hosts: add ghost

2023-10-14 16:30:51 -03:00 · 2023-10-14 16:30:51 -03:00 · 9c1709c039
commit 9c1709c039
parent 152344a801
5 changed files with 113 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -138,6 +138,10 @@
            services.flatpak.enable = lib.mkOverride 0 false;
          }];
        };
        ghost = lib.nixosSystem {
          inherit system specialArgs;
          modules = [ ./hosts/ghost.nix ];
        };
      };
      homeConfigurations.lelgenio = home-manager.lib.homeManagerConfiguration {
--- a/hosts/ghost.nix
+++ b/hosts/ghost.nix
@ -0,0 +1,86 @@
 { config, pkgs, inputs, ... }: {
  imports = [
    "${inputs.nixpkgs}/nixos/modules/virtualisation/digital-ocean-image.nix"
    inputs.agenix.nixosModules.default
    ../system/nix.nix
    ../system/secrets.nix
  ];
  # Use more aggressive compression then the default.
  virtualisation.digitalOceanImage.compressionMethod = "bzip2";
  # Headless - don't start a tty on the serial consoles.
  systemd.services."serial-getty@ttyS0".enable = false;
  systemd.services."serial-getty@hvc0".enable = false;
  systemd.services."getty@tty1".enable = false;
  systemd.services."autovt@".enable = false;
  # Enable networking
  networking.networkmanager.enable = true;
  # Set your time zone.
  time.timeZone = "America/Sao_Paulo";
  # Select internationalisation properties.
  i18n.defaultLocale = "pt_BR.utf8";
  security.rtkit.enable = true;
  services.openssh = {
    enable = true;
    ports = [ 9022 ];
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.mutableUsers = false;
  users.users.lelgenio = {
    isNormalUser = true;
    description = "Leonardo Eugênio";
    hashedPassword = "$y$j9T$0e/rczjOVCy7PuwC3pG0V/$gTHZhfO4wQSlFvbDyfghbCnGI2uDI0a52zSrQ/yOA5A";
    extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "bluetooth" "corectrl" "vboxusers" ];
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15"
    ];
  };
  users.users.root = {
    shell = pkgs.fish;
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15"
    ];
    initialHashedPassword = "$y$j9T$E3aBBSSq0Gma8hZD9L7ov0$iCGDW4fqrXWfHO0qodBYYgMFA9CpIraoklHcPbJJrM3";
  };
  security.sudo.wheelNeedsPassword = false;
  programs.fish.enable = true;
  environment.systemPackages = with pkgs; [
    git
  ];
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud27;
    hostName = "cloud.lelgenio.xyz";
    https = true;
    config = {
      adminpassFile = config.age.secrets.ghost-nextcloud.path;
    };
  };
  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    forceSSL = true;
    enableACME = true;
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "lelgenio@disroot.org";
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  system.stateVersion = "23.05"; # Never change this
 }
--- a/secrets/ghost-nextcloud.age
+++ b/secrets/ghost-nextcloud.age
@ -0,0 +1,15 @@
 age-encryption.org/v1
 -> ssh-rsa BwwxHg
 CgOkaIy+ZuqNHzRX/OnUZbtHeSevslgVz71cBSqSsaTxuB74D+hSoIsUZW50/x0n
 jKz9XF/3Fp+WwTtBNGwhI6VpYrbOFSyLzNGtyO+SyUVQKjST9Cw0QbPCko9DTAEK
 pfSjP+Ie3A2gq6mUFJxTjQG4t+kmNPCxHeAVvKepgEkOxkQdirKec+ckjGXh91yK
 IvEOthD4NR5OQF8QqHffzFQtSrFISF5eKHvJJZADydnr54g8+vPJgOy90isRzVPz
 cp3pAnyNgPu4Ia6yOuM6/GmGlJUtSqV/22JQJBgz0DmgmHVlzJEjhQ6b9RIeBz/5
 M6AugEJlGsLpUccqeJcfihLOzDrOeT8wei/CLea4U0jJMGtWEitVWF+dSt7YkrJr
 wWnHMqhl7lFjxN44zbGznQqnSDRcfO7vxmnaUwFAebid0P+v0NNonweYdro0YEF/
 hfTUqQfW82+4GYOsFEDCt0Z3lcifr5b9rgHDGDyycFtwBDKW3SbOmTFkKQJ+vwQ0
 -> CL,"/i5.-grease \2_ R|j[#4B Mx5'9 /,
 jX9wt0kuGZ89xhA/
 --- iSlatZrp3jzlFY4VXx5CPNk521dJwM4L3rEDL4mO9GM
 ¿¼ßS7?pú+÷è0÷‡íep0\ÏÞ€M©<4D>j®0¼»Zö<5A>ÔÉ<C394>ê]|zçKÚ³š"$EŽ›<u7«åÃšÿÀî
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,4 +7,5 @@ in
  "gitlab-runner-thoreb-telemetria-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
  "lelgenio-cachix.age".publicKeys = [ main_ssh_public_key ];
  "monolith-nix-serve-privkey.age".publicKeys = [ main_ssh_public_key ];
  "ghost-nextcloud.age".publicKeys = [ main_ssh_public_key ];
 }
--- a/system/secrets.nix
+++ b/system/secrets.nix
@ -1,6 +1,6 @@
 { pkgs, ... }: {
  age = {
-    identityPaths = [ "/home/lelgenio/.ssh/id_rsa" ];
+    identityPaths = [ "/home/lelgenio/.ssh/id_rsa" "/root/.ssh/id_rsa" ];
    secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age;
    secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.file =
      ../secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
@ -10,5 +10,11 @@
      ../secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
    secrets.monolith-nix-serve-privkey.file =
      ../secrets/monolith-nix-serve-privkey.age;
    secrets.ghost-nextcloud = {
      file = ../secrets/monolith-nix-serve-privkey.age;
      mode = "400";
      owner = "nextcloud";
      group = "nextcloud";
    };
  };
 }