authorEuAndreh <eu@euandre.org>2020-08-10 11:30:44 -0300
committerEuAndreh <eu@euandre.org>2020-08-10 11:30:44 -0300
commit18e1dc6cc114e8ea3eedf09e67cd576e879c6326 (patch)
treecf1b375db20ec6d339b641643d8eb376abb102c1 /configuration.nix
parentTODOs.org (diff)
WIP: Move to Vultr and NixOS
Diffstat (limited to 'configuration.nix')
-rw-r--r--configuration.nix124
1 files changed, 124 insertions, 0 deletions
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..fad5305
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,124 @@
+{ config, pkgs, ... }:
+
+let
+ privateConfiguration = import ./private-configuration.nix;
+ derivedConfiguration = import ./derived-configuration.nix;
+in {
+ imports = [ ./hardware-configuration.nix];
+
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ useDHCP = false;
+ interfaces.ens3.useDHCP = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+
+ security.acme = {
+ acceptTerms = true;
+ email = privateConfiguration.letsencryptEmail;
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; # FIXME: ?????
+ virtualHosts = let
+ customConfigTLDs = {};
+ defaultConfigTLDs = [
+ derivedConfiguration.nextcloudTLD
+ derivedConfiguration.gitTLD
+ ];
+ buildDefaultConfiguration = tld:
+ {
+ "${tld}" = {
+ forceSSL = true;
+ enableACME = true;
+ };
+ };
+ in
+ pkgs.lib.fold
+ (tldString: acc: acc // buildDefaultConfiguration tldString)
+ customConfigTLDs
+ defaultConfigTLDs;
+
+ gitweb = {
+ enable = true;
+ location = "/";
+ virtualHost = derivedConfiguration.gitTLD;
+ };
+ };
+
+ nextcloud = {
+ enable = true;
+ hostName = derivedConfiguration.nextcloudTLD;
+ nginx.enable = true;
+ https = true;
+ autoUpdateApps.enable = true;
+ autoUpdateApps.startAt = "05:00:00";
+ config = {
+ overwriteProtocol = "https";
+
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ dbpassFile = "/var/nextcloud-db-pass";
+
+ adminpassFile = "/var/nextcloud-admin-pass";
+ adminuser = "admin";
+ };
+ };
+
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ gitweb = {
+ gitwebTheme = true;
+ projectroot = "/srv/git";
+ };
+ };
+
+ # FIXME: is this required?
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+
+ users.users.nixos = {
+ uid = 1000;
+ extraGroups = ["wheel"];
+ useDefaultShell = true;
+ # FIXME: password hash file?
+ openssh.authorizedKeys.keyFiles = [ "/etc/nixos/nixos-user-authorized-key"];
+ };
+
+ system.stateVersion = "19.09";
+}
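Review bot: The explicit `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";` at the FIXME replaces the curated cipher list that `recommendedTlsSettings = true` (and the option's default) would otherwise give nginx, and the OpenSSL group syntax it uses still admits CBC suites with SHA-1 MACs (e.g. `ECDHE-RSA-AES256-SHA`) while excluding ChaCha20-Poly1305, so it is a net downgrade rather than a hardening; as I recall the NixOS default is GCM/ChaCha20-only with forward secrecy, so the simplest fix is to delete that line and let the recommended settings stand, resolving the FIXME. The `!aNULL` term is redundant here since `EECDH`/`EDH` already denote authenticated key exchange, which is another sign the string was copied without verifying what it selects. Separately, `users.users.nixos` is in `wheel` but sets no password (the FIXME notes it), and with NixOS's default `security.sudo.wheelNeedsPassword = true` the key-only login will not be able to `sudo` at all; either set `hashedPassword`/a password file for the user or set `security.sudo.wheelNeedsPassword = false` deliberately, and consider `isNormalUser = true` so the account gets a real home and the `users` group rather than the system-user defaults. The two secret files `/var/nextcloud-db-pass` and `/var/nextcloud-admin-pass` are referenced but not provisioned in this commit; whatever creates them should make them `0400` owned by the `nextcloud` user, since `/var` itself is world-readable.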