forked from M-Labs/it-infra
nixbld: run AFWS server
parent
322d267caf
commit
0b8aa97192
|
@ -0,0 +1,38 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
afws = pkgs.callPackage ./afws { inherit pkgs; };
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.services.afws = {
|
||||||
|
enable = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "Enable AFWS server";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf config.services.afws.enable {
|
||||||
|
systemd.services.afws = {
|
||||||
|
description = "AFWS server";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
User = "afws";
|
||||||
|
Group = "afws";
|
||||||
|
ExecStart = "${afws}/bin/afws_server";
|
||||||
|
};
|
||||||
|
path = [ pkgs.nix_2_4 pkgs.git ];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.afws = {
|
||||||
|
name = "afws";
|
||||||
|
group = "afws";
|
||||||
|
description = "AFWS server user";
|
||||||
|
isSystemUser = true;
|
||||||
|
createHome = false;
|
||||||
|
home = "/var/lib/afws";
|
||||||
|
useDefaultShell = true;
|
||||||
|
};
|
||||||
|
users.extraGroups.afws = {};
|
||||||
|
};
|
||||||
|
}
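Review bot: The `afws` account is declared with `useDefaultShell = true;` and the unit's `serviceConfig` sets only `User`, `Group` and `ExecStart`, so a daemon with `nix` and `git` on its path runs under a login-capable account with no systemd sandboxing. I would drop `useDefaultShell = true;` unless interactive use of the account is intended, and add `NoNewPrivileges = true;` and `PrivateTmp = true;` to `serviceConfig`, provided the server's nix and git invocations tolerate them. Also, `home = "/var/lib/afws";` combined with `createHome = false;` means nothing in this module creates that directory. If the server writes there, `StateDirectory = "afws";` would create it owned by the service user, though its mode should be checked against the group access the `afws` group is meant to have.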
|
|
@ -17,6 +17,7 @@ in
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./backup-module.nix
|
./backup-module.nix
|
||||||
./github-backup-module.nix
|
./github-backup-module.nix
|
||||||
|
./afws-module.nix
|
||||||
./rt.nix
|
./rt.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -59,7 +60,7 @@ in
|
||||||
hostName = "nixbld";
|
hostName = "nixbld";
|
||||||
hostId = "e423f012";
|
hostId = "e423f012";
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [ 80 443 ];
|
allowedTCPPorts = [ 80 443 7402 ];
|
||||||
allowedUDPPorts = [ 53 67 ];
|
allowedUDPPorts = [ 53 67 ];
|
||||||
trustedInterfaces = [ netifLan ];
|
trustedInterfaces = [ netifLan ];
|
||||||
};
|
};
|
||||||
|
@ -222,6 +223,7 @@ in
|
||||||
iw
|
iw
|
||||||
nvme-cli
|
nvme-cli
|
||||||
borgbackup
|
borgbackup
|
||||||
|
(callPackage ./afws { inherit pkgs; })
|
||||||
];
|
];
|
||||||
|
|
||||||
# Some programs need SUID wrappers, can be configured further or are
|
# Some programs need SUID wrappers, can be configured further or are
|
||||||
|
@ -273,7 +275,7 @@ in
|
||||||
|
|
||||||
users.extraUsers.sb = {
|
users.extraUsers.sb = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["lp" "scanner"];
|
extraGroups = ["lp" "scanner" "afws"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
||||||
|
@ -282,6 +284,7 @@ in
|
||||||
};
|
};
|
||||||
users.extraUsers.rj = {
|
users.extraUsers.rj = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
extraGroups = ["afws"];
|
||||||
};
|
};
|
||||||
users.extraUsers.backupdl = {
|
users.extraUsers.backupdl = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
@ -293,7 +296,7 @@ in
|
||||||
};
|
};
|
||||||
users.extraUsers.occheung = {
|
users.extraUsers.occheung = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["lp" "scanner"];
|
extraGroups = ["lp" "scanner" "afws"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
|
||||||
];
|
];
|
||||||
|
@ -404,7 +407,7 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
services.afws.enable = true;
|
||||||
|
|
||||||
nix.extraOptions = ''
|
nix.extraOptions = ''
|
||||||
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
|
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
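Review bot: In the firewall hunk, adding 7402 to `allowedTCPPorts` opens the port on every interface, and because `netifLan` is already in `trustedInterfaces`, the only new reachability is from the non-LAN side. The page does not show whether the AFWS server authenticates or limits clients, and the module runs it with `nix` and `git` on its path. The exposure should therefore be stated as intended, for example `allowedTCPPorts = [ 80 443 7402 ]; # 7402: AFWS, public by design`. If only particular networks need it, `networking.firewall.interfaces.<name>.allowedTCPPorts` would scope the rule to them. Separately, the three accounts added to the `afws` group gain whatever group permissions the service's files carry, and the `systemPackages` hunk repeats `callPackage ./afws { inherit pkgs; }` rather than sharing one binding with the module.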
|
||||||
|
|