shell: gnupg: always update conf

[sourcephile-nix.git] / servers / mermet.nix

diff --git a/servers/mermet.nix b/servers/mermet.nix
index dbe67016b5727369fe2505c732b7c3ce603cea14..a9b1fb8f1a6a09630842f06d88cf94e395562b3d 100644 (file)
--- a/servers/mermet.nix
+++ b/servers/mermet.nix
@@ -2,32 +2,34 @@
 # Usable by nixos-install and used by nixops.
 # It is NOT copied nor usable on the target machine,
 # only the resulting closure is copied to the target machine.
-{ pkgs, lib, config, options
-# NixOps extra module inputs
-, nodes, name, uuid, resources
-, ... }:
-let inherit (builtins.extraBuiltins) pass; in
+{ pkgs, lib, config, options, ... }:
+let
+  inherit (builtins) readFile;
+  inherit (builtins.extraBuiltins) pass pass-chomp;
+in
 {
   # This value determines the NixOS release with which your system is to be
   # compatible, in order to avoid breaking some software such as database servers.
   # You should change this only after NixOS release notes say you should.
   system.stateVersion = "19.09"; # Did you read the comment?
 
+  nix = {
+    trustedUsers = [ "julm" ];
+  };
+
   nixpkgs.overlays = import ../overlays.nix;
 
   imports =
     [ ../nixos/defaults.nix
-      mermet/apu2e4.nix
-      mermet/zfs.nix
-      mermet/lesptts.nix
-      mermet/shorewall.nix
       mermet/unbound.nix
-      mermet/nsd.nix
+      #mermet/nsd.nix
+      mermet/knot.nix
       mermet/openldap.nix
+      mermet/gitolite.nix
       mermet/nginx.nix
-      #mermet/postfix.nix
-      #mermet/rspamd.nix
-      #mermet/dovecot2.nix
+      mermet/postfix.nix
+      mermet/dovecot.nix
+      mermet/rspamd.nix
     ];
 
   networking = rec {
@@ -36,28 +38,63 @@ let inherit (builtins.extraBuiltins) pass; in
     domain     = "${domainBase}.fr";
   };
 
+  /*
+  environment.etc."sudo.conf".text = ''
+    Debug sudo /var/log/sudo_debug.log all@debug
+    Debug sudoers.so /var/log/sudo_debug.log all@debug
+  '';
+  */
+
   users = {
     mutableUsers = false;
     users = {
-      root = rec {
-        initialPassword = password;
-        password = pass "servers/mermet/login/root";
+      root = {
+        hashedPassword = pass-chomp "servers/mermet/login/root/hashedPassword";
+        openssh.authorizedKeys.keys = [
+          (readFile ../../sec/ssh/julm.pub)
+          (readFile ../../sec/ssh/julm-mob.pub)
+        ];
+      };
+      julm = {
+        uid = 1000;
+        hashedPassword = pass-chomp "servers/mermet/login/julm/hashedPassword";
+        isNormalUser = true;
         openssh.authorizedKeys.keys = [
-          (pass "members/julm/ssh.pub")
+          (readFile ../../sec/ssh/julm.pub)
+          (readFile ../../sec/ssh/julm-mob.pub)
+          (readFile ../../sec/ssh/julm-mermet.pub)
         ];
       };
     };
     groups = {
+      wheel = {
+        members = [ "julm" ];
+      };
+      julm = {
+        members = [ "julm" ];
+        gid = 1000;
+      };
     };
   };
 
+  programs = {
+    mosh.enable = true;
+  };
+
+  systemd.coredump.enable = true;
+
   environment = {
+    enableDebugInfo = true;
     systemPackages = with pkgs; [
       cryptsetup
+      direnv
+      file
+      gdb
       fio
       git
       gptfdisk
       lm_sensors
+      rsync
       smartctl-tbw
       socat
     ];