host nomic: init

modules/nomic/default.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+let
+  location = pkgs.lib.nameValuePair; # TODO this is also in modules/tv/git/cgit.nix
+in
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./users.nix
+    ../tv/base.nix
+    ../tv/exim-retiolum.nix
+    ../tv/git/public.nix
+    ../tv/sanitize.nix
+    ../tv/smartd.nix
+    {
+      imports = [ ../tv/iptables ];
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "http"
+          "tinc"
+          "smtp"
+        ];
+      };
+    }
+    {
+      imports = [ ../tv/nginx ];
+      tv.nginx = {
+        enable = true;
+        retiolum-locations = [
+          (location "~ ^/~(.+?)(/.*)?\$" ''
+            alias /home/$1/public_html$2;
+          '')
+        ];
+      };
+    }
+    {
+      imports = [ ../tv/retiolum ];
+      tv.retiolum = {
+        enable = true;
+        hosts = <retiolum-hosts>;
+        connectTo = [
+          "gum"
+          "pigstarter"
+        ];
+      };
+    }
+  ];
+
+  boot.kernel.sysctl = {
+    # Enable IPv6 Privacy Extensions
+    "net.ipv6.conf.all.use_tempaddr" = 2;
+    "net.ipv6.conf.default.use_tempaddr" = 2;
+  };
+
+  networking = {
+    hostName = "nomic";
+    wireless.enable = true;
+  };
+
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+    ];
+  };
+}

modules/nomic/hardware-configuration.nix

@@ -0,0 +1,49 @@
+{ config, ... }:
+
+{
+  boot.initrd.luks = {
+    cryptoModules = [ "aes" "sha1" "xts" ];
+    devices = [
+      {
+        name = "luks1";
+        device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
+      }
+    ];
+  };
+
+  boot.initrd.availableKernelModules = [ "ahci" ];
+  boot.kernelModules = [ "kvm-intel" "wl" ];
+  boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
+
+  boot.loader.grub = {
+    device = "/dev/sda";
+    splashImage = null;
+  };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+      fsType = "btrfs";
+    };
+
+  swapDevices = [ ];
+
+  nix = {
+    buildCores = 2;
+    maxJobs = 2;
+    daemonIONiceLevel = 1;
+    daemonNiceLevel = 1;
+  };
+
+  # For config.boot.kernelPackages.broadcom_sta
+  nixpkgs.config.allowUnfree = true;
+}

modules/nomic/paths.nix

@@ -0,0 +1,12 @@
+{
+  lib.file.url = ../../lib;
+  modules.file.url = ../../modules;
+  nixpkgs.git = {
+    url = https://github.com/NixOS/nixpkgs;
+    rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90";
+    cache = ../../tmp/git-cache;
+  };
+  pubkeys.file.url = ../../pubkeys;
+  retiolum-hosts.file.url = ../../hosts;
+  secrets.file.url = ../../secrets/nomic/nix;
+}

modules/nomic/users.nix

@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    { users = import <secrets/users.nix>; }
+    {
+      users.extraUsers = {
+        root = {
+          openssh.authorizedKeys.keys = [
+            (pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>)
+          ];
+        };
+        tv = {
+          uid = 1337;
+          group = "users";
+          home = "/home/tv";
+          createHome = true;
+          useDefaultShell = true;
+          extraGroups = [
+            "audio"
+            "video"
+            "wheel"
+          ];
+          openssh.authorizedKeys.keys = [
+            (pkgs.lib.readFile <pubkeys/tv_wu.ssh.pub>)
+          ];
+        };
+      };
+    }
+  ];
+
+  users.defaultUserShell = "/run/current-system/sw/bin/bash";
+  users.mutableUsers = false;
+
+  security.setuidPrograms = [
+    "sendmail"  # for sudo
+  ];
+
+  security.sudo.extraConfig = ''
+    Defaults mailto="tv@wu.retiolum"
+  '';
+}