feat(packaging): Add host machine config

2025-07-17 03:04:19 +02:00 · 2025-07-17 03:04:19 +02:00 · cb8ee3f94d
commit cb8ee3f94d
parent e80a68a68d
9 changed files with 276 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -61,3 +61,5 @@ web_modules/
 [Rr]elease/

 result
+
+/configuration.nix
--- a/nix/host/README.md
+++ b/nix/host/README.md
@ -0,0 +1,5 @@
+Configuration of the vm hosting Kahulm.
+
+To redeploy pull the repo, update the hash of the dependencies if changed and apply with `nixos-rebuild switch`.
+
+Do not forgot to push your changes at the end.
--- a/nix/host/configuration.nix
+++ b/nix/host/configuration.nix
@ -0,0 +1,116 @@
+{
+  config,
+  ...
+}:
+let
+  sources = import ./lon.nix;
+  pkgs = import sources.nixpkgs { };
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./kahulm.nix
+  ];
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  nixpkgs.pkgs = pkgs;
+  nix = {
+    nixPath = [
+      "nixpkgs=${sources.nixpkgs}"
+      "nixos=${sources.nixpkgs}"
+      "nixos-config=/etc/nixos/configuration.nix"
+    ];
+    channel.enable = false;
+    settings.nix-path = config.nix.nixPath;
+    package = pkgs.lix;
+  };
+  documentation.nixos.enable = false; # they managed to make this fail the build...
+
+  networking = {
+    hostName = "kahulm";
+    useNetworkd = true;
+    nftables.enable = true;
+  };
+  systemd.network = {
+    enable = true;
+    networks."10-ens18" = {
+      name = "ens18";
+      address = [ "129.199.146.62/24" ];
+      routes = [
+        { Gateway = "129.199.146.254"; }
+      ];
+      dns = [
+        "129.199.96.11"
+        "129.199.162.16"
+        "129.199.98.16"
+      ];
+    };
+  };
+
+  time.timeZone = "Europe/Paris";
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "fr";
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    ##### DGNum #####
+
+    # catvayor
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFfIJ8BToZ9EDxBsEJXQhUju7gm+rUDjGCNMvFSZCl1o openpgp:0x5CADCA1B"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdOxx4I8BSbYPdouvuzDepwTwzQzGSBCNIV8TB5dduT openpgp:0xF6018131"
+    # mdebray
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
+    # thubrecht
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
+
+    ##### DGNum end #####
+
+    # Hubert
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRPO1Ynb1SUDlVpadqG5Lo9sWs7jlHolWTzHUq8x98a"
+    # Matthieu
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhwbuqaUSxuvaxYRaxM5jbMRHaB3JGdzuy1bMGX3YVk"
+  ];
+
+  environment = {
+    variables.EDITOR = "nvim";
+    systemPackages = with pkgs; [
+      wget
+      btop
+      dig
+      git
+      htop
+      tcpdump
+      lon
+    ];
+  };
+
+  programs = {
+    neovim = {
+      enable = true;
+      vimAlias = true;
+    };
+    mosh.enable = true;
+  };
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      LoginGraceTime = "30";
+      MaxSessions = "64";
+      MaxStartups = "64";
+      PasswordAuthentication = false;
+    };
+  };
+
+  system.stateVersion = "25.05";
+}
--- a/nix/host/hardware-configuration.nix
+++ b/nix/host/hardware-configuration.nix
@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/ca584130-c1c6-4ffd-abc7-808c810690ad";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/7251-09E2";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/nix/host/kahulm.nix
+++ b/nix/host/kahulm.nix
@ -0,0 +1,44 @@
+let
+  host = "kahulm.dgnum.eu";
+  port = 3009;
+in
+{
+  imports = [ ../module.nix ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@dgnum.eu";
+  };
+
+  services = {
+    kahulm = {
+      inherit port;
+      enable = true;
+      baseUrl = "https://${host}";
+      sessionSecretFile = "/etc/secrets/kahulm-session-secret";
+    };
+
+    nginx = {
+      enable = true;
+      recommendedBrotliSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedZstdSettings = true;
+
+      virtualHosts.${host} = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString port}";
+        };
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
--- a/nix/host/lon.lock
+++ b/nix/host/lon.lock
@ -0,0 +1,15 @@
+{
+  "version": "1",
+  "sources": {
+    "nixpkgs": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "NixOS",
+      "repo": "nixpkgs",
+      "branch": "nixos-25.05",
+      "revision": "88983d4b665fb491861005137ce2b11a9f89f203",
+      "url": "https://github.com/NixOS/nixpkgs/archive/88983d4b665fb491861005137ce2b11a9f89f203.tar.gz",
+      "hash": "sha256-7orTnNqkGGru8Je6Un6mq1T8YVVU/O5kyW4+f9C1mZQ="
+    }
+  }
+}
--- a/nix/host/lon.nix
+++ b/nix/host/lon.nix
@ -0,0 +1,53 @@
+# Generated by lon. Do not modify!
+let
+
+  lock = builtins.fromJSON (builtins.readFile ./lon.lock);
+
+  # Override with a path defined in an environment variable. If no variable is
+  # set, the original path is used.
+  overrideFromEnv =
+    name: path:
+    let
+      replacement = builtins.getEnv "LON_OVERRIDE_${name}";
+    in
+    if replacement == "" then
+      path
+    else
+    # this turns the string into an actual Nix path (for both absolute and
+    # relative paths)
+    if builtins.substring 0 1 replacement == "/" then
+      /. + replacement
+    else
+      /. + builtins.getEnv "PWD" + "/${replacement}";
+
+  fetchSource =
+    args@{ fetchType, ... }:
+    if fetchType == "git" then
+      builtins.fetchGit (
+        {
+          url = args.url;
+          ref = args.branch;
+          rev = args.revision;
+          narHash = args.hash;
+          submodules = args.submodules;
+        }
+        // (
+          if args ? lastModified then
+            {
+              inherit (args) lastModified;
+              shallow = true;
+            }
+          else
+            { }
+        )
+      )
+    else if fetchType == "tarball" then
+      builtins.fetchTarball {
+        url = args.url;
+        sha256 = args.hash;
+      }
+    else
+      builtins.throw "Unsupported source type ${fetchType}";
+
+in
+builtins.mapAttrs (name: args: overrideFromEnv name (fetchSource args)) lock.sources
--- a/nix/module.nix
+++ b/nix/module.nix
--- a/nix/package.nix
+++ b/nix/package.nix
@ -16,15 +16,15 @@ stdenv.mkDerivation rec {
  src =
    with lib.fileset;
    toSource {
-      root = ./.;
-      fileset = intersection (gitTracked ./.) (
-        fileFilter (file: !file.hasExt "nix") ./.
+      root = ./..;
+      fileset = intersection (gitTracked ./..) (
+        fileFilter (file: !file.hasExt "nix") ./..
      );
    };

  offlineCache = fetchYarnDeps {
    yarnLock = "${src}/yarn.lock";
-    hash = "sha256-TYvDmRhdYhp5yie6TXGw1p1lB9ToKN0h8Pqmt9RXyVw=";
+    hash = "sha256-NH3uckI1M+/WKs7XPWoFYhVv1eOl7II1PrRYf7LbutM=";
  };

  nativeBuildInputs = [