nix-cfg/hosts/vps1/configuration.nix


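# NixOS host configuration for vps1.
#
# Inputs (module arguments): `pkgs`, `config`, and a project-specific `data`
# attrset that supplies `data.host.rootDomain`, `data.services.git.sshPort`
# and optionally `data.sshPort`.
{ pkgs, config, data, ... }:
let
  inherit (data.host) rootDomain;

  # Public hostnames served by nginx below; all are covered by the two
  # wildcard SANs on the ACME certificate for `rootDomain`.
  gtnhDomain = "gtnh.${rootDomain}";
  discDomain = "discourse.testdrive.${rootDomain}";
  akkoDomain = "akko429164.testdrive.${rootDomain}";
  iceDomain = "ice758549.testdrive.${rootDomain}";

  # Dedicated sshd port used by the forgejo user for git-over-SSH.
  gitSSHPort = data.services.git.sshPort;

  # Static robots.txt that tells all crawlers to index nothing.
  robots_disallow_all = pkgs.writeText "robots.txt" ''
    User-agent: *
    Disallow: /
  '';
in
{
  imports = [
    ./hardware-configuration.nix
    ./services/postgres.nix
    ./services/authentik.nix
    ./services/git.nix
    ./services/mailserver.nix
    ./akkotest.nix
    # Supply chain: the sha256 pins the tarball contents, so a changed branch
    # fails evaluation instead of silently pulling new code. The URL is still
    # a mutable branch name; prefer a commit-pinned tarball URL
    # (e.g. .../tarball/<COMMIT_SHA> — placeholder, take the hash from git)
    # so the pin stays reproducible when the branch moves.
    (fetchTarball {
      url = "https://github.com/cariandrum22/nixos-vscode-server/tarball/support-for-new-dir-structure-of-vscode-server";
      sha256 = "1sp4h0nb7dh7mcm8vdflihv76yz8azf5zifkcbxhq7xz48c8k5pd";
    })
  ];

  # Shared directory for openvscode-server (setgid so files inherit the group).
  # NOTE(review): openvscode-server is disabled below, so this rule and the
  # group membership of `lgm` only matter if it is re-enabled.
  systemd.tmpfiles.rules = [
    "d /shared/openvscode 2770 root ${config.services.openvscode-server.group}"
  ];

  programs.fish.enable = true;
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking.hostName = "lgm-vps1";
  networking.domain = "contaboserver.net";
  # Only HTTP/HTTPS are opened explicitly; the sshd ports are opened by the
  # openssh module itself and endlessh-go opens port 22 via `openFirewall`.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.openssh = {
    enable = true;
    # Admin sshd on a non-default port (overridable via data.sshPort); port 22
    # is handed to the endlessh-go tarpit below.
    ports = [ (if data ? sshPort then data.sshPort else 37163) gitSSHPort ];
    settings.PermitRootLogin = "no";
    settings.PasswordAuthentication = false;
    # Also disable keyboard-interactive auth: with PAM enabled, leaving it on
    # still lets a client complete a password login even though
    # PasswordAuthentication is off.
    settings.KbdInteractiveAuthentication = false;
    # Restrict the git port to the forgejo user. sshd applies every directive
    # after a `Match` line only to matching connections, so this stanza must
    # stay last in extraConfig.
    extraConfig = ''
      Match LocalPort ${toString gitSSHPort}
        AllowUsers forgejo
    '';
  };

  # NAT for nixos-containers on veth interfaces.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "eth0";

  # SSH tarpit on the default port; real sshd listens on the ports above.
  services.endlessh-go = {
    enable = true;
    openFirewall = true;
    port = 22;
  };

  services.vscode-server = {
    enable = true;
    nodejsPackage = pkgs.nodejs_18;
    installPath = "$HOME/.vscodium-server";
  };

  services.openvscode-server = {
    enable = false;
  };

  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    # NOTE(review): name suggests a template leftover; confirm ./akkotest.nix
    # actually reads this secret, otherwise drop it.
    secrets.example_key = {
      owner = config.users.users.akkoma.name;
      group = config.users.users.akkoma.group;
    };
    # API credentials for the porkbun DNS-01 challenge (dotenv format so it
    # can be passed as an EnvironmentFile).
    secrets.porkbun = {
      sopsFile = ../../secrets/porkbun.env;
      format = "dotenv";
    };
  };

  # nginx needs read access to the ACME-issued certificates.
  users.users.nginx.extraGroups = [ "acme" ];

  services.nginx = {
    enable = true;

    # Plain-HTTP catch-all: refuse TLS here and redirect everything to HTTPS.
    virtualHosts."${rootDomain}80" = {
      serverName = rootDomain;
      rejectSSL = true;
      default = true;
      locations."/" = {
        return = "301 https://${rootDomain}$request_uri";
      };
    };

    virtualHosts.${rootDomain} = {
      onlySSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/root";
      locations."=/robots.txt" = {
        alias = robots_disallow_all;
        extraConfig = ''
          add_header Content-Type text/plain;
        '';
      };
    };

    virtualHosts.${gtnhDomain} = {
      forceSSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/gtnh";
    };

    virtualHosts.${discDomain} = {
      forceSSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/todo";
    };

    # virtualHosts.${akkoDomain} = {
    #   forceSSL = true;
    #   useACMEHost = "${rootDomain}";
    #   root = "/var/www/todo";
    # };

    virtualHosts.${iceDomain} = {
      forceSSL = true;
      useACMEHost = "${rootDomain}";
      root = "/var/www/todo";
    };
  };

  # One wildcard certificate for the root and testdrive subdomains, issued via
  # DNS-01 so no HTTP challenge endpoint is exposed.
  security.acme = {
    acceptTerms = true;
    defaults.email = "lgmrszd@disroot.org";
    certs.${rootDomain} = {
      # domain = "*.${rootDomain}";
      dnsProvider = "porkbun";
      environmentFile = config.sops.secrets.porkbun.path;
      extraDomainNames = [
        "*.${rootDomain}"
        "*.testdrive.${rootDomain}"
        # gtnhDomain
        # akkoDomain
        # iceDomain
        # discDomain
      ];
    };
  };

  programs.nh = {
    enable = true;
  };
  programs.mosh.enable = true;

  environment.systemPackages = with pkgs; [
    git
    vim
    tmux
    sops
  ];

  users.users.lgm = {
    isNormalUser = true;
    description = "lgm";
    extraGroups = [
      "wheel"
      # NOTE(review): membership in `docker` is root-equivalent via the daemon
      # socket; acceptable for the sole admin account, but keep it in mind if
      # more users are added here.
      "docker"
      config.services.openvscode-server.group
    ];
    shell = pkgs.fish;
    # FIDO-backed (sk-) key: login requires the hardware authenticator.
    openssh.authorizedKeys.keys = [ ''sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHFPA2RhqZIVCLwYuEUDQyOnJ4g1R6IfQyhGqZ2Cvvu+AAAABHNzaDo= lgm@lgm-nixos'' ];
  };

  system.stateVersion = "23.11";
}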