shell: gnupg: always update conf

[sourcephile-nix.git] / servers / mermet.nix

diff --git a/servers/mermet.nix b/servers/mermet.nix
index f8e4adbb2831e20e991a948245b1f9ed8e7da569..a9b1fb8f1a6a09630842f06d88cf94e395562b3d 100644 (file)
--- a/servers/mermet.nix
+++ b/servers/mermet.nix
@@ -2,9 +2,10 @@
 # Usable by nixos-install and used by nixops.
 # It is NOT copied nor usable on the target machine,
 # only the resulting closure is copied to the target machine.
-{pkgs, lib, config, options, nodes, resources, ...}:
+{ pkgs, lib, config, options, ... }:
 let
-  inherit (builtins.extraBuiltins) pass;
+  inherit (builtins) readFile;
+  inherit (builtins.extraBuiltins) pass pass-chomp;
 in
 {
   # This value determines the NixOS release with which your system is to be
@@ -12,18 +13,23 @@ in
   # You should change this only after NixOS release notes say you should.
   system.stateVersion = "19.09"; # Did you read the comment?
 
+  nix = {
+    trustedUsers = [ "julm" ];
+  };
+
   nixpkgs.overlays = import ../overlays.nix;
 
   imports =
     [ ../nixos/defaults.nix
-      mermet/apu2e4.nix
-      mermet/zfs.nix
-      mermet/lesptts.nix
-      mermet/shorewall.nix
       mermet/unbound.nix
-      mermet/nsd.nix
-      #mermet/rspamd.nix
-      #mermet/dovecot2.nix
+      #mermet/nsd.nix
+      mermet/knot.nix
+      mermet/openldap.nix
+      mermet/gitolite.nix
+      mermet/nginx.nix
+      mermet/postfix.nix
+      mermet/dovecot.nix
+      mermet/rspamd.nix
     ];
 
   networking = rec {
@@ -32,28 +38,63 @@ in
     domain     = "${domainBase}.fr";
   };
 
+  /*
+  environment.etc."sudo.conf".text = ''
+    Debug sudo /var/log/sudo_debug.log all@debug
+    Debug sudoers.so /var/log/sudo_debug.log all@debug
+  '';
+  */
+
   users = {
     mutableUsers = false;
     users = {
-      root = rec {
-        initialPassword = password;
-        password = pass "servers/mermet/login/root";
+      root = {
+        hashedPassword = pass-chomp "servers/mermet/login/root/hashedPassword";
+        openssh.authorizedKeys.keys = [
+          (readFile ../../sec/ssh/julm.pub)
+          (readFile ../../sec/ssh/julm-mob.pub)
+        ];
+      };
+      julm = {
+        uid = 1000;
+        hashedPassword = pass-chomp "servers/mermet/login/julm/hashedPassword";
+        isNormalUser = true;
         openssh.authorizedKeys.keys = [
-          (pass "members/julm/ssh.pub")
+          (readFile ../../sec/ssh/julm.pub)
+          (readFile ../../sec/ssh/julm-mob.pub)
+          (readFile ../../sec/ssh/julm-mermet.pub)
         ];
       };
     };
     groups = {
+      wheel = {
+        members = [ "julm" ];
+      };
+      julm = {
+        members = [ "julm" ];
+        gid = 1000;
+      };
     };
   };
 
+  programs = {
+    mosh.enable = true;
+  };
+
+  systemd.coredump.enable = true;
+
   environment = {
+    enableDebugInfo = true;
     systemPackages = with pkgs; [
       cryptsetup
+      direnv
+      file
+      gdb
       fio
       git
       gptfdisk
       lm_sensors
+      rsync
       smartctl-tbw
       socat
     ];