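# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host "szalotka": an internet-facing NixOS machine whose user accounts,
# SSH keys and sudo membership all come from an LDAP directory via SSSD.
# Read the SSSD, openssh and sudo sections together — between them they
# decide who is effectively root on this box.

{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    #./identity.nix
    ./mailserver.nix
    ./nextcloud.nix
    ./authentik.nix
    ./forgejo.nix
    ./backups.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "szalotka";
  networking.domain = "cebula.camp";

  # Static addressing on the single uplink; DHCP is disabled globally.
  networking.useDHCP = false;
  networking.interfaces.enp1s0 = {
    ipv4.addresses = [ { address = "135.181.235.222"; prefixLength = 29; } ];
    ipv6.addresses = [ { address = "2a01:4f9:4a:4319:1337::14"; prefixLength = 80; } ];
  };
  networking.defaultGateway = "135.181.235.217";
  networking.defaultGateway6 = "2a01:4f9:4a:4319:1337::1";
  # Plain Do53 to a public resolver: queries are neither encrypted nor
  # authenticated.  Acceptable for now, but ACME and outbound mail both
  # depend on this answer being honest.
  networking.nameservers = [ "8.8.8.8" ];

  users.groups.ldap-access = {};

  # Identity: users, groups, passwords and SSH public keys are served by LDAP.
  services.sssd = {
    enable = true;
    # sshd obtains authorized keys from SSSD (the sshPublicKey attribute
    # below).  Anyone who can write that attribute for an orga-infra member
    # can log in here — and, via the sudo rule further down, become root
    # without a password.  Treat write access to that attribute as root.
    sshAuthorizedKeysIntegration = true;
    config = let
      baseDN = "dc=cebula,dc=camp";
      serviceAccount = "ldap-access";
      allowedGroup = "cn=orga-infra,ou=groups,${baseDN}";
    in ''
      [sssd]
      config_file_version = 2
      domains = LDAP
      services = nss, pam, ssh

      [domain/LDAP]
      # Cached credentials let orga-infra members log in while LDAP is down.
      cache_credentials = True
      id_provider = ldap
      chpass_provider = ldap
      auth_provider = ldap
      access_provider = ldap
      # 10.88.0.0/16 is the default podman bridge, so this is presumably the
      # LDAP outpost running in a container on this very host (verify).
      ldap_uri = ldaps://10.88.0.1/
      # SECURITY: "allow" makes SSSD accept an unverifiable or missing server
      # certificate, so this LDAPS session has no protection against an
      # active man-in-the-middle; an attacker on the path could return an
      # arbitrary sshPublicKey and memberOf, which is passwordless root here.
      # Tolerable only while the peer is a local container bridge.  If the
      # directory ever moves off-host, set ldap_tls_reqcert = demand and point
      # ldap_tls_cacert at the CA that issued the outpost certificate.
      ldap_tls_reqcert = allow
      ldap_schema = rfc2307bis
      ldap_search_base = ${baseDN}
      ldap_user_search_base = ou=users,${baseDN}
      ldap_group_search_base = ${baseDN}
      ldap_user_ssh_public_key = sshPublicKey
      ldap_user_object_class = user
      ldap_user_name = cn
      ldap_group_object_class = group
      ldap_group_name = cn
      ldap_default_bind_dn = cn=${serviceAccount},ou=users,${baseDN}
      # Substituted from environmentFile at service start so the bind
      # password never lands in the world-readable Nix store.
      ldap_default_authtok = $LDAP_DEFAULT_AUTHTOK
      # Only members of orga-infra may log in at all.
      ldap_access_filter = memberOf=${allowedGroup}
    '';
    # Holds LDAP_DEFAULT_AUTHTOK.  Must be owned by root and mode 0600 — the
    # module does not enforce this, and a readable file hands the bind
    # account to every local user.
    environmentFile = "/var/secrets/sssd";
  };

  # LDAP users have no local home until first SSH login creates one.
  security.pam.services.sshd.makeHomeDir = true;

  # Every orga-infra member is root without re-authenticating.  Group
  # membership is read from LDAP, so the directory's group ACL is the real
  # root policy for this host.
  security.sudo.extraRules = [{
    groups = ["orga-infra"];
    commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
  }];

  environment.variables.EDITOR = "vim";
  environment.systemPackages = with pkgs; [
    wget
    rxvt-unicode-unwrapped.terminfo
    htop
    dstat
    git
    ((vim_configurable.override { features = "normal"; }).customize {
      name = "vim";
      vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
        start = [ vim-nix nerdtree ];
      };
      vimrcConfig.customRC = ''
        syntax on
        set expandtab
        set tabstop=4
        set autoindent
        set shiftwidth=4
        set bs=2
        autocmd FileType nix setlocal shiftwidth=2 tabstop=2
      '';
    })
  ];

  programs.mtr.enable = true;

  services.journald.extraConfig = ''
    SystemMaxUse=2G
  '';

  services.openssh = {
    enable = true;
    ports = [ 2222 ];
    settings = {
      # Keys are distributed through LDAP (services.sssd above), so there is
      # no need for password logins.  Leaving them on exposes every
      # orga-infra directory password — each of which is NOPASSWD root — to
      # online guessing from the whole internet on port 2222.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    # Modern protocol/cipher defaults for every TLS vhost the imported
    # modules define; nginx's own defaults still admit TLS 1.0/1.1.
    recommendedTlsSettings = true;
  };

  security.acme = {
    # TODO(q3k): change to @cebula.camp address.
    defaults.email = "q3k@q3k.org";
    acceptTerms = true;
  };

  # Limit nscd memory usage, as it sometimes just blows up and the OOMkiller
  # sucks at picking it up.
  systemd.services.nscd.serviceConfig.MemoryMax = "256M";

  # Open ports in the firewall.  Everything else — including LDAPS on the
  # container bridge — stays closed to the outside.
  networking.firewall.allowedTCPPorts = [
    80 443 # http
    2222 # host ssh
  ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.09"; # Did you read the comment?
}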