xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix-configs/hosts/picard/default.nix
Philipp Hochkamp 59a1e58620 a
2023-03-10 12:03:41 +01:00

156 lines
4.5 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
documentation.enable = false;
documentation.nixos.enable = false;
documentation.man.enable = false;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
boot.loader.systemd-boot.enable = false;
services.syncthing.enable = true;
networking.interfaces."ens3" = {
ipv6 = {
addresses = [
{
address = "2a03:4000:54:a98::1";
prefixLength = 64;
}
];
};
};
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp0s3"; };
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
# networking.interfaces.eno1.useDHCP = true;
networking.hostId = "7c21236a";
# Immutable users due to tmpfs
users.mutableUsers = false;
services.postgresql.package = pkgs.postgresql_13;
ragon.agenix.secrets."picardResticPassword" = { };
ragon.agenix.secrets."picardResticSSHKey" = { };
ragon.agenix.secrets."picardResticHealthCheckUrl" = { };
appendConfig = ''
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m max_size=4g
inactive=60m use_temp_path=off;
'';
services.nginx.recommendedOptimisation = true;
services.nginx.virtualHosts."xyno.space" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://[::1]${config.services.xynoblog.listen}";
locations."/".extraConfig = ''
proxy_buffering on;
proxy_cache STATIC;
proxy_cache_valid 200 1d;
proxy_cache_use_stale error timeout invalid_header updating
http_500 http_502 http_503 http_504;
'';
};
services.nginx.appendHttpConfig = ''
map $remote_addr $ip_anonym1 {
default 0.0.0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
"~(?P<ip>[^:]+:[^:]+):" $ip;
}
map $remote_addr $ip_anonym2 {
default .0;
"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
"~(?P<ip>[^:]+:[^:]+):" ::;
}
map $ip_anonym1$ip_anonym2 $ip_anonymized {
default 0.0.0.0;
"~(?P<ip>.*)" $ip;
}
log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log anonymized;
'';
services.restic.backups."picard" = {
passwordFile = config.age.secrets.picardResticPassword.path;
extraOptions = [
"sftp.command='ssh picardbackup@ds9 -i ${config.age.secrets.picardResticSSHKey.path} -s sftp'"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
initialize = true;
repository = "sftp:picardbackup@ds9:/restic";
paths = [
"/persistent"
];
};
systemd.services.restic-backups-picard = {
# ExecStartPost commands are only run if the ExecStart command succeeded
serviceConfig.ExecStartPost = pkgs.writeShellScript "backupSuccessful" ''
${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})
'';
unitConfig.OnFailure = "backupFailure.service";
};
systemd.services.backupFailure = {
enable = true;
script = "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})/fail";
};
nixpkgs.overlays = [
(self: super: {
zfs = super.zfs.override { enableMail = true; };
})
];
services.xynoblog.enable = true;
programs.mosh.enable = true;
ragon.agenix.secrets."mailmoverConf" = { };
services.mailmover = {
enable = true;
configFile = config.age.secrets.mailmoverConf.path;
};
ragon = {
cli.enable = true;
user.enable = true;
persist.enable = true;
persist.extraDirectories = [ "/var/lib/syncthing" "/var/lib/${config.services.xynoblog.stateDirectory}" ];
services = {
ssh.enable = true;
msmtp.enable = true;
bitwarden.enable = true;
gitlab.enable = false; # TODO gitlab-runner
synapse.enable = true;
tailscale.enable = true;
hedgedoc.enable = false;
ts3.enable = true;
nginx.enable = true;
nginx.domain = "ragon.xyz";
};
};
}
Reference in a new issue View git blame Copy permalink