Diffstat (limited to 'servers/active/nixvps/configuration.nix')
-rw-r--r-- | servers/active/nixvps/configuration.nix | 229 |
1 files changed, 0 insertions, 229 deletions
diff --git a/servers/active/nixvps/configuration.nix b/servers/active/nixvps/configuration.nix
deleted file mode 100644
index 4d793db..0000000
--- a/servers/active/nixvps/configuration.nix
+++ /dev/null
@@ -1,229 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- envsubstConfiguration =
- pkgs.callPackage /opt/secrets/envsubst-configuration.nix { };
- config = rec {
- TLD = envsubstConfiguration.TLD;
- cgitPort = "81";
- openSSHPort = 23841;
- };
-in {
- imports = [
- ./hardware-configuration.nix
- (builtins.fetchTarball {
- url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/master/nixos-mailserver-master.tar.gz";
- })
- ];
-
- boot.loader.grub = {
- enable = true;
- version = 2;
- device = "/dev/vda";
- };
-
- networking = {
- interfaces.ens3.useDHCP = true;
- };
-
- nix = {
- gc = {
- automatic = true;
- options = "--delete-older-than 7d";
- };
- # min-free 1G
- extraOptions = ''
- min-free = ${toString (1024 * 1024 * 1024)}
- '';
- };
-
- environment = {
- systemPackages = let
- c99 = pkgs.tinycc.overrideAttrs (oldAttrs: {
- postInstall = ''
- ln -s $out/bin/tcc $out/bin/c99
- '';
- });
- in with pkgs; [ vim git gitAndTools.git-annex gnumake gnum4 c99 bpytop ];
- shellAliases = { l = "ls -lahF"; };
- };
-
- networking.firewall.allowedTCPPorts = [
- # SSH: OpenSSH
- config.openSSHPort
-
- # HTTP and HTPPS: NGINX
- 80
- 443
-
- # Git daemon
- 9418
- ];
-
- security = {
- acme = {
- acceptTerms = true;
- email = "eu@euandre.org";
- };
- sudo.enable = false;
- doas = {
- enable = true;
- extraConfig = ''
- permit nopass setenv { NIX_PATH } :wheel
- '';
- };
- };
-
- services = {
- openssh = {
- enable = true;
- permitRootLogin = "no";
- passwordAuthentication = false;
- ports = [ config.openSSHPort ];
- };
-
- nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- virtualHosts = {
- "${config.TLD}" = {
- forceSSL = true;
- enableACME = true;
- root = "/srv/http/";
- extraConfig = ''
- # Allow <script type="module" src="..."> 3rd-party HTML pages
- add_header 'Access-Control-Allow-Origin' '*';
- autoindex on;
- '';
- };
- "git.${config.TLD}" = {
- forceSSL = true;
- enableACME = true;
- extraConfig = ''
- location = /favicon.ico {
- alias ${pkgs.cgit}/cgit/favicon.ico;
- }
- location / {
- # Allow <script type="module" src="..."> 3rd-party HTML pages
- add_header 'Access-Control-Allow-Origin' '*';
- proxy_pass http://localhost:${config.cgitPort};
- }
- '';
- };
- };
- };
-
- lighttpd = {
- enable = true;
- port = pkgs.lib.toInt config.cgitPort;
- cgit = {
- enable = true;
- subdir = "";
- configText = ''
- enable-blame=1
- enable-commit-graph=1
- enable-follow-links=1
- enable-index-owner=0
- enable-log-filecount=1
- enable-log-linecount=1
- enable-html-serving=1
- root-desc=Patches welcome!
- readme=:README.en.md
- readme=:README.md
- readme=:README
- max-repodesc-length=120
- max-repo-count=999
- remove-suffix=1
- root-title=EuAndreh's repositories
- snapshots=tar.xz
- source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
- about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
- scan-path=/srv/http
- mimetype.mjs=text/javascript
- '';
- };
- };
-
- gitDaemon = {
- enable = true;
- basePath = "/srv/http";
- exportAll = true;
- };
-
- cron = {
- enable = true;
- systemCronJobs = [
- "30 1 * * 1 root /opt/bin/gc.sh"
- "30 0 * * * root /opt/bin/backup.sh"
- ];
- };
- };
-
- users = {
- # Improve: make mutable
- mutableUsers = false;
- extraUsers = let
- andrehUser = {
- andreh = {
- uid = 1000;
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- hashedPassword = envsubstConfiguration.hashedPassword;
- openssh.authorizedKeys.keys = [
- "ssh-rsa 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 eu@euandre.org"
- ];
- };
- };
- buildUser = (i: {
- "guixbuilder${i}" = {
- group = "guixbuild";
- extraGroups = [ "guixbuild" ];
- home = "/var/empty";
- shell = pkgs.nologin;
- description = "Guix build user ${i}";
- isSystemUser = true;
- };
- });
- in pkgs.lib.fold (str: acc: acc // buildUser str) andrehUser
- (map (pkgs.lib.fixedWidthNumber 2) (builtins.genList (n: n + 1) 10));
- extraGroups.guixbuild = { name = "guixbuild"; };
- };
-
- mailserver = {
- enable = true;
- fqdn = "mail.${config.TLD}";
- domains = [ config.TLD ];
- loginAccounts = {
- "eu@${config.TLD}" = {
- hashedPasswordFile = "/opt/secrets/mail-user-password-hash.txt";
- aliases = [ "@${config.TLD}" ];
- };
- };
- certificateScheme = 3;
- };
-
- systemd = {
- services = {
- guix-daemon = {
- enable = true;
- description = "Build daemon for GNU Guix";
- serviceConfig = {
- ExecStart =
- "/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild";
- };
- wantedBy = [ "multi-user.target" ];
- };
- };
- };
-
- system = {
- stateVersion = "20.09";
- autoUpgrade = {
- enable = true;
- allowReboot = true;
- };
- };
-} |