rp5: move things in separate configs, to be reused

2024-11-25 23:02:09 +01:00 · 2024-11-25 23:02:09 +01:00 · 09a34fac3f
commit 09a34fac3f
parent ac0fd3094c
4 changed files with 92 additions and 67 deletions
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@ -0,0 +1,29 @@
+{
+  lib,
+  config,
+  namespace,
+  ...
+}:
+let
+  cfg = config.${namespace}.services.openssh;
+  inherit (lib) mkIf mkEnableOption;
+in
+{
+  options.${namespace}.services.openssh = {
+    enable = mkEnableOption "Enable SSH";
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+
+    services.fail2ban = {
+      enable = true;
+    };
+  };
+}
--- a/modules/nixos/services/remotebuild/default.nix
+++ b/modules/nixos/services/remotebuild/default.nix
@ -0,0 +1,48 @@
+{
+  lib,
+  config,
+  namespace,
+  ...
+}:
+let
+  cfg = config.${namespace}.services.remotebuild;
+  inherit (lib) mkIf mkEnableOption;
+in
+{
+  options.${namespace}.services.remotebuild = {
+    enable = mkEnableOption "Enable remotebuild";
+  };
+
+  config = mkIf cfg.enable {
+    users.users.remotebuild = {
+      isNormalUser = true;
+      createHome = false;
+      group = "remotebuild";
+
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYZjG+XPNoVHVdCel5MK4mwvtoFCqDY1WMI1yoU71Rd root@yggdrasil"
+      ];
+    };
+
+    users.groups.remotebuild = { };
+
+    nix = {
+      nrBuildUsers = 64;
+      settings = {
+        trusted-users = [ "remotebuild" ];
+
+        min-free = 10 * 1024 * 1024;
+        max-free = 200 * 1024 * 1024;
+
+        max-jobs = "auto";
+        cores = 0;
+      };
+    };
+
+    systemd.services.nix-daemon.serviceConfig = {
+      MemoryAccounting = true;
+      MemoryMax = "90%";
+      OOMScoreAdjust = 500;
+    };
+  };
+}