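# NixOS host configuration for "surgat": a public-facing cloud host that
# terminates TLS in nginx, reverse-proxies Hydra over a WireGuard link
# ("ninurta") to 10.3.3.3, and fronts a soju IRC bouncer on TCP 1667.
#
# Review notes (grounded only in what this file shows):
#  * The WireGuard route for the 10.3.3.x network was written as
#    "10.3.3.3/24" (host bits set); it is now the canonical "10.3.3.0/24".
#    Depending on the systemd-networkd version this was either silently
#    masked or rejected with a warning -- the canonical form is correct either way.
#  * Comments that were previously inline after list elements are kept on
#    their own element lines so they cannot swallow following elements.
{ config, pkgs, ... }:
let
  hostName = "surgat";
in
{
  imports = [
    ./hardware-configuration.nix
    ../modules/profiles/cloud.nix
  ];

  networking.hostName = hostName;

  services.nginx = {
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    #logError = "/dev/null";
    # NOTE(review): this turns the HTTP access log off for every vhost on
    # this host, including the public ones (git, element, miniflux, share,
    # ...). That removes the request-level audit trail an incident
    # responder would normally rely on. If this is a deliberate privacy
    # choice, consider a short-retention log instead of none at all.
    appendHttpConfig = ''
      access_log off;
    '';
  };

  # Hydra is reached over the WireGuard tunnel; the hop between nginx and
  # 10.3.3.3:3000 is plain HTTP but never leaves the encrypted link, and the
  # peer's AllowedIPs below are what pins 10.3.3.3 to one specific key.
  # config.networking.domain is expected to be set by an imported module
  # (not visible here) -- the ACME SAN list further down assumes it is
  # "dadada.li".
  services.nginx.virtualHosts."hydra.${config.networking.domain}" = {
    useACMEHost = "dadada.li";
    forceSSL = true;
    root = "${pkgs.nginx}/html";
    locations."/" = {
      proxyPass = "http://10.3.3.3:3000/";
      extraConfig = ''
        proxy_redirect default;
      '';
    };
  };

  # Site-local service modules (defined under ../modules, not visible here).
  dadada.element.enable = true;
  dadada.forgejo.enable = true;
  dadada.miniflux.enable = true;
  dadada.weechat.enable = false;
  dadada.homepage.enable = true;
  dadada.share.enable = true;

  dadada.backupClient = {
    backup1.enable = true;
    backup2 = {
      enable = true;
      repo = "u355513-sub3@u355513-sub3.your-storagebox.de:/home/backup";
    };
  };

  # Dump every database so the backup client above can pick the dumps up.
  services.postgresqlBackup = {
    enable = true;
    backupAll = true;
    compression = "zstd";
    location = "/var/backup/postgresql";
  };

  networking.useDHCP = false;

  systemd.network = {
    enable = true;

    networks = {
      # Public uplink: static /32 plus DHCPv4, with both gateways on-link
      # (the v4 gateway is not inside the /32, hence GatewayOnLink).
      "10-wan" = {
        matchConfig.Name = "ens3";
        networkConfig.DHCP = "ipv4";
        address = [
          "49.12.3.98/32"
          "2a01:4f8:c17:1d70::/64"
        ];
        routes = [
          { Gateway = "fe80::1"; }
          {
            Gateway = "172.31.1.1";
            GatewayOnLink = true;
          }
        ];
        linkConfig.RequiredForOnline = "routable";
      };

      # WireGuard link to the internal network. No DHCP, no router
      # advertisements; routes are installed statically and the peer's
      # AllowedIPs decide which of them actually carry traffic.
      "10-ninurta" = {
        matchConfig.Name = "ninurta";
        address = [
          "10.3.3.1/32"
          "fd42:9c3b:f96d:121::1/128"
        ];
        DHCP = "no";
        networkConfig.IPv6AcceptRA = false;
        linkConfig.RequiredForOnline = "no";
        routes = [
          # Canonical network address; previously written as 10.3.3.3/24
          # (host bits set), which networkd may warn on or reject.
          { Destination = "10.3.3.0/24"; }
          { Destination = "fd42:9c3b:f96d:121::/64"; }
          # Only one host of this /64 is reachable through the peer
          # (see AllowedIPs); the rest of the prefix is black-holed by
          # WireGuard's cryptokey routing.
          { Destination = "fd42:9c3b:f96d:101::/64"; }
        ];
      };
    };

    netdevs = {
      "10-ninurta" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "ninurta";
        };
        wireguardConfig = {
          # Key material lives outside the Nix store.
          PrivateKeyFile = "/var/lib/wireguard/hydra";
          ListenPort = 51235;
        };
        # Single peer (the host behind 10.3.3.3). No Endpoint is set, so
        # the peer must initiate; no PersistentKeepalive either.
        wireguardPeers = [
          {
            PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
            AllowedIPs = [
              "10.3.3.3/32"
              "fd42:9c3b:f96d:121::3/128"
              "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
            ];
          }
        ];
      };
    };
  };

  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedTCPPorts = [
      22 # SSH
      80
      443 # HTTPS
      1667 # soju IRC bouncer (TLS terminated by the nginx stream block below)
    ];
    allowedUDPPorts = [
      # NOTE(review): nothing in this file binds 51234; presumably another
      # module's WireGuard listener. Verify, or drop it from the allow list.
      51234 # Wireguard
      51235 # Wireguard (ninurta, ListenPort above)
    ];
    # munin-node is only reachable across the tunnel, and additionally
    # restricted to 10.3.3.3 by its own cidr_allow below.
    interfaces.ninurta.allowedTCPPorts = [
      4949 # munin-node
    ];
  };

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

  # Kernel-level IP config (ip=<client>:<server>:<gw>:<netmask>:<hostname>:<dev>:<autoconf>);
  # presumably so the initrd has networking before systemd-networkd runs.
  # Keep in sync with the "10-wan" address/gateway above.
  boot.kernelParams = [
    "ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat::dhcp"
  ];

  services.resolved = {
    enable = true;
    fallbackDns = [
      "9.9.9.9"
      "2620:fe::fe"
    ];
  };

  system.autoUpgrade.allowReboot = false;

  services.postgresql.package = pkgs.postgresql_15;

  services.munin-node = {
    enable = true;
    extraConfig = ''
      host_name surgat
      cidr_allow 10.3.3.3/32
    '';
  };

  # soju listens only on a unix socket; nginx's stream block does TLS and
  # forwards with PROXY protocol so soju sees the real client address.
  # acceptProxyIP is what makes soju trust that header -- keep it limited to
  # the local nginx hop.
  services.soju = {
    enable = true;
    listen = [ "unix:///run/soju/irc.sock" ];
    acceptProxyIP = [ "localhost" ];
  };

  # For owning the socket the right group (nginx must connect to irc.sock).
  systemd.services.soju.serviceConfig.Group = "nginx";

  services.nginx.streamConfig = ''
    server {
      listen 1667 ssl;
      proxy_pass unix:/run/soju/irc.sock;
      proxy_protocol on;
      proxy_connect_timeout 1s;
      ssl_certificate /var/lib/acme/dadada.li/fullchain.pem;
      ssl_certificate_key /var/lib/acme/dadada.li/key.pem;
      ssl_trusted_certificate /var/lib/acme/dadada.li/chain.pem;
    }
  '';

  services.nginx.virtualHosts."soju.dadada.li" = {
    useACMEHost = "dadada.li";
    forceSSL = true;
  };

  # Grants the nginx user read access to /var/lib/acme/dadada.li/key.pem,
  # needed by the stream block above (the http vhosts get this via
  # useACMEHost). Anyone who can run code as nginx can read the key.
  users.groups.acme.members = [ "nginx" ];

  security.acme.certs = {
    "dadada.li" = {
      # NOTE(review): no vhost in this file serves /.well-known/acme-challenge
      # from this webroot; presumably one of the dadada.* modules does.
      webroot = "/var/lib/acme/acme-challenge";
      extraDomainNames = [
        "element.dadada.li"
        "hydra.dadada.li"
        "git.dadada.li"
        "miniflux.dadada.li"
        "share.dadada.li"
        "soju.dadada.li"
      ];
    };
  };

  system.stateVersion = "23.05";
}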