authorWilliam Carroll <wpcarro@gmail.com>2020-02-23T22·28+0000
committerWilliam Carroll <wpcarro@gmail.com>2020-03-01T22·32+0000
commitfd720fbe4d284d0562ab32e7bb6a3f7171992c21 (patch)
tree802bf6ceaf6bd50a91397a154582f972ed7784a4 /nixos/socrates
parent6a076e8329a8befdaec817eda775b40c6ed34d56 (diff)
Nest configuration beneath socrates directory
Create a socrates directory to store configuration for socrates.
Diffstat (limited to 'nixos/socrates')
-rw-r--r--nixos/socrates/default.nix151
-rw-r--r--nixos/socrates/hardware.nix30
-rw-r--r--nixos/socrates/rebuild.nix11
3 files changed, 192 insertions, 0 deletions
diff --git a/nixos/socrates/default.nix b/nixos/socrates/default.nix
new file mode 100644
index 000000000000..1692ac356ec2
--- /dev/null
+++ b/nixos/socrates/default.nix
@@ -0,0 +1,151 @@
+{ pkgs, briefcase, ... }:
+
+let
+  trimNewline = x: pkgs.lib.removeSuffix "\n" x;
+  readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x));
+in pkgs.lib.fix(self: {
+  imports = [ ./hardware.nix ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking = {
+    hostName = "socrates";
+    # The global useDHCP flag is deprecated, therefore explicitly set to false
+    # here.  Per-interface useDHCP will be mandatory in the future, so this
+    # generated config replicates the default behaviour.
+    useDHCP = false;
+    networkmanager.enable = true;
+    interfaces.enp2s0f1.useDHCP = true;
+    interfaces.wlp3s0.useDHCP = true;
+    firewall.allowedTCPPorts = [ 9418 80 443 ];
+  };
+
+  time.timeZone = "UTC";
+
+  programs.fish.enable = true;
+  programs.mosh.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    curl
+    direnv
+    emacs26-nox
+    gnupg
+    htop
+    pass
+    vim
+    certbot
+    tree
+    git
+  ];
+
+  users = {
+    # I need a git group to run the git server.
+    groups.git = {};
+
+    users.wpcarro = {
+      isNormalUser = true;
+      extraGroups = [ "git" "wheel" ];
+      shell = pkgs.fish;
+    };
+
+    users.git = {
+      group = "git";
+      isNormalUser = false;
+    };
+  };
+
+  nix = {
+    # Expose depot as <depot>, nixpkgs as <nixpkgs>
+    nixPath = [
+      "briefcase=/home/wpcarro/briefcase"
+      "depot=/home/wpcarro/depot"
+      "nixpkgs=/home/wpcarro/nixpkgs"
+    ];
+
+    trustedUsers = [ "root" "wpcarro" ];
+  };
+
+  ##############################################################################
+  # Services
+  ##############################################################################
+  services.openssh.enable = true;
+
+  services.lorri.enable = true;
+
+  systemd.services.monzo-token-server = {
+    enable = true;
+    description = "Ensure my Monzo access token is valid";
+    script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
+
+    # TODO(wpcarro): I'm unsure of the size of this security risk, but if a
+    # non-root user runs `systemctl cat monzo-token-server`, they could read the
+    # following, sensitive environment variables.
+    environment = {
+      store_path = "/var/cache/monzo_ynab";
+      monzo_client_id = readSecret "monzo-client-id";
+      monzo_client_secret = readSecret "monzo-client-secret";
+      ynab_personal_access_token = readSecret "ynab-personal-access-token";
+      ynab_account_id = readSecret "ynab-account-id";
+      ynab_budget_id = readSecret "ynab-budget-id";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+    };
+  };
+
+  services.gitDaemon = {
+    enable = true;
+    basePath = "/srv/git";
+    exportAll = true;
+    repositories = [ "/srv/git/briefcase" ];
+  };
+
+  # Since I'm using this laptop as a server in my flat, I'd prefer to close its
+  # lid.
+  services.logind.lidSwitch = "ignore";
+
+  # Provision SSL certificates to support HTTPS connections.
+  security.acme.acceptTerms = true;
+  security.acme.certs."wpcarro.dev".email = "wpcarro@gmail.com";
+
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    commonHttpConfig = ''
+      log_format json_combined escape=json
+      '{'
+          '"time_local":"$time_local",'
+          '"remote_addr":"$remote_addr",'
+          '"remote_user":"$remote_user",'
+          '"request":"$request",'
+          '"status": "$status",'
+          '"body_bytes_sent":"$body_bytes_sent",'
+          '"request_time":"$request_time",'
+          '"http_referrer":"$http_referer",'
+          '"http_user_agent":"$http_user_agent"'
+      '}';
+      access_log syslog:server=unix:/dev/log json_combined;
+    '';
+
+    virtualHosts.blog = {
+      serverName = "blog.wpcarro.dev";
+      useACMEHost = "wpcarro.dev";
+      addSSL = true;
+      extraConfig = ''
+        location / {
+          proxy_pass http://localhost:80
+        }
+      '';
+    };
+  };
+
+  system.stateVersion = "20.09"; # Did you read the comment?
+})
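Review bot: `readSecret` reads `/etc/secrets/<name>` with `builtins.readFile` at evaluation time, so the five values assigned under `environment` are interpolated into the generated unit and land in the world-readable Nix store, not just behind `systemctl cat` as the TODO above `environment` notes. Supplying them at runtime keeps them out of the store: remove the `readSecret` entries from `environment` and use `serviceConfig = { Type = "simple"; EnvironmentFile = "/etc/secrets/monzo-token-server.env"; };` with that file root-owned, mode 0600, holding the same `KEY=value` pairs. The unit also sets no `User`, so the token server runs as root; a dedicated user or `DynamicUser = true;` would bound what a bug in it can reach. Separately, the blog vhost's `proxy_pass http://localhost:80` is missing its trailing `;`, which nginx rejects on reload, and since `addSSL` makes this same nginx listen on port 80 the upstream likely needs to point at whatever actually serves the blog rather than back at nginx.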
diff --git a/nixos/socrates/hardware.nix b/nixos/socrates/hardware.nix
new file mode 100644
index 000000000000..dde14eb1e627
--- /dev/null
+++ b/nixos/socrates/hardware.nix
@@ -0,0 +1,30 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/aadf1a77-1e98-4b5f-8e74-abf8e77bda34";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1613-35B9";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 2;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/nixos/socrates/rebuild.nix b/nixos/socrates/rebuild.nix
new file mode 100644
index 000000000000..e6d885f975ca
--- /dev/null
+++ b/nixos/socrates/rebuild.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "rebuild" ''
+  set -ue
+  sudo nixos-rebuild \
+    -I nixos-config=/home/wpcarro/briefcase/nixos/socrates/default.nix \
+    -I nixpkgs=/home/wpcarro/nixpkgs \
+    -I depot=/home/wpcarro/depot \
+    -I briefcase=/home/wpcarro/briefcase \
+    switch
+''