"secrets": {
"flake": false,
"locked": {
- "narHash": "sha256-OQepJ4d1tyMPGI5ZPK3M6PTEE/hS3HYTEEhBdTJ+xdc=",
+ "narHash": "sha256-qpBUNjaf26xiKyArfPDtAKkakVS0tMriMUfoeIsrvf0=",
"path": "./sec",
"type": "path"
},
# Example: nix run .#losurdo.sendkeys
"sendkeys" = {
type = "app";
- program = config.security.gnupg.agent.sendKeys + "/bin/gnupg-agent-sendKeys";
+ #program = config.security.gnupg.agent.sendKeys + "/bin/gnupg-agent-sendKeys";
+ program = (pkgs.writeShellScript "sendkeys" ''
+ set -eux
+ ${pkgs.bash}/bin/bash -eux ${config.security.gnupg.agent.sendKeys + "/bin/gnupg-agent-sendKeys"}
+ '').outPath;
};
}) inputs.self.nixosConfigurations;}
);
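Review bot: The `x` in `set -eux` (L15) and in the inner `bash -eux` (L16) traces every expanded command line to stderr, so if gnupg-agent-sendKeys passes key ids, passphrases or file contents as arguments they end up on the terminal and in whatever captures the app's output; the inner `-eux` is the one that actually governs that script, the outer `set -eux` only covers the one-line wrapper. Once the debugging that motivated this is done, the inner invocation should become `${pkgs.bash}/bin/bash -eu ${config.security.gnupg.agent.sendKeys + "/bin/gnupg-agent-sendKeys"}` and the outer `set -eux` can be dropped. The commented-out former `program` line (L13) is dead code and is better removed than kept. The enclosing attribute set starts before this hunk.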
let domain = "sourcephile.fr"; in
{
imports = map (m: import m {inherit domain;}) [
- sourcephile.fr/losurdo.nix
sourcephile.fr/cryptpad.nix
+ sourcephile.fr/losurdo.nix
+ sourcephile.fr/nix-serve.nix
];
security.acme.certs."${domain}" = {
postRun = "systemctl reload nginx";
--- /dev/null
+{ domain, ... }:
+{ pkgs, lib, config, hostName, ... }:
+let
+ inherit (config) networking;
+ inherit (config.security) gnupg;
+ inherit (config.services) nginx nix-serve;
+ inherit (config.users) users groups;
+ srv = "nix-serve";
+in
+{
+nix.trustedUsers = [ users."nix-serve".name ];
+users.users."nix-serve".extraGroups = [ groups."keys".name ];
+security.gnupg.secrets."nix/binary-cache-key/1" = {
+ user = users."nix-serve".name;
+ systemdConfig = {
+ before = [ "nix-serve.service" ];
+ wantedBy = [ "nix-serve.service" ];
+ };
+};
+services.nix-serve = {
+ enable = true;
+ secretKeyFile = gnupg.secrets."nix/binary-cache-key/1".path;
+ bindAddress = "127.0.0.1";
+};
+services.nginx = let vhostConfig = priority:
+ {
+ #onlySSL = true;
+ #addSSL = true;
+ forceSSL = true;
+ useACMEHost = domain;
+ extraConfig = ''
+ #access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
+ #error_log /var/log/nginx/${domain}/${srv}/error.log warn;
+ access_log off;
+ error_log /dev/null crit;
+ '';
+ locations."/nix-cache-info" = {
+ # cache.nixos.org has priority 40
+ return = ''200 "StoreDir: ${builtins.storeDir}\nWantMassQuery: 1\nPriority: ${toString priority}\n"'';
+ extraConfig = ''
+ ${nginx.configs.https_add_headers}
+ add_header Content-Type text/plain;
+ '';
+ };
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString nix-serve.port};
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ in {
+ virtualHosts."nix-localcache.${domain}" = vhostConfig 30;
+ virtualHosts."nix-extracache.${domain}" = vhostConfig 60 // {
+ serverAliases = [ "${srv}.${domain}" ];
+ };
+};
+systemd.services.nginx = {
+ serviceConfig = {
+ LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
+ };
+};
+}
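Review bot: `nix.trustedUsers = [ users."nix-serve".name ]` (L42) gives nix-serve more than serving and signing store paths appears to need — trusted users may hand the daemon arbitrary substituters and sandbox settings — so either confirm the daemon refuses the queries without it and say so in a comment, or drop the line and keep only the `keys` group membership (L43) that `secretKeyFile` (L53) requires. The `nix-extracache` vhost (L85-87) exposes every path in this host's store to anyone who knows its hash, with no authentication in front of the proxy; a header comment such as `# Anything that ever lands in the store of this host is fetchable by anyone via this vhost.` would make that property explicit to whoever adds secrets to a derivation later. With `access_log off;` and `error_log /dev/null crit;` (L65-66) there is also no trace of who fetched what, so at least the access log should stay on for this vhost, e.g. the commented `access_log /var/log/nginx/${domain}/${srv}/access.log` form on L63 that the `LogsDirectory` override (L91) already provisions for.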
# You should change this only after NixOS release notes say you should.
system.stateVersion = "19.09"; # Did you read the comment?
+nix.gc.dates = "weekly";
+nix.gc.options = "--delete-older-than 7d";
+
# Avoid the use of systemd-run --user --scope tmux
# and let mosh work smoothly.
services.logind.killUserProcesses = false;
-nix.gc.dates = "weekly";
-nix.gc.options = "--delete-older-than 7d";
-nix.extraOptions = ''
- secret-key-files = ${gnupg.secrets."nix/binary-cache-key/1".path}
-'';
-security.gnupg.secrets."nix/binary-cache-key/1" = {
- systemdConfig = {
- before = [ "nix-daemon.service" ];
- wantedBy = [ "nix-daemon.service" ];
- };
-};
-
documentation.nixos = {
enable = false; # NOTE: useless on a server, and CPU intensive.
};
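Review bot: Dropping `secret-key-files` from `nix.extraOptions` (L105-107) means nix-daemon on this host no longer signs paths when they are built; from the rest of the change it looks like signing is now meant to happen only in nix-serve, so paths copied out of this host by any other route (e.g. `nix copy`) would be unsigned. If that is the intent, a short comment where the gc options now live (L97-98), such as `# Store paths are signed on the fly by nix-serve, not by the daemon.`, records the decision; if not, the `secret-key-files` line should stay alongside the nix-serve setup. The enclosing attribute set starts and ends outside this hunk.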
verbosity: 1
interface: 127.0.0.1
interface: ::1
-
+ ${lib.optionalString (!config.networking.enableIPv6) "prefer-ip4: yes"}
port: 53
# The file which contains the listing of primary root DNS servers.
cryptpad-sandbox CNAME losurdo
mumble CNAME mermet
freeciv CNAME losurdo
+ nix-serve CNAME losurdo
+ nix-extracache CNAME losurdo
+ nix-localcache CNAME lan.losurdo
; SPF (Sender Policy Framework)
@ 3600 IN SPF "v=spf1 mx ip4:${hosts.mermet.extraArgs.ipv4} -all"
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
+let inherit (config) networking; in
{
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database servers.
nix.gc.dates = "daily";
nix.gc.options = "--delete-older-than 2d";
+nix.extraOptions = ''
+ trusted-public-keys = ${builtins.readFile (inputs.secrets + "/hosts/losurdo/nix/binary-cache-key/1.pub")}
+ substituters = https://nix-extracache.${networking.domain}
+'';
environment.systemPackages = with pkgs; [
cryptsetup
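Review bot: `substituters = https://nix-extracache.${networking.domain}` (L143) replaces the daemon's substituter list rather than extending it, and `trusted-public-keys` (L142) does the same for the key list, so unless the defaults are re-listed elsewhere (not visible here) this host stops using cache.nixos.org and would refuse its signatures. Use `extra-substituters = https://nix-extracache.${networking.domain}` to keep the default list, and either re-list the cache.nixos.org key next to the one read from `inputs.secrets` or move the pair to `nix.binaryCaches` / `nix.binaryCachePublicKeys` with the defaults included. The `Priority: 60` the server advertises for nix-extracache in the sibling file suggests it was meant to sit behind cache.nixos.org, not replace it.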
verbosity: 1
interface: 127.0.0.1
interface: ::1
-
+ ${lib.optionalString (!config.networking.enableIPv6) "prefer-ip4: yes"}
port: 53
# The file which contains the listing of primary root DNS servers.