
close #12
schonfinkel committed Nov 26, 2024
1 parent 965cbe7 commit 80cb343
Showing 7 changed files with 106 additions and 54 deletions.
2 changes: 2 additions & 0 deletions README.org
Expand Up @@ -51,3 +51,5 @@ deploys can be done in pure Nix.

+ The Terraform-based bootstrap is a modification from the great setup found in the
[[https://github.com/Gabriella439/nixos-in-production][NixOS in Production]] book.
+ Many thanks to @Misterio77 for [[https://jaxy.discourse.group/t/criando-um-servidor-de-factorio-100-declarativo-com-nixos-e-terraform/48][figuring it out]] how to run this on Magalu cloud.

3 changes: 3 additions & 0 deletions configuration.nix
Expand Up @@ -11,4 +11,7 @@
size = 8 * 1024;
}
];

# Don't change this!
system.stateVersion = "24.05";
}
8 changes: 4 additions & 4 deletions flake.lock


36 changes: 21 additions & 15 deletions flake.nix
Expand Up @@ -14,7 +14,7 @@
inputs.nixpkgs.follows = "nixpkgs";
};

nixpkgs.url = "github:NixOS/nixpkgs/24.05";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};

outputs =
Expand All @@ -35,6 +35,21 @@
config.allowUnfree = true;
};

# Modules
bootstrap = [
./modules/extras.nix
./modules/networking.nix
./modules/users.nix
];

cloud = [
./configuration.nix
./modules/nginx.nix
./modules/postgres.nix
./modules/secrets.nix
] ++ bootstrap;

# Qemu Setup
machine = nixpkgs.lib.nixosSystem {
system = builtins.replaceStrings [ "darwin" ] [ "linux" ] system;

Expand All @@ -43,6 +58,7 @@
./modules/qemu.nix
./modules/erlang.nix
./modules/extras.nix
./modules/networking.nix
./modules/nginx.nix
./modules/postgres.nix
./modules/users.nix
Expand Down Expand Up @@ -73,11 +89,7 @@
# it contains the bare minimum for us to log in there with ssh
bootstrap = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./configuration.nix
./modules/extras.nix
./modules/users.nix
];
modules = bootstrap ++ [ disko.nixosModules.disko ];
specialArgs = {
inherit pkgs;
};
Expand All @@ -87,15 +99,9 @@
# this configuration here.
nekoma = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
modules = cloud ++ [
agenix.nixosModules.default
./configuration.nix
./modules/erlang.nix
./modules/extras.nix
./modules/nginx.nix
./modules/postgres.nix
./modules/users.nix
./modules/secrets.nix
disko.nixosModules.disko
];
specialArgs = {
inherit pkgs agenix;
Expand Down Expand Up @@ -126,7 +132,7 @@
just
];

languages.terraform = {
languages.opentofu = {
enable = true;
};

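Review bot: The new `cloud` list no longer carries `./modules/erlang.nix`, which the old `nekoma` module list (the removed lines under `modules = [`) did include, so the production host silently loses that module unless it is imported elsewhere; if the drop is intended, a one-line comment on the `cloud` list would spare the next reader the archaeology. Separately, `nixpkgs.url` moves from the `24.05` release branch to `nixos-unstable` while `system.stateVersion` stays `"24.05"`; flake.lock still pins an exact revision, but every future `nix flake update` now follows a rolling channel, which deserves a sentence next to the input or in the README. The `bootstrap` and `nekoma` definitions continue past their hunks.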
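--- a/modules/disko.nix
+++ b/modules/disko.nix
@@ -0,0 +1,39 @@
+{modulesPath, ...}: {
+imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+
+boot = {
+initrd.availableKernelModules = ["ata_piix" "uhci_hcd"];
+kernelModules = ["kvm-intel"];
+};
+
+disko.devices.disk.main = {
+device = "/dev/vda";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+boot = {
+size = "1M";
+type = "EF02";
+};
+esp = {
+size = "512M";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+root = {
+size = "100%";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+};
+};
+};
+};
+};
+}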
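Review bot: `device = "/dev/vda"` makes this module destructive by construction — disko repartitions and formats whatever sits at that path — yet nothing in the file says so, and the module is not named in any module list visible in this commit's flake.nix hunks (`bootstrap` only appends `disko.nixosModules.disko`); if configuration.nix imports it that is fine, otherwise the layout is never applied. A header comment would help, along the lines of `# Disk layout consumed by disko: wipes and re-creates /dev/vda (GPT: BIOS-boot + ESP + ext4 root). Import only into hosts meant to be reprovisioned from scratch.` The root filesystem is plain ext4 with no encryption, which may be deliberate for a cloud VM but is worth stating beside the `root` partition so the choice is visible to whoever adds secrets to this host.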
35 changes: 0 additions & 35 deletions modules/extras.nix
Expand Up @@ -4,7 +4,6 @@
documentation.enable = false;

environment.systemPackages = with pkgs; [
lsof
docker-compose
];

Expand All @@ -17,23 +16,6 @@
};
};

# Networking
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
networking.hostName = "trashcan";

services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
bantime-increment = {
multipliers = "1 2 4 8 16 32 64";
# Do not ban for more than 1 week
maxtime = "168h";
# Calculate the bantime based on all the violations
overalljails = true;
};
};

# Nix configuration
nix.settings.trusted-users = ["@wheel"];
nix = {
Expand All @@ -49,27 +31,10 @@
};
};

services.openssh = {
enable = true;
ports = [ 22 ];
settings = {
PasswordAuthentication = false;
AllowUsers = [ "deploy" "benevides" "kanagawa" "lemos" "magueta" "marinho" ];
X11Forwarding = false;
# "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
PermitRootLogin = "prohibit-password";
};
};
# Magueta wants this
programs.mosh.enable = true;

# Extra stuff
programs.neovim = {
enable = true;
viAlias = true;
vimAlias = true;
};

# Don't change this!
system.stateVersion = "24.05";
}
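--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+
+{
+documentation.enable = false;
+
+environment.systemPackages = with pkgs; [
+lsof
+];
+
+networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+networking.hostName = "trashcan";
+
+services.fail2ban = {
+enable = true;
+maxretry = 5;
+bantime = "1h";
+bantime-increment = {
+multipliers = "1 2 4 8 16 32 64";
+# Do not ban for more than 1 week
+maxtime = "168h";
+# Calculate the bantime based on all the violations
+overalljails = true;
+};
+};
+
+services.openssh = {
+enable = true;
+ports = [ 22 ];
+settings = {
+PasswordAuthentication = false;
+AllowUsers = [ "deploy" "benevides" "kanagawa" "lemos" "magueta" "marinho" ];
+X11Forwarding = false;
+# "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
+PermitRootLogin = "prohibit-password";
+};
+};
+}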
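Review bot: `PasswordAuthentication = false` on its own does not close password logins, because NixOS leaves `KbdInteractiveAuthentication` at its default of true and sshd can then still collect a password through PAM's keyboard-interactive path; add `KbdInteractiveAuthentication = false;` next to it inside `settings`. The firewall line opens 80 and 443 for every host that imports this module, including the `bootstrap` system in flake.nix that has no web service, so keeping only 22 here and opening 80/443 from `modules/nginx.nix` would match the least-privilege intent of the bootstrap image. `documentation.enable = false` and the `lsof` package have nothing to do with networking and the former is still set in extras.nix, so the two modules now duplicate it; a short header comment stating that this module is the shared network-facing baseline (firewall, fail2ban, sshd) would explain the grouping, or those two lines could stay in extras.nix.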
