Tim Schubert
0c12c8de35
Some checks failed
Continuous Integration / Checks (push) Has been cancelled
162 lines
3.6 KiB
Nix
162 lines
3.6 KiB
Nix
{ config
|
|
, pkgs
|
|
, ...
|
|
}:
|
|
let
|
|
hostName = "surgat";
|
|
in
|
|
{
|
|
imports = [
|
|
./hardware-configuration.nix
|
|
../modules/profiles/cloud.nix
|
|
];
|
|
|
|
networking.hostName = hostName;
|
|
|
|
services.nginx = {
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
#logError = "/dev/null";
|
|
appendHttpConfig = ''
|
|
access_log off;
|
|
'';
|
|
};
|
|
|
|
services.nginx.virtualHosts."hydra.${config.networking.domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
root = "${pkgs.nginx}/html";
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://10.3.3.3:3000/";
|
|
extraConfig = ''
|
|
proxy_redirect default;
|
|
'';
|
|
};
|
|
};
|
|
|
|
dadada.element.enable = true;
|
|
dadada.forgejo.enable = true;
|
|
dadada.miniflux.enable = true;
|
|
dadada.weechat.enable = false;
|
|
dadada.homepage.enable = true;
|
|
dadada.share.enable = true;
|
|
dadada.backupClient = {
|
|
backup1.enable = true;
|
|
backup2 = {
|
|
enable = true;
|
|
repo = "u355513-sub3@u355513-sub3.your-storagebox.de:/home/backup";
|
|
};
|
|
};
|
|
|
|
services.postgresqlBackup = {
|
|
enable = true;
|
|
backupAll = true;
|
|
compression = "zstd";
|
|
location = "/var/backup/postgresql";
|
|
};
|
|
|
|
networking.useDHCP = false;
|
|
|
|
systemd.network = {
|
|
enable = true;
|
|
networks = {
|
|
"10-wan" = {
|
|
matchConfig.Name = "ens3";
|
|
networkConfig.DHCP = "ipv4";
|
|
address = [
|
|
"49.12.3.98/32"
|
|
"2a01:4f8:c17:1d70::/64"
|
|
];
|
|
routes = [
|
|
{ routeConfig.Gateway = "fe80::1"; }
|
|
{
|
|
routeConfig = {
|
|
Gateway = "172.31.1.1";
|
|
GatewayOnLink = true;
|
|
};
|
|
}
|
|
];
|
|
linkConfig.RequiredForOnline = "routable";
|
|
};
|
|
"10-ninurta" = {
|
|
matchConfig.Name = "ninurta";
|
|
address = [ "10.3.3.1/32" "fd42:9c3b:f96d:121::1/128" ];
|
|
DHCP = "no";
|
|
networkConfig.IPv6AcceptRA = false;
|
|
linkConfig.RequiredForOnline = "no";
|
|
routes = [
|
|
{ routeConfig = { Destination = "10.3.3.3/24"; }; }
|
|
{ routeConfig = { Destination = "fd42:9c3b:f96d:121::/64"; }; }
|
|
{ routeConfig = { Destination = "fd42:9c3b:f96d:101::/64"; }; }
|
|
];
|
|
};
|
|
};
|
|
netdevs = {
|
|
"10-ninurta" = {
|
|
netdevConfig = {
|
|
Kind = "wireguard";
|
|
Name = "ninurta";
|
|
};
|
|
wireguardConfig = {
|
|
PrivateKeyFile = "/var/lib/wireguard/hydra";
|
|
ListenPort = 51235;
|
|
};
|
|
wireguardPeers = [{
|
|
wireguardPeerConfig = {
|
|
PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
|
|
AllowedIPs = [ "10.3.3.3/32" "fd42:9c3b:f96d:121::3/128" "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" ];
|
|
};
|
|
}];
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall = {
|
|
enable = true;
|
|
allowPing = true;
|
|
allowedTCPPorts = [
|
|
22 # SSH
|
|
80
|
|
443 # HTTPS
|
|
];
|
|
allowedUDPPorts = [
|
|
51234 # Wireguard
|
|
51235 # Wireguard
|
|
];
|
|
interfaces.ninurta.allowedTCPPorts = [
|
|
4949 # munin-node
|
|
];
|
|
};
|
|
|
|
# Use the GRUB 2 boot loader.
|
|
boot.loader.grub.enable = true;
|
|
boot.loader.grub.device = "/dev/sda";
|
|
|
|
boot.kernelParams = [
|
|
"ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat::dhcp"
|
|
];
|
|
|
|
services.resolved = {
|
|
enable = true;
|
|
fallbackDns = [ "9.9.9.9" "2620:fe::fe" ];
|
|
};
|
|
|
|
system.autoUpgrade.allowReboot = false;
|
|
|
|
services.postgresql.package = pkgs.postgresql_15;
|
|
|
|
services.munin-node = {
|
|
enable = true;
|
|
extraConfig = ''
|
|
host_name surgat
|
|
cidr_allow 10.3.3.3/32
|
|
'';
|
|
};
|
|
|
|
system.stateVersion = "23.05";
|
|
}
|