuffix "\n" x;
+  readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x));
+in {
+  imports = [ ./hardware.nix ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking = {
+    hostName = "socrates";
+    # The global useDHCP flag is deprecated, therefore explicitly set to false
+    # here.  Per-interface useDHCP will be mandatory in the future, so this
+    # generated config replicates the default behaviour.
+    useDHCP = false;
+    networkmanager.enable = true;
+    interfaces.enp2s0f1.useDHCP = true;
+    interfaces.wlp3s0.useDHCP = true;
+    firewall.allowedTCPPorts = [ 9418 80 443 ];
+  };
+
+  time.timeZone = "UTC";
+
+  programs.fish.enable = true;
+  programs.mosh.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    curl
+    direnv
+    emacs26-nox
+    gnupg
+    htop
+    pass
+    vim
+    certbot
+    tree
+    git
+  ];
+
+  users = {
+    # I need a git group to run the git server.
+    groups.git = {};
+
+    users.wpcarro = {
+      isNormalUser = true;
+      extraGroups = [ "git" "wheel" ];
+      shell = pkgs.fish;
+    };
+
+    users.git = {
+      group = "git";
+      isNormalUser = false;
+    };
+  };
+
+  nix = {
+    # Expose depot as <depot>, nixpkgs as <nixpkgs>
+    nixPath = [
+      "briefcase=/home/wpcarro/briefcase"
+      "depot=/home/wpcarro/depot"
+      "nixpkgs=/home/wpcarro/nixpkgs"
+    ];
+
+    trustedUsers = [ "root" "wpcarro" ];
+  };
+
+  ##############################################################################
+  # Services
+  ##############################################################################
+  services.openssh.enable = true;
+
+  services.lorri.enable = true;
+
+  systemd.services.monzo-token-server = {
+    enable = true;
+    description = "Ensure my Monzo access token is valid";
+    script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
+
+    # TODO(wpcarro): I'm unsure of the size of this security risk, but if a
+    # non-root user runs `systemctl cat monzo-token-server`, they could read the
+    # following, sensitive environment variables.
+    environment = {
+      store_path = "/var/cache/monzo_ynab";
+      monzo_client_id = readSecret "monzo-client-id";
+      monzo_client_secret = readSecret "monzo-client-secret";
+      ynab_personal_access_token = readSecret "ynab-personal-access-token";
+      ynab_account_id = readSecret "ynab-account-id";
+      ynab_budget_id = readSecret "ynab-budget-id";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+    };
+  };
+
+  services.gitDaemon = {
+    enable = true;
+    basePath = "/srv/git";
+    exportAll = true;
+    repositories = [ "/srv/git/briefcase" ];
+  };
+
+  # Since I'm using this laptop as a server in my flat, I'd prefer to close its
+  # lid.
+  services.logind.lidSwitch = "ignore";
+
+  # Provision SSL certificates to support HTTPS connections.
+  security.acme.acceptTerms = true;
+  security.acme.email = "wpcarro@gmail.com";
+
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    commonHttpConfig = ''
+      log_format json_combined escape=json
+      '{'
+          '"time_local":"$time_local",'
+          '"remote_addr":"$remote_addr",'
+          '"remote_user":"$remote_user",'
+          '"request":"$request",'
+          '"status": "$status",'
+          '"body_bytes_sent":"$body_bytes_sent",'
+          '"request_time":"$request_time",'
+          '"http_referrer":"$http_referer",'
+          '"http_user_agent":"$http_user_agent"'
+      '}';
+      access_log syslog:server=unix:/dev/log json_combined;
+    '';
+
+    virtualHosts = {
+      "learn.wpcarro.dev" = {
+        addSSL = true;
+        enableACME = true;
+        root = "/var/www/learn";
+      };
+      "blog.wpcarro.dev" = {
+        addSSL = true;
+        enableACME = true;
+        root = "/var/www/blog";
+      };
+    };
+  };
+
+  system.stateVersion = "20.09"; # Did you read the comment?
+}