about summary refs log tree commit diff
path: root/nixos/socrates/default.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/socrates/default.nix')
-rw-r--r--nixos/socrates/default.nix151
1 files changed, 151 insertions, 0 deletions
diff --git a/nixos/socrates/default.nix b/nixos/socrates/default.nix
new file mode 100644
index 000000000000..1692ac356ec2
--- /dev/null
+++ b/nixos/socrates/default.nix
@@ -0,0 +1,151 @@
+{ pkgs, briefcase, ... }:
+
+let
+  trimNewline = x: pkgs.lib.removeSuffix "\n" x;
+  readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x));
+in pkgs.lib.fix(self: {
+  imports = [ ./hardware.nix ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking = {
+    hostName = "socrates";
+    # The global useDHCP flag is deprecated, therefore explicitly set to false
+    # here.  Per-interface useDHCP will be mandatory in the future, so this
+    # generated config replicates the default behaviour.
+    useDHCP = false;
+    networkmanager.enable = true;
+    interfaces.enp2s0f1.useDHCP = true;
+    interfaces.wlp3s0.useDHCP = true;
+    firewall.allowedTCPPorts = [ 9418 80 443 ];
+  };
+
+  time.timeZone = "UTC";
+
+  programs.fish.enable = true;
+  programs.mosh.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    curl
+    direnv
+    emacs26-nox
+    gnupg
+    htop
+    pass
+    vim
+    certbot
+    tree
+    git
+  ];
+
+  users = {
+    # I need a git group to run the git server.
+    groups.git = {};
+
+    users.wpcarro = {
+      isNormalUser = true;
+      extraGroups = [ "git" "wheel" ];
+      shell = pkgs.fish;
+    };
+
+    users.git = {
+      group = "git";
+      isNormalUser = false;
+    };
+  };
+
+  nix = {
+    # Expose depot as <depot>, nixpkgs as <nixpkgs>
+    nixPath = [
+      "briefcase=/home/wpcarro/briefcase"
+      "depot=/home/wpcarro/depot"
+      "nixpkgs=/home/wpcarro/nixpkgs"
+    ];
+
+    trustedUsers = [ "root" "wpcarro" ];
+  };
+
+  ##############################################################################
+  # Services
+  ##############################################################################
+  services.openssh.enable = true;
+
+  services.lorri.enable = true;
+
+  systemd.services.monzo-token-server = {
+    enable = true;
+    description = "Ensure my Monzo access token is valid";
+    script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
+
+    # TODO(wpcarro): I'm unsure of the size of this security risk, but if a
+    # non-root user runs `systemctl cat monzo-token-server`, they could read the
+    # following, sensitive environment variables.
+    environment = {
+      store_path = "/var/cache/monzo_ynab";
+      monzo_client_id = readSecret "monzo-client-id";
+      monzo_client_secret = readSecret "monzo-client-secret";
+      ynab_personal_access_token = readSecret "ynab-personal-access-token";
+      ynab_account_id = readSecret "ynab-account-id";
+      ynab_budget_id = readSecret "ynab-budget-id";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+    };
+  };
+
+  services.gitDaemon = {
+    enable = true;
+    basePath = "/srv/git";
+    exportAll = true;
+    repositories = [ "/srv/git/briefcase" ];
+  };
+
+  # Since I'm using this laptop as a server in my flat, I'd prefer to close its
+  # lid.
+  services.logind.lidSwitch = "ignore";
+
+  # Provision SSL certificates to support HTTPS connections.
+  security.acme.acceptTerms = true;
+  security.acme.certs."wpcarro.dev".email = "wpcarro@gmail.com";
+
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    commonHttpConfig = ''
+      log_format json_combined escape=json
+      '{'
+          '"time_local":"$time_local",'
+          '"remote_addr":"$remote_addr",'
+          '"remote_user":"$remote_user",'
+          '"request":"$request",'
+          '"status": "$status",'
+          '"body_bytes_sent":"$body_bytes_sent",'
+          '"request_time":"$request_time",'
+          '"http_referrer":"$http_referer",'
+          '"http_user_agent":"$http_user_agent"'
+      '}';
+      access_log syslog:server=unix:/dev/log json_combined;
+    '';
+
+    virtualHosts.blog = {
+      serverName = "blog.wpcarro.dev";
+      useACMEHost = "wpcarro.dev";
+      addSSL = true;
+      extraConfig = ''
+        location / {
+          proxy_pass http://localhost:80
+        }
+      '';
+    };
+  };
+
+  system.stateVersion = "20.09"; # Did you read the comment?
+})