From c8676b05827bc4a764c355397c7f0622f5676798 Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Thu, 29 Jul 2021 14:44:17 -0300
Subject: WIP reactivate nixvps with Terraform and nixos-rebuild on Vultr
---
servers/active/nixvps/configuration.nix | 229 ++++++++++++++++++++++++++++++++
1 file changed, 229 insertions(+)
create mode 100644 servers/active/nixvps/configuration.nix
(limited to 'servers/active/nixvps/configuration.nix')
diff --git a/servers/active/nixvps/configuration.nix b/servers/active/nixvps/configuration.nix
new file mode 100644
index 0000000..4d793db
--- /dev/null
+++ b/servers/active/nixvps/configuration.nix
@@ -0,0 +1,229 @@
+{ config, pkgs, ... }:
+
+let
+ envsubstConfiguration =
+ pkgs.callPackage /opt/secrets/envsubst-configuration.nix { };
+ config = rec {
+ TLD = envsubstConfiguration.TLD;
+ cgitPort = "81";
+ openSSHPort = 23841;
+ };
+in {
+ imports = [
+ ./hardware-configuration.nix
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/master/nixos-mailserver-master.tar.gz";
+ })
+ ];
+
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ interfaces.ens3.useDHCP = true;
+ };
+
+ nix = {
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 7d";
+ };
+ # min-free 1G
+ extraOptions = ''
+ min-free = ${toString (1024 * 1024 * 1024)}
+ '';
+ };
+
+ environment = {
+ systemPackages = let
+ c99 = pkgs.tinycc.overrideAttrs (oldAttrs: {
+ postInstall = ''
+ ln -s $out/bin/tcc $out/bin/c99
+ '';
+ });
+ in with pkgs; [ vim git gitAndTools.git-annex gnumake gnum4 c99 bpytop ];
+ shellAliases = { l = "ls -lahF"; };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ # SSH: OpenSSH
+ config.openSSHPort
+
+ # HTTP and HTPPS: NGINX
+ 80
+ 443
+
+ # Git daemon
+ 9418
+ ];
+
+ security = {
+ acme = {
+ acceptTerms = true;
+ email = "eu@euandre.org";
+ };
+ sudo.enable = false;
+ doas = {
+ enable = true;
+ extraConfig = ''
+ permit nopass setenv { NIX_PATH } :wheel
+ '';
+ };
+ };
+
+ services = {
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ ports = [ config.openSSHPort ];
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "${config.TLD}" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/srv/http/";
+ extraConfig = ''
+ # Allow