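{
  pkgs,
  lib,
  config,
  ...
}: let
  # Shared host/service inventory for the whole fleet (../state.nix). Bound once
  # here and reused below instead of re-importing the file in several places.
  state = builtins.import ../state.nix;

  # Wraps a virtualHost attrset with the TLS defaults every exposed service gets:
  # redirect plain HTTP to HTTPS and obtain the certificate via ACME.
  mkVirtHost = lib.attrsets.recursiveUpdate {
    forceSSL = true;
    enableACME = true;
  };
in {
  imports = [
    ../hardware/netcup-vps-200-g10.nix
    ../modules/nginx-reverse-proxy.nix
  ];

  config = {
    boot.loader.grub.enable = true;
    boot.loader.grub.device = "/dev/sda";

    networking.hostId = "94d74a20";
    networking.hostName = "granodomus-lima";
    networking.interfaces.ens3.useDHCP = true;

    # Custom option defined outside this file; presumably lets sshd accept
    # connections that do not arrive over the VPN — confirm in its module.
    settings.ssh.openOutsideVPN = true;

    users.users = {
      root = {
        # NOTE(review): the root password hash is stored in this file and therefore
        # in the repository history. Since sops-nix is already wired up on this host
        # (sops.defaultSopsFile below), prefer `hashedPasswordFile` pointing at a
        # sops secret, and rotate the password once the hash has been removed from
        # version control, since the old hash stays in history.
        hashedPassword = "$6$Yb1gdlKIpY1hRW1X$uUcNFuNnK2JFFN55Tkc.fPV.4I7RJvIfLEQayVP1utfkmjF0f/EHjtypxq11jR5NUUIJFQLW6ffajjduA2689.";
      };
    };

    # Secrets are decrypted with the host's SSH host key (age derived from ed25519).
    sops.defaultSopsFile = ../secrets/hosts/granodomus-lima/secrets.yaml;
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

    services.fail2ban = {
      enable = true;
      # Never ban VPN peers: collect both address families of every entry in
      # state.vpn. The lambda parameter is named `peer` (not `config`) so it does
      # not shadow the module's `config` argument.
      ignoreIP = let
        extractIPs = _: peer: [peer.v4 peer.v6];
      in
        lib.flatten (lib.attrsets.mapAttrsToList extractIPs state.vpn);
    };

    # Run radicale with infcloud interface for me and Marie
    services.radicaleWithInfcloud.enable = true;

    # One <name>.tammena.me virtual host per service that is flagged `external`
    # in state.services, reverse-proxied to the service's internal host:port.
    services.nginx.virtualHosts = let
      # Keep only services that declare `external = true`; services without the
      # attribute are treated as internal-only.
      removeUnexposed = lib.attrsets.filterAttrs (_: svc: svc ? "external" && svc.external);

      createVirtHost = name: svc: {
        name = "${name}.tammena.me";
        value = mkVirtHost {
          locations."/" = {
            proxyPass = "http://${svc.host}:${builtins.toString svc.port}";
            proxyWebsockets = true;
          };
        };
      };
    in
      lib.mapAttrs' createVirtHost (removeUnexposed state.services);

    # Plain TCP pass-through of SSH to the git host so `git@...:22222` reaches it
    # through this box. Port 22222 is opened in the firewall below. The
    # `server_name` line inside the config is commented out because stream servers
    # (unlike http servers) do not take that directive.
    services.nginx.appendConfig = ''
      stream {
        upstream ssh {
          server ${state.services.git.host}:22;
        }
        server {
          listen 22222;
          # server_name git.tammena.me;
          proxy_pass ssh;
        }
      }
    '';

    # NOTE(review): one certificate-key secret is declared for *every* service in
    # state.services, not only the exposed ones, and nothing in this file reads
    # them (the virtual hosts above use ACME). Presumably consumed by
    # ../modules/nginx-reverse-proxy.nix — verify, otherwise these can be dropped
    # or limited to the exposed services.
    sops.secrets =
      lib.mapAttrs' (name: _: {
        name = "certificate-key-${name}-tammena-me";
        value = {
          owner = "nginx";
          mode = "0400";
        };
      })
      state.services;

    services.qemuGuest.enable = true;

    # Authoritative DNS for the private "home" zone, with recursion for everything
    # else forwarded upstream.
    services.bind = {
      enable = true;
      # NOTE(review): `cacheNetworks = ["any"]` together with `listenOn = ["any"]`
      # and port 53 being opened in the firewall below means this host answers
      # recursive queries from every network it is reachable on. If the VPS has a
      # public interface (the hardware module and DHCP on ens3 suggest it might),
      # that is an open resolver and a DNS amplification vector; restrict
      # cacheNetworks and listenOn to the VPN address ranges — confirm.
      cacheNetworks = ["any"];
      # Upstream resolver for non-"home" names; presumably the VPN's own DNS
      # service — verify it is reachable only over the VPN.
      forwarders = ["100.100.100.100"];
      listenOn = ["any"];
      listenOnIpv6 = ["any"];

      zones."home" = let
        granodomus-lima = config.state.vpn.machine.granodomus-lima;
        faunus-ater = config.state.vpn.machine.faunus-ater;

        # Emits an AAAA and an A record for `domain` pointing at `host`'s VPN
        # addresses (host.ipv6 / host.ipv4).
        point = domain: host: ''
          ${domain} AAAA ${host.ipv6}
          ${domain} A ${host.ipv4}
        '';
      in {
        master = true;
        # TODO: Fix TTLs
        # Every SOA timer is 1 second, so secondaries (if any) would refresh and
        # expire constantly; the serial must be bumped manually on change.
        file = pkgs.writeText "home-zone" ''
          $TTL 1
          @ IN SOA home. malte.home. (
            5 ; Serial
            1 ; Refresh
            1 ; Retry
            1 ; Expire
            1) ; Negative Cache TTL
          @ NS home.
          ${point "home." granodomus-lima}
          ${point "cal" granodomus-lima}
          ${point "mc" granodomus-lima}
          ${point "foto" faunus-ater}
          ${point "doc" faunus-ater}
          ${point "sheet" faunus-ater}
          ${point "media" faunus-ater}
          ${point "file" faunus-ater}
          ${point "stats" faunus-ater}
          ${point "cache" faunus-ater}
          ${point "hydra" faunus-ater}
          ${point "git" faunus-ater}
          ${point "read" faunus-ater}
          ${point "note" faunus-ater}
          ${point "time" faunus-ater}
          ${point "todo" faunus-ater}
          ${point "support" faunus-ater}
          ${point "config" faunus-ater}
          ${point "listen" faunus-ater}
        '';
      };
    };

    # 53: DNS (see the open-resolver note on services.bind). 22222: SSH
    # pass-through to the git host via the nginx stream block above.
    networking.firewall.allowedTCPPorts = [53 22222];
    networking.firewall.allowedUDPPorts = [53];

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "21.05"; # Did you read the comment?
  };
}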