# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, pkgs, ... }:
# NOTE(review): this copy of the file appears to have lost its closing brackets,
# the `''` terminators of multi-line strings and several list/attribute bodies
# (`imports`, `environment.systemPackages`, `services.journald.extraConfig`,
# `allowedUDPPorts`, and the empty `proxyPass` / `listen.addr` values below).
# Comments here describe what is visible; compare against the original before
# treating any of those gaps as intentional.
imports =
[ # Include the results of the hardware scan.
# Host identity and role flags consumed by a local `beatific` module that is not
# visible here — presumably a module in this repo; confirm what isLighthouse and
# defaults.tvbSync actually enable before changing them.
beatific.hostName = "empyrean";
beatific.isLighthouse = true;
beatific.defaults.tvbSync = true;
# Use the GRUB 2 boot loader.
# The boot menu and the kernel console are both redirected to the first serial
# port (115200 baud); `console=ttyS0` keeps kernel output on the same line.
# /dev/xvda suggests a paravirtualised (Xen-style) guest — unconfirmed.
boot.loader.grub = {
enable = true;
device = "/dev/xvda";
extraConfig = "serial --unit=0 --speed=115200 ; terminal_input serial console ; terminal_output serial console";
boot.kernelParams = ["console=ttyS0"];
# Cap concurrent Nix builds on this (small) host.
nix = {
settings.max-jobs = 2;
# Swap file at /swap; `size` is in MiB, so this is a 1 GiB swap file.
swapDevices = [ { device = "/swap"; size = 1024; } ];
# journald overrides — the string body is not present in this copy.
services.journald.extraConfig = ''
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.eth0.useDHCP = true;
# Package list — the list body is not present in this copy.
environment.systemPackages = with pkgs; [
programs.screen.enable = true;
# nginx is the single public entry point: TLS for every host terminates here and
# the certificates come from ACME (see security.acme below). Two helpers in the
# `let` build the common vhost shapes.
services.nginx = let
# Static site served from /srv/<srv-dir>/ with a per-site access log. Callers
# below pass the hostname itself as srv-dir, so the directory name doubles as
# the vhost name.
static-site = srv-dir: {
enableACME = true;
forceSSL = true;
root = "/srv/${srv-dir}/";
extraConfig = ''
access_log /var/log/nginx/access_${srv-dir}.log;
index index.html;
# Placeholder for names that are only meaningful on the home network: the TLS
# handshake is rejected (rejectSSL) and plain-HTTP "/" answers 403, so the
# hostname is reserved without exposing anything from this box.
service-stub = {
rejectSSL = true;
locations."/".return = "403";
in {
enable = true;
# Adds the standard proxy headers (Host / X-Forwarded-*) to every proxyPass.
recommendedProxySettings = true;
virtualHosts = {
# Static pages
"home.ktvb.site" = static-site "home.ktvb.site";
"wedding.ktvb.site" = static-site "wedding.ktvb.site";
"www.ktvb.site" = static-site "www.ktvb.site";
"www.alogoulogoi.com" = static-site "www.alogoulogoi.com";
"ecumene.alogoulogoi.com" = static-site "ecumene.alogoulogoi.com";
# Home service stub domains
"mopidy.home.ktvb.site" = service-stub;
"jellyfin.home.ktvb.site" = service-stub;
# mTLS secure domains
# These hosts require a client certificate on top of the server cert:
# `ssl_verify_client on` with /etc/nginx/client-ca.crt as the trust anchor.
# Anything signed by that CA file gets through, so keep it limited to the
# client-issuing CA, and note nginx does no revocation checking unless
# `ssl_crl` is also configured. forceSSL redirects plain HTTP before any
# client-cert check happens.
"www.secure.ktvb.site" = {
enableACME = true;
forceSSL = true;
root = "/srv/www.secure.ktvb.site";
extraConfig = ''
# Enable mTLS
ssl_verify_client on;
ssl_client_certificate /etc/nginx/client-ca.crt;
index index.html;
# Reverse proxy to mopidy behind mTLS. Both proxyPass values are empty in this
# copy — nginx rejects an empty proxy_pass, so the upstream was presumably lost.
# The /mopidy/ws location carries the WebSocket upgrade headers; it inherits the
# server-level ssl_verify_client, so the socket is also client-cert gated.
"mopidy.secure.ktvb.site" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "";
locations."/mopidy/ws" = {
proxyPass = "";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
extraConfig = ''
# Enable mTLS
ssl_verify_client on;
ssl_client_certificate /etc/nginx/client-ca.crt;
# mTLS-gated front for immich; proxyPass is empty in this copy (see above).
"immich.secure.ktvb.site" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "";
extraConfig = ''
# enable mTLS
ssl_verify_client on;
ssl_client_certificate /etc/nginx/client-ca.crt;
# mirror revproxy
# Upstream is plain HTTP on an internal hostname; TLS ends at this nginx, so the
# hop to mirror.backyard.home is only as private as that network.
"mirror.alogoulogoi.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
access_log /var/log/nginx/access_mirror.alogoulogoi.com.log;
locations."/".proxyPass = "http://mirror.backyard.home:7474/";
# immich revproxy
# Public (no client cert) immich front, proxied to the local service on :3000.
# The access log is named after alogoulogoi.com although the host is
# immich.ktvb.site — looks like a copy-paste leftover; harmless, but confusing
# when correlating logs.
"immich.ktvb.site" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
access_log /var/log/nginx/access_immich.alogoulogoi.com.log;
locations."/".proxyPass = "http://localhost:3000";
# immich proxy revproxy
# Proxied to the local service on :8002; no mTLS and no dedicated access log.
"ipp.ktvb.site" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8002";
# Deny all other subdomains
# Catch-all (default = true): any Host header that matches no vhost above lands
# here. The TLS handshake is rejected so no other host's certificate is served
# for an unknown name, and plain HTTP gets 444 (connection closed, no response).
"alogoulogoi.com" = {
default = true;
rejectSSL = true;
locations."/".return = "444";
# ACME registration used by every enableACME vhost above.
security.acme = {
defaults.email = "tim.vanbaak+alogoulogoi@gmail.com";
acceptTerms = true;
# SSH hardening: keys only, and root may log in only with a key. The `enable`
# line is not visible in this copy — presumably set here or in another module.
services.openssh = {
settings.PasswordAuthentication = false;
settings.PermitRootLogin = "prohibit-password";
# Local intake service; the listen address is empty in this copy, so where it
# actually binds cannot be confirmed from here.
services.intake = {
listen = { addr = ""; };
users.tvb.enable = true;
users.tvb.extraPackages = [
# Only 80/443 (nginx) and 8081 are reachable from outside. 8081 is opened for
# intake directly rather than through the nginx TLS front — presumably plain
# HTTP on a public port; worth confirming it cannot instead bind to localhost
# and sit behind an nginx vhost like the other services. The UDP list body is
# not present in this copy.
networking.firewall = {
enable = true;
allowedTCPPorts = [
80 # http
443 # https
8081 # intake-ng
allowedUDPPorts = [
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?