Cleanup
This commit is contained in:
parent
1813986ad4
commit
a7f6e9f4c7
|
@ -1,9 +0,0 @@
|
||||||
age-encryption.org/v1
|
|
||||||
-> piv-p256 JccfSQ AhIbgVYw7nnbfVvpM2755rvolAK+7TVKMYV7+7HXweKW
|
|
||||||
tpz/Ea90ttJQanaA033mrIgMzKtIOgiBkcfNY9qPPyM
|
|
||||||
-> D-grease &[o{ }PTMp/+M y!I
|
|
||||||
4B6KLBrcEWiTzcCyfN+EKTd0j9rOPe9RP5KFM87HAmFAOR7fa4yOousUqFvP32Xw
|
|
||||||
Xs8hyC4vT+P3buXFMPR/k9yrzJcAOdmB
|
|
||||||
--- e930foLDztNKnvtkkj6phGiXCo6z02hczVmScHC0uw8
|
|
||||||
Y ù_•<>AœWæ"#W@^¦<>‰y4Ò!‘êHz
|
|
||||||
°ú)×0Oži5‹9ûV¨7rÖ¦ÙQß(¦ì ™Íš{lÎ.B<>ÖøR¨·¶˜Ä‡U+²hª!h[(©ê1ö ªt #‹è¹ŒƒÁJ±XŒ¶¼xN<>CÚÖ)Èi«ï\t»åq
|
|
|
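--- a/configuration.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running `nixos-help`).
-
-{ config, pkgs, ... }:
-
-{
-imports =
-[
-./hardware.nix
-];
-
-boot.loader.systemd-boot.enable = true;
-boot.loader.efi.canTouchEfiVariables = true;
-
-time.timeZone = "Europe/London";
-environment.systemPackages = with pkgs; [
-vim
-wget
-k3s
-git
-];
-services = {
-openssh.enable = true;
-k3s = {
-enable = true;
-role = "server";
-extraFlags = toString [
-"--secrets-encryption"
-"--tls-san=192.168.50.229"
-];
-};
-};
-
-networking = {
-hostName = "k3s";
-domain = "gmem.ca";
-firewall = {
-enable = false;
-allowedTCPPorts = [ 6443 80 443 ];
-};
-
-nftables.enable = true;
-};
-# Copy the NixOS configuration file and link it from the resulting system
-# (/run/current-system/configuration.nix). This is useful in case you
-# accidentally delete configuration.nix.
-system.copySystemConfiguration = true;
-
-system.stateVersion = "23.05"; # Did you read the comment?
-
-}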
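--- a/hardware.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-imports =
-[ (modulesPath + "/profiles/qemu-guest.nix")
-];
-
-boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
-boot.initrd.kernelModules = [ ];
-boot.kernelModules = [ "kvm-amd" ];
-boot.extraModulePackages = [ ];
-
-fileSystems."/" =
-{ device = "/dev/disk/by-uuid/f306aefe-e24d-4f19-9131-124aeb3b0880";
-fsType = "ext4";
-};
-
-fileSystems."/boot" =
-{ device = "/dev/disk/by-uuid/7562-558C";
-fsType = "vfat";
-};
-
-swapDevices =
-[ { device = "/dev/disk/by-uuid/b94a7a44-73d2-4c69-aadd-80f030a38bc0"; }
-];
-
-# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-# (the default) this is the recommended approach. When using systemd-networkd it's
-# still possible to use this option, but it's recommended to use it in conjunction
-# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-networking.useDHCP = lib.mkDefault true;
-# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
-nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}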
@ -1,93 +0,0 @@
|
||||||
{ config, pkgs, lib, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
|
||||||
cfg = config.services.n8n;
|
|
||||||
format = pkgs.formats.json {};
|
|
||||||
configFile = format.generate "n8n.json" cfg.settings;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.services.n8n = {
|
|
||||||
enable = mkEnableOption (lib.mdDoc "n8n server");
|
|
||||||
|
|
||||||
openFirewall = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "Open ports in the firewall for the n8n web interface.";
|
|
||||||
};
|
|
||||||
|
|
||||||
settings = mkOption {
|
|
||||||
type = format.type;
|
|
||||||
default = {};
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Configuration for n8n, see <https://docs.n8n.io/hosting/environment-variables/configuration-methods/>
|
|
||||||
for supported values.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
webhookUrl = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "";
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
WEBHOOK_URL for n8n, in case we're running behind a reverse proxy.
|
|
||||||
This cannot be set through configuration and must reside in an environment variable.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
services.n8n.settings = {
|
|
||||||
# We use this to open the firewall, so we need to know about the default at eval time
|
|
||||||
port = lib.mkDefault 5678;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.n8n = {
|
|
||||||
description = "N8N service";
|
|
||||||
after = [ "network.target" ];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
environment = {
|
|
||||||
# This folder must be writeable as the application is storing
|
|
||||||
# its data in it, so the StateDirectory is a good choice
|
|
||||||
N8N_USER_FOLDER = "/var/lib/n8n";
|
|
||||||
HOME = "/var/lib/n8n";
|
|
||||||
N8N_CONFIG_FILES = "${configFile}";
|
|
||||||
WEBHOOK_URL = "${cfg.webhookUrl}";
|
|
||||||
VUE_APP_URL_BASE_API="https://vancouver.scorpion-ghost.ts.net/n8n/";
|
|
||||||
N8N_PATH="/n8n/";
|
|
||||||
# Don't phone home
|
|
||||||
N8N_DIAGNOSTICS_ENABLED = "false";
|
|
||||||
N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
|
|
||||||
};
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "simple";
|
|
||||||
ExecStart = "${pkgs.n8n}/bin/n8n";
|
|
||||||
Restart = "on-failure";
|
|
||||||
StateDirectory = "n8n";
|
|
||||||
|
|
||||||
# Basic Hardening
|
|
||||||
NoNewPrivileges = "yes";
|
|
||||||
PrivateTmp = "yes";
|
|
||||||
PrivateDevices = "yes";
|
|
||||||
DevicePolicy = "closed";
|
|
||||||
DynamicUser = "true";
|
|
||||||
ProtectSystem = "strict";
|
|
||||||
ProtectHome = "read-only";
|
|
||||||
ProtectControlGroups = "yes";
|
|
||||||
ProtectKernelModules = "yes";
|
|
||||||
ProtectKernelTunables = "yes";
|
|
||||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
|
||||||
RestrictNamespaces = "yes";
|
|
||||||
RestrictRealtime = "yes";
|
|
||||||
RestrictSUIDSGID = "yes";
|
|
||||||
MemoryDenyWriteExecute = "no"; # v8 JIT requires memory segments to be Writable-Executable.
|
|
||||||
LockPersonality = "yes";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall = mkIf cfg.openFirewall {
|
|
||||||
allowedTCPPorts = [ cfg.settings.port ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|