Diffstat (limited to 'nixos/socrates/default.nix')
-rw-r--r-- | nixos/socrates/default.nix | 151 |
1 files changed, 151 insertions, 0 deletions
diff --git a/nixos/socrates/default.nix b/nixos/socrates/default.nix
new file mode 100644
index 000000000000..1692ac356ec2
--- /dev/null
+++ b/nixos/socrates/default.nix
@@ -0,0 +1,151 @@
+{ pkgs, briefcase, ... }:
+
+let
+ trimNewline = x: pkgs.lib.removeSuffix "\n" x;
+ readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x));
+in pkgs.lib.fix(self: {
+ imports = [ ./hardware.nix ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking = {
+ hostName = "socrates";
+ # The global useDHCP flag is deprecated, therefore explicitly set to false
+ # here. Per-interface useDHCP will be mandatory in the future, so this
+ # generated config replicates the default behaviour.
+ useDHCP = false;
+ networkmanager.enable = true;
+ interfaces.enp2s0f1.useDHCP = true;
+ interfaces.wlp3s0.useDHCP = true;
+ firewall.allowedTCPPorts = [ 9418 80 443 ];
+ };
+
+ time.timeZone = "UTC";
+
+ programs.fish.enable = true;
+ programs.mosh.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ curl
+ direnv
+ emacs26-nox
+ gnupg
+ htop
+ pass
+ vim
+ certbot
+ tree
+ git
+ ];
+
+ users = {
+ # I need a git group to run the git server.
+ groups.git = {};
+
+ users.wpcarro = {
+ isNormalUser = true;
+ extraGroups = [ "git" "wheel" ];
+ shell = pkgs.fish;
+ };
+
+ users.git = {
+ group = "git";
+ isNormalUser = false;
+ };
+ };
+
+ nix = {
+ # Expose depot as <depot>, nixpkgs as <nixpkgs>
+ nixPath = [
+ "briefcase=/home/wpcarro/briefcase"
+ "depot=/home/wpcarro/depot"
+ "nixpkgs=/home/wpcarro/nixpkgs"
+ ];
+
+ trustedUsers = [ "root" "wpcarro" ];
+ };
+
+ ##############################################################################
+ # Services
+ ##############################################################################
+ services.openssh.enable = true;
+
+ services.lorri.enable = true;
+
+ systemd.services.monzo-token-server = {
+ enable = true;
+ description = "Ensure my Monzo access token is valid";
+ script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
+
+ # TODO(wpcarro): I'm unsure of the size of this security risk, but if a
+ # non-root user runs `systemctl cat monzo-token-server`, they could read the
+ # following, sensitive environment variables.
+ environment = {
+ store_path = "/var/cache/monzo_ynab";
+ monzo_client_id = readSecret "monzo-client-id";
+ monzo_client_secret = readSecret "monzo-client-secret";
+ ynab_personal_access_token = readSecret "ynab-personal-access-token";
+ ynab_account_id = readSecret "ynab-account-id";
+ ynab_budget_id = readSecret "ynab-budget-id";
+ };
+
+ serviceConfig = {
+ Type = "simple";
+ };
+ };
+
+ services.gitDaemon = {
+ enable = true;
+ basePath = "/srv/git";
+ exportAll = true;
+ repositories = [ "/srv/git/briefcase" ];
+ };
+
+ # Since I'm using this laptop as a server in my flat, I'd prefer to close its
+ # lid.
+ services.logind.lidSwitch = "ignore";
+
+ # Provision SSL certificates to support HTTPS connections.
+ security.acme.acceptTerms = true;
+ security.acme.certs."wpcarro.dev".email = "wpcarro@gmail.com";
+
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ commonHttpConfig = ''
+ log_format json_combined escape=json
+ '{'
+ '"time_local":"$time_local",'
+ '"remote_addr":"$remote_addr",'
+ '"remote_user":"$remote_user",'
+ '"request":"$request",'
+ '"status": "$status",'
+ '"body_bytes_sent":"$body_bytes_sent",'
+ '"request_time":"$request_time",'
+ '"http_referrer":"$http_referer",'
+ '"http_user_agent":"$http_user_agent"'
+ '}';
+ access_log syslog:server=unix:/dev/log json_combined;
+ '';
+
+ virtualHosts.blog = {
+ serverName = "blog.wpcarro.dev";
+ useACMEHost = "wpcarro.dev";
+ addSSL = true;
+ extraConfig = ''
+ location / {
+ proxy_pass http://localhost:80
+ }
+ '';
+ };
+ };
+
+ system.stateVersion = "20.09"; # Did you read the comment?
+}) |
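Review bot: `readSecret` reads `/etc/secrets/*` with `builtins.readFile` at evaluation time, so the Monzo and YNAB values assigned under `systemd.services.monzo-token-server.environment` are written into the generated unit file in the world-readable Nix store, which is a wider exposure than the `systemctl cat` case the TODO above it describes. Loading them at runtime instead keeps them out of the store, e.g. `serviceConfig.EnvironmentFile = "/etc/secrets/monzo-token-server.env";` backed by a root-owned mode-0600 file, with the five `readSecret` entries removed from `environment` (`store_path` is not sensitive and can stay). The unit also sets no `User`, so it runs as root by default, which is worth either stating next to `serviceConfig` or changing. Separately, `proxy_pass http://localhost:80` in `virtualHosts.blog.extraConfig` is missing its terminating `;`, which nginx rejects when loading the configuration.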