feat: add nix server provision

2026-03-18 02:44:54 +01:00
parent 6f55289ca4
commit 19f9b0594a
19 changed files with 3114 additions and 30 deletions
--- a/modules/nixos/common.nix
+++ b/modules/nixos/common.nix
@@ -0,0 +1,101 @@
+{
+  config,
+  lib,
+  self,
+  ...
+}:
+let
+  cfg = config.nodeiwest;
+  trustedUserCAKeysPath = "/etc/ssh/trusted-user-ca-keys.pem";
+in
+{
+  imports = [ ./tailscale-init.nix ];
+
+  options.nodeiwest = {
+    openbao.address = lib.mkOption {
+      type = lib.types.str;
+      default = "https://secrets.api.nodeiwest.se";
+      description = "Remote OpenBao address that hosts should use as clients.";
+      example = "https://secrets.api.nodeiwest.se";
+    };
+
+    homeManagerUsers = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [
+        "root"
+        "deploy"
+      ];
+      description = "Users that should receive the shared Home Manager company profile.";
+      example = [
+        "root"
+        "deploy"
+      ];
+    };
+
+    ssh.userCAPublicKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.singleLineStr;
+      default = [ ];
+      description = "OpenBao SSH user CA public keys trusted by sshd for user certificate authentication.";
+      example = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBExampleOpenBaoUserCA openbao-user-ca"
+      ];
+    };
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [
+      22
+      80
+      443
+    ];
+
+    services.openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PubkeyAuthentication = true;
+        PermitRootLogin = "prohibit-password";
+      }
+      // lib.optionalAttrs (cfg.ssh.userCAPublicKeys != [ ]) {
+        TrustedUserCAKeys = trustedUserCAKeysPath;
+      };
+    };
+
+    users.groups.deploy = { };
+    users.users.deploy = {
+      isNormalUser = true;
+      group = "deploy";
+      createHome = true;
+      extraGroups = [ "wheel" ];
+    };
+
+    services.traefik = {
+      enable = true;
+      staticConfigOptions = {
+        api.dashboard = true;
+        entryPoints.web.address = ":80";
+        entryPoints.websecure.address = ":443";
+        ping = { };
+      };
+      dynamicConfigOptions = lib.mkMerge [ ];
+    };
+
+    home-manager = {
+      useGlobalPkgs = true;
+      useUserPackages = true;
+      users = lib.genAttrs cfg.homeManagerUsers (_: {
+        imports = [ self.homeManagerModules.default ];
+        home.stateVersion = config.system.stateVersion;
+      });
+    };
+
+    environment.etc = lib.mkIf (cfg.ssh.userCAPublicKeys != [ ]) {
+      "ssh/trusted-user-ca-keys.pem".text = lib.concatStringsSep "\n" cfg.ssh.userCAPublicKeys + "\n";
+    };
+
+    environment.variables = {
+      BAO_ADDR = cfg.openbao.address;
+    };
+  };
+}