authorAlex Auvolat <alex@adnab.me>2022-03-28 12:18:52 +0200
committerAlex Auvolat <alex@adnab.me>2022-03-28 12:18:52 +0200
commitfdb5210f88a751e2aea9d519520897f8574f533e (patch)
treefbd9c2e391ee7fb9b7ba66574b7232c739d5fd43 /nix/configuration.nix
parent9709f1aed4e93ef88c12bf6b483087abb4e561af (diff)
Move configuration.nix to nix/ subfolderprod
Diffstat (limited to 'nix/configuration.nix')
-rw-r--r--nix/configuration.nix116
1 files changed, 116 insertions, 0 deletions
diff --git a/nix/configuration.nix b/nix/configuration.nix
new file mode 100644
index 0000000..7e32a8d
--- /dev/null
+++ b/nix/configuration.nix
@@ -0,0 +1,116 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... } @ args:
+
+# Configuration local for this cluster node (hostname, IP, etc)
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ # Include generic Deuxfleurs module
+ ./deuxfleurs.nix
+ # Configuration for this deployment (a cluster)
+ ./cluster.nix
+ # Configuration local for this Deuxfleurs site (set of nodes)
+ ./site.nix
+ # Configuration local for this cluster node (hostname, IP, etc)
+ ./node.nix
+ ];
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+
+ # Set your time zone.
+ time.timeZone = "Europe/Paris";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "sun12x22";
+ keyMap = "fr";
+ };
+
+ boot.kernel.sysctl = {
+ "vm.max_map_count" = 262144;
+ };
+
+ services.journald.extraConfig = ''
+SystemMaxUse=1G
+ '';
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ nmap
+ bind
+ inetutils
+ pciutils
+ vim
+ tmux
+ ncdu
+ iotop
+ jnettop
+ nethogs
+ wget
+ htop
+ smartmontools
+ links
+ git
+ rclone
+ docker
+ docker-compose
+ ];
+
+ programs.vim.defaultEditor = true;
+
+ # Enable network time
+ services.ntp.enable = true;
+
+ # Enable the OpenSSH daemon and disable password login.
+ services.openssh.enable = true;
+ services.openssh.passwordAuthentication = false;
+
+ # ---- CONFIG FOR DEUXFLEURS CLUSTER ----
+
+ # Open ports in the firewall.
+ networking.firewall = {
+ enable = true;
+
+ # Allow anyone to connect on SSH port
+ allowedTCPPorts = [
+ (builtins.head ({ openssh.ports = [22]; } // config.services).openssh.ports)
+ ];
+
+ # Allow specific hosts access to specific things in the cluster
+ extraCommands = ''
+ # Allow everything from router (usefull for UPnP/IGD)
+ iptables -A INPUT -s 192.168.1.254 -j ACCEPT
+
+ # Allow docker containers to access all ports
+ iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT
+
+ # Allow other nodes on VPN to access all ports
+ iptables -A INPUT -s 10.42.0.0/16 -j ACCEPT
+ '';
+
+ # When stopping firewall, delete all rules that were configured manually above
+ extraStopCommands = ''
+ iptables -D INPUT -s 192.168.1.254 -j ACCEPT
+ iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT
+ iptables -D INPUT -s 10.42.0.0/16 -j ACCEPT
+ '';
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.05"; # Did you read the comment?
+}
+
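Review bot: The three ACCEPT rules in extraCommands match on source address only, so a packet arriving on the public interface with a forged 172.17.0.0/16 or 10.42.0.0/16 source is accepted on every port unless something else (e.g. reverse-path filtering) drops it first; binding each rule to the link it is meant for, e.g. `iptables -A INPUT -i docker0 -s 172.17.0.0/16 -j ACCEPT` and likewise `-i <vpn-iface>` for the 10.42.0.0/16 rule and the LAN interface for the router rule, restricts the exception to that interface. The matching extraStopCommands then need the same `-i` argument so the `-D` lines still find the rules, and each should end with `|| true` (`iptables -D INPUT -i docker0 -s 172.17.0.0/16 -j ACCEPT || true`) so a rule that is already gone does not abort the stop script if it runs with errexit, which is what the NixOS manual's own extraStopCommands example does. The allowedTCPPorts expression is also more involved than it needs to be: `{ openssh.ports = [22]; } // config.services` is a shallow merge in which config.services.openssh replaces the fallback entirely, and builtins.head opens only the first configured port; `allowedTCPPorts = config.services.openssh.ports;` states the intent directly (and services.openssh already opens its ports by default, so the entry may be redundant).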