nixos/networking: fix extraHosts generation

The SSH host key files are already defined in the OpenSSH module, so
there is no need to persist them with impermanence.nix.

lib/default.nix

@@ -1,11 +1,11 @@
 rec {
-  toList = x: if builtins.isList x then x else [ x ];
+  attrsToList = mapAttrsToList nameValuePair;
-
-  nameValuePair = name: value: { inherit name value; };
 
   mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
 
-  attrsToList = mapAttrsToList nameValuePair;
+  nameValuePair = name: value: { inherit name value; };
+
+  toList = x: if builtins.isList x then x else [ x ];
 
   getSSHKeys =
     username:

nixos/common.nix

@@ -99,10 +99,7 @@ in
 
     extraHosts =
       let
-        subdomains = [
+        subdomains = [ "git" ];
-          "git"
-          "auth"
-        ];
 
         inherit (config.networking) fqdn;
         hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;

nixos/hardware.nix

@@ -15,10 +15,7 @@
       "xhci_pci"
     ];
 
-    kernelModules = [
+    kernelModules = [ "kvm-intel" ];
-      "kvm-amd"
-      "kvm-intel"
-    ];
   };
 
   hardware = {

nixos/modules/authelia.nix

@@ -1,136 +0,0 @@
-{ config, ... }:
-let
-  inherit (config.networking) fqdn;
-
-  acmeEnabled = config.acme.enable;
-in
-{
-  services.authelia.instances.main = {
-    enable = true;
-
-    secrets = {
-      jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
-      storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
-      sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
-    };
-
-    settings = {
-      theme = "dark";
-      default_redirection_url = "https://${fqdn}"; # HAS to be httpS
-
-      server.address = "127.0.0.1:3001";
-
-      log = {
-        level = "debug";
-        format = "text";
-      };
-
-      authentication_backend = {
-        file = {
-          path = "/var/lib/authelia-main/users_database.yml";
-        };
-      };
-
-      access_control = {
-        default_policy = "deny";
-        rules = [
-          {
-            domain = [ "auth.${fqdn}" ];
-            policy = "bypass";
-          }
-          {
-            domain = [ "*.${fqdn}" ];
-            policy = "one_factor";
-          }
-        ];
-      };
-
-      session = {
-        name = "authelia_session";
-        expiration = "12h";
-        inactivity = "45m";
-        remember_me = "1M";
-        domain = "${fqdn}";
-        redis.host = "/run/redis-authelia-main/redis.sock";
-      };
-
-      regulation = {
-        max_retries = 3;
-        find_time = "5m";
-        ban_time = "15m";
-      };
-
-      storage = {
-        local = {
-          path = "/var/lib/authelia-main/db.sqlite3";
-        };
-      };
-
-      notifier = {
-        disable_startup_check = false;
-        filesystem = {
-          filename = "/var/lib/authelia-main/notification.txt";
-        };
-      };
-    };
-  };
-
-  services.redis.servers.authelia-main = {
-    enable = true;
-    user = "authelia-main";
-    port = 0;
-    unixSocket = "/run/redis-authelia-main/redis.sock";
-    unixSocketPerm = 600;
-  };
-
-  # services.openldap = {
-  #   enable = true;
-
-  #   # enable plain connections only
-  #   urlList = [ "ldap:///" ];
-
-  #   settings = {
-  #     attrs = {
-  #       olcLogLevel = "conns config";
-  #     };
-
-  #     children = {
-  #       # "cn=schema".includes = [
-  #       #   "${pkgs.openldap}/etc/schema/core.ldif"
-  #       #   "${pkgs.openldap}/etc/schema/cosine.ldif"
-  #       #   "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-  #       # ];
-
-  #       "olcDatabase={1}mdb".attrs = {
-  #         objectClass = [
-  #           "olcDatabaseConfig"
-  #           "olcMdbConfig"
-  #         ];
-
-  #         olcDatabase = "{1}mdb";
-  #         olcDbDirectory = "/var/lib/openldap/data";
-
-  #         olcSuffix = "dc=example,dc=com";
-
-  #         # your admin account, do not use writeText on a production system
-  #         olcRootDN = "cn=admin,dc=example,dc=com";
-  #         olcRootPW.path = builtins.roFile "olcRootPW" "pass";
-
-  #         olcAccess = [
-  #           # custom access rules for userPassword attributes
-  #           ''
-  #             {0}to attrs=userPassword
-  #                           by self write
-  #                           by anonymous auth
-  #                           by * none''
-
-  #           # allow read on anything else
-  #           ''
-  #             {1}to *
-  #                           by * read''
-  #         ];
-  #       };
-  #     };
-  #   };
-  # };
-}

nixos/modules/default.nix

@@ -1,7 +1,6 @@
 {
   imports = [
     ./acme.nix
-    ./authelia.nix
     ./dns.nix
     ./fail2ban.nix
     ./gitea.nix

nixos/modules/nginx.nix

@@ -3,20 +3,13 @@ let
   inherit (config.networking) fqdn;
 
   mkVhost =
-    attrs: locations:
+    attrs:
     let
       acmeEnabled = config.acme.enable;
     in
     {
       forceSSL = acmeEnabled;
       useACMEHost = if acmeEnabled then fqdn else null;
-
-      locations = {
-        "= /robots.txt" = {
-          alias = disallowedRobotsTxt;
-        };
-      }
-      // locations;
     }
     // attrs;
 
@@ -28,19 +21,6 @@ let
       proxy_request_buffering off;
     '';
   };
-
-  mkSsi = webRoot: {
-    root = webRoot;
-
-    extraConfig = ''
-      ssi on;
-    '';
-  };
-
-  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
-    User-agent: *
-    Disallow: /
-  '';
 in
 {
   services.nginx = {
@@ -52,19 +32,21 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    virtualHosts = {
+    virtualHosts."${fqdn}" = mkVhost {
-      "${fqdn}" = mkVhost { default = true; } {
+      default = true;
-        "/" = mkSsi "${self.pins.website}/web-root";
-      };
 
-      "git.${fqdn}" = mkVhost { } {
+      locations."/" = {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+        root = "${self.pins.website}/web-root";
-      };
 
-      "auth.${fqdn}" = mkVhost { } {
+        extraConfig = ''
-        "/" = mkProxy 3001;
+          ssi on;
+        '';
       };
     };
+
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+    };
   };
 
   networking.firewall.allowedTCPPorts = [

nixos/users.nix

@@ -45,21 +45,8 @@ lib.recursiveUpdate
     (lib.attrsToList users)
   ).options
   {
-    users = {
+    users.users.root = {
-      motd = ''
+      initialPassword = "tuxcord";
-                  __                                          __                      __
+      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-        ---------/\ \__                                      /\ \                    /\ \__
-        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
-        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
-        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
-        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
-                                                    A friendly Linux community - est. July 2023
-      '';
-
-      users.root = {
-        initialPassword = "tuxcord";
-        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-      };
     };
   }