feat(luna): additional configuration

flake.nix

@@ -4,9 +4,10 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     impermanence.url = "github:nix-community/impermanence";
+    agenix.url = "github:ryantm/agenix";
   };
 
-  outputs = inputs @ { self, nixpkgs, impermanence, ... }: rec {
+  outputs = inputs @ { self, nixpkgs, impermanence, agenix, ... }: rec {
     imports = [
       ./configuration.nix
     ];
@@ -16,6 +17,7 @@
       modules = [
         ./hosts/orion
         impermanence.nixosModules.impermanence
+        agenix.nixosModules.default
       ];
     };
     nixosConfigurations.luna = nixpkgs.lib.nixosSystem {
@@ -24,6 +26,7 @@
       modules = [
         ./hosts/luna
         impermanence.nixosModules.impermanence
+        agenix.nixosModules.default
       ];
     };
   };

hosts/luna/modules/default.nix

@@ -1,7 +1,12 @@
 { config, pkgs, lib, ... }:
 
 {
-  # imports = [ ];
+  imports = [
-  # ...
+    ./services
-  # TODO: Actually get these configs in place
+    ./nix.nix
+    ./networking.nix
+    ./programs.nix
+    ./user.nix
+    ./virtualisation.nix
+  ];
 }

hosts/luna/modules/networking.nix

@@ -3,8 +3,8 @@
 let
   hostname = "luna";
   networks_dhcp_use_dns = "no";
-  networks_dhcp = "yes";
+  networks_dhcp = "ipv4";
-  networks_multicast_dns = "yes";
+  networks_multicast_dns = "no";
   networks_ipv6_privacy = "yes";
   networks_ipv6_accept_ra = "yes";
   networks_network_config = {
@@ -40,7 +40,7 @@ in
         };
       };
       "10-ethernet" = {
-        matchConfig.name = [ "en*" "eth*" ];
+        matchConfig.Name = [ "en*" "eth*" ];
         networkConfig = networks_network_config;
         dhcpV4Config = {
           RouteMetric = 100;
@@ -52,7 +52,7 @@ in
         };
       };
       "10-wwan" = {
-        matchConfig.name = [ "ww*" ];
+        matchConfig.Name = [ "ww*" ];
         networkConfig = networks_network_config;
         dhcpV4Config = {
           RouteMetric = 700;
@@ -70,7 +70,7 @@ in
   services.resolved = {
     enable = true;
     dnssec = "allow-downgrade";
-    domains = resolved_nameservers;
+    domains = [ "~." ];
     fallbackDns = resolved_fallback_nameservers;
     llmnr = "resolve";
     extraConfig = ''
@@ -78,11 +78,19 @@ in
       DNSOverTLS=yes
       CacheFromLocalhost=no
       Cache=yes
-      Domains=~.
     '';
   };
   networking = {
+    nameservers = resolved_nameservers;
+    nftables.enable = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+        2200
+      ];
+    };
     hostName = "${hostname}";
   };
-
 }

hosts/luna/modules/programs.nix

@@ -12,6 +12,10 @@
   };
 
   environment.systemPackages = with pkgs; [
-    "vim"
+    vim
+    curl
+    git
+    jq
+    rsync
   ];
 }

hosts/luna/modules/services/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./openssh.nix
+    ./fail2ban.nix
+    # ./gitlab.nix
+    # ./nginx.nix
+  ];
+}

hosts/luna/modules/services/fail2ban.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+  };
+}

hosts/luna/modules/services/gitlab.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  services.gitlab = {
+    enable = true;
+    port = 80;
+    databasePasswordFile = pkgs.writeText "dbPassword" "test123";
+    initialRootPasswordFile = pkgs.writeText "rootPassword" "test123";
+    secrets = rec {
+      secretFile = pkgs.writeText "secret" "Aig5zaic";
+      otpFile = pkgs.writeText "otpsecret" "Riew9mue";
+      dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
+      jwsFile = pkgs.runCommand "oidcKeyBase" { } "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+    };
+  };
+}

hosts/luna/modules/services/nginx.nix

@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "gitlab.orion-technologies.io" = {
+        locations."/".proxyPass = "http://unix:/var/gitlab/state/tmp/sockets/gitlab.socket";
+        forceSSL = true;
+        enableACME = true;
+        root = "/var/www/gitlab";
+      };
+    };
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "price@orion-technologies.io";
+  };
+}

hosts/luna/modules/services/openssh.nix

@@ -1,12 +1,10 @@
-{ pkgs, ... }:
+{ ... }:
-
 {
   services.openssh = {
     enable = true;
     settings = {
-      passwordAuthentication = false;
+      PasswordAuthentication = false;
       PermitRootLogin = "prohibit-password";
-      startWhenNeeded = true;
     };
     ports = [
       2200

hosts/luna/modules/user.nix

@@ -1,8 +1,5 @@
 { pkgs, user, ... }:
 
-let
- user = "price";
-in
 {
   users.users = {
     root = {

hosts/luna/modules/virtualisation.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  virtualisation.docker = {
+    enable = true;
+    autoPrune.enable = true;
+  };
+}

hosts/luna/os/filesystem.nix

@@ -38,21 +38,6 @@
         "/etc/machine-id"
         "/etc/nix/id_rsa"
       ];
-      users.price = {
-        directories = [
-          "Git"
-          "ISOs"
-          "Downloads"
-          "Keep"
-          "Notes"
-          ".local/share"
-          { directory = ".gnupg"; mode = "0700"; }
-          { directory = ".ssh"; mode = "0700"; }
-        ];
-        files = [
-          ".zsh_history"
-        ];
-      };
     };
   };
 }