diff options
Diffstat (limited to 'nixos/socrates/default.nix')
-rw-r--r-- | nixos/socrates/default.nix | 239 |
1 files changed, 239 insertions, 0 deletions
diff --git a/nixos/socrates/default.nix b/nixos/socrates/default.nix new file mode 100644 index 000000000000..d98cdb993300 --- /dev/null +++ b/nixos/socrates/default.nix @@ -0,0 +1,239 @@ +let + briefcase = import /home/wpcarro/briefcase {}; + pkgs = briefcase.third_party.pkgs; + trimNewline = x: pkgs.lib.removeSuffix "\n" x; + readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x)); +in { + imports = [ ./hardware.nix ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking = { + hostName = "socrates"; + # The global useDHCP flag is deprecated, therefore explicitly set to false + # here. Per-interface useDHCP will be mandatory in the future, so this + # generated config replicates the default behaviour. + useDHCP = false; + networkmanager.enable = true; + interfaces.enp2s0f1.useDHCP = true; + interfaces.wlp3s0.useDHCP = true; + firewall.allowedTCPPorts = [ 9418 80 443 6697 ]; + }; + + time.timeZone = "UTC"; + + programs.fish.enable = true; + programs.mosh.enable = true; + + environment.systemPackages = with pkgs; [ + curl + direnv + emacs26-nox + gnupg + htop + pass + vim + certbot + tree + git + ]; + + users = { + # I need a git group to run the git server. + groups.git = {}; + + users.wpcarro = { + isNormalUser = true; + extraGroups = [ "git" "wheel" ]; + shell = pkgs.fish; + }; + + users.buildkite-agent = { + # TODO: Consider setting this to `false` when you better understand the + # implications. + isNormalUser = true; + extraGroups = [ "git" ]; + }; + + users.git = { + group = "git"; + isNormalUser = false; + }; + }; + + nix = { + nixPath = []; + trustedUsers = [ "root" "wpcarro" ]; + }; + + ############################################################################## + # Services + ############################################################################## + + systemd.services.bitlbee-stunnel = { + description = "Provides TLS termination for Bitlbee."; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + Restart = "always"; + User = "nginx"; # This is a hack to easily get certificate access. + }; + script = let configFile = builtins.toFile "stunnel.conf" '' + foreground = yes + debug = 7 + + [ircs] + accept = 0.0.0.0:6697 + connect = 6667 + cert = /var/lib/acme/wpcarro.dev/full.pem + ''; in "${pkgs.stunnel}/bin/stunnel ${configFile}"; + }; + + nixpkgs.config.bitlbee.enableLibPurple = true; + services.bitlbee = { + interface = "0.0.0.0"; + enable = true; + libpurple_plugins = [ + pkgs.telegram-purple + ]; + }; + + services.journaldriver = { + enable = true; + logStream = "home"; + googleCloudProject = "wpcarros-infrastructure"; + applicationCredentials = "/etc/gcp/key.json"; + }; + + services.openssh.enable = true; + + services.gitea = { + enable = true; + # Without this the links to clone a repository like briefcase will be + # "http://localhost:3000/wpcarro/briefcase". + rootUrl = "https://git.wpcarro.dev/"; + }; + + # systemd.services.monzo-token-server = { + # enable = true; + # description = "Ensure my Monzo access token is valid"; + # script = "${briefcase.monzo_ynab.tokens}/bin/token-server"; + # # TODO(wpcarro): I'm unsure of the size of this security risk, but if a + # # non-root user runs `systemctl cat monzo-token-server`, they could read the + # # following, sensitive environment variables. + # environment = { + # store_path = "/var/cache/monzo_ynab"; + # monzo_client_id = readSecret "monzo-client-id"; + # monzo_client_secret = readSecret "monzo-client-secret"; + # ynab_personal_access_token = readSecret "ynab-personal-access-token"; + # ynab_account_id = readSecret "ynab-account-id"; + # ynab_budget_id = readSecret "ynab-budget-id"; + # }; + # serviceConfig = { + # Type = "simple"; + # }; + # }; + + systemd.services.zoo = { + enable = true; + description = "Run my monoserver"; + script = "${briefcase.zoo}/zoo"; + environment = {}; + serviceConfig = { + Restart = "always"; + }; + }; + + services.gitDaemon = { + enable = true; + basePath = "/srv/git"; + exportAll = true; + repositories = [ "/srv/git/briefcase" ]; + }; + + # Since I'm using this laptop as a server in my flat, I'd prefer to close its + # lid. + services.logind.lidSwitch = "ignore"; + + security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + polkit.log("subject.user: " + subject.user + " is attempting action.id: " + action.id); + }); + ''; + + # Provision SSL certificates to support HTTPS connections. + security.acme.acceptTerms = true; + security.acme.email = "wpcarro@gmail.com"; + + services.nginx = { + enable = true; + enableReload = true; + + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + commonHttpConfig = '' + log_format json_combined escape=json + '{' + '"remote_addr":"$remote_addr",' + '"method":"$request_method",' + '"host":"$host",' + '"uri":"$request_uri",' + '"status":$status,' + '"request_size":$request_length,' + '"response_size":$body_bytes_sent,' + '"response_time":$request_time,' + '"referrer":"$http_referer",' + '"user_agent":"$http_user_agent"' + '}'; + + access_log syslog:server=unix:/dev/log,nohostname json_combined; + ''; + + virtualHosts = { + "wpcarro.dev" = { + addSSL = true; + enableACME = true; + root = briefcase.website; + }; + "learn.wpcarro.dev" = { + addSSL = true; + enableACME = true; + root = briefcase.website.learn; + }; + "git.wpcarro.dev" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3000"; + }; + }; + "blog.wpcarro.dev" = { + addSSL = true; + enableACME = true; + root = briefcase.website.blog; + }; + # "sandbox.wpcarro.dev" = { + # addSSL = true; + # enableACME = true; + # root = briefcase.website.sandbox; + # }; + # "learnpianochords.app" = { + # addSSL = true; + # enableACME = true; + # root = briefcase.website.sandbox.learnpianochords; + # }; + "zoo.wpcarro.dev" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8000"; + }; + }; + }; + }; + + system.stateVersion = "20.09"; +} |