nixos/impermanence: remove ssh host key persistence

The SSH host key files are already defined in the OpenSSH module, so
there is no need to persist them with impermanence.nix.

agenix/secrets.nix

@@ -21,5 +21,5 @@ in
   map (user: {
     name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
     value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
-  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
+  }) (builtins.filter (user: user.value.options.ddns or false) (attrsToList users))
 )

lib/default.nix

@@ -1,24 +1,21 @@
 rec {
-  toList = x: if builtins.isList x then x else [ x ];
+  users = import ./users.nix;
 
-  nameValuePair = name: value: { inherit name value; };
+  adminSSHKeys = builtins.concatLists (
-
+    map (user: getSSHKeys user.name) (
-  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
+      builtins.filter (user: user.value.options.admin or false) (attrsToList users)
+    )
+  );
 
   attrsToList = mapAttrsToList nameValuePair;
+  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
+  nameValuePair = name: value: { inherit name value; };
+  toList = x: if builtins.isList x then x else [ x ];
 
   getSSHKeys =
     username:
     if (builtins.hasAttr "ssh" users.${username}) then
       toList users.${username}.ssh
     else
-      builtins.warn "user ${username} declared without ssh keys" [ ];
+      builtins.warn "user ${username} declared without ssh key" [ ];
-
-  users = import ./users.nix;
-
-  adminSSHKeys = builtins.concatLists (
-    map (user: getSSHKeys user.name) (
-      builtins.filter (user: user.value.admin or false) (attrsToList users)
-    )
-  );
 }

lib/users.nix

@@ -1,19 +1,23 @@
 {
   error = {
     ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-    admin = true;
+    options = {
-    ddns = true;
+      admin = true;
+      ddns = true;
+    };
   };
 
   javalsai = {
     ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
-    admin = true;
+    options = {
-    ddns = true;
+      admin = true;
+      ddns = true;
+    };
   };
 
   max = {
     ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-    admin = true;
+    options.admin = true;
   };
 
   vectorum = {

nixos/common.nix

@@ -100,17 +100,21 @@ in
     extraHosts =
       let
         subdomains = [
-          "git"
+          ""
-          "auth"
+          ".git"
         ];
-
-        inherit (config.networking) fqdn;
-        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
       in
-      lib.concatMapStrings (host: ''
+      builtins.foldl' (
-        127.0.0.1 ${host}
+        hosts-acc: domain-prefix:
-        ::1 ${host}
+        let
-      '') hosts;
+          host = "${domain-prefix}${config.networking.fqdn}";
+        in
+        hosts-acc
+        + ''
+          127.0.0.1 ${host}
+          ::1 ${host}
+        ''
+      ) "" subdomains;
   };
 
   virtualisation.podman.enable = true;

nixos/hardware.nix

@@ -15,10 +15,7 @@
       "xhci_pci"
     ];
 
-    kernelModules = [
+    kernelModules = [ "kvm-intel" ];
-      "kvm-amd"
-      "kvm-intel"
-    ];
   };
 
   hardware = {

nixos/hosts/tuxcord-acmetest/default.nix

@@ -1,14 +1,11 @@
 {
-  imports = [
+  acme = {
-    ./storage.nix
+    enable = true;
-  ];
+    rfc2136.nameserver = "tuxcord.net";
+  };
 
-  networking.fqdn = "nix.tuxcord.net";
-
-  acme.rfc2136.nameserver = "tuxcord.net";
   dns.enable = true;
-
+  networking.fqdn = "nix.tuxcord.net";
-  services.getty.autologinUser = "root";
 
   time.timeZone = "Europe/Madrid";
 }

nixos/hosts/tuxcord-acmetest/storage.nix

@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}

nixos/hosts/tuxcord-ca/storage.nix

@@ -32,7 +32,6 @@
         device = "/dev/xvda2";
         fsType = "btrfs";
         options = [ "subvol=@persist" ] ++ defaultOptions;
-        neededForBoot = true;
       };
     };
 }

nixos/hosts/tuxcord-test/default.nix

@@ -1,12 +1,6 @@
 {
-  imports = [
-    ./storage.nix
-  ];
-
-  networking.fqdn = "tuxcord.test";
-
   acme.enable = false;
   dns.enable = true;
 
