Setup mail server and restructure some things

2023-09-14 14:43:49 +02:00 · 2023-09-14 14:43:49 +02:00 · ba93d164cf
commit ba93d164cf
parent 4c382e629d
90 changed files with 512 additions and 66 deletions
--- a/config/common/default.nix
+++ b/config/common/default.nix
@ -0,0 +1,74 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./prometheus-node-exporter.nix
+    ./nginx.nix
+    ../users/colmena-deploy
+    ../users/yuri
+  ];
+
+  time.timeZone = "Europe/Berlin";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    keyMap = "de-latin1";
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  nix.settings = {
+    trusted-users = [ "colmena-deploy" ];
+    auto-optimise-store = true;
+    experimental-features = [ "nix-command" "flakes" ];
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  environment.systemPackages = with pkgs; [
+    htop
+    parted
+    tmux
+    nano
+  ];
+
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+
+  security.acme = {
+    defaults.email = "acme@grzb.de";
+    acceptTerms = true;
+    preliminarySelfsigned = true;
+  };
+
+  # Print the ed25519 public ssh host key to console when booting
+  systemd.units."print-public-ssh-host-key.service" = {
+    enable = true;
+    text = ''
+      [Unit]
+      Description=print-public-ssh-host-key.service
+      Before=getty@tty1.service
+      After=sshd.service
+
+      [Service]
+      Type=oneshot
+      ExecStart=/run/current-system/sw/bin/bash -c "/run/current-system/sw/bin/echo -e \"----- ED25519 PUBLIC SSH HOST KEY -----\
+                \n$(/run/current-system/sw/bin/cut -d ' ' -f 1-2 /etc/ssh/ssh_host_ed25519_key.pub)\""
+      RemainAfterExit=no
+      StandardOutput=tty
+    '';
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  services.fstrim.enable = true;
+}
--- a/config/common/nginx.nix
+++ b/config/common/nginx.nix
@ -0,0 +1,9 @@
+{ ... }: {
+  services.nginx = {
+    enableReload = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+}
--- a/config/common/prometheus-node-exporter.nix
+++ b/config/common/prometheus-node-exporter.nix
@ -0,0 +1,7 @@
+{ lib, ... }:
+{
+  services.prometheus.exporters.node = {
+    enable = lib.mkDefault true;
+    openFirewall = true;
+  };
+}