summaryrefslogtreecommitdiffstats
path: root/modules/cd/default.nix
blob: b36355671352cd3f1fa39222dc3cdf0b7312dd96 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
{ pkgs, ... }:

let
  inherit (builtins) readFile;
in

{
  imports =
    [
      { users.extraUsers = import <secrets/extraUsers.nix>; }
      ./networking.nix
      ./users.nix
      ../tv/base.nix
      ../tv/base-cac-CentOS-7-64bit.nix
      ../tv/ejabberd.nix # XXX echtes modul
      ../tv/exim-smarthost.nix
      ../tv/git/public.nix
      ../tv/sanitize.nix
      {
        imports = [ ../tv/iptables ];
        tv.iptables = {
          enable = true;
          input-internet-accept-new-tcp = [
            "ssh"
            "tinc"
            "smtp"
            "xmpp-client"
            "xmpp-server"
          ];
          input-retiolum-accept-new-tcp = [
            "http"
          ];
        };
      }
      {
        imports = [ ../tv/retiolum ];
        tv.retiolum = {
          enable = true;
          hosts = <retiolum-hosts>;
          connectTo = [
            "fastpoke"
            "pigstarter"
            "ire"
          ];
        };
      }
    ];

  # "Developer 2" plan has two vCPUs.
  nix.maxJobs = 2;

  environment.systemPackages = with pkgs; [
    git # required for ./deploy, clone_or_update
    htop
    iftop
    iotop
    iptables
    mutt    # for mv
    nethogs
    rxvt_unicode.terminfo
    tcpdump
  ];

  services.ejabberd-cd = {
    enable = true;
  };

  services.journald.extraConfig = ''
    SystemMaxUse=1G
    RuntimeMaxUse=128M
  '';

  services.openssh = {
    enable = true;
    hostKeys = [
      # XXX bits here make no science
      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
    ];
    permitRootLogin = "yes";
  };

  sound.enable = false;
}