nixos-configs/machine/empyrean/default.nix

129 lines
3.6 KiB
Nix
Raw Normal View History

2021-01-23 17:16:48 +00:00
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
#./amanuensis.nix
2021-01-23 17:16:48 +00:00
./catacomb.nix
./gitea.nix
./sync-pipeline.nix
2021-01-23 17:16:48 +00:00
];
2023-08-02 17:45:22 +00:00
beatific.hostName = "empyrean";
beatific.isLighthouse = true;
2024-01-04 20:55:12 +00:00
beatific.defaults.tvbSync = true;
2023-08-02 17:45:22 +00:00
2021-01-23 17:16:48 +00:00
# Use the GRUB 2 boot loader.
boot.loader.grub = {
enable = true;
device = "/dev/xvda";
extraConfig = "serial --unit=0 --speed=115200 ; terminal_input serial console ; terminal_output serial console";
};
boot.kernelParams = ["console=ttyS0"];
2022-11-27 01:40:04 +00:00
nix = {
2022-12-11 00:00:55 +00:00
settings.max-jobs = 2;
2022-11-27 01:40:04 +00:00
};
swapDevices = [ { device = "/swap"; size = 1024; } ];
2022-01-08 00:06:07 +00:00
services.journald.extraConfig = ''
SystemMaxUse=500M
'';
2021-01-23 17:16:48 +00:00
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
environment.systemPackages = with pkgs; [
gitea
];
services.nginx = let
static-site = srv-dir: {
enableACME = true;
forceSSL = true;
root = "/srv/${srv-dir}/";
extraConfig = ''
access_log /var/log/nginx/access_${srv-dir}.log;
index index.html;
'';
};
service-stub = {
rejectSSL = true;
locations."/".return = "403";
};
in {
2021-01-23 17:16:48 +00:00
enable = true;
recommendedProxySettings = true;
virtualHosts = {
# Static pages
"home.ktvb.site" = static-site "home.ktvb.site";
"wedding.ktvb.site" = static-site "wedding.ktvb.site";
"www.ktvb.site" = static-site "www.ktvb.site";
"www.alogoulogoi.com" = static-site "www.alogoulogoi.com";
2024-01-23 03:07:44 +00:00
"ecumene.alogoulogoi.com" = static-site "ecumene.alogoulogoi.com";
# Home service stub domains
"mopidy.home.ktvb.site" = service-stub;
"jellyfin.home.ktvb.site" = service-stub;
# mirror revproxy
"mirror.alogoulogoi.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
access_log /var/log/nginx/access_mirror.alogoulogoi.com.log;
'';
locations."/".proxyPass = "http://mirror.backyard.home:7474/";
};
2021-01-23 17:16:48 +00:00
# Deny all other subdomains
"alogoulogoi.com" = {
default = true;
rejectSSL = true;
2021-01-23 17:16:48 +00:00
locations."/".return = "444";
};
};
};
security.acme = {
2022-12-11 00:00:55 +00:00
defaults.email = "tim.vanbaak+alogoulogoi@gmail.com";
2021-01-23 17:16:48 +00:00
acceptTerms = true;
};
services.openssh = {
2023-06-09 20:59:09 +00:00
settings.PasswordAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
2021-01-23 17:16:48 +00:00
};
2023-06-20 04:35:45 +00:00
services.intake = {
2023-08-08 15:47:09 +00:00
listen = { addr = "10.22.20.1"; };
2023-06-20 04:35:45 +00:00
users.tvb.enable = true;
users.tvb.extraPackages = [ pkgs.intakeSources pkgs.openssh ];
2023-06-20 04:35:45 +00:00
};
2021-01-23 17:16:48 +00:00
networking.firewall = {
enable = true;
allowedTCPPorts = [
80 # http
443 # https
];
allowedUDPPorts = [
];
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
2023-06-09 20:59:09 +00:00
system.stateVersion = "23.05"; # Did you read the comment?
2021-01-23 17:16:48 +00:00
}