aboutsummaryrefslogtreecommitdiff
path: root/servers/active/nixvps/configuration.nix
diff options
context:
space:
mode:
Diffstat (limited to 'servers/active/nixvps/configuration.nix')
-rw-r--r--servers/active/nixvps/configuration.nix229
1 files changed, 0 insertions, 229 deletions
diff --git a/servers/active/nixvps/configuration.nix b/servers/active/nixvps/configuration.nix
deleted file mode 100644
index 4d793db..0000000
--- a/servers/active/nixvps/configuration.nix
+++ /dev/null
@@ -1,229 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- envsubstConfiguration =
- pkgs.callPackage /opt/secrets/envsubst-configuration.nix { };
- config = rec {
- TLD = envsubstConfiguration.TLD;
- cgitPort = "81";
- openSSHPort = 23841;
- };
-in {
- imports = [
- ./hardware-configuration.nix
- (builtins.fetchTarball {
- url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/master/nixos-mailserver-master.tar.gz";
- })
- ];
-
- boot.loader.grub = {
- enable = true;
- version = 2;
- device = "/dev/vda";
- };
-
- networking = {
- interfaces.ens3.useDHCP = true;
- };
-
- nix = {
- gc = {
- automatic = true;
- options = "--delete-older-than 7d";
- };
- # min-free 1G
- extraOptions = ''
- min-free = ${toString (1024 * 1024 * 1024)}
- '';
- };
-
- environment = {
- systemPackages = let
- c99 = pkgs.tinycc.overrideAttrs (oldAttrs: {
- postInstall = ''
- ln -s $out/bin/tcc $out/bin/c99
- '';
- });
- in with pkgs; [ vim git gitAndTools.git-annex gnumake gnum4 c99 bpytop ];
- shellAliases = { l = "ls -lahF"; };
- };
-
- networking.firewall.allowedTCPPorts = [
- # SSH: OpenSSH
- config.openSSHPort
-
- # HTTP and HTPPS: NGINX
- 80
- 443
-
- # Git daemon
- 9418
- ];
-
- security = {
- acme = {
- acceptTerms = true;
- email = "eu@euandre.org";
- };
- sudo.enable = false;
- doas = {
- enable = true;
- extraConfig = ''
- permit nopass setenv { NIX_PATH } :wheel
- '';
- };
- };
-
- services = {
- openssh = {
- enable = true;
- permitRootLogin = "no";
- passwordAuthentication = false;
- ports = [ config.openSSHPort ];
- };
-
- nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- virtualHosts = {
- "${config.TLD}" = {
- forceSSL = true;
- enableACME = true;
- root = "/srv/http/";
- extraConfig = ''
- # Allow <script type="module" src="..."> 3rd-party HTML pages
- add_header 'Access-Control-Allow-Origin' '*';
- autoindex on;
- '';
- };
- "git.${config.TLD}" = {
- forceSSL = true;
- enableACME = true;
- extraConfig = ''
- location = /favicon.ico {
- alias ${pkgs.cgit}/cgit/favicon.ico;
- }
- location / {
- # Allow <script type="module" src="..."> 3rd-party HTML pages
- add_header 'Access-Control-Allow-Origin' '*';
- proxy_pass http://localhost:${config.cgitPort};
- }
- '';
- };
- };
- };
-
- lighttpd = {
- enable = true;
- port = pkgs.lib.toInt config.cgitPort;
- cgit = {
- enable = true;
- subdir = "";
- configText = ''
- enable-blame=1
- enable-commit-graph=1
- enable-follow-links=1
- enable-index-owner=0
- enable-log-filecount=1
- enable-log-linecount=1
- enable-html-serving=1
- root-desc=Patches welcome!
- readme=:README.en.md
- readme=:README.md
- readme=:README
- max-repodesc-length=120
- max-repo-count=999
- remove-suffix=1
- root-title=EuAndreh's repositories
- snapshots=tar.xz
- source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
- about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
- scan-path=/srv/http
- mimetype.mjs=text/javascript
- '';
- };
- };
-
- gitDaemon = {
- enable = true;
- basePath = "/srv/http";
- exportAll = true;
- };
-
- cron = {
- enable = true;
- systemCronJobs = [
- "30 1 * * 1 root /opt/bin/gc.sh"
- "30 0 * * * root /opt/bin/backup.sh"
- ];
- };
- };
-
- users = {
- # Improve: make mutable
- mutableUsers = false;
- extraUsers = let
- andrehUser = {
- andreh = {
- uid = 1000;
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- hashedPassword = envsubstConfiguration.hashedPassword;
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDF+uy407LKZAFnfFkJPRiOBzwV98qIEcKhITnLYhqfITfrJvcFVOY0/YDCrs6WHXyLdM29AoywVWsQ1qXiB7xQCwknPV8YZoCnJQcn0gvH8jbCk+C8Po0Rx846wbhL49qYolnmlhe+Uoy30j7XIJSDtPVO9d/hZqt2GPwGVJ98HLyY2ak+j4i1YkHr+mPFgnCaqCAzA374d1Bop18+YENYtMMU0k8hCsomwZny/7qNo4V8mjLxQAS8FvTuljxlthEpOM4Jsjl07yDLgE69kLvU7mmFi8EeC26e50N18Ouse82dZigtVhAMeLBhbJnQbDff4WfUBzSjpKjZPGcxoRaej3qSRbIkcMMqCOSlww6GcjRi+COvlpA4c1i4hKI15wHceoiKghDLA6jbaHfOqEMldflYl5gCVUIYzJ5XehZppH6L7PzO+L4suNs+aFjWPDZ0jqEtcyTmgTMea40p7wwz086ExnBDorbG79oDiJrWc+swJjXuVakS+fQjb3mPsCC/FgUhsxEtqiVfvLo2mphp47pOYvs64aUp3RV9muqQNuS4tEuP9V1urGTLtgPL26LEjF0oLu1ag0H+VZY5O/T9KRYvWre8IWbj/KkZYo1tJaGJyEVr0plmyzLBEy8b3Hu/6Wtq7yB0Eii60fxqFWC24nEkvs1V0cxDa+o6I2iA9w== eu@euandre.org"
- ];
- };
- };
- buildUser = (i: {
- "guixbuilder${i}" = {
- group = "guixbuild";
- extraGroups = [ "guixbuild" ];
- home = "/var/empty";
- shell = pkgs.nologin;
- description = "Guix build user ${i}";
- isSystemUser = true;
- };
- });
- in pkgs.lib.fold (str: acc: acc // buildUser str) andrehUser
- (map (pkgs.lib.fixedWidthNumber 2) (builtins.genList (n: n + 1) 10));
- extraGroups.guixbuild = { name = "guixbuild"; };
- };
-
- mailserver = {
- enable = true;
- fqdn = "mail.${config.TLD}";
- domains = [ config.TLD ];
- loginAccounts = {
- "eu@${config.TLD}" = {
- hashedPasswordFile = "/opt/secrets/mail-user-password-hash.txt";
- aliases = [ "@${config.TLD}" ];
- };
- };
- certificateScheme = 3;
- };
-
- systemd = {
- services = {
- guix-daemon = {
- enable = true;
- description = "Build daemon for GNU Guix";
- serviceConfig = {
- ExecStart =
- "/var/guix/profiles/per-user/root/current-guix/bin/guix-daemon --build-users-group=guixbuild";
- };
- wantedBy = [ "multi-user.target" ];
- };
- };
- };
-
- system = {
- stateVersion = "20.09";
- autoUpgrade = {
- enable = true;
- allowReboot = true;
- };
- };
-}