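# NixOS host configuration for "pruflas": a Hydra CI instance reached over
# a dedicated WireGuard tunnel, a second WireGuard uplink ("uwupn"), a small
# nginx static site, and a GNOME desktop used for media playback.
{ config
, pkgs
, lib
, ...
}:
let
  # Directory holding the age-encrypted secrets (provided by the dadada.secrets module).
  secretsPath = config.dadada.secrets.path;
  # Secret names are derived from the host name so each host gets its own key files.
  wg0PrivKey = "${config.networking.hostName}-wg0-key";
  wgHydraPrivKey = "${config.networking.hostName}-wg-hydra-key";
  wg0PresharedKey = "${config.networking.hostName}-wg0-preshared-key";
in
{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "pruflas";

  # Laptop hardware: keep running with the lid closed.
  services.logind.lidSwitch = "ignore";

  services.hydra = {
    enable = true;
    package = pkgs.hydra-unstable;
    hydraURL = "https://hydra.dadada.li";
    notificationSender = "hydra@localhost";
    buildMachinesFiles = [ ];
    useSubstitutes = true;
    # NOTE(review): TCP 3000 is opened for every interface in networking.firewall
    # below. If Hydra is only meant to be reached through the "hydra" WireGuard
    # tunnel, prefer networking.firewall.interfaces.hydra.allowedTCPPorts — confirm
    # what "hydra.dadada.li" resolves to on this host before narrowing.
    listenHost = "hydra.dadada.li";
    port = 3000;
  };

  # Builds run locally only (no remote builders).
  nix.buildMachines = [
    {
      hostName = "localhost";
      system = "x86_64-linux";
      supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
      maxJobs = 8;
    }
  ];

  services.nginx = {
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Logging is deliberately disabled (error log discarded, access log off).
    # Trade-off: there is no request or error trail on this host for
    # troubleshooting or incident review.
    logError = "/dev/null";
    appendHttpConfig = ''
      access_log off;
    '';

    # Plain-HTTP static site on the internal ".uwu" name; no ACME, no TLS redirect.
    virtualHosts."pruflas.uwu" = {
      enableACME = false;
      forceSSL = false;
      root = "/var/www/pruflas.uwu";
      index = "index.html";
      # The fallback must be written "=404" (no space): nginx only treats the
      # last try_files argument as a status code when it starts with "=".
      locations."/".tryFiles = "$uri $uri/ =404";
    };
  };

  # Web root owned by nginx, mode 0551: readable/traversable, no write bit.
  systemd.tmpfiles.rules = [
    "d /var/www/pruflas.uwu 0551 nginx nginx - -"
  ];

  # Site-specific modules (dadada.*): admin access, backup client, resolver, upgrades.
  dadada.admin.enable = true;

  dadada.backupClient = {
    bs.enable = true;
  };

  # WireGuard key material is decrypted at activation from the age-encrypted
  # files; only the resulting paths are referenced below.
  age.secrets.${wg0PrivKey}.file = "${secretsPath}/${wg0PrivKey}.age";
  age.secrets.${wg0PresharedKey}.file = "${secretsPath}/${wg0PresharedKey}.age";

  age.secrets.${wgHydraPrivKey}.file = "${secretsPath}/${wgHydraPrivKey}.age";

  networking.wireguard = {
    enable = true;
    # Uplink tunnel: routes for the peer's allowedIPs are installed automatically.
    interfaces.uwupn = {
      allowedIPsAsRoutes = true;
      privateKeyFile = config.age.secrets.${wg0PrivKey}.path;
      ips = [ "10.11.0.39/32" "fc00:1337:dead:beef::10.11.0.39/128" ];
      peers = [
        {
          publicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
          allowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
          endpoint = "53c70r.de:51820";
          persistentKeepalive = 25;
          # Pre-shared key adds a symmetric secret on top of the key exchange.
          presharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
        }
      ];
    };
    # Point-to-point tunnel towards the Hydra front end (10.3.3.1).
    interfaces.hydra = {
      allowedIPsAsRoutes = true;
      privateKeyFile = config.age.secrets.${wgHydraPrivKey}.path;
      ips = [ "10.3.3.3/32" ];
      peers = [
        {
          publicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY=";
          allowedIPs = [ "10.3.3.1/32" ];
          endpoint = "hydra.dadada.li:51235";
          persistentKeepalive = 25;
        }
      ];
    };
  };

  networking.useDHCP = false;
  networking.interfaces."enp0s25".useDHCP = true;

  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedTCPPorts = [
      22 # SSH
      80 # HTTP (pruflas.uwu vhost)
      443 # HTTPS
      3000 # Hydra
    ];
    # NOTE(review): neither WireGuard interface above sets listenPort, so this
    # host does not bind a fixed WireGuard port itself (51235 is the remote
    # endpoint's port). Verify these inbound UDP openings are still needed.
    allowedUDPPorts = [
      51234 # Wireguard
      51235 # Wireguard
    ];
  };

  boot.kernelModules = [ "kvm-intel" ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Desktop things for media playback

  services.xserver.enable = true;
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;

  security.rtkit.enable = true;

  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };

  hardware.pulseaudio.enable = false;

  environment.systemPackages = [ pkgs.spotify pkgs.mpv ];

  users.users."media" = {
    isNormalUser = true;
    description = "Media playback user";
    extraGroups = [ "users" "video" ];
    # allow anyone with physical access to log in
    # NOTE(review): TCP 22 is open above; confirm sshd does not accept password
    # logins (or excludes this account), otherwise the same credential is
    # usable over the network, not just at the console. With
    # users.mutableUsers = true this literal is presumably applied as the
    # initial password only — verify against the NixOS option docs.
    password = "media";
  };

  networking.domain = "dadada.li";
  networking.tempAddresses = "disabled";

  networking.networkmanager.enable = false;

  users.mutableUsers = true;

  dadada.networking.localResolver.enable = true;
  dadada.networking.localResolver.uwu = true;
  dadada.networking.localResolver.s0 = true;

  # mkDefault so a per-host override can disable automatic upgrades.
  dadada.autoUpgrade.enable = lib.mkDefault true;

  documentation.enable = false;
  documentation.nixos.enable = false;

  # Stop journald from filling the disk: keep at least 2G free.
  services.journald.extraConfig = ''
    SystemKeepFree = 2G
  '';

  system.stateVersion = "20.09";
}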