Enable Linux audit to log execve syscalls from interactive SSH sessions.
Uses auid filter to exclude system services and nix builds.
Logs forwarded to journald for Loki ingestion. Query with:
{host="testvmXX"} |= "EXECVE"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
|
|
{
|
|
imports = [
|
|
../template2/hardware-configuration.nix
|
|
|
|
../../system
|
|
../../common/vm
|
|
../../common/ssh-audit.nix
|
|
];
|
|
|
|
# Host metadata (adjust as needed)
|
|
homelab.host = {
|
|
tier = "test"; # Start in test tier, move to prod after validation
|
|
};
|
|
|
|
# Enable Vault integration
|
|
vault.enable = true;
|
|
|
|
# Enable remote deployment via NATS
|
|
homelab.deploy.enable = true;
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
boot.loader.grub.enable = true;
|
|
boot.loader.grub.device = "/dev/vda";
|
|
|
|
networking.hostName = "testvm01";
|
|
networking.domain = "home.2rjus.net";
|
|
networking.useNetworkd = true;
|
|
networking.useDHCP = false;
|
|
services.resolved.enable = true;
|
|
networking.nameservers = [
|
|
"10.69.13.5"
|
|
"10.69.13.6"
|
|
];
|
|
|
|
systemd.network.enable = true;
|
|
systemd.network.networks."ens18" = {
|
|
matchConfig.Name = "ens18";
|
|
address = [
|
|
"10.69.13.20/24"
|
|
];
|
|
routes = [
|
|
{ Gateway = "10.69.13.1"; }
|
|
];
|
|
linkConfig.RequiredForOnline = "routable";
|
|
};
|
|
time.timeZone = "Europe/Oslo";
|
|
|
|
nix.settings.experimental-features = [
|
|
"nix-command"
|
|
"flakes"
|
|
];
|
|
nix.settings.tarball-ttl = 0;
|
|
environment.systemPackages = with pkgs; [
|
|
vim
|
|
wget
|
|
git
|
|
];
|
|
|
|
# Test nginx with ACME certificate from OpenBao PKI
|
|
services.nginx = {
|
|
enable = true;
|
|
virtualHosts."testvm01.home.2rjus.net" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
root = pkgs.writeTextDir "index.html" ''
|
|
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title>testvm01 - ACME Test</title>
|
|
<style>
|
|
body { font-family: monospace; max-width: 600px; margin: 50px auto; padding: 20px; }
|
|
.joke { background: #f0f0f0; padding: 20px; border-radius: 8px; margin: 20px 0; }
|
|
.punchline { margin-top: 15px; font-weight: bold; }
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<h1>OpenBao PKI ACME Test</h1>
|
|
<p>If you're seeing this over HTTPS, the migration worked!</p>
|
|
<div class="joke">
|
|
<p>Why do programmers prefer dark mode?</p>
|
|
<p class="punchline">Because light attracts bugs.</p>
|
|
</div>
|
|
<p><small>Certificate issued by: vault.home.2rjus.net</small></p>
|
|
</body>
|
|
</html>
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
# Open ports in the firewall.
|
|
# networking.firewall.allowedTCPPorts = [ ... ];
|
|
# networking.firewall.allowedUDPPorts = [ ... ];
|
|
# Or disable the firewall altogether.
|
|
networking.firewall.enable = false;
|
|
|
|
system.stateVersion = "25.11"; # Did you read the comment?
|
|
} |
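Review bot: `networking.firewall.enable = false;` near the bottom of the file leaves every listener on this host reachable, while the same file enables nginx with `forceSSL`/`enableACME` and the new `../../common/ssh-audit.nix` import only records what reaches sshd rather than limiting it; the commented-out template directly above it is the intended form, i.e. `networking.firewall.enable = true;` with `networking.firewall.allowedTCPPorts = [ 80 443 ];` (port 80 is needed for the ACME http-01 challenge, and SSH is presumably opened by `services.openssh.openFirewall` from ../../system — confirm). The contents of ssh-audit.nix, and therefore the auid-based filter the commit message describes, are outside this page, so whether nix-daemon builds and system services are actually excluded cannot be checked here; a one-line comment at the import, `# Audit execve from interactive SSH sessions (auid filter); see common/ssh-audit.nix`, would tell a reader where that policy lives. The page also shows the `nix flake check` job failing after 1s, which the commit does not address; if the new import path is the cause it should be fixed in the same change so the audit rules are known to evaluate.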