modules/cd/default.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

{ pkgs, ... }:

let
  inherit (builtins) readFile;
in

{
  imports =
    [
      <secrets/hashedPasswords.nix>
      ./iptables.nix
      ./networking.nix
      ./users.nix
      ../common/nixpkgs.nix
      ../tv/base.nix
      ../tv/base-cac-CentOS-7-64bit.nix
      ../tv/ejabberd.nix # XXX echtes modul
      ../tv/exim-smarthost.nix
      ../tv/git/public.nix
      ../tv/retiolum.nix
      ../tv/sanitize.nix
    ];

  # "Developer 2" plan has two vCPUs.
  nix.maxJobs = 2;

  nixpkgs = {
    url = "https://github.com/NixOS/nixpkgs";
    rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
  };

  environment.systemPackages = with pkgs; [
    git # required for ./deploy, clone_or_update
    htop
    iftop
    iotop
    iptables
    mutt    # for mv
    nethogs
    rxvt_unicode.terminfo
    tcpdump
  ];

  security.rtkit.enable = false;

  services.cron.enable = false;

  services.ejabberd-cd = {
    enable = true;
  };

  services.journald.extraConfig = ''
    SystemMaxUse=1G
    RuntimeMaxUse=128M
  '';

  services.ntp.enable = false;

  services.openssh = {
    enable = true;
    hostKeys = [
      # XXX bits here make no science
      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
    ];
    permitRootLogin = "yes";
  };

  services.retiolum = {
    enable = true;
    hosts = <retiolum-hosts>;
    privateKeyFile = "/etc/nixos/secrets/cd.retiolum.rsa_key.priv";
    connectTo = [
      "fastpoke"
      "pigstarter"
      "ire"
    ];
  };

  sound.enable = false;
}