-  services.getty.autologinUser = "root";
+  networking.fqdn = "tuxcord.test";
 }

nixos/hosts/tuxcord-test/storage.nix

@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}

nixos/impermanence.nix

@@ -55,6 +55,8 @@
     };
   };
 
+  fileSystems."/persist".neededForBoot = true;
+
   environment.persistence."/persist" = {
     enable = true;
     hideMounts = true;

nixos/modules/authelia.nix

@@ -1,136 +0,0 @@
-{ config, ... }:
-let
-  inherit (config.networking) fqdn;
-
-  acmeEnabled = config.acme.enable;
-in
-{
-  services.authelia.instances.main = {
-    enable = true;
-
-    secrets = {
-      jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
-      storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
-      sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
-    };
-
-    settings = {
-      theme = "dark";
-      default_redirection_url = "https://${fqdn}"; # HAS to be httpS
-
-      server.address = "127.0.0.1:3001";
-
-      log = {
-        level = "debug";
-        format = "text";
-      };
-
-      authentication_backend = {
-        file = {
-          path = "/var/lib/authelia-main/users_database.yml";
-        };
-      };
-
-      access_control = {
-        default_policy = "deny";
-        rules = [
-          {
-            domain = [ "auth.${fqdn}" ];
-            policy = "bypass";
-          }
-          {
-            domain = [ "*.${fqdn}" ];
-            policy = "one_factor";
-          }
-        ];
-      };
-
-      session = {
-        name = "authelia_session";
-        expiration = "12h";
-        inactivity = "45m";
-        remember_me = "1M";
-        domain = "${fqdn}";
-        redis.host = "/run/redis-authelia-main/redis.sock";
-      };
-
-      regulation = {
-        max_retries = 3;
-        find_time = "5m";
-        ban_time = "15m";
-      };
-
-      storage = {
-        local = {
-          path = "/var/lib/authelia-main/db.sqlite3";
-        };
-      };
-
-      notifier = {
-        disable_startup_check = false;
-        filesystem = {
-          filename = "/var/lib/authelia-main/notification.txt";
-        };
-      };
-    };
-  };
-
-  services.redis.servers.authelia-main = {
-    enable = true;
-    user = "authelia-main";
-    port = 0;
-    unixSocket = "/run/redis-authelia-main/redis.sock";
-    unixSocketPerm = 600;
-  };
-
-  # services.openldap = {
-  #   enable = true;
-
-  #   # enable plain connections only
-  #   urlList = [ "ldap:///" ];
-
-  #   settings = {
-  #     attrs = {
-  #       olcLogLevel = "conns config";
-  #     };
-
-  #     children = {
-  #       # "cn=schema".includes = [
-  #       #   "${pkgs.openldap}/etc/schema/core.ldif"
-  #       #   "${pkgs.openldap}/etc/schema/cosine.ldif"
-  #       #   "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-  #       # ];
-
-  #       "olcDatabase={1}mdb".attrs = {
-  #         objectClass = [
-  #           "olcDatabaseConfig"
-  #           "olcMdbConfig"
-  #         ];
-
-  #         olcDatabase = "{1}mdb";
-  #         olcDbDirectory = "/var/lib/openldap/data";
-
-  #         olcSuffix = "dc=example,dc=com";
-
-  #         # your admin account, do not use writeText on a production system
-  #         olcRootDN = "cn=admin,dc=example,dc=com";
-  #         olcRootPW.path = builtins.roFile "olcRootPW" "pass";
-
-  #         olcAccess = [
-  #           # custom access rules for userPassword attributes
-  #           ''
-  #             {0}to attrs=userPassword
-  #                           by self write
-  #                           by anonymous auth
-  #                           by * none''
-
-  #           # allow read on anything else
-  #           ''
-  #             {1}to *
-  #                           by * read''
-  #         ];
-  #       };
-  #     };
-  #   };
-  # };
-}

nixos/modules/default.nix

@@ -1,7 +1,6 @@
 {
   imports = [
     ./acme.nix
-    ./authelia.nix
     ./dns.nix
     ./fail2ban.nix
     ./gitea.nix

