From c187d89f271e7ef176a10ea9a2ac58fef9c0ed0c Mon Sep 17 00:00:00 2001 From: William Carroll Date: Sat, 7 Mar 2020 15:23:11 +0000 Subject: Rename socrates/default.nix -> socrates/configuration.nix readTree uses the output attribute set of default.nix as the value for nixos.socrates, which disables me from resolving nixos.socrates.rebuild since there is no rebuild attribute in the output attribute set from default.nix. If I rename default.nix -> configuration.nix, I can resolve nixos.socrates.{configuration,hardware,rebuild}. --- nixos/socrates/configuration.nix | 161 +++++++++++++++++++++++++++++++++++++++ nixos/socrates/default.nix | 161 --------------------------------------- nixos/socrates/rebuild.nix | 2 +- 3 files changed, 162 insertions(+), 162 deletions(-) create mode 100644 nixos/socrates/configuration.nix delete mode 100644 nixos/socrates/default.nix (limited to 'nixos') diff --git a/nixos/socrates/configuration.nix b/nixos/socrates/configuration.nix new file mode 100644 index 000000000000..fbdff3f50f6b --- /dev/null +++ b/nixos/socrates/configuration.nix @@ -0,0 +1,161 @@ +{ ... }: + +let + # TODO(wpcarro): Instead of importing these dependencies as parameters that + # readTree will expose I need to import these dependencies manually because + # I'm building this using `nixos-rebuild`. When I better understand how to + # build socrates using readTree, prefer defining this as an anonymous + # function. + pkgs = import {}; + briefcase = import {}; + + trimNewline = x: pkgs.lib.removeSuffix "\n" x; + readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x)); +in { + imports = [ ./hardware.nix ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking = { + hostName = "socrates"; + # The global useDHCP flag is deprecated, therefore explicitly set to false + # here. Per-interface useDHCP will be mandatory in the future, so this + # generated config replicates the default behaviour. + useDHCP = false; + networkmanager.enable = true; + interfaces.enp2s0f1.useDHCP = true; + interfaces.wlp3s0.useDHCP = true; + firewall.allowedTCPPorts = [ 9418 80 443 ]; + }; + + time.timeZone = "UTC"; + + programs.fish.enable = true; + programs.mosh.enable = true; + + environment.systemPackages = with pkgs; [ + curl + direnv + emacs26-nox + gnupg + htop + pass + vim + certbot + tree + git + ]; + + users = { + # I need a git group to run the git server. + groups.git = {}; + + users.wpcarro = { + isNormalUser = true; + extraGroups = [ "git" "wheel" ]; + shell = pkgs.fish; + }; + + users.git = { + group = "git"; + isNormalUser = false; + }; + }; + + nix = { + # Expose depot as , nixpkgs as + nixPath = [ + "briefcase=/home/wpcarro/briefcase" + "depot=/home/wpcarro/depot" + "nixpkgs=/home/wpcarro/nixpkgs" + ]; + + trustedUsers = [ "root" "wpcarro" ]; + }; + + ############################################################################## + # Services + ############################################################################## + services.openssh.enable = true; + + services.lorri.enable = true; + + systemd.services.monzo-token-server = { + enable = true; + description = "Ensure my Monzo access token is valid"; + script = "${briefcase.monzo_ynab.tokens}/bin/token-server"; + + # TODO(wpcarro): I'm unsure of the size of this security risk, but if a + # non-root user runs `systemctl cat monzo-token-server`, they could read the + # following, sensitive environment variables. + environment = { + store_path = "/var/cache/monzo_ynab"; + monzo_client_id = readSecret "monzo-client-id"; + monzo_client_secret = readSecret "monzo-client-secret"; + ynab_personal_access_token = readSecret "ynab-personal-access-token"; + ynab_account_id = readSecret "ynab-account-id"; + ynab_budget_id = readSecret "ynab-budget-id"; + }; + + serviceConfig = { + Type = "simple"; + }; + }; + + services.gitDaemon = { + enable = true; + basePath = "/srv/git"; + exportAll = true; + repositories = [ "/srv/git/briefcase" ]; + }; + + # Since I'm using this laptop as a server in my flat, I'd prefer to close its + # lid. + services.logind.lidSwitch = "ignore"; + + # Provision SSL certificates to support HTTPS connections. + security.acme.acceptTerms = true; + security.acme.email = "wpcarro@gmail.com"; + + services.nginx = { + enable = true; + enableReload = true; + + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + commonHttpConfig = '' + log_format json_combined escape=json + '{' + '"time_local":"$time_local",' + '"remote_addr":"$remote_addr",' + '"remote_user":"$remote_user",' + '"request":"$request",' + '"status": "$status",' + '"body_bytes_sent":"$body_bytes_sent",' + '"request_time":"$request_time",' + '"http_referrer":"$http_referer",' + '"http_user_agent":"$http_user_agent"' + '}'; + access_log syslog:server=unix:/dev/log json_combined; + ''; + + virtualHosts = { + "learn.wpcarro.dev" = { + addSSL = true; + enableACME = true; + root = "/var/www/learn"; + }; + "blog.wpcarro.dev" = { + addSSL = true; + enableACME = true; + root = "/var/www/blog"; + }; + }; + }; + + system.stateVersion = "20.09"; # Did you read the comment? +} diff --git a/nixos/socrates/default.nix b/nixos/socrates/default.nix deleted file mode 100644 index fbdff3f50f6b..000000000000 --- a/nixos/socrates/default.nix +++ /dev/null @@ -1,161 +0,0 @@ -{ ... }: - -let - # TODO(wpcarro): Instead of importing these dependencies as parameters that - # readTree will expose I need to import these dependencies manually because - # I'm building this using `nixos-rebuild`. When I better understand how to - # build socrates using readTree, prefer defining this as an anonymous - # function. - pkgs = import {}; - briefcase = import {}; - - trimNewline = x: pkgs.lib.removeSuffix "\n" x; - readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x)); -in { - imports = [ ./hardware.nix ]; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking = { - hostName = "socrates"; - # The global useDHCP flag is deprecated, therefore explicitly set to false - # here. Per-interface useDHCP will be mandatory in the future, so this - # generated config replicates the default behaviour. - useDHCP = false; - networkmanager.enable = true; - interfaces.enp2s0f1.useDHCP = true; - interfaces.wlp3s0.useDHCP = true; - firewall.allowedTCPPorts = [ 9418 80 443 ]; - }; - - time.timeZone = "UTC"; - - programs.fish.enable = true; - programs.mosh.enable = true; - - environment.systemPackages = with pkgs; [ - curl - direnv - emacs26-nox - gnupg - htop - pass - vim - certbot - tree - git - ]; - - users = { - # I need a git group to run the git server. - groups.git = {}; - - users.wpcarro = { - isNormalUser = true; - extraGroups = [ "git" "wheel" ]; - shell = pkgs.fish; - }; - - users.git = { - group = "git"; - isNormalUser = false; - }; - }; - - nix = { - # Expose depot as , nixpkgs as - nixPath = [ - "briefcase=/home/wpcarro/briefcase" - "depot=/home/wpcarro/depot" - "nixpkgs=/home/wpcarro/nixpkgs" - ]; - - trustedUsers = [ "root" "wpcarro" ]; - }; - - ############################################################################## - # Services - ############################################################################## - services.openssh.enable = true; - - services.lorri.enable = true; - - systemd.services.monzo-token-server = { - enable = true; - description = "Ensure my Monzo access token is valid"; - script = "${briefcase.monzo_ynab.tokens}/bin/token-server"; - - # TODO(wpcarro): I'm unsure of the size of this security risk, but if a - # non-root user runs `systemctl cat monzo-token-server`, they could read the - # following, sensitive environment variables. - environment = { - store_path = "/var/cache/monzo_ynab"; - monzo_client_id = readSecret "monzo-client-id"; - monzo_client_secret = readSecret "monzo-client-secret"; - ynab_personal_access_token = readSecret "ynab-personal-access-token"; - ynab_account_id = readSecret "ynab-account-id"; - ynab_budget_id = readSecret "ynab-budget-id"; - }; - - serviceConfig = { - Type = "simple"; - }; - }; - - services.gitDaemon = { - enable = true; - basePath = "/srv/git"; - exportAll = true; - repositories = [ "/srv/git/briefcase" ]; - }; - - # Since I'm using this laptop as a server in my flat, I'd prefer to close its - # lid. - services.logind.lidSwitch = "ignore"; - - # Provision SSL certificates to support HTTPS connections. - security.acme.acceptTerms = true; - security.acme.email = "wpcarro@gmail.com"; - - services.nginx = { - enable = true; - enableReload = true; - - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - - commonHttpConfig = '' - log_format json_combined escape=json - '{' - '"time_local":"$time_local",' - '"remote_addr":"$remote_addr",' - '"remote_user":"$remote_user",' - '"request":"$request",' - '"status": "$status",' - '"body_bytes_sent":"$body_bytes_sent",' - '"request_time":"$request_time",' - '"http_referrer":"$http_referer",' - '"http_user_agent":"$http_user_agent"' - '}'; - access_log syslog:server=unix:/dev/log json_combined; - ''; - - virtualHosts = { - "learn.wpcarro.dev" = { - addSSL = true; - enableACME = true; - root = "/var/www/learn"; - }; - "blog.wpcarro.dev" = { - addSSL = true; - enableACME = true; - root = "/var/www/blog"; - }; - }; - }; - - system.stateVersion = "20.09"; # Did you read the comment? -} diff --git a/nixos/socrates/rebuild.nix b/nixos/socrates/rebuild.nix index e6d885f975ca..1ab4f5133d0b 100644 --- a/nixos/socrates/rebuild.nix +++ b/nixos/socrates/rebuild.nix @@ -3,7 +3,7 @@ pkgs.writeShellScriptBin "rebuild" '' set -ue sudo nixos-rebuild \ - -I nixos-config=/home/wpcarro/briefcase/nixos/socrates/default.nix \ + -I nixos-config=/home/wpcarro/briefcase/nixos/socrates/configuration.nix \ -I nixpkgs=/home/wpcarro/nixpkgs \ -I depot=/home/wpcarro/depot \ -I briefcase=/home/wpcarro/briefcase \ -- cgit 1.4.1