mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/nixos/configuration.nix

157 lines
4 KiB
Nix
Raw Normal View History

Define monzo-token-server as a root systemd service After I considered the security implications of calling `systemctl --user cat monzo-token-server`, I realized that monzo-token-server should be a root service instead of a user service. This service unit now also explicitly depends on briefcase.monzo_ynab.tokens, which is a big improvement.
2020-02-23 21:01:33 +01:00
{
pkgs ? import <nixpkgs> {},
briefcase ? import <briefcase> {},
...
}:
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
Expose secrets to Monzo / YNAB service Here is my first attempt to manage secrets when I deploy onto a NixOS machine. Background: When I develop, I use direnv, which reads an .envrc file in which I define my secrets. My secrets are read from `pass` using a pattern like this... ```shell secret_value="$(pass show path/to/secret)" ``` ...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which asks me for a password to authenticate. This means that when I cd into a directory with an .envrc file using this pattern, I may be prompted by GPG for a password. When I'm not, it's because gpg-agent is still caching my password. This works for development, but I currently do not know how to use direnv for deployments. Here is what I'm using until I find a more convenient solution: - Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets directory and its contents are only readable by root. - Use systemd's Environment and NixOS's builtins.readFile to read the files in /etc/secrets when I can `sudo nixos-rebuild`. Ideally I could call a function like `builtins.readFromPasswordStore` within configuration.nix. This would allow me to skip the step where I run... ```shell > ssh socrates > pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id > pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret > # etc ``` ...I don't know how to manage secrets using NixOS, but at least this is one answer.
2020-02-23 19:55:28 +01:00
let
trimNewline = x: pkgs.lib.removeSuffix "\n" x;
readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x));
in {
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
imports = [ ./hardware.nix ];
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
networking = {
hostName = "socrates";
# The global useDHCP flag is deprecated, therefore explicitly set to false
# here. Per-interface useDHCP will be mandatory in the future, so this
# generated config replicates the default behaviour.
useDHCP = false;
networkmanager.enable = true;
interfaces.enp2s0f1.useDHCP = true;
interfaces.wlp3s0.useDHCP = true;
firewall.allowedTCPPorts = [ 9418 80 443 ];
};
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
time.timeZone = "UTC";
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
programs.fish.enable = true;
programs.mosh.enable = true;
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
environment.systemPackages = with pkgs; [
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
curl
direnv
emacs26-nox
gnupg
htop
pass
vim
certbot
tree
git
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
];
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
users = {
# I need a git group to run the git server.
groups.git = {};
users.wpcarro = {
isNormalUser = true;
extraGroups = [ "git" "wheel" ];
shell = pkgs.fish;
};
users.git = {
group = "git";
isNormalUser = false;
};
};
nix = {
# Expose depot as <depot>, nixpkgs as <nixpkgs>
nixPath = [
"briefcase=/home/wpcarro/briefcase"
"depot=/home/wpcarro/depot"
"nixpkgs=/home/wpcarro/nixpkgs"
];
# Allow wpcarro to call nixos-rebuild
trustedUsers = [ "root" "wpcarro" ];
};
##############################################################################
# Services
##############################################################################
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
services.openssh.enable = true;
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
services.lorri.enable = true;
Define monzo-token-server as a root systemd service After I considered the security implications of calling `systemctl --user cat monzo-token-server`, I realized that monzo-token-server should be a root service instead of a user service. This service unit now also explicitly depends on briefcase.monzo_ynab.tokens, which is a big improvement.
2020-02-23 21:01:33 +01:00
systemd.services.monzo-token-server = {
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
enable = true;
description = "Ensure my Monzo access token is valid";
Define monzo-token-server as a root systemd service After I considered the security implications of calling `systemctl --user cat monzo-token-server`, I realized that monzo-token-server should be a root service instead of a user service. This service unit now also explicitly depends on briefcase.monzo_ynab.tokens, which is a big improvement.
2020-02-23 21:01:33 +01:00
script = "${briefcase.monzo_ynab.tokens}/bin/token-server";
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
Define monzo-token-server as a root systemd service After I considered the security implications of calling `systemctl --user cat monzo-token-server`, I realized that monzo-token-server should be a root service instead of a user service. This service unit now also explicitly depends on briefcase.monzo_ynab.tokens, which is a big improvement.
2020-02-23 21:01:33 +01:00
# TODO(wpcarro): I'm unsure of the size of this security risk, but if a
# non-root user runs `systemctl cat monzo-token-server`, they could read the
# following, sensitive environment variables.
Expose secrets to Monzo / YNAB service Here is my first attempt to manage secrets when I deploy onto a NixOS machine. Background: When I develop, I use direnv, which reads an .envrc file in which I define my secrets. My secrets are read from `pass` using a pattern like this... ```shell secret_value="$(pass show path/to/secret)" ``` ...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which asks me for a password to authenticate. This means that when I cd into a directory with an .envrc file using this pattern, I may be prompted by GPG for a password. When I'm not, it's because gpg-agent is still caching my password. This works for development, but I currently do not know how to use direnv for deployments. Here is what I'm using until I find a more convenient solution: - Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets directory and its contents are only readable by root. - Use systemd's Environment and NixOS's builtins.readFile to read the files in /etc/secrets when I can `sudo nixos-rebuild`. Ideally I could call a function like `builtins.readFromPasswordStore` within configuration.nix. This would allow me to skip the step where I run... ```shell > ssh socrates > pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id > pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret > # etc ``` ...I don't know how to manage secrets using NixOS, but at least this is one answer.
