losurdo: enable hardened profile

[sourcephile-nix.git] / servers / mermet.nix

# NixOS configuration of mermet.sourcephile.fr
#
# Show configuration options with, for example:
#   nix-instantiate servers/mermet.nix --eval -A config.networking.hostName
# or:
#  nix eval servers.mermet.config.networking.hostName
# Install/upgrade with:
#   nix run install -f servers/mermet.nix
# or:
#   nix run servers.mermet.install
let
  ipv4 = "80.67.180.129";
  system = import <nixpkgs/nixos/lib/eval-config.nix> {
    system = "x86_64-linux";
    modules = [
      ../nixos/defaults.nix
      ../nixos/base/install.nix
      ../nixos/base/unbound.nix
      mermet/acme.nix
      mermet/debug.nix
      mermet/dovecot.nix
      mermet/fileSystems.nix
      mermet/gitolite.nix
      mermet/hardware.nix
      mermet/knot.nix
      #mermet/mlmmj.nix
      mermet/networking.nix
      mermet/nginx.nix
      mermet/openldap.nix
      mermet/postfix.nix
      mermet/public-inbox.nix
      mermet/redis.nix
      mermet/rspamd.nix
      mermet/sanoid.nix
      mermet/shorewall.nix
      mermet/system.nix
      mermet/users.nix
    ];
    extraArgs = {
      name = "mermet";
      inherit ipv4;
      servers = import ../servers.nix;
    };
  };
  inherit (system.config) networking;
  lib = system.pkgs.lib;
in with system; system // {
inherit ipv4;
install =
  let target = "root@${networking.hostName}.${networking.domain}";
      profile = "/nix/var/nix/profiles/system";
      generations = "+10";
      nixos = config.system.build.toplevel;
  in
  pkgs.writeShellScriptBin "bash" ''
  PATH="$PATH:${with pkgs; lib.makeBinPath [nix openssh pass]}"
  set -eux
  nix ''${TRACE:+-L} copy \
   --to ssh://${target} --substitute-on-destination \
   ${nixos}
  target="${target}"
  ${config.install.shellHook}
  ssh ${target} nix-env --profile "${profile}" --set "${nixos}" \
   '&&' nix-env --profile "${profile}" --delete-generations "${generations}" \
   '&&' "${profile}"/bin/switch-to-configuration "''${switch:-switch}"
'';
}