2021-01-23 17:16:48 +00:00
|
|
|
|
# Edit this configuration file to define what should be installed on
|
|
|
|
|
# your system. Help is available in the configuration.nix(5) man page
|
|
|
|
|
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
|
|
|
|
|
|
|
|
|
{ config, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
imports =
|
|
|
|
|
[ # Include the results of the hardware scan.
|
|
|
|
|
./hardware-configuration.nix
|
2022-12-11 13:07:19 +00:00
|
|
|
|
#./amanuensis.nix
|
2021-01-23 17:16:48 +00:00
|
|
|
|
./catacomb.nix
|
|
|
|
|
./gitea.nix
|
2024-01-05 01:22:43 +00:00
|
|
|
|
./sync-pipeline.nix
|
2021-01-23 17:16:48 +00:00
|
|
|
|
];
|
|
|
|
|
|
2023-08-02 17:45:22 +00:00
|
|
|
|
beatific.hostName = "empyrean";
|
2023-08-02 18:11:53 +00:00
|
|
|
|
beatific.isLighthouse = true;
|
2024-01-04 20:55:12 +00:00
|
|
|
|
beatific.defaults.tvbSync = true;
|
2023-08-02 17:45:22 +00:00
|
|
|
|
|
2021-01-23 17:16:48 +00:00
|
|
|
|
# Use the GRUB 2 boot loader.
|
|
|
|
|
boot.loader.grub = {
|
|
|
|
|
enable = true;
|
|
|
|
|
device = "/dev/xvda";
|
|
|
|
|
extraConfig = "serial --unit=0 --speed=115200 ; terminal_input serial console ; terminal_output serial console";
|
|
|
|
|
};
|
|
|
|
|
boot.kernelParams = ["console=ttyS0"];
|
|
|
|
|
|
2022-11-27 01:40:04 +00:00
|
|
|
|
nix = {
|
2022-12-11 00:00:55 +00:00
|
|
|
|
settings.max-jobs = 2;
|
2022-11-27 01:40:04 +00:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
swapDevices = [ { device = "/swap"; size = 1024; } ];
|
2022-01-08 00:06:07 +00:00
|
|
|
|
|
2024-10-22 03:48:09 +00:00
|
|
|
|
services.journald.extraConfig = ''
|
|
|
|
|
SystemMaxUse=500M
|
|
|
|
|
'';
|
|
|
|
|
|
2021-01-23 17:16:48 +00:00
|
|
|
|
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
|
|
|
|
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
|
|
|
|
# replicates the default behaviour.
|
|
|
|
|
networking.useDHCP = false;
|
|
|
|
|
networking.interfaces.eth0.useDHCP = true;
|
|
|
|
|
|
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
|
gitea
|
|
|
|
|
];
|
|
|
|
|
|
2023-01-10 17:43:25 +00:00
|
|
|
|
services.nginx = let
|
|
|
|
|
static-site = srv-dir: {
|
|
|
|
|
enableACME = true;
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
root = "/srv/${srv-dir}/";
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
access_log /var/log/nginx/access_${srv-dir}.log;
|
|
|
|
|
index index.html;
|
|
|
|
|
'';
|
|
|
|
|
};
|
2024-02-22 22:37:50 +00:00
|
|
|
|
service-stub = {
|
|
|
|
|
rejectSSL = true;
|
|
|
|
|
locations."/".return = "403";
|
|
|
|
|
};
|
2023-01-10 17:43:25 +00:00
|
|
|
|
in {
|
2021-01-23 17:16:48 +00:00
|
|
|
|
enable = true;
|
|
|
|
|
recommendedProxySettings = true;
|
|
|
|
|
virtualHosts = {
|
|
|
|
|
# Static pages
|
2024-02-22 22:37:50 +00:00
|
|
|
|
"home.ktvb.site" = static-site "home.ktvb.site";
|
2023-01-10 17:43:25 +00:00
|
|
|
|
"wedding.ktvb.site" = static-site "wedding.ktvb.site";
|
|
|
|
|
"www.ktvb.site" = static-site "www.ktvb.site";
|
2023-09-12 02:59:39 +00:00
|
|
|
|
"www.alogoulogoi.com" = static-site "www.alogoulogoi.com";
|
2024-01-23 03:07:44 +00:00
|
|
|
|
"ecumene.alogoulogoi.com" = static-site "ecumene.alogoulogoi.com";
|
2024-02-22 22:37:50 +00:00
|
|
|
|
# Home service stub domains
|
|
|
|
|
"mopidy.home.ktvb.site" = service-stub;
|
|
|
|
|
"jellyfin.home.ktvb.site" = service-stub;
|
2024-01-17 12:32:06 +00:00
|
|
|
|
# mirror revproxy
|
|
|
|
|
"mirror.alogoulogoi.com" = {
|
|
|
|
|
enableACME = true;
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
access_log /var/log/nginx/access_mirror.alogoulogoi.com.log;
|
|
|
|
|
'';
|
2024-04-27 14:31:31 +00:00
|
|
|
|
locations."/".proxyPass = "http://mirror.backyard.home:7474/";
|
2024-01-17 12:32:06 +00:00
|
|
|
|
};
|
2021-01-23 17:16:48 +00:00
|
|
|
|
# Deny all other subdomains
|
|
|
|
|
"alogoulogoi.com" = {
|
|
|
|
|
default = true;
|
2024-01-12 18:21:44 +00:00
|
|
|
|
rejectSSL = true;
|
2021-01-23 17:16:48 +00:00
|
|
|
|
locations."/".return = "444";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
security.acme = {
|
2022-12-11 00:00:55 +00:00
|
|
|
|
defaults.email = "tim.vanbaak+alogoulogoi@gmail.com";
|
2021-01-23 17:16:48 +00:00
|
|
|
|
acceptTerms = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.openssh = {
|
2023-06-09 20:59:09 +00:00
|
|
|
|
settings.PasswordAuthentication = false;
|
|
|
|
|
settings.PermitRootLogin = "prohibit-password";
|
2021-01-23 17:16:48 +00:00
|
|
|
|
};
|
|
|
|
|
|
2023-06-20 04:35:45 +00:00
|
|
|
|
services.intake = {
|
2023-08-08 15:47:09 +00:00
|
|
|
|
listen = { addr = "10.22.20.1"; };
|
2023-06-20 04:35:45 +00:00
|
|
|
|
users.tvb.enable = true;
|
2023-07-05 12:44:09 +00:00
|
|
|
|
users.tvb.extraPackages = [ pkgs.intakeSources pkgs.openssh ];
|
2023-06-20 04:35:45 +00:00
|
|
|
|
};
|
|
|
|
|
|
2021-01-23 17:16:48 +00:00
|
|
|
|
networking.firewall = {
|
|
|
|
|
enable = true;
|
|
|
|
|
allowedTCPPorts = [
|
|
|
|
|
80 # http
|
|
|
|
|
443 # https
|
|
|
|
|
];
|
|
|
|
|
allowedUDPPorts = [
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# This value determines the NixOS release from which the default
|
|
|
|
|
# settings for stateful data, like file locations and database versions
|
|
|
|
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
|
|
|
|
# this value at the release version of the first install of this system.
|
|
|
|
|
# Before changing this value read the documentation for this option
|
|
|
|
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
2023-06-09 20:59:09 +00:00
|
|
|
|
system.stateVersion = "23.05"; # Did you read the comment?
|
2021-01-23 17:16:48 +00:00
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|