2020-02-23 19:55:28 +01:00
environment = {
Consume updated kv module Exposing store_path to the tokens module to support the newly updated kv module, which requires an explicit storePath parameter.
2020-02-23 21:00:04 +01:00
store_path = "/var/cache/monzo_ynab";
Expose secrets to Monzo / YNAB service Here is my first attempt to manage secrets when I deploy onto a NixOS machine. Background: When I develop, I use direnv, which reads an .envrc file in which I define my secrets. My secrets are read from `pass` using a pattern like this... ```shell secret_value="$(pass show path/to/secret)" ``` ...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which asks me for a password to authenticate. This means that when I cd into a directory with an .envrc file using this pattern, I may be prompted by GPG for a password. When I'm not, it's because gpg-agent is still caching my password. This works for development, but I currently do not know how to use direnv for deployments. Here is what I'm using until I find a more convenient solution: - Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets directory and its contents are only readable by root. - Use systemd's Environment and NixOS's builtins.readFile to read the files in /etc/secrets when I can `sudo nixos-rebuild`. Ideally I could call a function like `builtins.readFromPasswordStore` within configuration.nix. This would allow me to skip the step where I run... ```shell > ssh socrates > pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id > pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret > # etc ``` ...I don't know how to manage secrets using NixOS, but at least this is one answer.
2020-02-23 19:55:28 +01:00
monzo_client_id = readSecret "monzo-client-id";
monzo_client_secret = readSecret "monzo-client-secret";
ynab_personal_access_token = readSecret "ynab-personal-access-token";
ynab_account_id = readSecret "ynab-account-id";
ynab_budget_id = readSecret "ynab-budget-id";
};
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
serviceConfig = {
Change systemd unit type: oneshot -> simple "oneshot", according to `man systemd.service`, "will consider the unit up after the main process exits". Since I designed token-server to run continuously, it will not intentionally exit; therefore, systemd awaits its exit, which never comes. "simple", on the other hand, does what I want.
2020-02-23 20:32:52 +01:00
Type = "simple";
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
};
};
services.gitDaemon = {
enable = true;
basePath = "/srv/git";
exportAll = true;
repositories = [ "/srv/git/briefcase" ];
};
# Since I'm using this laptop as a server in my flat, I'd prefer to close its
# lid.
services.logind.lidSwitch = "ignore";
# Provision SSL certificates to support HTTPS connections.
security.acme.acceptTerms = true;
security.acme.certs."wpcarro.dev".email = "wpcarro@gmail.com";
services.nginx = {
enable = true;
enableReload = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
commonHttpConfig = ''
log_format json_combined escape=json
'{'
'"time_local":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status": "$status",'
'"body_bytes_sent":"$body_bytes_sent",'
'"request_time":"$request_time",'
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent"'
'}';
access_log syslog:server=unix:/dev/log json_combined;
'';
virtualHosts.blog = {
serverName = "blog.wpcarro.dev";
useACMEHost = "wpcarro.dev";
addSSL = true;
extraConfig = ''
location / {
proxy_pass http://localhost:80
}
'';
};
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
};
Incorporate NixOS configuration TL;DR: - Move /etc/nixos/configuration.nix -> //nixos/configuration.nix - Move /etc/nixos/hardware-configuration.nix -> //nixos/harware.nix - Document installer.nix - Create rebuild.nix wrapper around `sudo nixos-rebuild switch` Previously I sketched ideas for the configuration.nix for socrates -- also known as flattop -- the inexpensive Acer laptop residing in my flat and stored that configuration.nix file in briefcase. Now, however, I have successfully installed NixOS onto socrates. By default NixOS saves the configuration.nix and hardware-configuration.nix files to /etc/nixos/. I'm moving both of these files into briefcase. Because the command `nixos-rebuild` looks for the NixOS configuration file in /etc/nixos, I wrote rebuild.nix, which creates a program to call `nixos-rebuild` with the new location of my configuration.nix.
2020-02-22 19:44:44 +01:00
system.stateVersion = "20.09"; # Did you read the comment?
Support basic nixos/configuration.nix I'm attempting to configure an old Acer laptop that I bought at a used electronics store in Shepherd's Bush (~100GBP) as my server. I'd like to install NixOS on it. The configuration.nix herein defines a starting point for the configuration for that machine. It isn't currently working. Troubleshooting and solutions forthcoming...
2020-02-20 20:49:15 +01:00
}
Reference in a new issue Copy permalink