- flake.nix exposes a devShell (openstackclient, opentofu, sops, age) plus
nixosConfigurations.watcher (runtime) and packages.watcher-image (QCOW2
via nixos-generators / openstack format).
- hosts/watcher/default.nix: SSH-only base, tyro user with key auth, root
SSH disabled, trusted-users set so laptop closure pushes work.
- modules/website.nix: Caddy serves tyrolize.ch from sites/tyrolize.ch/;
lize.ch 301-redirects; firewall opens 80/443. Let's Encrypt via HTTP-01.
- terraform/infomaniak/: OpenStack provider, security group (22/80/443),
keypair, compute instance booted from the uploaded image. Auth via OS_*
env vars sourced from terraform/infomaniak/.env by the devShell hook.
- scripts/build-image.sh + scripts/deploy.sh.
- dns/{tyrolize,lize}.ch.zone: full BIND zone files for the advanced view
in Infomaniak DNS Manager; preserves kSuite mail records on lize.ch.
Watcher live at 195.15.203.200 (IPv6 2001:1600:10:100::b4e), NixOS 25.05.
HTTPS confirmed working on both domains.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
65 lines
1.7 KiB
Nix
{ config, lib, pkgs, ... }: {
|
|
imports = [
|
|
../../modules/website.nix
|
|
];
|
|
|
|
# Boot, disk layout, and cloud-init are provided by:
|
|
# - openstack-config.nix (for nixos-rebuild on the live box), or
|
|
# - openstack-image.nix (when building the QCOW2 image)
|
|
# Both are wired in flake.nix.
|
|
|
|
system.stateVersion = "25.05";
|
|
|
|
networking.hostName = "watcher";
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowedTCPPorts = [ 22 ]; # services like 80/443 added as they come online
|
|
};
|
|
|
|
time.timeZone = "Europe/Zurich";
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
users.mutableUsers = false;
|
|
users.users.tyro = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" ];
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHC7oEcIquy/HWSHjA9N62FVKA6js4aOWu9q41Qp3nNj tyrolize@nixos"
|
|
];
|
|
};
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
# openstack-config.nix defaults this to "prohibit-password" so cloud-init can
|
|
# inject the OpenStack keypair into root. We don't need it: the same key is
|
|
# already in users.users.tyro via the flake. Hard-disable root SSH.
|
|
PermitRootLogin = lib.mkForce "no";
|
|
};
|
|
};
|
|
|
|
security.sudo.wheelNeedsPassword = false;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
vim
|
|
git
|
|
htop
|
|
tmux
|
|
curl
|
|
wget
|
|
];
|
|
|
|
nix.settings = {
|
|
experimental-features = [ "nix-command" "flakes" ];
|
|
# Allow the tyro user to push pre-built closures from the laptop via
|
|
# `nixos-rebuild --target-host` without re-signing every store path.
|
|
trusted-users = [ "root" "@wheel" ];
|
|
};
|
|
nix.gc = {
|
|
automatic = true;
|
|
dates = "weekly";
|
|
options = "--delete-older-than 14d";
|
|
};
|
|
}
|
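Review bot: `security.sudo.wheelNeedsPassword = false;` combined with `trusted-users = [ "root" "@wheel" ];` makes possession of the single authorized ed25519 key equivalent to root on the host, with no second secret between an SSH login as tyro and a root shell; because `users.mutableUsers = false;` and tyro has no `hashedPassword`/`hashedPasswordFile`, there is currently no password that sudo could ask for. If passwordless sudo is required for `nixos-rebuild --target-host` deploys, state that in a comment above the `wheelNeedsPassword` line, and consider giving tyro a `hashedPasswordFile` (sops and age are already in the devShell per the description) so `wheelNeedsPassword` can later be turned back on. `trusted-users` could also be narrowed to `[ "root" "tyro" ]` so that any future wheel member does not automatically gain store-trust on the daemon. Separately, the comment on `allowedTCPPorts` (`# services like 80/443 added as they come online`) is already stale given that the description says modules/website.nix opens 80/443 — `# 80/443 are opened by modules/website.nix` would match the actual state.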