{ config, lib, pkgs, ... }:

# Host configuration for "dragon": a bridged, dual-stack server that pulls in
# the shared service modules from ../config and adds serial-console boot,
# LXD, and an SSH policy with a single password-enabled account.
{
  imports = [
    ../config/acme-sh.nix
    ../config/mpd.nix
    ../config/borg-backup.nix
    ../config/common.nix
    ../config/users.nix
    ../config/weechat.nix
    ../config/dns.nix
    ../config/hydra.nix
    ../config/web-server.nix
    ../config/cgit.nix
    ../config/mail-server.nix
    ../config/munin-node.nix
    ../config/munin-master.nix
    ../config/vpn-server.nix
    ../config/terraria.nix
  ];

  # Out-of-band management tooling for the BMC.
  environment.systemPackages = [ pkgs.ipmitool ];

  programs.mosh.enable = true;

  # Containers run under LXD; the AppArmor confinement for LXC below is
  # currently disabled.
  virtualisation.lxd.enable = true;

  #security.apparmor = {
  #  enable = true;
  #  profiles = [
  #    "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-star"
  #    "${pkgs.lxc}/etc/apparmor.d/lxc-containers"
  #  ];
  #  packages = [ pkgs.lxc pkgs.apparmor-parser ];
  #};

  # Retired NixOS container "kick" (nginx + ACME behind br0); kept for
  # reference only.
  # containers.kick = {
  #   autoStart = true;
  #   hostBridge = "br0";
  #   privateNetwork = true;
  #   config = { config, pkgs, ... }: {
  #     system.activationScripts = {
  #       resolvconf = {
  #         text = ''
  #           chmod +w /etc/resolv.conf
  #           echo nameserver 2001:4860:4860::8888 >> /etc/resolv.conf
  #           chmod -w /etc/resolv.conf
  #         '';
  #       };
  #     };
  #     networking.firewall.allowedTCPPorts = [ 80 443 ];
  #     networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];
  #     services.nginx = {
  #       enable = true;
  #       virtualHosts = {
  #         "kick.orbekk.no" = {
  #           enableACME = true;
  #           addSSL = true;
  #         };
  #       };
  #     };
  #     environment.systemPackages = [
  #       pkgs.simp_le pkgs.certbot
  #     ];
  #     # nixpkgs.config.packageOverrides = pkgs: {
  #     #   simp_le = pkgs.stdenv.mkDerivation {
  #     #     name = "simp_le";
  #     #     nativeBuildInputs = [ pkgs.makeWrapper ];
  #     #     buildCommand = ''
  #     #       mkdir -p $out/bin
  #     #       makeWrapper "${pkgs.simp_le}/bin/simp_le" $out/bin/simp_le \
  #     #         --add-flags "--server https://api.buypass.com/acme/directory" \
  #     #         --add-flags "--email kj@orbekk.com" \
  #     #         --add-flags "--tos_sha256 07c2ac41aff33fe06e27447ea592c503f22967fd43b0e8500cbc8452f28a4bf1"
  #     #     '';
  #     #   };
  #     # };
  #   };
  # };

  boot = {
    # Mirror the kernel console to the first serial port so the box is
    # reachable over IPMI SOL when the network is down.
    kernelParams = [
      "console=tty0"
      "console=\"ttyS0,115200n8\""
    ];

    # The host routes for its bridge/containers.  accept_ra=2 keeps router
    # advertisements honoured on br0 even though IPv6 forwarding is on
    # (the kernel otherwise ignores RAs on a forwarding interface).
    kernel.sysctl = {
      "net.ipv4.conf.all.forwarding" = true;
      "net.ipv6.conf.all.forwarding" = true;
      "net.ipv6.conf.br0.accept_ra" = 2;
    };

    loader.grub = {
      enable = true;
      version = 2;
      # Two-disk install so either drive can boot the system.
      devices = [ "/dev/sda" "/dev/sdb" ];
      # Drive the GRUB menu over the same serial port as the kernel console.
      extraConfig = ''
        GRUB_TERMINAL="serial"
        GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
      '';
    };
  };

  networking = {
    hostName = lib.mkForce "dragon";

    firewall = {
      allowPing = true;
      # Relaxed reverse-path filtering: strict rp_filter drops asymmetric
      # traffic on a forwarding host with a bridge and a VPN module, so this
      # trades some anti-spoofing strength for working routing.
      checkReversePath = "loose";
    };

    # eno2 is enslaved to br0; containers and the host share the bridge.
    bridges.br0.interfaces = [ "eno2" ];

    # Stable DUID for DHCPv6 and no SLAAC addresses; prefix/route come from
    # the upstream DHCPv6 server.
    dhcpcd.extraConfig = ''
      duid
      ipv6ra_noautoconf
    '';

    # interfaces.br0.ip6 = [
    #   # { address = "2001:470:8e2e:20:eca0:41ff:feef:92"; prefixLength = 64; }
    #   { address = "2001:470:8e2e:20::d"; prefixLength = 64; }
    # ];
    # Managed with dhcpv6 now.
    # localCommands = ''
    #   sleep 10
    #   echo setting up routes
    #   ip -6 addr add 2001:470:8e2e:20::d/64 dev br0 || true
    #   ip -6 route replace default via fe80::822a:a8ff:fe4d:f5d6 dev br0 metric 0 src 2001:470:8e2e:20::d || true
    #   ip route replace default via 10.0.20.1 dev br0 metric 0 || true
    # '';
  };

  # Required to enable password authentication for one user: with
  # passwordAuthentication = false the sshd PAM service would otherwise have
  # unix auth switched off, and the Match block below could never succeed.
  security.pam.services.sshd.unixAuth = lib.mkForce true;

  services.openssh = {
    enable = lib.mkDefault true;
    # Keys only by default; the single exception is the "readonly" account.
    passwordAuthentication = false;
    # NOTE(review): this Match block applies from any source address; adding
    # an Address criterion would confine the password-enabled account to the
    # networks that need it.
    extraConfig = ''
      Match User readonly
        PasswordAuthentication yes
    '';
  };

  # Both mounts are subvolumes of the same btrfs filesystem.
  fileSystems = {
    "/storage" = {
      device = "/dev/sda3";
      fsType = "btrfs";
      options = [ "subvol=storage" ];
    };
    "/staging" = {
      device = "/dev/sda3";
      fsType = "btrfs";
      options = [ "subvol=staging" ];
    };
  };

  system.stateVersion = lib.mkForce "17.09";
}