Cleanup
parent
1813986ad4
commit
a7f6e9f4c7
@ -1,9 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> piv-p256 JccfSQ AhIbgVYw7nnbfVvpM2755rvolAK+7TVKMYV7+7HXweKW
|
||||
tpz/Ea90ttJQanaA033mrIgMzKtIOgiBkcfNY9qPPyM
|
||||
-> D-grease &[o{ }PTMp/+M y!I
|
||||
4B6KLBrcEWiTzcCyfN+EKTd0j9rOPe9RP5KFM87HAmFAOR7fa4yOousUqFvP32Xw
|
||||
Xs8hyC4vT+P3buXFMPR/k9yrzJcAOdmB
|
||||
--- e930foLDztNKnvtkkj6phGiXCo6z02hczVmScHC0uw8
|
||||
Y ù_•<>AœWæ"#W@^¦<>‰y4Ò!‘êHz
|
||||
°ú)×0Oži5‹9ûV¨7rÖ¦ÙQß(¦ì ™Íš{lÎ.B<>ÖøR¨·¶˜Ä‡U+²hª!h[(©ê1ö ªt #‹è¹ŒƒÁJ±XŒ¶¼xN<>CÚÖ)Èi«ï\t»åq
|
|
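--- a/PATH-NOT-SHOWN-ON-PAGE/configuration.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running `nixos-help`).
-
-{ config, pkgs, ... }:
-
-{
-imports =
-[
-./hardware.nix
-];
-
-boot.loader.systemd-boot.enable = true;
-boot.loader.efi.canTouchEfiVariables = true;
-
-time.timeZone = "Europe/London";
-environment.systemPackages = with pkgs; [
-vim
-wget
-k3s
-git
-];
-services = {
-openssh.enable = true;
-k3s = {
-enable = true;
-role = "server";
-extraFlags = toString [
-"--secrets-encryption"
-"--tls-san=192.168.50.229"
-];
-};
-};
-
-networking = {
-hostName = "k3s";
-domain = "gmem.ca";
-firewall = {
-enable = false;
-allowedTCPPorts = [ 6443 80 443 ];
-};
-
-nftables.enable = true;
-};
-# Copy the NixOS configuration file and link it from the resulting system
-# (/run/current-system/configuration.nix). This is useful in case you
-# accidentally delete configuration.nix.
-system.copySystemConfiguration = true;
-
-system.stateVersion = "23.05"; # Did you read the comment?
-
-}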
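--- a/PATH-NOT-SHOWN-ON-PAGE/hardware.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-imports =
-[ (modulesPath + "/profiles/qemu-guest.nix")
-];
-
-boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
-boot.initrd.kernelModules = [ ];
-boot.kernelModules = [ "kvm-amd" ];
-boot.extraModulePackages = [ ];
-
-fileSystems."/" =
-{ device = "/dev/disk/by-uuid/f306aefe-e24d-4f19-9131-124aeb3b0880";
-fsType = "ext4";
-};
-
-fileSystems."/boot" =
-{ device = "/dev/disk/by-uuid/7562-558C";
-fsType = "vfat";
-};
-
-swapDevices =
-[ { device = "/dev/disk/by-uuid/b94a7a44-73d2-4c69-aadd-80f030a38bc0"; }
-];
-
-# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-# (the default) this is the recommended approach. When using systemd-networkd it's
-# still possible to use this option, but it's recommended to use it in conjunction
-# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-networking.useDHCP = lib.mkDefault true;
-# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
-nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}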
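--- a/PATH-NOT-SHOWN-ON-PAGE/n8n-module.nix
+++ /dev/null
@@ -1,93 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-cfg = config.services.n8n;
-format = pkgs.formats.json {};
-configFile = format.generate "n8n.json" cfg.settings;
-in
-{
-options.services.n8n = {
-enable = mkEnableOption (lib.mdDoc "n8n server");
-
-openFirewall = mkOption {
-type = types.bool;
-default = false;
-description = lib.mdDoc "Open ports in the firewall for the n8n web interface.";
-};
-
-settings = mkOption {
-type = format.type;
-default = {};
-description = lib.mdDoc ''
-Configuration for n8n, see <https://docs.n8n.io/hosting/environment-variables/configuration-methods/>
-for supported values.
-'';
-};
-
-webhookUrl = mkOption {
-type = types.str;
-default = "";
-description = lib.mdDoc ''
-WEBHOOK_URL for n8n, in case we're running behind a reverse proxy.
-This cannot be set through configuration and must reside in an environment variable.
-'';
-};
-
-};
-
-config = mkIf cfg.enable {
-services.n8n.settings = {
-# We use this to open the firewall, so we need to know about the default at eval time
-port = lib.mkDefault 5678;
-};
-
-systemd.services.n8n = {
-description = "N8N service";
-after = [ "network.target" ];
-wantedBy = [ "multi-user.target" ];
-environment = {
-# This folder must be writeable as the application is storing
-# its data in it, so the StateDirectory is a good choice
-N8N_USER_FOLDER = "/var/lib/n8n";
-HOME = "/var/lib/n8n";
-N8N_CONFIG_FILES = "${configFile}";
-WEBHOOK_URL = "${cfg.webhookUrl}";
-VUE_APP_URL_BASE_API="https://vancouver.scorpion-ghost.ts.net/n8n/";
-N8N_PATH="/n8n/";
-# Don't phone home
-N8N_DIAGNOSTICS_ENABLED = "false";
-N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
-};
-serviceConfig = {
-Type = "simple";
-ExecStart = "${pkgs.n8n}/bin/n8n";
-Restart = "on-failure";
-StateDirectory = "n8n";
-
-# Basic Hardening
-NoNewPrivileges = "yes";
-PrivateTmp = "yes";
-PrivateDevices = "yes";
-DevicePolicy = "closed";
-DynamicUser = "true";
-ProtectSystem = "strict";
-ProtectHome = "read-only";
-ProtectControlGroups = "yes";
-ProtectKernelModules = "yes";
-ProtectKernelTunables = "yes";
-RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
-RestrictNamespaces = "yes";
-RestrictRealtime = "yes";
-RestrictSUIDSGID = "yes";
-MemoryDenyWriteExecute = "no"; # v8 JIT requires memory segments to be Writable-Executable.
-LockPersonality = "yes";
-};
-};
-
-networking.firewall = mkIf cfg.openFirewall {
-allowedTCPPorts = [ cfg.settings.port ];
-};
-};
-}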