nix-config/nixos/surgat/configuration.nix
feat(surgat): add soju bouncer
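# NixOS configuration for the host "surgat": an nginx front end (reverse proxy
# and TLS termination for several self-hosted services), a WireGuard link
# ("ninurta") to the peer at 10.3.3.3, PostgreSQL backups, munin-node, and a
# soju IRC bouncer reachable over TLS on port 1667.
{
  config,
  pkgs,
  ...
}:
let
  hostName = "surgat";
in
{
  imports = [
    ./hardware-configuration.nix
    ../modules/profiles/cloud.nix
  ];

  networking.hostName = hostName;

  services.nginx = {
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Access logging is deliberately disabled. Note that this also removes the
    # per-request trail an incident investigation would rely on; the error log
    # is unaffected by this setting.
    appendHttpConfig = ''
      access_log off;
    '';
  };

  # Reverse proxy for the hydra.* name to 10.3.3.3:3000, which is the WireGuard
  # peer below (plain HTTP inside the tunnel, TLS towards the client).
  services.nginx.virtualHosts."hydra.${config.networking.domain}" = {
    useACMEHost = "dadada.li";
    forceSSL = true;
    root = "${pkgs.nginx}/html";
    locations."/" = {
      proxyPass = "http://10.3.3.3:3000/";
      extraConfig = ''
        proxy_redirect default;
      '';
    };
  };

  # Site-specific service modules; presumably provided via the imported
  # cloud profile (their definitions are not in this file).
  dadada.element.enable = true;
  dadada.forgejo.enable = true;
  dadada.miniflux.enable = true;
  dadada.weechat.enable = false;
  dadada.homepage.enable = true;
  dadada.share.enable = true;
  dadada.backupClient = {
    backup1.enable = true;
    backup2 = {
      enable = true;
      repo = "u355513-sub3@u355513-sub3.your-storagebox.de:/home/backup";
    };
  };

  services.postgresqlBackup = {
    enable = true;
    backupAll = true;
    compression = "zstd";
    location = "/var/backup/postgresql";
  };

  # Networking is managed by systemd-networkd; the WAN interface gets a static
  # address plus DHCPv4, the WireGuard interface is configured statically.
  networking.useDHCP = false;
  systemd.network = {
    enable = true;
    networks = {
      "10-wan" = {
        matchConfig.Name = "ens3";
        networkConfig.DHCP = "ipv4";
        address = [
          "49.12.3.98/32"
          "2a01:4f8:c17:1d70::/64"
        ];
        routes = [
          { Gateway = "fe80::1"; }
          {
            # The IPv4 gateway is not on the /32, so it must be marked on-link.
            Gateway = "172.31.1.1";
            GatewayOnLink = true;
          }
        ];
        linkConfig.RequiredForOnline = "routable";
      };
      "10-ninurta" = {
        matchConfig.Name = "ninurta";
        address = [
          "10.3.3.1/32"
          "fd42:9c3b:f96d:121::1/128"
        ];
        # Same [Network] keys as 10-wan, kept under networkConfig for consistency.
        networkConfig = {
          DHCP = "no";
          IPv6AcceptRA = false;
        };
        linkConfig.RequiredForOnline = "no";
        routes = [
          {
            # Written as the network address; "10.3.3.3/24" has host bits set
            # in the prefix and denotes the same /24.
            Destination = "10.3.3.0/24";
          }
          {
            Destination = "fd42:9c3b:f96d:121::/64";
          }
          {
            Destination = "fd42:9c3b:f96d:101::/64";
          }
        ];
      };
    };
    netdevs = {
      "10-ninurta" = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "ninurta";
        };
        wireguardConfig = {
          PrivateKeyFile = "/var/lib/wireguard/hydra";
          ListenPort = 51235;
        };
        # Single peer; only its tunnel addresses are accepted from / routed to it.
        wireguardPeers = [
          {
            PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE=";
            AllowedIPs = [
              "10.3.3.3/32"
              "fd42:9c3b:f96d:121::3/128"
              "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128"
            ];
          }
        ];
      };
    };
  };

  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedTCPPorts = [
      22 # SSH
      80 # HTTP (ACME webroot challenges; vhosts redirect to HTTPS)
      443 # HTTPS
      1667 # IRC over TLS (nginx stream proxy in front of soju, see below)
    ];
    allowedUDPPorts = [
      # NOTE(review): nothing in this file listens on 51234; if no imported
      # module defines a WireGuard netdev on it, this port should be dropped.
      51234 # Wireguard
      51235 # Wireguard (ninurta)
    ];
    # Only reachable over the WireGuard link; munin-node below additionally
    # restricts clients to the peer address.
    interfaces.ninurta.allowedTCPPorts = [
      4949 # munin-node
    ];
  };

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  # Kernel command-line IP configuration
  # (ip=client:server:gateway:netmask:hostname:device:autoconf), mirroring the
  # 10-wan address and gateway above for early boot.
  boot.kernelParams = [
    "ip=49.12.3.98::172.31.1.1:255.255.255.255:surgat::dhcp"
  ];

  services.resolved = {
    enable = true;
    fallbackDns = [
      "9.9.9.9"
      "2620:fe::fe"
    ];
  };

  system.autoUpgrade.allowReboot = false;

  services.postgresql.package = pkgs.postgresql_15;

  services.munin-node = {
    enable = true;
    extraConfig = ''
      host_name surgat
      cidr_allow 10.3.3.3/32
    '';
  };

  # soju IRC bouncer. It listens only on a unix socket; TLS is terminated by the
  # nginx stream server below, which forwards the client address via the PROXY
  # protocol.
  services.soju = {
    enable = true;
    listen = [ "unix:///run/soju/irc.sock" ];
    # NOTE(review): confirm that "localhost" also matches connections arriving
    # over the unix socket; otherwise the PROXY header sent by nginx is not
    # honoured and the real client address is lost.
    acceptProxyIP = [ "localhost" ];
  };
  # Run soju under the nginx group so that nginx can connect to the socket.
  systemd.services.soju.serviceConfig.Group = "nginx";

  # TLS front end for soju. The stream context does not inherit the http-level
  # recommendedTlsSettings, so the accepted protocol versions are pinned here
  # explicitly.
  services.nginx.streamConfig = ''
    server {
      listen 1667 ssl;
      ssl_protocols TLSv1.2 TLSv1.3;
      proxy_pass unix:/run/soju/irc.sock;
      proxy_protocol on;
      proxy_connect_timeout 1s;
      ssl_certificate /var/lib/acme/dadada.li/fullchain.pem;
      ssl_certificate_key /var/lib/acme/dadada.li/key.pem;
      ssl_trusted_certificate /var/lib/acme/dadada.li/chain.pem;
    }
  '';
  services.nginx.virtualHosts."soju.dadada.li" = {
    useACMEHost = "dadada.li";
    forceSSL = true;
  };

  # nginx reads the certificate and key under /var/lib/acme/dadada.li directly
  # (stream server above) and via useACMEHost, so it needs the acme group.
  users.groups.acme.members = [
    "nginx"
  ];
  security.acme.certs = {
    "dadada.li" = {
      webroot = "/var/lib/acme/acme-challenge";
      extraDomainNames = [
        "element.dadada.li"
        "hydra.dadada.li"
        "git.dadada.li"
        "miniflux.dadada.li"
        "share.dadada.li"
        "soju.dadada.li"
      ];
    };
  };

  system.stateVersion = "23.05";
}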