nixos/modules/nginx.nix

@@ -1,46 +1,21 @@
-{ config, self, ... }:
+{ config, ... }:
 let
   inherit (config.networking) fqdn;
 
   mkVhost =
-    attrs: locations:
+    attrs:
     let
       acmeEnabled = config.acme.enable;
     in
     {
       forceSSL = acmeEnabled;
       useACMEHost = if acmeEnabled then fqdn else null;
-
-      locations = {
-        "= /robots.txt" = {
-          alias = disallowedRobotsTxt;
-        };
-      }
-      // locations;
     }
     // attrs;
 
   mkProxy = port: {
     proxyPass = "http://127.0.0.1:${toString port}/";
-
-    extraConfig = ''
-      proxy_buffering off;
-      proxy_request_buffering off;
-    '';
   };
-
-  mkSsi = webRoot: {
-    root = webRoot;
-
-    extraConfig = ''
-      ssi on;
-    '';
-  };
-
-  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
-    User-agent: *
-    Disallow: /
-  '';
 in
 {
   services.nginx = {
@@ -52,18 +27,14 @@ in
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
 
-    virtualHosts = {
+    # services.nginx.virtualHosts."${fqdn}" = {
-      "${fqdn}" = mkVhost { default = true; } {
+    #   addSSL = true;
-        "/" = mkSsi "${self.pins.website}/web-root";
+    #   root = "/var/www/myhost.org";
-      };
+    #   default = true;
+    # };
 
-      "git.${fqdn}" = mkVhost { } {
+    virtualHosts."git.${fqdn}" = mkVhost {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
-      };
-
-      "auth.${fqdn}" = mkVhost { } {
-        "/" = mkProxy 3001;
-      };
     };
   };
 

nixos/openssh.nix

@@ -4,7 +4,6 @@
 
     settings = {
       ClientAliveInterval = 300;
-      X11Forwarding = true;
 
       KbdInteractiveAuthentication = false;
       PasswordAuthentication = false;

nixos/users.nix

@@ -11,30 +11,35 @@ let
     "wheel"
   ];
 
-  mkUser = name: uid: admin: {
+  mkUser =
-    users.users.${name} = {
+    name: uid: options:
-      inherit uid;
+    let
-      isNormalUser = true;
+      admin = options.admin or false;
-      extraGroups = lib.optionals admin adminGroups;
+    in
-      openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
+    {
-    };
+      users.users.${name} = {
+        inherit uid;
+        isNormalUser = true;
+        extraGroups = lib.optionals admin adminGroups;
+        openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
+      };
 
-    systemd.slices."user-${builtins.toString uid}".sliceConfig = {
+      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
-      CPUQuota = "50%";
+        CPUQuota = "50%";
-      CPUWeight = "10";
+        CPUWeight = "10";
-      IOAccounting = true;
+        IOAccounting = true;
-      IOWeight = "10";
+        IOWeight = "10";
-      MemoryMax = "2G";
+        MemoryMax = "2G";
-      MemorySwapMax = "1G";
+        MemorySwapMax = "1G";
-      TasksMax = "100";
+        TasksMax = "100";
+      };
     };
-  };
 in
 lib.recursiveUpdate
   (builtins.foldl'
     (attrs: user: {
       options = lib.recursiveUpdate attrs.options (
-        mkUser user.name attrs.uid (user.value.admin or false)
+        mkUser user.name attrs.uid (user.value.options or { })
       );
       uid = attrs.uid + 1;
     })
@@ -45,21 +50,8 @@ lib.recursiveUpdate
     (lib.attrsToList users)
   ).options
   {
-    users = {
+    users.users.root = {
-      motd = ''
+      initialPassword = "tuxcord";
-                  __                                          __                      __
+      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-        ---------/\ \__                                      /\ \                    /\ \__
-        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
-        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
-        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
-        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
-                                                    A friendly Linux community - est. July 2023
-      '';
-
-      users.root = {
-        initialPassword = "tuxcord";
-        openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
-      };
     };
   }

npins/sources.json

@@ -1,17 +1,4 @@
 {
-  "pins": {
+  "pins": {},
-    "website": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.javalsai.tuxcord.net/tuxcord/website.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
-      "url": null,
-      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
-    }
-  },
   "version": 5
 }