# its clearer, safer and more flexible if not quicker.
{
imports = [
+ modules/security/install.nix
modules/services/networking/domains.nix
#modules/services/networking/knot.nix
modules/services/databases/openldap.nix
{ pkgs, lib, config, ... }:
let inherit (lib) types; in
{
-options = {
- install.shellHook = lib.mkOption {
+options.security.install = {
+ shellHook = lib.mkOption {
type = types.lines;
default = "";
};
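Review bot: The renamed `shellHook` option still carries no `description`, so it is absent from generated option docs and a reader has to trace the deploy script to learn what it is for. The visible uses splice it verbatim into that script between the `--to ssh://…` copy and the `nix-env --set … switch-to-configuration` step, after `target=` has been set, and the existing hooks pipe material from `pass` through `ssh "$target" install` onto the host; a line such as `description = "Shell lines appended to the deploy script, run on the deploying machine after the copy step and before switch-to-configuration; $target names the destination host.";` next to `type = types.lines;` would record that contract. The enclosing attribute set continues past the hunk.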
"igb"
];
};
-boot.kernelModules = [];
-boot.extraModulePackages = [];
+
boot.kernelParams = [
"gfxpayload=text"
#"console=tty0"
system = import <nixpkgs/nixos/lib/eval-config.nix> {
system = "x86_64-linux";
modules = [
+ <nixpkgs/nixos/modules/profiles/hardened.nix>
../nixos/defaults.nix
- ../nixos/base/install.nix
- ../nixos/base/unbound.nix
+ ../nixos/profiles/services/unbound.nix
losurdo/acme.nix
losurdo/debug.nix
losurdo/fail2ban.nix
--to ssh://${target} --substitute-on-destination \
${nixos}
target="${target}"
- ${config.install.shellHook}
+ ${config.security.install.shellHook}
ssh ${target} nix-env --profile "${profile}" --set "${nixos}" \
'&&' nix-env --profile "${profile}" --delete-generations "${generations}" \
'&&' "${profile}"/bin/switch-to-configuration "''${switch:-switch}"
#dnsPropagationCheck = false;
inherit credentialsFile;
};
-install.shellHook = ''
+security.install.shellHook = ''
{
cat <<-EOF
RFC2136_NAMESERVER=ns.${domain}:53
#dnsPropagationCheck = false;
inherit credentialsFile;
};
-install.shellHook = ''
+security.install.shellHook = ''
{
cat <<-EOF
RFC2136_NAMESERVER=ns.${domain}:53
{ pkgs, lib, config, ... }:
{
imports = [
- ../../nixos/base/zfs.nix
+ ../../nixos/profiles/systems/zfs.nix
];
/*
{ pkgs, lib, config, ... }:
{
imports = [
- ../../nixos/base/dl10j.nix
+ ../../nixos/profiles/hardware/dl10j.nix
];
# The 32-bit host id of the machine, formatted as 8 hexadecimal characters.
user root ${owner}
'';
};
-install.shellHook = ''
+security.install.shellHook = ''
pass "servers/losurdo/postgresql/pass/${owner}" |
ssh "$target" install -D -m 0400 -o root -g root /dev/stdin \
/run/keys/postgresql_pass_${owner}
{ pkgs, lib, config, ... }:
{
-imports = [
- <nixpkgs/nixos/modules/profiles/hardened.nix>
-];
-
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database servers.
# You should change this only after NixOS release notes say you should.
# and let mosh work smoothly.
services.logind.killUserProcesses = false;
+services.unbound.enable = true;
+
environment.systemPackages = with pkgs; [
cryptsetup
direnv
smartctl-tbw
socat
sanoid
- iptables-nftables-compat
+ #iptables-nftables-compat
];
}
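Review bot: `services.unbound.enable = true;` is set directly in this host file while the same commit routes both hosts through `../nixos/profiles/services/unbound.nix`; if that profile already enables the service the line is redundant, and if it does not, the resolver is switched on here with whatever listen interface and access-control the profile or module defaults provide, which is worth stating explicitly on a server. A one-line comment above it, e.g. `# resolver settings live in nixos/profiles/services/unbound.nix; enabled per host` (adjusted to the actual intent), would settle which reading is right; the same line is added in the second host file at the end of this page. Separately, `#iptables-nftables-compat` leaves a dead package entry with no reason given; either drop the line or say why it was disabled so the next reader knows whether to restore it.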
imports = [
<nixops/options.nix>
<nixops/resource.nix>
- ../../nixos/base/unbound.nix
../../nixos/defaults.nix
+ ../../nixos/profiles/services/unbound.nix
./users.nix
./system.nix
];
};
};
-install.shellHook = ''
+security.install.shellHook = ''
pass "servers/losurdo/root/ssh/id_ed25519" |
ssh "$target" install -m 0400 -o root -g root /dev/stdin \
/root/.ssh/id_ed25519
system = "x86_64-linux";
modules = [
../nixos/defaults.nix
- ../nixos/base/install.nix
- ../nixos/base/unbound.nix
+ ../nixos/profiles/services/unbound.nix
mermet/acme.nix
mermet/debug.nix
mermet/dovecot.nix
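Review bot: This module list gains only the unbound profile, whereas the matching losurdo hunk also adds `<nixpkgs/nixos/modules/profiles/hardened.nix>` and the defaults.nix hunk removes that import from the shared defaults; unless mermet imports the profile somewhere outside this hunk, the commit silently drops the hardened profile from that host. Add `<nixpkgs/nixos/modules/profiles/hardened.nix>` above `../nixos/defaults.nix` here, mirroring losurdo's list, or keep the import in defaults.nix so both hosts inherit it. The `modules` list continues beyond the hunk.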
--to ssh://${target} --substitute-on-destination \
${nixos}
target="${target}"
- ${config.install.shellHook}
+ ${config.security.install.shellHook}
ssh ${target} nix-env --profile "${profile}" --set "${nixos}" \
'&&' nix-env --profile "${profile}" --delete-generations "${generations}" \
'&&' "${profile}"/bin/switch-to-configuration "''${switch:-switch}"
{ pkgs, lib, config, ... }:
{
imports = [
- ../../nixos/base/zfs.nix
+ ../../nixos/profiles/systems/zfs.nix
];
/*
{ pkgs, lib, config, ... }:
{
imports = [
- ../../nixos/base/apu2e4.nix
+ ../../nixos/profiles/hardware/apu2e4.nix
];
# The 32-bit host id of the machine, formatted as 8 hexadecimal characters.
};
in
{
-install.shellHook = ''
+security.install.shellHook = ''
# Generated with: keymgr -t acme_${domain}
pass "servers/mermet/knot/${domain}/acme.conf" |
ssh "$target" install -D -m 0400 -o ${users."knot".name} -g root /dev/stdin \
};
in
{
-install.shellHook = ''
+security.install.shellHook = ''
# Generated with: keymgr -t acme_${domainID}
pass "servers/mermet/knot/${domain}/acme.conf" |
ssh "$target" install -D -m 0400 -o ${users."knot".name} -g root /dev/stdin \
"+hH+Mr/4V1wnKtdosk/7+3VIQ6clTIfWhD6PlnWd78Uo5lfWnYxTem7EMc2q7j6tzGwj+Q+b4Li9fdhLqxGuD0V64/nVZit90b0HyfiV5srln2lK6Hczrwqr0gOEBGQ4YeLjOF6ldaV01mFWR9ddr9a5/gVCqw8vw7vhqXvU7yK8VHW2rdsvkNZ0bDOa66MCveD7pH2vyljrfZq9k0T/NLHrsu8CAwEAAQ=="
)
'';
-install.shellHook = ''
+security.install.shellHook = ''
pass "dkim/${domain}/${selector}.key" |
ssh "$target" install -D -m 0400 -o ${rspamd.user} -g root /dev/stdin \
/run/keys/"dkim.${domain}.${selector}.key"
"rWWtSTdO8DilDqN8CAwEAAQ=="
)
'';
-install.shellHook = ''
+security.install.shellHook = ''
pass "dkim/${domain}/${selector}.key" |
ssh "$target" install -D -m 0400 -o ${rspamd.user} -g root /dev/stdin \
/run/keys/"dkim.${domain}.${selector}.key"
# You should change this only after NixOS release notes say you should.
system.stateVersion = "19.09"; # Did you read the comment?
+services.unbound.enable = true;
+
environment.systemPackages = with pkgs; [
cryptsetup
direnv