aires/nix-configuration
aires/nix-configuration
1
0
Fork 0
Code Actions Activity
nix-configuration/hosts/Haven/default.nix

145 lines
3.9 KiB
Nix
Raw Blame History

{
pkgs,
home-manager,
lib,
config,
...
}:
let
start-haven = pkgs.writeShellScriptBin "start-haven" (builtins.readFile ./start-haven.sh);
subdomains = map (subdomain: subdomain + ".${config.secrets.networking.primaryDomain}") [
"code"
"music"
];
in
{
imports = [ ./hardware-configuration.nix ];
system.stateVersion = "24.05";
system.autoUpgrade.enable = lib.mkForce false;
host = {
role = "server";
apps.development.kubernetes.enable = true;
services = {
apcupsd.enable = true;
airsonic = {
enable = true;
domain = config.secrets.networking.primaryDomain;
home = "/storage/services/airsonic-advanced";
};
duplicacy-web = {
enable = true;
autostart = false;
environment = "${config.users.users.aires.home}";
};
forgejo = {
enable = true;
domain = config.secrets.networking.primaryDomain;
home = "/storage/services/forgejo";
};
msmtp.enable = true;
};
users = {
aires = {
enable = true;
services.syncthing = {
enable = true;
autostart = false;
};
};
media.enable = true;
};
};
# TLS certificate renewal via Let's Encrypt
security.acme = {
acceptTerms = true;
defaults.email = "${config.secrets.users.aires.email}";
certs."${config.secrets.networking.primaryDomain}" = {
dnsProvider = "namecheap";
extraDomainNames = subdomains;
webroot = null; # Required in order to prevent a failed assertion
credentialFiles = {
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
${config.secrets.networking.namecheap.api.user}
''}";
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
${config.secrets.networking.namecheap.api.key}
''}";
};
};
};
# /var/lib/acme/.challenges must be writable by the ACME user
# and readable by the Nginx user. The easiest way to achieve
# this is to add the Nginx user to the ACME group.
users.users.nginx.extraGroups = [ "acme" ];
services = {
nginx = {
enable = true;
# Use recommended settings per https://nixos.wiki/wiki/Nginx#Hardened_setup_with_TLS_and_HSTS_preloading
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts = {
# Base URL: make sure we've got Let's Encrypt running challenges here, and all other requests going to HTTPS
"${config.secrets.networking.primaryDomain}" = {
default = true;
enableACME = true;
# Catchall vhost, will Redirect users to Forgejo
locations."/" = {
return = "301 https://code.${config.secrets.networking.primaryDomain}";
};
};
};
};
# Enable BOINC (distributed research computing)
boinc = {
enable = true;
package = pkgs.boinc-headless;
dataDir = "/var/lib/boinc";
extraEnvPackages = [ pkgs.ocl-icd ];
};
# Enable SSH
openssh = {
enable = true;
ports = [ config.secrets.hosts.haven.ssh.port ];
settings = {
# require public key authentication and disable root logins
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PubkeyAuthentication = true;
PermitRootLogin = "no";
};
};
# TODO: VPN (Check out Wireguard)
};
# Nginx: Disable autostart, and start sub-services first.
systemd.services.nginx.wantedBy = lib.mkForce [ ];
# Open ports
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
# Add Haven's startup script
environment.systemPackages = [ start-haven ];
# Allow Haven to be a build target for other architectures (mainly ARM64)
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}
View git blame Copy permalink